Skip to content

Instantly share code, notes, and snippets.

@HarmJ0y
Created September 28, 2018 22:22
Show Gist options
  • Save HarmJ0y/fe676e3ceba74f22a28bd1b121182db7 to your computer and use it in GitHub Desktop.
Save HarmJ0y/fe676e3ceba74f22a28bd1b121182db7 to your computer and use it in GitHub Desktop.
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
reg query x64 HKCU\Software\Microsoft\Terminal Server Client\Servers
more info example:
reg query x64 HKCU\Software\Microsoft\Terminal Server Client\Servers\10.10.10.25
IE proxy settings:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
reg query x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
reg query x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
reg queryv x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\ DefaultConnectionSettings
From https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1:
Check system policies (token filter policy/etc.)
reg query x64 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Audit settings:
reg query x64 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Command line process auditing:
reg queryv x64 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit ProcessCreationIncludeCmdLine_Enabled
Check if PS version 2 is installed:
reg queryv x64 HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine PowerShellVersion
Check if PS version 5 is installed:
reg queryv x64 HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine PowerShellVersion
Check if CLR 2.0 installed:
ls C:\Windows\Microsoft.Net\Framework\v2.0.50727\
Check if CLR 4.0 installed:
ls C:\Windows\Microsoft.Net\Framework\v4.0.30319\
PowerShell transcription settings:
reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription
PowerShell module logging:
reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging
PowerShell script block logging:
reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
LSA settings (NTLM, PPL, etc.)
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Lsa
LAPS enabled:
reg query x64 HKLM\Software\Policies\Microsoft Services\AdmPwd
WEF settings:
reg query x64 HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1
MS Cached Logon Count:
reg queryv x64 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon CachedLogonsCount
Putty:
reg query x64 HKCU\SOFTWARE\SimonTatham\Putty\
Sysmon:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters
reg queryv x64 HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters Rules
Users logged onto the machine:
net logons
Local admins:
net localgroup administrators
Local drives:
drives
Local shares:
net share
From https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1:
Recently typed "run" commands:
reg query x64 HKCU\software\microsoft\windows\currentversion\explorer\runmru
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment