Situational Awareness BOF
Installation
$ git clone https://github.com/trustedsec/CS-Situational-Awareness-BOF
In Cobalt Strike open the Script Manager, click Load and select the SA.cna file inside the cloned repository. Loading SA.cna registers the commands below in the Beacon console.
Interacting with Beacon
Here is the list of commands that become available in the Beacon console once SA.cna is loaded. Each entry gives the command name, its usage and a short description; arguments in [brackets] are positional and those marked opt: may be omitted.
arp
arp
Lists ARP table
adcs_enum
adcs_enum
Enumerates CAs and templates in the AD using Win32 functions
adcs_enum_com
adcs_enum_com
Enumerates CAs and templates in the AD using ICertConfig COM object
adcs_enum_com2
adcs_enum_com2
Enumerates CAs and templates in the AD using IX509PolicyServerListManager COM object
adv_audit_policies
adv_audit_policies
Retrieves advanced security audit policies
cacls
cacls [filepath]
Lists user permissions for the specified file; wildcards are supported
dir
dir [directory] [/s]
Lists files in a directory. Supports wildcards (e.g. "C:\Windows\S*"), unlike the Cobalt Strike ls command
driversigs
driversigs
Enumerates the ImagePath of every installed service and checks each binary's signing certificate against a list of known EDR/AV vendors
enum_filter_driver
enum_filter_driver [opt:computer]
Enumerates all the filter drivers
enumLocalSessions
enumLocalSessions
Enumerates the currently attached user sessions, both local and over RDP
env
env
Prints process environment variables
findLoadedModule
findLoadedModule [modulepart] [opt:procnamepart]
Finds what processes *modulepart* is loaded into, optionally searching just *procnamepart*
get_password_policy
get_password_policy [hostname]
Gets target server or domain's configured password policy and lockouts
ipconfig
ipconfig
Gets IPv4 addresses, hostname and DNS server
ldapsearch
ldapsearch [query] [opt: attribute] [opt: results_limit] [opt: DC hostname or IP] [opt: Distinguished Name]
Executes LDAP searches. NOTE: specify *,ntsecuritydescriptor as the attribute to return all attributes plus the base64-encoded security descriptor (ACL) of each object; the descriptors can then be resolved using BOFHound
listdns
listdns
Pulls DNS cache entries and attempts to query and resolve each
listmods
listmods [opt: pid]
Lists a process's modules (DLLs); targets the current process if pid is empty. Complements driversigs for determining whether an EDR/AV product has injected into our process
listpipes
listpipes
Lists named pipes
locale
locale
Display system locale language, locale id, date/time, and country
netstat
netstat
TCP/UDP IPv4 netstat listing
netuser
netuser [username] [opt: domain]
Pulls info about a specific user; pulls from the domain if a domain name is specified
netuse_add
netuse_add [sharename] [opt:username] [opt:password] [opt:/DEVICE:devicename] [opt:/PERSIST] [opt:/REQUIREPRIVACY]
Binds a new connection to a remote machine
netuse_delete
netuse_delete [device||sharename] [opt:/PERSIST] [opt:/FORCE]
Deletes the bound device or sharename
netuse_list
netuse_list [opt:target]
list all bound share resources or info about target local resource
netview
netview
Gets a list of reachable servers in the current domain
netGroupList
netGroupList [opt: domain]
Lists Groups from the default (or specified) domain
netGroupListMembers
netGroupListMembers [groupname] [opt: domain]
Lists group members from the default (or specified) domain
netLocalGroupList
netLocalGroupList [opt: server]
List local groups from the local (or specified) computer
netLocalGroupListMembers
netLocalGroupListMembers [groupname] [opt: server]
Lists the members of a local group on the local (or specified) computer
nslookup
nslookup [hostname] [opt:dns server] [opt: record type]
Makes a DNS query. dns server is the server to query (omit it, or pass 0, for the default); record type is a type such as A, AAAA or ANY. Some combinations are limited because they were observed to crash
probe
probe [host] [port]
Check if port is open
reg_query
reg_query [opt:hostname] [hive] [path] [opt: value to query]
Queries a registry value or enumerates a single key
reg_query_recursive
reg_query_recursive [opt:hostname] [hive] [path]
Recursively enumerates a key starting at path
routeprint
routeprint
prints ipv4 configured routes
schtasksenum
schtasksenum [opt: server]
Enumerates all scheduled tasks on the local or if provided remote machine
schtasksquery
schtasksquery [opt: server] [taskpath]
Queries the given task from the local or if provided remote machine
sc_enum
sc_enum [opt:server]
Enumerates all services for qc, query, qfailure, and qtriggers info
sc_qc
sc_qc [service name] [opt:server]
sc qc implementation in BOF
sc_qfailure
sc_qfailure [service name] [opt:server]
Queries a service for failure conditions
sc_qtriggerinfo
sc_qtriggerinfo [service name] [opt:server]
Queries a service for trigger conditions
sc_query
sc_query [opt: service name] [opt: server]
sc query implementation in BOF
sc_qdescription
sc_qdescription [service name] [opt: server]
sc qdescription implementation in BOF
tasklist
tasklist [opt: server]
Gets a list of running processes including PID, PPID and CommandLine (uses WMI)
whoami
whoami
simulates whoami /all
windowlist
windowlist [opt:all]
lists visible windows in the current users session
wmi_query
wmi_query query [opt: server] [opt: namespace]
Run a wmi query and display results in CSV format
netsession
netsession [opt:computer]
Enumerates all sessions on the specified computer or the local one
resources
resources
Prints memory usage and available disk space on the primary hard drive
uptime
uptime
Prints system boot time and how long it's been since then
vssenum
vssenum [hostname] [opt:sharename]
Enumerates shadow copies on some Server 2012+ machines
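The check that driversigs performs (and that listmods complements) is easy to get wrong on the path side: a service ImagePath is rarely a plain absolute path. The following Python is an added example written for this page, not code from the TrustedSec BOF. It normalizes the raw ImagePath forms found under service keys (quoted paths, trailing arguments, the \??\ and \SystemRoot\ prefixes, %SystemRoot% and bare system32-relative paths), then matches the signer of each binary against vendor strings. SYSTEM_ROOT is an assumed value; SERVICES, SIGNERS and KNOWN_VENDORS are constructed sample data, the signer table standing in for the Authenticode subject the BOF reads from disk, since this script runs offline and opens no files.

```python
import re

SYSTEM_ROOT = r"C:\Windows"  # assumption: %SystemRoot% on the target host

# Constructed sample of raw ImagePath values as read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. None is a plain absolute path.
SERVICES = {
    "WdFilter": r"system32\DRIVERS\WdFilter.sys",
    "WinDefend": r'"C:\Program Files\Windows Defender\MsMpEng.exe"',
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted -p",
    "csagent": r"\??\C:\Windows\system32\drivers\csagent.sys",
    "SentinelMonitor": r"\SystemRoot\system32\drivers\SentinelMonitor.sys",
    "VendorSvc": r"C:\Program Files\Vendor Tools\agent.exe -service",
}

# Constructed stand-in for the Authenticode signer subject driversigs reads from each
# binary; offline this script cannot open the files, so this lookup table replaces that step.
SIGNERS = {
    r"C:\Windows\system32\DRIVERS\WdFilter.sys": "Microsoft Windows",
    r"C:\Program Files\Windows Defender\MsMpEng.exe": "Microsoft Windows Publisher",
    r"C:\Windows\system32\svchost.exe": "Microsoft Windows",
    r"C:\Windows\system32\drivers\csagent.sys": "CrowdStrike, Inc.",
    r"C:\Windows\system32\drivers\SentinelMonitor.sys": "Sentinel Labs, Inc.",
    r"C:\Program Files\Vendor Tools\agent.exe": "Vendor Tools LLC",
}

# Illustrative signer substrings for security products; the BOF ships its own list
KNOWN_VENDORS = ["CrowdStrike", "Sentinel", "Carbon Black", "Cylance", "Sophos", "Symantec",
                 "McAfee", "Trend Micro", "ESET", "Kaspersky", "Palo Alto", "Elastic"]

# Unquoted paths may contain spaces ("C:\Program Files\..."), so cut at the first
# .exe/.sys/.dll that is followed by whitespace or the end of the value
_BINARY_RE = re.compile(r"^(.*?\.(?:exe|sys|dll))(?:\s|$)", re.IGNORECASE)


def normalize_image_path(raw):
    """Turn a raw ImagePath value into the absolute path of the binary it launches."""
    raw = raw.strip()
    if raw.startswith('"'):
        path = raw[1:raw.index('"', 1)]  # quoted: everything up to the closing quote
    else:
        m = _BINARY_RE.match(raw)
        path = m.group(1) if m else raw.split()[0]
    low = path.lower()
    if low.startswith("\\??\\"):             # NT object-manager prefix used by drivers
        path = path[4:]
    elif low.startswith("\\systemroot\\"):   # NT-style SystemRoot alias
        path = SYSTEM_ROOT + path[len("\\systemroot"):]
    elif low.startswith(("%systemroot%", "%windir%")):
        path = SYSTEM_ROOT + path[path.index("%", 1) + 1:]
    elif not re.match(r"^[a-z]:\\", low):    # bare relative path such as system32\drivers\x.sys
        path = SYSTEM_ROOT + "\\" + path.lstrip("\\")
    return path


def classify_services(services, signers, vendors):
    """Return {service: (normalized_path, signer, matched_vendor_or_None)}."""
    signer_by_path = {k.lower(): v for k, v in signers.items()}
    result = {}
    for name, raw in services.items():
        path = normalize_image_path(raw)
        signer = signer_by_path.get(path.lower(), "<unsigned or unreadable>")
        hit = next((v for v in vendors if v.lower() in signer.lower()), None)
        result[name] = (path, signer, hit)
    return result


def flagged_services(services=SERVICES, signers=SIGNERS, vendors=KNOWN_VENDORS):
    """Names of services whose binary is signed by a known security vendor, sorted."""
    return sorted(n for n, (_, _, hit) in classify_services(services, signers, vendors).items() if hit)


if __name__ == "__main__":
    for name, (path, signer, hit) in classify_services(SERVICES, SIGNERS, KNOWN_VENDORS).items():
        print("%-16s %-55s %-28s %s" % (name, path, signer, hit or "-"))
```

Note that Defender is not flagged here because its signer is a Microsoft subject; a signer-only check needs either the vendor list to cover it or a second pass on path or service name, which is the same limitation to keep in mind when reading driversigs output.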
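To show what the *,ntsecuritydescriptor note under ldapsearch actually hands back, here is an added Python example, written for this page and not code from ldapsearch, BOFHound or any other project. It decodes a base64 self-relative security descriptor as LDAP returns it, walks the DACL (plain and object ACEs, SIDs and ObjectType GUIDs), and reports the ACEs an operator looks for: GenericAll, WriteDacl, WriteOwner and the DS-Replication-Get-Changes control access right. The descriptor it parses is constructed in the block with a small builder so the script runs offline; the domain SIDs are made up, while the extended-right GUID is the one documented in MS-ADTS.

```python
import base64
import struct
import uuid
ALLOWED_ACE_TYPES, OBJECT_ACE_TYPES = {0x00, 0x05}, {0x05, 0x06}  # winnt.h: 0/1 plain allow/deny, 5/6 AD object variants
GENERIC_ALL, WRITE_DACL, WRITE_OWNER = 0x10000000, 0x00040000, 0x00080000
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100
GUID_DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # MS-ADTS extended right (DCSync)

def sid_to_bytes(sid):
    # 'S-1-5-21-...' -> revision, subauthority count, 48-bit big-endian authority, LE subauthorities
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(s) for s in parts[3:]]
    return struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big") + b"".join(struct.pack("<I", s) for s in subs)

def parse_sid(buf, off):
    """Return (sid_string, encoded_size) for the binary SID at buf[off:]."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count

def build_ace(ace_type, mask, sid, object_type=None, ace_flags=0):
    # object ACEs carry a flags DWORD and an optional ObjectType GUID between the mask and the SID
    body = struct.pack("<I", mask)
    if ace_type in OBJECT_ACE_TYPES:
        body += struct.pack("<I", 1 if object_type else 0)  # ACE_OBJECT_TYPE_PRESENT
        if object_type:
            body += uuid.UUID(object_type).bytes_le
    body += sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body

def build_sd(owner, group, aces):
    """Self-relative SECURITY_DESCRIPTOR: 20-byte header, owner SID, group SID, DACL (no SACL)."""
    acl_body = b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(acl_body), len(aces), 0) + acl_body  # ACL_REVISION_DS
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    off_owner, off_group = 20, 20 + len(owner_b)
    control = 0x8000 | 0x0004  # SE_SELF_RELATIVE | SE_DACL_PRESENT
    header = struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, 0, off_group + len(group_b))
    return header + owner_b + group_b + acl

def parse_ace(buf, off):
    ace_type, ace_flags, size = struct.unpack_from("<BBH", buf, off)
    mask, = struct.unpack_from("<I", buf, off + 4)
    p, obj_type = off + 8, None
    if ace_type in OBJECT_ACE_TYPES:
        obj_flags, = struct.unpack_from("<I", buf, p)
        p += 4
        if obj_flags & 1:  # ACE_OBJECT_TYPE_PRESENT
            obj_type = str(uuid.UUID(bytes_le=bytes(buf[p:p + 16])))
            p += 16
        if obj_flags & 2:  # ACE_INHERITED_OBJECT_TYPE_PRESENT: skip that GUID
            p += 16
    sid, _ = parse_sid(buf, p)
    return {"type": ace_type, "flags": ace_flags, "mask": mask, "object_type": obj_type, "sid": sid}, size

def parse_security_descriptor(b64):
    """Decode a base64 nTSecurityDescriptor value into owner, group and the list of DACL ACEs."""
    buf = base64.b64decode(b64)
    rev, _, control, off_owner, off_group, _, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:
        raise ValueError("expected a revision-1 self-relative security descriptor")
    aces, p = [], off_dacl + 8  # ACEs follow the 8-byte ACL header
    count = struct.unpack_from("<H", buf, off_dacl + 4)[0] if control & 0x0004 and off_dacl else 0
    for _ in range(count):
        ace, size = parse_ace(buf, p)
        aces.append(ace)
        p += size
    return {"owner": parse_sid(buf, off_owner)[0] if off_owner else None,
            "group": parse_sid(buf, off_group)[0] if off_group else None, "dacl": aces}

def dangerous_aces(sd):
    """Allow ACEs granting GenericAll, WriteDacl, WriteOwner or DS-Replication-Get-Changes."""
    hits = []
    for ace in sd["dacl"]:
        if ace["type"] not in ALLOWED_ACE_TYPES:
            continue  # deny ACEs never grant anything
        for bit, name in ((GENERIC_ALL, "GenericAll"), (WRITE_DACL, "WriteDacl"), (WRITE_OWNER, "WriteOwner")):
            if ace["mask"] & bit:
                hits.append((ace["sid"], name))
        # a control-access ACE with no ObjectType grants every extended right, so None counts too
        if ace["mask"] & ADS_RIGHT_DS_CONTROL_ACCESS and ace["object_type"] in (None, GUID_DS_REPL_GET_CHANGES):
            hits.append((ace["sid"], "DS-Replication-Get-Changes"))
    return hits

# Constructed sample with made-up domain SIDs: it grants the DCSync replication right to a low-privilege user
DOMAIN_ADMINS = "S-1-5-21-1004336348-1177238915-682003330-512"
LOWPRIV_USER = "S-1-5-21-1004336348-1177238915-682003330-1105"
ENTERPRISE_DCS = "S-1-5-9"
SAMPLE_SD_B64 = base64.b64encode(build_sd(DOMAIN_ADMINS, DOMAIN_ADMINS, [
    build_ace(0x00, GENERIC_ALL, DOMAIN_ADMINS),
    build_ace(0x05, ADS_RIGHT_DS_CONTROL_ACCESS, ENTERPRISE_DCS, GUID_DS_REPL_GET_CHANGES),
    build_ace(0x05, ADS_RIGHT_DS_CONTROL_ACCESS, LOWPRIV_USER, GUID_DS_REPL_GET_CHANGES),
    build_ace(0x01, WRITE_DACL, LOWPRIV_USER),  # explicit deny: must not be reported
])).decode()

if __name__ == "__main__":
    for sid, right in dangerous_aces(parse_security_descriptor(SAMPLE_SD_B64)):
        print(sid, right)
```

Against real ldapsearch output you would feed each object's base64 attribute value to parse_security_descriptor and resolve the SIDs it returns with netuser or another ldapsearch; the parser stops at the DACL, which is all that matters for rights, and ignores the SACL.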