Automated Host Recon, Persistence and Exfiltration
Batch script to automate collection, credential dumping, discovery and exfiltration techniques
During a red team engagement or a penetration test we always find ourselves performing manual reconnaissance before deciding how to move laterally or carry out more aggressive post-exploitation actions.
This article shows how to automate those initial reconnaissance actions, without user interaction, and present the results in an “actionable” form. Let’s see how …
Automatically collected information:
- Check EDR Presence: https://github.com/BankSecurity/Red_Team/blob/master/Discovery/Check_EDR_Presence.ps1
- Host & user details — Network details — Firewall details — Enumerate the Domain: https://github.com/BankSecurity/Red_Team/blob/master/Discovery/Host_Recon_Complete.bat
- Chrome saved Passwords in cleartext: https://github.com/BankSecurity/Red_Team/blob/master/Credential_Access/Chrome_Passwords.txt
- Wifi saved Passwords in cleartext: https://github.com/BankSecurity/Red_Team/blob/master/Credential_Access/Wifi_Passwords.txt
- Browsers History: https://github.com/BankSecurity/Red_Team/blob/master/Discovery/Get_Browsers_History.txt
There are also a few extras that can be added at will: one for taking a screenshot (different techniques here: link), one for recovering Outlook passwords (a couple of techniques here: link), and one for recording audio from the victim’s PC through the default microphone on Windows 7 and 8 (link). For other Windows versions this last one could work, but it is currently detected by several AVs: link
Putting all the techniques described above together, here is the result:
Here is the video demonstration:
You can customize the script as you prefer and add techniques based on what you need.
In my GitHub you can find all the techniques and scripts used, along with variants that are more or less undetectable:
At the time of writing, the script and the techniques it contains bypass Windows Defender. As always, I recommend having a hunting team capable of detecting these normally “lawful” activities through custom alerts.
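As an added example from the hunting side (not part of the original post or of its scripts): a small Python detector that flags the kind of burst the bundled recon script would produce, that is, several distinct host, network, firewall and domain discovery binaries launched from the same parent shell within a minute, while leaving isolated admin commands alone. The record format, the field names, the image-to-category mapping and the thresholds are all assumptions; map them onto whatever your process-creation telemetry (Sysmon Event ID 1 or Security event 4688, for instance) actually provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Executables whose burst execution from one parent shell resembles scripted
# host / network / firewall / domain discovery. Assumed mapping: tune it to
# what is normal in your environment.
DISCOVERY_IMAGES = {
    "whoami.exe": "host_user",
    "hostname.exe": "host_user",
    "systeminfo.exe": "host_user",
    "tasklist.exe": "host_user",
    "ipconfig.exe": "network",
    "arp.exe": "network",
    "route.exe": "network",
    "netsh.exe": "network_firewall",
    "net.exe": "domain",
    "nltest.exe": "domain",
}

WINDOW = timedelta(seconds=60)   # look-back window per parent process
MIN_DISTINCT = 4                  # distinct discovery binaries needed to alert
MIN_CATEGORIES = 2                # spread across at least this many categories


def parse_event(line):
    """Parse one constructed process-creation record of the form
    '<ISO time>|ppid=<n>|parent=<image>|image=<image>|cmdline=<text>'.
    Returns a dict, or None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    parts = line.split("|")
    if len(parts) != 5:
        return None
    try:
        event = {"time": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            return None
        event[key] = value
    return event


def find_discovery_bursts(lines):
    """Return one alert per parent process whose children include at least
    MIN_DISTINCT distinct discovery binaries, spanning MIN_CATEGORIES
    categories, inside some WINDOW-long interval."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev.get("image", "").lower() in DISCOVERY_IMAGES:
            by_parent[ev.get("ppid")].append(ev)

    alerts = []
    for ppid, events in by_parent.items():
        events.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(events):
            # slide the window start so events[start..end] fit inside WINDOW
            while ev["time"] - events[start]["time"] > WINDOW:
                start += 1
            window = events[start:end + 1]
            images = {e["image"].lower() for e in window}
            categories = {DISCOVERY_IMAGES[i] for i in images}
            if len(images) >= MIN_DISTINCT and len(categories) >= MIN_CATEGORIES:
                # threshold crossed: report everything within WINDOW of the
                # first event so the analyst sees the whole burst for triage
                first = window[0]["time"]
                burst = [e for e in events if first <= e["time"] <= first + WINDOW]
                alerts.append({
                    "ppid": ppid,
                    "parent": burst[0]["parent"],
                    "first_seen": first.isoformat(),
                    "last_seen": burst[-1]["time"].isoformat(),
                    "images": sorted({e["image"].lower() for e in burst}),
                    "cmdlines": [e["cmdline"] for e in burst],
                })
                break  # one alert per parent is enough
    return alerts


# Constructed sample log: a scripted recon burst under ppid 4120 and a few
# routine, widely spaced admin commands under ppid 7788.
SAMPLE_LOG = """
2024-03-05T09:14:02|ppid=4120|parent=cmd.exe|image=whoami.exe|cmdline=whoami /all
2024-03-05T09:14:03|ppid=4120|parent=cmd.exe|image=systeminfo.exe|cmdline=systeminfo
2024-03-05T09:14:05|ppid=4120|parent=cmd.exe|image=ipconfig.exe|cmdline=ipconfig /all
2024-03-05T09:14:06|ppid=4120|parent=cmd.exe|image=netsh.exe|cmdline=netsh advfirewall show allprofiles
2024-03-05T09:14:08|ppid=4120|parent=cmd.exe|image=net.exe|cmdline=net group /domain
2024-03-05T09:30:10|ppid=7788|parent=powershell.exe|image=ipconfig.exe|cmdline=ipconfig
2024-03-05T10:02:41|ppid=7788|parent=powershell.exe|image=whoami.exe|cmdline=whoami
2024-03-05T10:02:43|ppid=7788|parent=powershell.exe|image=net.exe|cmdline=net use
""".strip().splitlines()


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_LOG):
        print(f"[ALERT] ppid={alert['ppid']} parent={alert['parent']} "
              f"{alert['first_seen']} .. {alert['last_seen']}")
        for cmd in alert["cmdlines"]:
            print("   ", cmd)
```

Run against the constructed log it raises exactly one alert, for the cmd.exe parent 4120, and stays quiet for the PowerShell session whose three discovery commands are spread over half an hour. Thresholding on distinct binaries and categories, rather than on any single command, is what keeps the rule useful against "lawful" activity: every one of these commands is legitimate on its own, and it is the density and breadth of the burst that marks it as scripted.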
Enjoy Threat Hunting!
Follow me on Twitter: