Situational Awareness BOF

Installation

$ git clone https://github.com/trustedsec/CS-Situational-Awareness-BOF

Go to Cobalt Strike Script Manager, Load, then navigate to the SA.cna file within the clone. Upload the SA.cna file to CS.

Interacting with Beacon

Here is the list of commands that are inputted into Cobalt Strike.

command

Usage

notes

arp

Lists ARP table

adcs_enum

Enumerates CAs and templates in the AD using Win32 functions

adcs_enum_com

Enumerates CAs and templates in the AD using ICertConfig COM object

adcs_enum_com2

Enumerates CAs and templates in the AD using IX509PolicyServerListManager COM object

adv_audit_policies

Retrieves advanced security audit policies

cacls

cacls [filepath]

lists user permissions for the specified file, wildcards supported

dir

dir [directory] [/s]

List files in a directory. Supports wildcards (e.g. "C:\Windows\S*") the CobaltStrike ls command

driversigs

enumerate installed services Imagepaths to check the signing cert against known edr/av vendors

enum_filter_driver

enum_filter_driver [opt:computer]

Enumerates all the filter drivers

enumLocalSessions

Enumerate the currently attached user sessions both local and over rdp

env

Prints process environment variables

findLoadedModule

findLoadedModule [modulepart] [opt:procnamepart]

Finds what processes *modulepart* is loaded into, optionally searching just *procnamepart*

get_password_policy

get_password_policy [hostname]

Gets target server or domain's configured password policy and lockouts

ipconfig

Simply gets ipv4 addresses, hostname and dns server

ldapsearch

ldapsearch [query] [opt: attribute] [opt: results_limit] [opt: DC hostname or IP] [opt: Distingished Name]

Executes LDAP searches (NOTE: specify *,ntsecuritydescriptor as attribute if you want all attributes + base64 encoded ACL of the objects, this can then be resolved using BOFHound)

listdns

Pulls dns cache entries, attempts to query and resolve each

listmods

listmods [opt: pid]

List a process modules (DLL). Target current process if pid is empty. Complement to driversigs to determine if our process was injected by edr/av.

listpipes

Lists named pipes

locale

Display system locale language, locale id, date/time, and country

netstat

tcp / udp ipv4 netstat listing

netuser

netuser [username] [opt: domain]

Pulls info about specific user. Pulls from domain if a domainname is specified

netuse_add

netuse_add [sharename] [opt:username] [opt:password] [opt:/DEVICE:devicename] [opt:/PERSIST] [opt:/REQUIREPRIVACY]

bind a new connection to a remote machine

netuse_delete

netuse_delete [device||sharename] [opt:/PERSIST] [opt:/FORCE]

delete the bound device / sharename]

netuse_list

netuse_list [opt:target]

list all bound share resources or info about target local resource

netview

Gets a list of reachable servers in the current domain

netGroupList

netGroupList [opt: domain]

Lists Groups from the default (or specified) domain

netGroupListMembers

netGroupListMembers [groupname] [opt: domain]

Lists group members from the default (or specified) domain

netLocalGroupList

netLocalGroupList [opt: server]

List local groups from the local (or specified) computer

netLocalGroupListMembers

netLocalGroupListMembers [groupname] [opt: server]

Lists local groups from the local (or specified) computer

nslookup

nslookup [hostname] [opt:dns server] [opt: record type]

Makes a dns query. dns server is the server you want to query (do not specify or 0 for default) record type is something like A, AAAA, or ANY. Some situations are limited due to observed crashes.

probe

probe [host] [port]

Check if port is open

reg_query

[opt:hostname] [hive] [path] [opt: value to query]

queries a registry value or enumerates a single key

reg_query_recursive

[opt:hostname] [hive] [path]

recursively enumerates a key starting at path

routeprint

prints ipv4 configured routes

schtasksenum

schtasksenum [opt: server]

Enumerates all scheduled tasks on the local or if provided remote machine

schtasksquery

schtasksquery [opt: server] [taskpath]

Queries the given task from the local or if provided remote machine

sc_enum

sc_enum [opt:server]

Enumerates all services for qc, query, qfailure, and qtriggers info

sc_qc

sc_qc [service name] [opt:server]

sc qc impelmentation in bof

sc_qfailure

sc_qfailure [service name] [opt:server]

Queries a service for failure conditions

sc_qtriggerinfo

sc_qtriggerinfo [service name] [opt:server]

Queries a service for trigger conditions

sc_query

sc_query [opt: service name] [opt: server]

sc query implementation in bof

sc_qdescription

sc_qdescription [service name] [opt: server]

sc qdescription implementation in bof

tasklist

tasklist [opt: server]

Get a list of running processes including PID, PPID and ComandLine (uses wmi)

whoami

simulates whoami /all

windowlist

windowlist [opt:all]

lists visible windows in the current users session

wmi_query

wmi_query query [opt: server] [opt: namespace]

Run a wmi query and display results in CSV format

netsession

netsession [opt:computer]

Enumerates all sessions on the specified computer or the local one

resources

Prints memory usage and available disk space on the primary hard drive

uptime

Prints system boot time and how long it's been since then

vssenum

vssenum [hostname] [opt:sharename]

Enumerates shadow copies on some server 2012+ machines

PreviousBOFs and Aggressor Scripts NextHOLLOW BOF

Last updated 2 years ago

Interacting with Beacon

Here is the list of commands that are inputted into Cobalt Strike.

command

Usage

notes

arp

Lists ARP table

adcs_enum

Enumerates CAs and templates in the AD using Win32 functions

adcs_enum_com

Enumerates CAs and templates in the AD using ICertConfig COM object

adcs_enum_com2

Enumerates CAs and templates in the AD using IX509PolicyServerListManager COM object

adv_audit_policies

Retrieves advanced security audit policies

cacls

cacls [filepath]

lists user permissions for the specified file, wildcards supported

dir

dir [directory] [/s]

List files in a directory. Supports wildcards (e.g. "C:\Windows\S*") the CobaltStrike ls command

driversigs

enumerate installed services Imagepaths to check the signing cert against known edr/av vendors

enum_filter_driver

enum_filter_driver [opt:computer]

Enumerates all the filter drivers

enumLocalSessions

Enumerate the currently attached user sessions both local and over rdp

env

Prints process environment variables

findLoadedModule

findLoadedModule [modulepart] [opt:procnamepart]

Finds what processes *modulepart* is loaded into, optionally searching just *procnamepart*

get_password_policy

get_password_policy [hostname]

Gets target server or domain's configured password policy and lockouts

ipconfig

Simply gets ipv4 addresses, hostname and dns server

ldapsearch

ldapsearch [query] [opt: attribute] [opt: results_limit] [opt: DC hostname or IP] [opt: Distingished Name]

Executes LDAP searches (NOTE: specify *,ntsecuritydescriptor as attribute if you want all attributes + base64 encoded ACL of the objects, this can then be resolved using BOFHound)

listdns

Pulls dns cache entries, attempts to query and resolve each

listmods

listmods [opt: pid]

List a process modules (DLL). Target current process if pid is empty. Complement to driversigs to determine if our process was injected by edr/av.

listpipes

Lists named pipes

locale

Display system locale language, locale id, date/time, and country

netstat

tcp / udp ipv4 netstat listing

netuser

netuser [username] [opt: domain]

Pulls info about specific user. Pulls from domain if a domainname is specified

netuse_add

netuse_add [sharename] [opt:username] [opt:password] [opt:/DEVICE:devicename] [opt:/PERSIST] [opt:/REQUIREPRIVACY]

bind a new connection to a remote machine

netuse_delete

netuse_delete [device||sharename] [opt:/PERSIST] [opt:/FORCE]

delete the bound device / sharename]

netuse_list

netuse_list [opt:target]

list all bound share resources or info about target local resource

netview

Gets a list of reachable servers in the current domain

netGroupList

netGroupList [opt: domain]

Lists Groups from the default (or specified) domain

netGroupListMembers

netGroupListMembers [groupname] [opt: domain]

Lists group members from the default (or specified) domain

netLocalGroupList

netLocalGroupList [opt: server]

List local groups from the local (or specified) computer

netLocalGroupListMembers

netLocalGroupListMembers [groupname] [opt: server]

Lists local groups from the local (or specified) computer

nslookup

nslookup [hostname] [opt:dns server] [opt: record type]

Makes a dns query. dns server is the server you want to query (do not specify or 0 for default) record type is something like A, AAAA, or ANY. Some situations are limited due to observed crashes.

probe

probe [host] [port]

Check if port is open

reg_query

[opt:hostname] [hive] [path] [opt: value to query]

queries a registry value or enumerates a single key

reg_query_recursive

[opt:hostname] [hive] [path]

recursively enumerates a key starting at path

routeprint

prints ipv4 configured routes

schtasksenum

schtasksenum [opt: server]

Enumerates all scheduled tasks on the local or if provided remote machine

schtasksquery

schtasksquery [opt: server] [taskpath]

Queries the given task from the local or if provided remote machine

sc_enum

sc_enum [opt:server]

Enumerates all services for qc, query, qfailure, and qtriggers info

sc_qc

sc_qc [service name] [opt:server]

sc qc impelmentation in bof

sc_qfailure

sc_qfailure [service name] [opt:server]

Queries a service for failure conditions

sc_qtriggerinfo

sc_qtriggerinfo [service name] [opt:server]

Queries a service for trigger conditions

sc_query

sc_query [opt: service name] [opt: server]

sc query implementation in bof

sc_qdescription

sc_qdescription [service name] [opt: server]

sc qdescription implementation in bof

tasklist

tasklist [opt: server]

Get a list of running processes including PID, PPID and ComandLine (uses wmi)

whoami

simulates whoami /all

windowlist

windowlist [opt:all]

lists visible windows in the current users session

wmi_query

wmi_query query [opt: server] [opt: namespace]

Run a wmi query and display results in CSV format

netsession

netsession [opt:computer]

Enumerates all sessions on the specified computer or the local one

resources

Prints memory usage and available disk space on the primary hard drive

uptime

Prints system boot time and how long it's been since then

vssenum

vssenum [hostname] [opt:sharename]

Enumerates shadow copies on some server 2012+ machines