# Situational Awareness BOF

## Installation
```
$ git clone https://github.com/trustedsec/CS-Situational-Awareness-BOF
```

In Cobalt Strike, open the Script Manager, choose Load, then navigate to the `SA.cna` file inside the cloned repository. Loading `SA.cna` registers the commands below with Cobalt Strike.
## Interacting with Beacon

Here is the list of commands that are entered into the Cobalt Strike Beacon console.
| Command | Usage | Notes |
|---|---|---|
| arp | arp | Lists the ARP table |
| adcs_enum | adcs_enum | Enumerates CAs and templates in AD using Win32 functions |
| adcs_enum_com | adcs_enum_com | Enumerates CAs and templates in AD using the ICertConfig COM object |
| adcs_enum_com2 | adcs_enum_com2 | Enumerates CAs and templates in AD using the IX509PolicyServerListManager COM object |
| adv_audit_policies | adv_audit_policies | Retrieves advanced security audit policies |
| cacls | cacls [filepath] | Lists user permissions for the specified file; wildcards supported |
| dir | dir [directory] [/s] | Lists files in a directory. Supports wildcards (e.g. "C:\Windows\S*") the CobaltStrike |
| driversigs | driversigs | Enumerates installed services' ImagePaths and checks the signing cert against known EDR/AV vendors |
| enum_filter_driver | enum_filter_driver [opt:computer] | Enumerates all filter drivers |
| enumLocalSessions | enumLocalSessions | Enumerates the currently attached user sessions, both local and over RDP |
| env | env | Prints the process environment variables |
| findLoadedModule | findLoadedModule [modulepart] [opt:procnamepart] | Finds which processes *modulepart* is loaded into, optionally searching only processes matching *procnamepart* |
| get_password_policy | get_password_policy [hostname] | Gets the target server's or domain's configured password policy and lockout settings |
| ipconfig | ipconfig | Simply gets IPv4 addresses, hostname and DNS server |
| ldapsearch | ldapsearch [query] [opt: attribute] [opt: results_limit] [opt: DC hostname or IP] [opt: Distinguished Name] | Executes LDAP searches (NOTE: specify `*,ntsecuritydescriptor` as the attribute if you want all attributes plus the base64-encoded ACL of the objects; this can then be resolved using BOFHound) |
| listdns | listdns | Pulls DNS cache entries and attempts to query and resolve each |
| listmods | listmods [opt: pid] | Lists a process's modules (DLLs). Targets the current process if pid is empty. Complement to driversigs to determine whether our process was injected by EDR/AV. |
| listpipes | listpipes | Lists named pipes |
| locale | locale | Displays the system locale language, locale ID, date/time, and country |
| netstat | netstat | TCP/UDP IPv4 netstat listing |
| netuser | netuser [username] [opt: domain] | Pulls info about a specific user. Pulls from the domain if a domain name is specified |
| netuse_add | netuse_add [sharename] [opt:username] [opt:password] [opt:/DEVICE:devicename] [opt:/PERSIST] [opt:/REQUIREPRIVACY] | Binds a new connection to a remote machine |
| netuse_delete | netuse_delete [device\|\|sharename] [opt:/PERSIST] [opt:/FORCE] | Deletes the bound device / sharename |
| netuse_list | netuse_list [opt:target] | Lists all bound share resources, or info about the target local resource |
| netview | netview | Gets a list of reachable servers in the current domain |
| netGroupList | netGroupList [opt: domain] | Lists groups from the default (or specified) domain |
| netGroupListMembers | netGroupListMembers [groupname] [opt: domain] | Lists group members from the default (or specified) domain |
| netLocalGroupList | netLocalGroupList [opt: server] | Lists local groups from the local (or specified) computer |
| netLocalGroupListMembers | netLocalGroupListMembers [groupname] [opt: server] | Lists local group members from the local (or specified) computer |
| nslookup | nslookup [hostname] [opt:dns server] [opt: record type] | Makes a DNS query. dns server is the server you want to query (omit it or pass 0 for the default); record type is something like A, AAAA, or ANY. Some situations are limited due to observed crashes. |
| probe | probe [host] [port] | Checks whether a port is open |
| reg_query | reg_query [opt:hostname] [hive] [path] [opt: value to query] | Queries a registry value or enumerates a single key |
| reg_query_recursive | reg_query_recursive [opt:hostname] [hive] [path] | Recursively enumerates a key starting at path |
| routeprint | routeprint | Prints the configured IPv4 routes |
| schtasksenum | schtasksenum [opt: server] | Enumerates all scheduled tasks on the local machine or, if provided, the remote machine |
| schtasksquery | schtasksquery [opt: server] [taskpath] | Queries the given task on the local machine or, if provided, the remote machine |
| sc_enum | sc_enum [opt:server] | Enumerates all services for qc, query, qfailure, and qtriggers info |
| sc_qc | sc_qc [service name] [opt:server] | sc qc implementation in BOF |
| sc_qfailure | sc_qfailure [service name] [opt:server] | Queries a service for failure conditions |
| sc_qtriggerinfo | sc_qtriggerinfo [service name] [opt:server] | Queries a service for trigger conditions |
| sc_query | sc_query [opt: service name] [opt: server] | sc query implementation in BOF |
| sc_qdescription | sc_qdescription [service name] [opt: server] | sc qdescription implementation in BOF |
| tasklist | tasklist [opt: server] | Gets a list of running processes including PID, PPID and CommandLine (uses WMI) |
| whoami | whoami | Simulates whoami /all |
| windowlist | windowlist [opt:all] | Lists visible windows in the current user's session |
| wmi_query | wmi_query [query] [opt: server] [opt: namespace] | Runs a WMI query and displays the results in CSV format |
| netsession | netsession [opt:computer] | Enumerates all sessions on the specified computer, or the local one |
| resources | resources | Prints memory usage and available disk space on the primary hard drive |
| uptime | uptime | Prints the system boot time and how long it has been since then |
| vssenum | vssenum [hostname] [opt:sharename] | Enumerates shadow copies on some Server 2012+ machines |