pse_host_recon

The pse_host_recon playbook uses an existing PowerShell Empire container task and a connected C2 agent to perform various host reconnaissance activities. This playbook does not create the required PowerShell Empire container task or C2 agent, so they must be initialized separately, for example via the c2_and_http_server playbook.

Requirements

Running this playbook requires the following pre-existing components:

  • A PowerShell Empire container task with an established connection from a C2 agent.

    Note that the PowerShell Empire task name and C2 agent name used by the playbook must be specified in the task_name and agent_name parameters when configuring the playbook.

Architecture

The architecture and workflow of this playbook looks as follows:

[Architecture diagram]

Configuration

To configure the pse_host_recon playbook, use the ./havoc -c CLI option, select the number associated with the pse_host_recon playbook and provide the requested details.

Required parameters:
[c2_task]
task_name - the task name assigned to the PowerShell Empire task.
agent_name - the name assigned to the agent that is connected to the PowerShell Empire task.

[module]
Enable - indicates whether this module should be executed by the playbook (True|False).
Module - the PowerShell Empire module to execute.

Optional parameters present for all modules:
completion_string - a string that should be present in the results to indicate the module is done. If not specified, results are returned as soon as any results data becomes available, which may lead to incomplete results being returned.

Additional parameters per module:
[antivirusproduct]
ComputerName - (optional) host name or IP address of a computer to gather results from. If not specified, results are gathered from the local host.

[dnsserver]
No additional parameters.

[get_proxy]
ComputerName - (optional) host name or IP address of a computer to gather results from. If not specified, results are gathered from the local host.

[get_uaclevel]
No additional parameters.

[winenum]
Keywords - (optional) specify a keyword or array of keywords to use in file searches.
UserName - (optional) specify a user to enumerate. The default is the current user context.

$ ./havoc -c
1) activity_report       3) pse_host_recon         5) pse_network_recon
2) c2_and_http_server    4) pse_lateral_movement   6) simple_exfil
Select a playbook to configure: 3
Configuring playbook pse_host_recon.

If you have previously configured this playbook, configuring it again will delete the existing configuration.
Are you sure you want to continue? [Y/N]: y

Creating a customized pse_host_recon.ini file.
Provide a value for each parameter.
Press enter without providing a value to accept the default.

[c2_task]
task_name [c2-http_mm_dd_YYYY_HH_MM]: <c2_task_name>
agent_name [1w2x3y4z]: <agent_name>

[antivirusproduct]
Enable [True]: 
Module [powershell/situational_awareness/host/antivirusproduct]: 
ComputerName []: 
completion_string [completed]: 

[dnsserver]
Enable [True]: 
Module [powershell/situational_awareness/host/dnsserver]: 
completion_string [completed]: 

[get_proxy]
Enable [True]: 
Module [powershell/situational_awareness/host/get_proxy]: 
ComputerName []: 
completion_string [completed]: 

[get_uaclevel]
Enable [True]: 
Module [powershell/situational_awareness/host/get_uaclevel]: 
completion_string [completed]: 

[winenum]
Enable [True]: 
Module [powershell/situational_awareness/host/winenum]: 
Keywords []: 
UserName []: 
completion_string [Firewall]:

<snip - installing required Python modules>

Playbook pse_host_recon configured.
$
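The configuration session above writes a customized pse_host_recon.ini. The following added example (not code from the ./HAVOC project) shows how that file's structure can be loaded and validated before a run: it checks that the required [c2_task] values are present, collects only the modules with Enable set to True, drops empty module options so the module defaults apply, and mirrors the completion_string rule described under the optional parameters. The ini layout and the SAMPLE_INI contents are assumptions constructed from the prompts shown above.

```python
import configparser

# Constructed sample pse_host_recon.ini; the layout is assumed from the
# configuration prompts above, not copied from the ./HAVOC project.
SAMPLE_INI = """
[c2_task]
task_name = c2-http_01_01_2020_00_00
agent_name = 1w2x3y4z
[antivirusproduct]
Enable = True
Module = powershell/situational_awareness/host/antivirusproduct
ComputerName =
completion_string = completed
[dnsserver]
Enable = False
Module = powershell/situational_awareness/host/dnsserver
[winenum]
Enable = True
Module = powershell/situational_awareness/host/winenum
Keywords = report
UserName =
completion_string = Firewall
"""

CONTROL_KEYS = ("Enable", "Module", "completion_string")

def load_playbook_config(text):
    """Return (c2_task dict, enabled module list); raise ValueError on gaps."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case: modules expect e.g. ComputerName
    cp.read_string(text)
    c2 = {k: cp.get("c2_task", k, fallback="").strip() for k in ("task_name", "agent_name")}
    if missing := [k for k, v in c2.items() if not v]:
        raise ValueError("missing [c2_task] parameter(s): " + ", ".join(missing))
    modules = []
    for name in cp.sections():
        sec = cp[name]
        if name == "c2_task" or not sec.getboolean("Enable", fallback=False):
            continue
        if not sec.get("Module", "").strip():
            raise ValueError(f"[{name}] is enabled but has no Module")
        # Empty options are dropped so module defaults apply (e.g. local host).
        opts = {k: v.strip() for k, v in sec.items() if k not in CONTROL_KEYS and v.strip()}
        modules.append({"name": name, "module": sec["Module"].strip(),
                        "completion_string": sec.get("completion_string", "").strip(),
                        "options": opts})
    return c2, modules

def results_complete(results, completion_string):
    """Playbook rule: no completion_string -> any data counts as done (maybe partial)."""
    return bool(results) if not completion_string else completion_string in results
```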

Execution

To execute the pse_host_recon playbook, run the following ./HAVOC CLI command (where <profile> is replaced with the ./HAVOC config profile name that you would like to authenticate to the ./HAVOC API with):

$ ./havoc -e pse_host_recon <profile>

Clean up

Error handling
If the playbook encounters errors during execution, it will self-terminate. If the playbook hangs on a specific task, you can press Ctrl+C to terminate the playbook.

Successful execution
After the playbook executes all operations successfully, it will self-terminate.

Associated resources
This playbook does not create any resources.