Automated Host Recon, Persistence and Exfiltration
Batch script to automate collection, credential dumping, discovery and exfiltration techniques
CONTEXT
During every red team engagement or penetration test we find ourselves performing the same manual reconnaissance actions before deciding how to move laterally or carry out more aggressive post-exploitation actions.
This article shows how to automate those initial reconnaissance actions without user interaction and present the results in an "actionable" form. Let's see how.
AUTOMATED SCRIPT
Automatically collected information:
- Check EDR Presence: https://github.com/BankSecurity/Red_Team/blob/master/Discovery/Check_EDR_Presence.ps1
- Host & user details — Network details — Firewall details — Enumerate the Domain: https://github.com/BankSecurity/Red_Team/blob/master/Discovery/Host_Recon_Complete.bat
- Chrome saved Passwords in cleartext: https://github.com/BankSecurity/Red_Team/blob/master/Credential_Access/Chrome_Passwords.txt
- Wifi saved Passwords in cleartext: https://github.com/BankSecurity/Red_Team/blob/master/Credential_Access/Wifi_Passwords.txt
- Browser history: https://github.com/BankSecurity/Red_Team/blob/master/Discovery/Get_Browsers_History.txt
The script then automatically uploads all the collected data to Pastebin using this script: link, copies itself to the Startup folder as a persistence mechanism, and opens a reverse shell to your C2 (link).
There are also a few optional extras that can be added at will: one takes a screenshot (different techniques here: link), another recovers Outlook passwords (a couple of techniques here: link), and the last records audio from the victim's PC through the default microphone on Windows 7 and 8 (link); for other Windows versions this one may work but is currently detected by several AVs: link
AUTO_RECON.bat script:
Putting all the techniques described above together, here is the result:
https://github.com/BankSecurity/Red_Team/blob/master/AUTO_RECON.bat
You can customize the script as you prefer and add techniques based on what you need.
On my GitHub you can find all the techniques and scripts used, together with variants that are more or less undetectable:
https://github.com/BankSecurity/Red_Team
At the time of writing, the script and the techniques contained within it bypass Windows Defender. As always, I recommend having a hunting team capable of detecting these normally “lawful” activities through custom alerts.
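The hunting recommendation above, as an added illustration that is not taken from the author's repository: a small Python detector that runs three custom-alert rules over constructed Sysmon-style events (assumed key=value format; Sysmon's EventID 11 for file creation and EventID 3 for network connections) and flags the behaviours this script exhibits on a host: a file dropped into the per-user Startup folder, a connection to pastebin.com, and cmd.exe or powershell.exe opening an outbound socket.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (not real telemetry), flattened to key=value pairs.
# EventID 11 = FileCreate, EventID 3 = NetworkConnect, as Sysmon numbers them.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Windows\System32\cmd.exe TargetFilename=C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AUTO_RECON.bat",
    r"EventID=3 Image=C:\Windows\System32\curl.exe DestinationHostname=pastebin.com DestinationPort=443",
    r"EventID=3 Image=C:\Windows\System32\cmd.exe DestinationIp=203.0.113.10 DestinationPort=4444",
    r"EventID=11 Image=C:\Program Files\Google\Chrome\Application\chrome.exe TargetFilename=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\History",
    r"EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationHostname=example.org DestinationPort=443",
]

# Values may contain spaces ("Start Menu"), so a value ends at the next " key=" rather than at whitespace.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SHELLS = {"cmd.exe", "powershell.exe"}

def parse_event(line: str) -> Dict[str, str]:
    return {k: v for k, v in FIELD_RE.findall(line)}

def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, image, detail) for every event that matches a hunting rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if ev.get("EventID") == "11":
            path = ev.get("TargetFilename", "")
            # Persistence: anything written into the per-user Startup folder runs at next logon.
            if STARTUP_DIR in path.lower():
                alerts.append(("startup_persistence", image, path))
        elif ev.get("EventID") == "3":
            host = ev.get("DestinationHostname", "").lower()
            dest = host or ev.get("DestinationIp", "")
            port = ev.get("DestinationPort", "")
            # Exfiltration: a corporate host talking to pastebin.com deserves a look regardless of process.
            if host == "pastebin.com" or host.endswith(".pastebin.com"):
                alerts.append(("pastebin_upload", image, f"{dest}:{port}"))
            # Reverse shell: cmd.exe and powershell.exe rarely open outbound sockets themselves.
            elif exe in SHELLS:
                alerts.append(("shell_outbound", image, f"{dest}:{port}"))
    return alerts

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {detail}")
```

The Chrome and Firefox events are included as benign noise; neither rule fires on them.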
Enjoy Threat Hunting!