Host Reconnaissance

Running Processes

beacon> ps

[*] This Beacon PID:    YELLOW 7480  
 PID   PPID  Name                                   Arch  Session     User
 ---   ----  ----                                   ----  -------     ----
 0     0     [System Process]                                         
 4     0         System                                               
 88    4             Registry                                         
 364   4             smss.exe                                         
 1532  4             Memory Compression                               
 464   456   csrss.exe                                                
 540   532   csrss.exe                                                
 564   456   wininit.exe                                              
 680   564       services.exe                                         
 448   680           svchost.exe                                      
 2812  448               taskhostw.exe              x64   2           DEV\bfarmer
 4632  448               mmc.exe                                      
 4796  448               sihost.exe                 x64   2           DEV\bfarmer
 6048  448               taskhostw.exe              x64   2           DEV\bfarmer
 7896  448               powershell.exe             x64   2           DEV\bfarmer
 2252  7896                  conhost.exe            x64   2           DEV\bfarmer
 8088  7896                  powershell.exe         x64   2           DEV\bfarmer

There are several interesting processes here including Sysmon64, MsMpEng, elastic-endpoint, and elastic-agent. When running in medium integrity (i.e. a standard user), you will not be able to see arch, session and user information for processes that your current user does not own.

Seatbelt

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system

====== AntiVirus ======

  Engine                         : Windows Defender
  ProductEXE                     : windowsdefender://
  ReportingEXE                   : %ProgramFiles%\Windows Defender\MsMpeng.exe

====== AppLocker ======

    [*] Applocker is not running because the AppIDSvc is not running

====== DotNet ======

  Installed CLR Versions
      4.0.30319

  Installed .NET Versions
      4.8.04084

  Anti-Malware Scan Interface (AMSI)
      OS supports AMSI           : True
     .NET version support AMSI   : True
        [!] The highest .NET version is enrolled in AMSI!

====== InternetSettings ======

  HKCU                       ProxyEnable : 1
  HKCU                     ProxyOverride : *.cyberbotic.io;<local>
  HKCU                       ProxyServer : squid.dev.cyberbotic.io:3128

====== LAPS ======

  LAPS Enabled                          : False

====== OSInfo ======

  Hostname                      :  wkstn-2
  Domain Name                   :  dev.cyberbotic.io
  Username                      :  DEV\bfarmer
  Build                         :  19044.1889
  BuildBranch                   :  vb_release
  CurrentMajorVersionNumber     :  10
  CurrentVersion                :  6.3
  Architecture                  :  AMD64
  IsLocalAdmin                  :  True
    [*] In medium integrity but user is a local administrator - UAC can be bypassed.
  TimeZone                      :  Coordinated Universal Time

====== PowerShell ======

  Installed CLR Versions
      4.0.30319

  Installed PowerShell Versions
      2.0
        [!] Version 2.0.50727 of the CLR is not installed - PowerShell v2.0 won't be able to run.
      5.1.19041.1

====== UAC ======

  ConsentPromptBehaviorAdmin     : 5 - PromptForNonWindowsBinaries
  EnableLUA (Is UAC enabled?)    : 1

One thing to note from this output is that there's a web proxy in place - squid.dev.cyberbotic.io. This has implications for HTTP(S) C2 for a variety of reasons.

PreviousLAPS Backdoors NextWindows

Last updated 1 day ago

beacon> ps [*] This Beacon PID: YELLOW 7480 PID PPID Name Arch Session User --- ---- ---- ---- ------- ---- 0 0 [System Process] 4 0 System 88 4 Registry 364 4 smss.exe 1532 4 Memory Compression 464 456 csrss.exe 540 532 csrss.exe 564 456 wininit.exe 680 564 services.exe 448 680 svchost.exe 2812 448 taskhostw.exe x64 2 DEV\bfarmer 4632 448 mmc.exe 4796 448 sihost.exe x64 2 DEV\bfarmer 6048 448 taskhostw.exe x64 2 DEV\bfarmer 7896 448 powershell.exe x64 2 DEV\bfarmer 2252 7896 conhost.exe x64 2 DEV\bfarmer 8088 7896 powershell.exe x64 2 DEV\bfarmer

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system ====== AntiVirus ====== Engine : Windows Defender ProductEXE : windowsdefender:// ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe ====== AppLocker ====== [*] Applocker is not running because the AppIDSvc is not running ====== DotNet ====== Installed CLR Versions 4.0.30319 Installed .NET Versions 4.8.04084 Anti-Malware Scan Interface (AMSI) OS supports AMSI : True .NET version support AMSI : True [!] The highest .NET version is enrolled in AMSI! ====== InternetSettings ====== HKCU ProxyEnable : 1 HKCU ProxyOverride : *.cyberbotic.io;<local> HKCU ProxyServer : squid.dev.cyberbotic.io:3128 ====== LAPS ====== LAPS Enabled : False ====== OSInfo ====== Hostname : wkstn-2 Domain Name : dev.cyberbotic.io Username : DEV\bfarmer Build : 19044.1889 BuildBranch : vb_release CurrentMajorVersionNumber : 10 CurrentVersion : 6.3 Architecture : AMD64 IsLocalAdmin : True [*] In medium integrity but user is a local administrator - UAC can be bypassed. TimeZone : Coordinated Universal Time ====== PowerShell ====== Installed CLR Versions 4.0.30319 Installed PowerShell Versions 2.0 [!] Version 2.0.50727 of the CLR is not installed - PowerShell v2.0 won't be able to run. 5.1.19041.1 ====== UAC ====== ConsentPromptBehaviorAdmin : 5 - PromptForNonWindowsBinaries EnableLUA (Is UAC enabled?) : 1