# Situational Awareness BOF

## Installation

```shell
$ git clone https://github.com/trustedsec/CS-Situational-Awareness-BOF
```

In Cobalt Strike, open the Script Manager, click Load, then navigate to the SA.cna file inside the cloned repository. This loads SA.cna into Cobalt Strike.

## Interacting with Beacon

The following commands can be entered in the Cobalt Strike Beacon console once SA.cna is loaded.

| Command | Usage | Notes |
| --- | --- | --- |
| arp | arp | Lists the ARP table |
| adcs\_enum | adcs\_enum | Enumerates CAs and templates in AD using Win32 functions |
| adcs\_enum\_com | adcs\_enum\_com | Enumerates CAs and templates in AD using the ICertConfig COM object |
| adcs\_enum\_com2 | adcs\_enum\_com2 | Enumerates CAs and templates in AD using the IX509PolicyServerListManager COM object |
| adv\_audit\_policies | adv\_audit\_policies | Retrieves advanced security audit policies |
| cacls | cacls \[filepath] | Lists user permissions for the specified file; wildcards supported |
| dir | dir \[directory] \[/s] | Lists files in a directory. Supports wildcards (e.g. "C:\Windows\S\*"), unlike the Cobalt Strike `ls` command |
| driversigs | driversigs | Enumerates installed services' ImagePaths and checks the signing certificate against known EDR/AV vendors |
| enum\_filter\_driver | enum\_filter\_driver \[opt:computer] | Enumerates all filter drivers |
| enumLocalSessions | enumLocalSessions | Enumerates the currently attached user sessions, both local and over RDP |
| env | env | Prints process environment variables |
| findLoadedModule | findLoadedModule \[modulepart] \[opt:procnamepart] | Finds which processes \*modulepart\* is loaded into, optionally searching only \*procnamepart\* |
| get\_password\_policy | get\_password\_policy \[hostname] | Gets the target server's or domain's configured password policy and lockout settings |
| ipconfig | ipconfig | Gets IPv4 addresses, hostname and DNS server |
| ldapsearch | ldapsearch \[query] \[opt: attribute] \[opt: results\_limit] \[opt: DC hostname or IP] \[opt: Distinguished Name] | Executes LDAP searches (NOTE: specify \*,ntsecuritydescriptor as the attribute to get all attributes plus the base64-encoded ACL of the objects, which can then be resolved using BOFHound) |
| listdns | listdns | Pulls DNS cache entries and attempts to query and resolve each |
| listmods | listmods \[opt: pid] | Lists a process's modules (DLLs); targets the current process if pid is empty. Complements driversigs for determining whether EDR/AV injected into our process |
| listpipes | listpipes | Lists named pipes |
| locale | locale | Displays system locale language, locale ID, date/time and country |
| netstat | netstat | TCP/UDP IPv4 netstat listing |
| netuser | netuser \[username] \[opt: domain] | Pulls info about a specific user; pulls from the domain if a domain name is specified |
| netuse\_add | netuse\_add \[sharename] \[opt:username] \[opt:password] \[opt:/DEVICE:devicename] \[opt:/PERSIST] \[opt:/REQUIREPRIVACY] | Binds a new connection to a remote machine |
| netuse\_delete | netuse\_delete \[device\|\|sharename] \[opt:/PERSIST] \[opt:/FORCE] | Deletes the bound device / sharename |
| netuse\_list | netuse\_list \[opt:target] | Lists all bound share resources, or info about the target local resource |
| netview | netview | Gets a list of reachable servers in the current domain |
| netGroupList | netGroupList \[opt: domain] | Lists groups from the default (or specified) domain |
| netGroupListMembers | netGroupListMembers \[groupname] \[opt: domain] | Lists group members from the default (or specified) domain |
| netLocalGroupList | netLocalGroupList \[opt: server] | Lists local groups from the local (or specified) computer |
| netLocalGroupListMembers | netLocalGroupListMembers \[groupname] \[opt: server] | Lists local group members from the local (or specified) computer |
| nslookup | nslookup \[hostname] \[opt:dns server] \[opt: record type] | Makes a DNS query.<br>dns server is the server you want to query (omit it or pass 0 for the default).<br>record type is something like A, AAAA or ANY. Some situations are limited due to observed crashes. |
| probe | probe \[host] \[port] | Checks whether a port is open |
| reg\_query | reg\_query \[opt:hostname] \[hive] \[path] \[opt: value to query] | Queries a registry value or enumerates a single key |
| reg\_query\_recursive | reg\_query\_recursive \[opt:hostname] \[hive] \[path] | Recursively enumerates a key starting at path |
| routeprint | routeprint | Prints IPv4 configured routes |
| schtasksenum | schtasksenum \[opt: server] | Enumerates all scheduled tasks on the local machine or, if provided, the remote machine |
| schtasksquery | schtasksquery \[opt: server] \[taskpath] | Queries the given task on the local machine or, if provided, the remote machine |
| sc\_enum | sc\_enum \[opt:server] | Enumerates all services for qc, query, qfailure and qtriggers info |
| sc\_qc | sc\_qc \[service name] \[opt:server] | sc qc implementation in BOF |
| sc\_qfailure | sc\_qfailure \[service name] \[opt:server] | Queries a service for failure conditions |
| sc\_qtriggerinfo | sc\_qtriggerinfo \[service name] \[opt:server] | Queries a service for trigger conditions |
| sc\_query | sc\_query \[opt: service name] \[opt: server] | sc query implementation in BOF |
| sc\_qdescription | sc\_qdescription \[service name] \[opt: server] | sc qdescription implementation in BOF |
| tasklist | tasklist \[opt: server] | Gets a list of running processes including PID, PPID and CommandLine (uses WMI) |
| whoami | whoami | Simulates whoami /all |
| windowlist | windowlist \[opt:all] | Lists visible windows in the current user's session |
| wmi\_query | wmi\_query query \[opt: server] \[opt: namespace] | Runs a WMI query and displays results in CSV format |
| netsession | netsession \[opt:computer] | Enumerates all sessions on the specified computer, or the local one |
| resources | resources | Prints memory usage and available disk space on the primary hard drive |
| uptime | uptime | Prints system boot time and how long it has been since then |
| vssenum | vssenum \[hostname] \[opt:sharename] | Enumerates shadow copies on some Server 2012+ machines |
