@gwhite-so
Last active July 29, 2024 01:26
session-enumeration-runbook
# 1.0.0 — NetSess.exe is copied onto the target ("upload -File") and then run there;
# the requirement string records the local group membership the step needs.
# <HOSTNAME> is presumably substituted at execution time (the file does not define it).
[[testCases]]
id = "1.0.0"
name = "1.0.0 - Enumerate SMB Sessions from Third-Party Utility On Disk (NetSess)"
description = "Using the third party NetSess.exe utility to enumerate active SMB sessions"
tooling = { name = "NetSess.exe", references = ["http://www.joeware.net/freetools/tools/netsess/"] }
executionSteps = ["agent> upload -File NetSess.exe", "agent> run NetSess.exe <HOSTNAME>"]
executionRequirements = [
  "Member of one of the following groups on target host - Administrators, Server Operators, Power Users on newer OS versions",
]
# 1.1.0 — same SMB-session enumeration as 1.0.0, but delivered as a BOF through
# register_coff / execute_coff instead of a binary written to disk.
[[testCases]]
id = "1.1.0"
name = "1.1.0 - Enumerate SMB Sessions via Beacon Object File BOF (get-netsession)"
description = "Using a BOF to enumerate active SMB sessions."
executionSteps = [
  'agent> register_coff get-netsession.x64.o',
  'agent> execute_coff {"coff_name":"get-netsession.x64.o","function_name":"go","timeout":"30","coff_arguments":[["wchar","<HOSTNAME>"]]}',
]
executionRequirements = [
  "Member of one of the following groups on target host - Administrators, Server Operators, Power Users on newer OS versions",
]

# Sub-table of this element: keep it after the element's own keys and before the next [[testCases]].
[testCases.tooling]
name = "get-netsession BOF"
references = [
  "https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/SA/get-netsession/get-netsession.x64.o",
  "https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/SA/SA.cna",
]
# 1.2.0 — a PowerShell script is uploaded and then read back from c:\ProgramData and invoked.
# NOTE(review): the description says "Get-NetSession.ps1" while tooling.name and both steps use
# "Get-NetSessions.ps1" / "Get-NetSessions" — confirm which file and command name is intended.
[[testCases]]
id = "1.2.0"
name = "1.2.0 - Enumerate SMB Sessions via PowerView's Get-NetSession"
description = "Use Get-NetSession.ps1 script to enumerate active SMB sessions"
# Literal string kept for the second step: the JSON payload needs the doubled backslashes verbatim.
executionSteps = [
  'agent> upload -File Get-NetSessions.ps1',
  'agent> run {"executable":"powershell.exe","arguments":"IEX $(gc c:\\ProgramData\\Get-NetSessions.ps1 | out-string);Get-NetSessions -hostname <HOSTNAME>"}',
]
executionRequirements = [
  "Member of one of the following groups on target host - Administrators, Server Operators, Power Users on newer OS versions",
]

[testCases.tooling]
name = "Get-NetSessions.ps1"
references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1"]
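# 1.3.0 — the RPC traffic originates from the operator's terminal and is relayed through the
# agent's SOCKS listener (port 7005), so nothing is written to the target's disk.
# Fix: the terminal step carried stray Markdown backticks and a trailing period, and used
# <TARGET_HOST_NAME> where every other case uses <HOSTNAME>; both are normalised here.
[[testCases]]
id = "1.3.0"
name = "1.3.0 - Enumerate SMB Sessions via Proxied RPC"
description = "using the netview.py Impacket script to generate RPC network traffic and send it through a SOCKS proxy to enumerate active SMB sessions on a REMOTE WORKSTATION."
tooling = { name = "Impacket netview.py", references = ["https://github.com/fortra/impacket/blob/master/examples/netview.py"] }
executionSteps = [
  "agent> socks 7005",
  "terminal> proxychains4 python3 netview.py -target <HOSTNAME> <USER_NAME>",
]
executionRequirements = [
  "Member of one of the following groups on target host - Administrators, Server Operators, Power Users on newer OS versions",
]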
# 2.0.0 — netloggedon BOF against a server host; 2.0.1 is the same steps against a workstation.
# The requirement string lists the group membership the runbook expects on the target.
[[testCases]]
id = "2.0.0"
name = "2.0.0 - Enumerate Interactive, Service, and Batch Logon Sessions from BOF (server)"
description = "Use the third party netloggedon BOF to enumerate active logon sessions (interactive, service, and batch logons)"
executionSteps = [
  'agent> register_coff netloggedon.x64.o',
  'agent> execute_coff {"coff_name":"netloggedon.x64.o","function_name":"go","timeout":"30","coff_arguments":[["wchar","<HOSTNAME>"]]}',
]
executionRequirements = [
  "Member of one of the following groups on target host - Administrators, and the Server, System and Print Operator",
]

[testCases.tooling]
name = "netloggedon BOF"
references = [
  "https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/SA/netloggedon/netloggedon.x64.o",
  "https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/SA/SA.cna",
]
# 2.0.1 — workstation variant of 2.0.0; tooling, steps and requirements are identical,
# only the id and name differ.
[[testCases]]
id = "2.0.1"
name = "2.0.1 - Enumerate Interactive, Service, and Batch Logon Sessions from BOF (workstation)"
description = "Use the third party netloggedon BOF to enumerate active logon sessions (interactive, service, and batch logons)"
tooling.name = "netloggedon BOF"
tooling.references = [
  "https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/SA/netloggedon/netloggedon.x64.o",
  "https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/SA/SA.cna",
]
executionSteps = [
  "agent> register_coff netloggedon.x64.o",
  'agent> execute_coff {"coff_name":"netloggedon.x64.o","function_name":"go","timeout":"30","coff_arguments":[["wchar","<HOSTNAME>"]]}',
]
executionRequirements = ["Member of one of the following groups on target host - Administrators, and the Server, System and Print Operator"]
# 2.1.0 — proxied-RPC variant: traffic leaves the operator's terminal via the agent's SOCKS listener.
# NOTE(review): tooling.name says "netloggedon.py" but the terminal step invokes "getloggedon.py";
# the referenced gist is not on this page, so confirm which script name is correct.
[[testCases]]
id = "2.1.0"
name = "2.1.0 - Enumerate Interactive, Service, and Batch Logon Sessions via Proxied RPC"
description = "Use a netloggedon.py Impacket script to generate RPC network traffic and send it through a SOCKS proxy to enumerate active sessions"
tooling = { name = "Impacket netloggedon.py", references = ["https://gist.github.com/cham423/aa63b9cbc2961cef43c32b319100bffa"] }
executionSteps = [
  "agent> socks 7005",
  'terminal> proxychains4 python3 getloggedon.py <DOMAIN/USERNAME>:"<Password>"@<HOSTNAME>',
]
executionRequirements = [
  "Member of one of the following groups on target host - Administrators, and the Server, System and Print Operator",
]
# 2.2.0 — PowerShell variant: the script is uploaded, read back from c:\ProgramData and invoked
# through powershell.exe (same delivery pattern as 1.2.0).
[[testCases]]
id = "2.2.0"
name = "2.2.0 - Enumerate Interactive, Service, and Batch Logon Sessions via PowerShell Get-NetLoggedon.ps1"
description = "Use Get-NetLoggedon.ps1 script to enumerate active sessions"
tooling = { name = "PowerShell Get-NetLoggedon.ps1", references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1"] }
# Literal string for the second step so the doubled backslashes in the JSON payload stay as written.
executionSteps = [
  "agent> upload -File Get-NetLoggedon.ps1",
  'agent> run {"executable":"powershell.exe","arguments":"IEX $(gc c:\\ProgramData\\Get-NetLoggedon.ps1 | out-string);Get-NetLoggedon -hostname <HOSTNAME>"}',
]
executionRequirements = [
  "Member of one of the following groups on target host - Administrators, and the Server, System and Print Operator",
]
# 3.0.0 — reg_query BOF against a server host (3.0.1 is the workstation twin).
# The stated prerequisite is the Remote Registry service being running or triggerable on the
# remote computer; where that service is disabled this case cannot be exercised.
[[testCases]]
id = "3.0.0"
name = "3.0.0 - Enumerate Interactive Sessions via reg_query BOF (server)"
description = "Use the third party reg_query BOF to enumerate interactive logon sessions"
executionSteps = [
  "agent> register_coff reg_query.x64.o",
  'agent> execute_coff {"coff_name":"reg_query.x64.o","function_name":"go","timeout":"30","coff_arguments":[["string","<HOSTNAME>"],["int32","3"],["string",""]]}',
]
executionRequirements = ["Requires the Remote Registry service to be running or triggerable on the remote computer"]

[testCases.tooling]
name = "reg_query BOF"
references = [
  "https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/SA/reg_query/reg_query.x64.o",
  "https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/SA/SA.cna",
]
# 3.0.1 — workstation variant of 3.0.0; identical tooling, steps and Remote Registry prerequisite.
[[testCases]]
id = "3.0.1"
name = "3.0.1 - Enumerate Interactive Logon Sessions via reg_query BOF (workstation)"
description = "Use the third party reg_query BOF to enumerate interactive logon sessions"
tooling.name = "reg_query BOF"
tooling.references = [
  "https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/SA/reg_query/reg_query.x64.o",
  "https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/SA/SA.cna",
]
executionSteps = [
  "agent> register_coff reg_query.x64.o",
  'agent> execute_coff {"coff_name":"reg_query.x64.o","function_name":"go","timeout":"30","coff_arguments":[["string","<HOSTNAME>"],["int32","3"],["string",""]]}',
]
executionRequirements = [
  "Requires the Remote Registry service to be running or triggerable on the remote computer",
]
# 3.1.0 — proxied-RPC variant of the registry query: reg.py runs from the operator's terminal
# through the agent's SOCKS listener. Same Remote Registry prerequisite as 3.0.x.
[[testCases]]
id = "3.1.0"
name = "3.1.0 - Enumerate Interactive Logon Sessions via Impacket reg.py"
description = "Use a reg.py Impacket script to generate RPC network traffic and send it through a SOCKS proxy to enumerate interactive sessions"
tooling = { name = "Impacket reg.py", references = ["https://github.com/fortra/impacket/blob/master/examples/reg.py"] }
executionSteps = [
  "agent> socks 7005",
  'terminal> proxychains4 python3 reg.py <DOMAIN/USERNAME>:"<Password>"@<HOSTNAME> query -keyName HKU',
]
executionRequirements = [
  "Requires the Remote Registry service to be running or triggerable on the remote computer",
]