
Opsec Considerations For Beacon Commands

June 23, 2017

A practiced operator knows their tools and has an idea of how each tool accomplishes its objectives on their behalf. This blog post surveys Beacon's commands and provides background on which commands inject into remote processes, which commands spawn jobs, and which commands rely on cmd.exe or powershell.exe.

API-only

These commands are built into Beacon and rely on Win32 APIs to meet their objectives.
cd
cp
download
drives
exit
getuid
kerberos_ccache_use
kerberos_ticket_purge
kerberos_ticket_use
jobkill
kill
link
ls
make_token
mkdir
mv
ppid
ps
pwd
rev2self
rm
rportfwd
socks
steal_token
timestomp
unlink
upload

House-keeping Commands

The following commands are built into Beacon and exist to configure Beacon or perform house-keeping actions. Some of these commands (e.g., clear, downloads, help, mode, note) do not generate a task for Beacon to execute.
cancel
checkin
clear
downloads
help
jobs
mode dns
mode dns-txt
mode dns6
mode http
note
powershell-import
sleep
socks stop
spawnto

Post-Exploitation Jobs (Process Execution + Remote Process Injection)

Many Beacon post-exploitation features spawn a process and inject a capability into that process. Beacon does this for a number of reasons: (i) it protects the agent if the capability crashes, and (ii) it makes it seamless for an x86 Beacon to launch x64 post-exploitation tasks. The following commands run as post-exploitation jobs:
browserpivot
bypassuac
covertvpn
dcsync
desktop
elevate
hashdump
keylogger
logonpasswords
mimikatz
net
portscan
powerpick
psinject
pth
screenshot
shspawn
spawn
ssh
ssh-key
wdigest

OPSEC Advice: Use the spawnto command to change the process Beacon will launch for its post-exploitation jobs. The default is rundll32.exe (you probably don't want that). The ppid command will change the parent process these jobs are run under as well.

Process Execution

These commands spawn a new process:
execute
runas
runu

OPSEC Advice: The ppid command will change the parent process of commands run by execute. The ppid command does not affect runas or spawnu.

Process Execution: Cmd.exe

The shell command depends on cmd.exe.

The pth and getsystem commands get honorable mention here. These commands rely on cmd.exe to pass a token to Beacon via a named pipe.

OPSEC Advice: The shell command uses the COMSPEC environment variable to find the preferred command-line interpreter on Windows. Use Aggressor Script's &bsetenv function to point COMSPEC to a different cmd.exe location, if needed. Use the ppid command to change the parent process the command-line interpreter is run under. To pth without cmd.exe, execute the pth steps by hand.

Process Execution: PowerShell.exe

The following commands launch powershell.exe to perform some task on your behalf.
powershell
spawnas
spawnu
winrm
wmi

OPSEC Advice: Use the ppid command to change the parent process powershell.exe is run under. Be aware that there are alternatives to each of these commands that do not use powershell.exe:
  • spawnu has runu, which runs an arbitrary command under another process.
  • spawnas has runas, which runs an arbitrary command as another user.
  • powershell has powerpick, which runs PowerShell scripts without powershell.exe.
  • It's also possible to move laterally without the winrm and wmi commands.
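The following Python sketch is an added example written from the defender's side; it is not code from the original post or from Cobalt Strike. It takes the facts stated above (post-exploitation jobs spawn a process and inject into it, the default spawnto is rundll32.exe, cmd.exe and powershell.exe are launched on the operator's behalf, and powerpick runs scripts without powershell.exe) and turns them into rules over constructed Sysmon-style process-creation (EventID 1), image-load (EventID 7) and CreateRemoteThread (EventID 8) records, so it also covers the Remote Process Injection section that follows. Field names follow Sysmon; the allowlists and sample records are constructed; and two points are assumptions not stated on the page: that the default job host is started with no command-line arguments, and that injection is done with a remote thread.

```python
"""Added example: detection sketch for the Beacon process behaviours above.

Records are modelled on Sysmon process-creation (EventID 1), image-load
(EventID 7) and CreateRemoteThread (EventID 8) events, reduced to the fields
the rules need. Every record and allowlist here is constructed for
illustration; tune the allowlists to the environment you defend.
"""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
Finding = Tuple[str, str]  # (rule name, detail)

# Constructed allowlist: parents that commonly launch a command-line interpreter.
EXPECTED_INTERPRETER_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe", "services.exe",
    "svchost.exe", "winlogon.exe", "code.exe",
}
INTERPRETERS = {"cmd.exe", "powershell.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe"}
AUTOMATION_DLLS = {"system.management.automation.dll",
                   "system.management.automation.ni.dll"}
# Constructed allowlist: processes expected to create threads in other processes.
EXPECTED_REMOTE_THREAD_SOURCES = {"csrss.exe", "wininit.exe", "services.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_create(ev: Event) -> List[Finding]:
    """Rules for a process-creation record."""
    findings: List[Finding] = []
    image = basename(str(ev["Image"]))
    parent = basename(str(ev["ParentImage"]))
    cmdline = str(ev.get("CommandLine", "")).strip().strip('"')
    # Rule 1: the default spawnto is rundll32.exe; the job host is assumed to be
    # started with no DLL argument, which legitimate rundll32 use always carries.
    if image == "rundll32.exe" and cmdline.lower().endswith("rundll32.exe"):
        findings.append(("rundll32-no-args", f"pid {ev['ProcessId']} parent {parent}"))
    # Rule 2: cmd.exe/powershell.exe spawned by a parent that does not normally do so.
    if image in INTERPRETERS and parent not in EXPECTED_INTERPRETER_PARENTS:
        findings.append(("interpreter-odd-parent", f"{parent} -> {image}"))
    return findings


def check_image_load(ev: Event) -> List[Finding]:
    """Rule 3: the PowerShell engine loaded into a host other than powershell.exe,
    which is the pattern behind running scripts 'without powershell.exe'."""
    image = basename(str(ev["Image"]))
    loaded = basename(str(ev["ImageLoaded"]))
    if loaded in AUTOMATION_DLLS and image not in POWERSHELL_HOSTS:
        return [("powershell-engine-in-other-host", f"{image} loaded {loaded}")]
    return []


def check_remote_thread(ev: Event) -> List[Finding]:
    """Rule 4: a thread created in another process by an unexpected source
    (assumes injection via a remote thread, which Sysmon records as EventID 8)."""
    src = basename(str(ev["SourceImage"]))
    tgt = basename(str(ev["TargetImage"]))
    if src not in EXPECTED_REMOTE_THREAD_SOURCES:
        return [("remote-thread-injection", f"{src} -> {tgt}")]
    return []


HANDLERS: Dict[int, Callable[[Event], List[Finding]]] = {
    1: check_process_create, 7: check_image_load, 8: check_remote_thread,
}


def scan(events: List[Event]) -> List[Finding]:
    """Run every record through the handler for its event type."""
    findings: List[Finding] = []
    for ev in events:
        handler = HANDLERS.get(int(ev["EventID"]))  # type: ignore[arg-type]
        if handler:
            findings.extend(handler(ev))
    return findings


# Constructed sample telemetry: one benign and one suspicious record per rule.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5008, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"EventID": 1, "ProcessId": 5132,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages\System.Management.Automation.ni.dll"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\rundll32.exe"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running the block on the constructed sample yields four findings, one per rule; the benign records (cmd.exe under explorer.exe, rundll32.exe with a real DLL argument, the engine inside powershell.exe, csrss.exe creating a thread) produce none. Note that the ppid command changes the parent the telemetry records, so rule 2 catches only the default parentage; the remote-thread and image-load rules do not depend on the parent.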

Remote Process Injection

The post-exploitation job commands (mentioned above) rely on process injection too. The other commands that inject into a remote process are:
dllinject
inject
shinject

Service Creation

The following internal Beacon commands create a service (either on the current host or a remote target) to run a command. These commands use Win32 APIs to create and manipulate services.
getsystem
psexec
psexec_psh
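As an added example (not code from the post or from Cobalt Strike), here is a Python review of service-installation records built around the fact above: these commands create a service whose purpose is to run a command rather than to host a long-lived service binary. The records are modelled on the Windows System log EventID 7045 (service installed) fields ServiceName, ImagePath and AccountName; the rules flag an ImagePath that invokes a command interpreter, carries an encoded PowerShell command, or points outside the directories where service binaries are expected. The directory allowlist and all sample records are constructed assumptions.

```python
"""Added example: review of constructed EventID 7045 records for services
whose ImagePath runs a command instead of a service binary."""
import re
from typing import Dict, List

# A service ImagePath normally names a service binary, not an interpreter that
# is handed a command to run.
INTERPRETER_RE = re.compile(r'(?:^|[\\/\s"])(?:cmd\.exe|powershell\.exe|%comspec%)', re.I)
# Abbreviations PowerShell accepts for -EncodedCommand.
ENCODED_FLAGS = {"-e", "-ec", "-en", "-enc", "-encodedcommand"}
# Constructed allowlist of directories service binaries are expected to live in.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\",
                 "c:\\program files (x86)\\")


def service_binary(image_path: str) -> str:
    """The executable part of an ImagePath: the quoted path, or the first token."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def check_service_install(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a service-installation record looks command-backed."""
    reasons: List[str] = []
    path = ev["ImagePath"]
    if INTERPRETER_RE.search(path):
        reasons.append("image-path-runs-interpreter")
    if {t.lower() for t in path.split()} & ENCODED_FLAGS:
        reasons.append("encoded-powershell-command")
    binary = service_binary(path).lower()
    if not binary.startswith(EXPECTED_DIRS):
        reasons.append("binary-outside-expected-dirs")
    return reasons


def review(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged ServiceName to its reasons; clean records are omitted."""
    flagged: Dict[str, List[str]] = {}
    for ev in events:
        reasons = check_service_install(ev)
        if reasons:
            flagged[ev["ServiceName"]] = reasons
    return flagged


# Constructed sample records: two ordinary services and three command-backed ones.
SAMPLE_7045: List[Dict[str, str]] = [
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor Agent\agent.exe" -service',
     "AccountName": "LocalSystem"},
    {"ServiceName": "svc_sample1", "ImagePath": r"%COMSPEC% /c echo service-test",
     "AccountName": "LocalSystem"},
    {"ServiceName": "svc_sample2",
     "ImagePath": r"powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER",
     "AccountName": "LocalSystem"},
    {"ServiceName": "UpdaterSvc", "ImagePath": r"C:\Windows\Temp\svc_sample.exe",
     "AccountName": "LocalSystem"},
]

if __name__ == "__main__":
    for name, reasons in review(SAMPLE_7045).items():
        print(f"{name}: {', '.join(reasons)}")
```

The interpreter rule fires on both %COMSPEC% and an explicit cmd.exe or powershell.exe path, which is why it does not depend on whether COMSPEC was redirected; the directory rule is a coarse heuristic and is the one most worth tuning to the hosts you monitor.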