Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Users who have authed to the system:
ls C:\Users\

System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Saved outbound RDP connections:
reg query x64 HKCU\Software\Microsoft\Terminal Server Client\Servers

More info example:
reg query x64 HKCU\Software\Microsoft\Terminal Server Client\Servers\10.10.10.25

IE proxy settings:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
reg query x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
reg query x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
reg queryv x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\ DefaultConnectionSettings

From https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1:

Check system policies (token filter policy, etc.):
reg query x64 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Audit settings:
reg query x64 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit

Command line process auditing:
reg queryv x64 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit ProcessCreationIncludeCmdLine_Enabled

Check if PS version 2 is installed:
reg queryv x64 HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine PowerShellVersion

Check if PS version 5 is installed:
reg queryv x64 HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine PowerShellVersion

Check if CLR 2.0 is installed:
ls C:\Windows\Microsoft.Net\Framework\v2.0.50727\

Check if CLR 4.0 is installed:
ls C:\Windows\Microsoft.Net\Framework\v4.0.30319\

PowerShell transcription settings:
reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription

PowerShell module logging:
reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging

PowerShell script block logging:
reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

LSA settings (NTLM, PPL, etc.):
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Lsa

LAPS enabled:
reg query x64 HKLM\Software\Policies\Microsoft Services\AdmPwd

WEF settings:
reg query x64 HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1

MS cached logon count:
reg queryv x64 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon CachedLogonsCount

PuTTY:
reg query x64 HKCU\SOFTWARE\SimonTatham\Putty\

Sysmon:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters
reg queryv x64 HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters Rules

Users logged onto the machine:
net logons

Local admins:
net localgroup administrators

Local drives:
drives

Local shares:
net share

From https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1:

Recently typed "Run" commands:
reg query x64 HKCU\software\microsoft\windows\currentversion\explorer\runmru