Brinkles Pentesting Notebook

Situational Awareness BOF


Last updated 2 years ago

Installation

$ git clone https://github.com/trustedsec/CS-Situational-Awareness-BOF

In Cobalt Strike, open the Script Manager, click Load, then navigate to the SA.cna file inside the cloned repository and load it. This registers the BOF commands with Cobalt Strike.

Interacting with Beacon

Here is the list of commands the script makes available in the Beacon console.

| Command | Usage | Notes |
| --- | --- | --- |
| arp | arp | Lists the ARP table |
| adcs_enum | adcs_enum | Enumerates CAs and templates in the AD using Win32 functions |
| adcs_enum_com | adcs_enum_com | Enumerates CAs and templates in the AD using the ICertConfig COM object |
| adcs_enum_com2 | adcs_enum_com2 | Enumerates CAs and templates in the AD using the IX509PolicyServerListManager COM object |
| adv_audit_policies | adv_audit_policies | Retrieves advanced security audit policies |
| cacls | cacls [filepath] | Lists user permissions for the specified file; wildcards supported |
| dir | dir [directory] [/s] | Lists files in a directory. Supports wildcards (e.g. "C:\Windows\S*"), unlike the built-in Cobalt Strike ls command |
| driversigs | driversigs | Enumerates installed services' ImagePaths and checks the signing certificate against known EDR/AV vendors |
| enum_filter_driver | enum_filter_driver [opt:computer] | Enumerates all the filter drivers |
| enumLocalSessions | enumLocalSessions | Enumerates the currently attached user sessions, both local and over RDP |
| env | env | Prints the process environment variables |
| findLoadedModule | findLoadedModule [modulepart] [opt:procnamepart] | Finds which processes *modulepart* is loaded into, optionally searching only processes matching *procnamepart* |
| get_password_policy | get_password_policy [hostname] | Gets the target server's or domain's configured password and lockout policy |
| ipconfig | ipconfig | Simply gets IPv4 addresses, hostname and DNS server |
| ldapsearch | ldapsearch [query] [opt: attribute] [opt: results_limit] [opt: DC hostname or IP] [opt: Distinguished Name] | Executes LDAP searches (NOTE: specify *,ntsecuritydescriptor as the attribute if you want all attributes plus the base64-encoded ACL of the objects; this can then be resolved using BOFHound) |
| listdns | listdns | Pulls DNS cache entries and attempts to query and resolve each |
| listmods | listmods [opt: pid] | Lists a process's modules (DLLs). Targets the current process if pid is empty. Complements driversigs to determine whether our process was injected by EDR/AV. |
| listpipes | listpipes | Lists named pipes |
| locale | locale | Displays the system locale language, locale ID, date/time format and country |
| netstat | netstat | TCP/UDP IPv4 netstat listing |
| netuser | netuser [username] [opt: domain] | Pulls info about a specific user; pulls from the domain if a domain name is specified |
| netuse_add | netuse_add [sharename] [opt:username] [opt:password] [opt:/DEVICE:devicename] [opt:/PERSIST] [opt:/REQUIREPRIVACY] | Binds a new connection to a remote machine |
| netuse_delete | netuse_delete [device \| sharename] [opt:/PERSIST] [opt:/FORCE] | Deletes the bound device / share name |
| netuse_list | netuse_list [opt:target] | Lists all bound share resources, or info about the target local resource |
| netview | netview | Gets a list of reachable servers in the current domain |
| netGroupList | netGroupList [opt: domain] | Lists groups from the default (or specified) domain |
| netGroupListMembers | netGroupListMembers [groupname] [opt: domain] | Lists group members from the default (or specified) domain |
| netLocalGroupList | netLocalGroupList [opt: server] | Lists local groups from the local (or specified) computer |
| netLocalGroupListMembers | netLocalGroupListMembers [groupname] [opt: server] | Lists local group members from the local (or specified) computer |
| nslookup | nslookup [hostname] [opt:dns server] [opt: record type] | Makes a DNS query. dns server is the server you want to query (omit it or pass 0 for the default); record type is something like A, AAAA or ANY. Some situations are limited due to observed crashes. |
| probe | probe [host] [port] | Checks whether a port is open |
| reg_query | reg_query [opt:hostname] [hive] [path] [opt: value to query] | Queries a registry value or enumerates a single key |
| reg_query_recursive | reg_query_recursive [opt:hostname] [hive] [path] | Recursively enumerates a key starting at path |
| routeprint | routeprint | Prints the configured IPv4 routes |
| schtasksenum | schtasksenum [opt: server] | Enumerates all scheduled tasks on the local or, if provided, remote machine |
| schtasksquery | schtasksquery [opt: server] [taskpath] | Queries the given task from the local or, if provided, remote machine |
| sc_enum | sc_enum [opt:server] | Enumerates all services for qc, query, qfailure and qtriggers info |
| sc_qc | sc_qc [service name] [opt:server] | sc qc implementation in BOF |
| sc_qfailure | sc_qfailure [service name] [opt:server] | Queries a service for failure conditions |
| sc_qtriggerinfo | sc_qtriggerinfo [service name] [opt:server] | Queries a service for trigger conditions |
| sc_query | sc_query [opt: service name] [opt: server] | sc query implementation in BOF |
| sc_qdescription | sc_qdescription [service name] [opt: server] | sc qdescription implementation in BOF |
| tasklist | tasklist [opt: server] | Gets a list of running processes including PID, PPID and CommandLine (uses WMI) |
| whoami | whoami | Simulates whoami /all |
| windowlist | windowlist [opt:all] | Lists visible windows in the current user's session |
| wmi_query | wmi_query query [opt: server] [opt: namespace] | Runs a WMI query and displays the results in CSV format |
| netsession | netsession [opt:computer] | Enumerates all sessions on the specified computer or the local one |
| resources | resources | Prints memory usage and available disk space on the primary hard drive |
| uptime | uptime | Prints the system boot time and how long it has been since then |
| vssenum | vssenum [hostname] [opt:sharename] | Enumerates shadow copies on some Server 2012+ machines |

https://github.com/trustedsec/CS-Situational-Awareness-BOF