Operator Toolkits — Catalog & Reference.
Meterpreter, PowerShell, and the broader pentest toolkit catalog — recommended defaults per slot, with the Linux and Python operator notes that round out the kit.
Toolkit by slot — default + fallback
- C2. Default Sliver (open source, modern, robust). Fallback Cobalt Strike (still the polished baseline, IOC-loud). Mythic for engagements where modular agents are needed.
- Initial access — Windows. Default `InveighZero` for LLMNR/NBT-NS responder + `ntlmrelayx` chain. Fallback `responder` + `impacket-ntlmrelayx`.
- Credential dump — Windows. Default `nanodump` (PROCEXP152-style, bypasses many EDR LSASS hooks). Fallback `secretsdump.py -ntds` via VSS shadow copy on DC.
- Lateral movement. Default WinRM via `evil-winrm` (least loud), then SMB-Exec via `impacket-psexec`, last resort DCOM via `impacket-dcomexec`.
- Privilege escalation enum. Default `winPEAS`/`linPEAS`. Fallback `PowerUp.ps1` for Windows token paths.
- Exfiltration. Default DNS over Cloudflare DoH (`iodine`, custom). Fallback HTTPS to attacker domain with valid Let's Encrypt cert.
Meterpreter — commands to know cold
- Session management. `background`, `sessions -i N`, `sessions -u N` upgrade shell→meterpreter, `sessions -K` kill all.
- Pivoting. `route add 10.10.10.0/24 N`, then `auxiliary/server/socks_proxy` on operator side.
- Post-modules. `post/windows/gather/hashdump`, `post/windows/manage/migrate`, `post/multi/recon/local_exploit_suggester`.
- Don't. `getsystem` on EDR-hardened hosts — every technique it tries is flagged. Use credential-based pathways instead.
PowerShell that survives modern EDR
- AMSI bypass. Patch `amsi.dll!AmsiScanBuffer` in-memory before loading payload. Signatures rotate; use a current loader.
- Constrained Language Mode escape. Find a signed binary that loads attacker-controlled DLL (DLL hijack via signed COM/RunDLL surface).
- Avoid `Invoke-Expression`, `DownloadString`. Both ETW-logged and signature-matched. Prefer `[Reflection.Assembly]::Load([Convert]::FromBase64String(...))` with rotated obfuscation.
- Disable PowerShell logging at the script-block level. Patch ETW via `ntdll!EtwEventWrite` hook before any logged command.
Linux post-foothold
- Capability enum. `getcap -r / 2>/dev/null`. `cap_setuid`, `cap_dac_read_search`, `cap_sys_admin` are immediate paths to root.
- SUID chains. `find / -perm -4000 -type f 2>/dev/null`. Cross-check each result against GTFOBins.
- Kernel exploit selection. `uname -a` + `linux-exploit-suggester.sh`. Last resort only — kernel exploits crash hosts, document scope explicitly.
- Cron + systemd. `cat /etc/crontab /etc/cron.*/* 2>/dev/null`; `systemctl list-timers`. Writable cron scripts run as root often enough to check first.
- Mount + path injection. `mount | grep -v nosuid` for missing nosuid mount option; `echo $PATH` for writable PATH entries before root commands.
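As an added, defender-side example that is not part of this reference or of any tool it names: a small POSIX shell audit that turns the capability, nosuid-mount, cron-permission and PATH checks above into functions a host owner can run against captured command output or against the live system. The `getcap` and `mount` sample output is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: host-owner audit for the Linux misconfigurations listed above.
# Functions take raw command output (or a PATH string) so they can be run on
# text captured from a fleet as well as live. SAMPLE_* values are constructed.

# getcap -r output: "/path/bin cap_x=ep" (newer libcap) or "/path/bin = cap_x+ep".
# Either way the binary is the first field; flag the three root-equivalent caps.
flag_dangerous_caps() {
  printf '%s\n' "$1" | grep -E 'cap_(setuid|dac_read_search|sys_admin)' | awk '{print $1}'
}

# mount output: "<dev> on <mountpoint> type <fs> (<opts>)". Print mountpoints
# whose option list lacks nosuid, so set-uid binaries there would be honoured.
flag_mounts_missing_nosuid() {
  printf '%s\n' "$1" | awk '/ on / && $0 !~ /nosuid/ {print $3}'
}

# Cron scripts and timer units that any user can write will run as root on the
# next tick. -perm -002 (other-writable) is POSIX find syntax.
flag_world_writable() {
  find "$@" -type f -perm -002 2>/dev/null
}

# PATH hygiene for an account that runs privileged commands: an empty entry
# (leading, trailing or "::") means the current directory is searched; a
# missing directory can be created by whoever owns its parent; a directory
# writable by the auditing user lets that user shadow commands.
flag_writable_path_entries() {
  case ":$1:" in *::*) echo "(empty entry: current directory is searched)";; esac
  old_ifs=$IFS; IFS=:
  for dir in $1; do
    [ -n "$dir" ] || continue
    if [ ! -d "$dir" ]; then echo "$dir (missing)"
    elif [ -w "$dir" ]; then echo "$dir (writable)"
    fi
  done
  IFS=$old_ifs
}

# Constructed sample output, used by the tests and for a dry run.
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/opt/tools/helper cap_setuid=ep
/usr/bin/gdb cap_sys_admin=ep'
SAMPLE_MOUNT='/dev/sda1 on / type ext4 (rw,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev)
/dev/sdb1 on /home type ext4 (rw,relatime)'

# Live audit of this host; set AUDIT_LIVE=1 to enable.
audit_live() {
  echo "== root-equivalent capabilities";   flag_dangerous_caps "$(getcap -r / 2>/dev/null)"
  echo "== mounts without nosuid";          flag_mounts_missing_nosuid "$(mount)"
  echo "== world-writable cron scripts";    flag_world_writable /etc/crontab /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.weekly /etc/cron.monthly
  echo "== PATH entries to fix";            flag_writable_path_entries "$PATH"
}
[ "${AUDIT_LIVE:-0}" = 1 ] && audit_live
```

Run it with `AUDIT_LIVE=1 sh audit.sh` as the least-privileged account that still gets to run sudo; a mountpoint in the nosuid list such as `/` is expected, but `/home`, `/tmp` or `/dev/shm` without nosuid is a finding worth fixing in `/etc/fstab`.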
Rule of thumb: Match the tool to the host's defensive posture. Cobalt Strike on a vanilla Defender host is fine. Cobalt Strike on a Crowdstrike-managed host is a fast way to get caught. Know what they run before you load.