What is host reconnaissance?
After establishing foothold on a host, it is necessary to evaluate the environment further before trying to exploit anything. For example, on Windows we should look for:
- AV, EDR presence
- Windows audit policies
- PowerShell logging
- Event forwarding
- etc
In order to bypass defense in depth, we must employ “offense in depth.” For instance, if PowerShell logging is enabled, then we must avoid using PowerShell related tools and find alternatives (e.g. .NET).
For Windows, run Seatbelt
- in Cobalt Strike:
beacon> execute-assembly Seatbelt.exe -group=system - ”It can check for security configurations such as OS info, AV, AppLocker, LAPS, PowerShell logging, audit policies, .NET versions, firewall rules, and more.”
- Seatbelt should be one of the first things to execute on a host machine
- check if web proxy is in place, since web proxy may block C2 traffic
Other tools
- LinPEAS/WinPEAS
- manual host enumeration