# Situational Awareness BOF

## Installation

```
$ git clone https://github.com/trustedsec/CS-Situational-Awareness-BOF
```

In Cobalt Strike, open the Script Manager, click Load, and select the SA.cna file from the cloned repository. Once loaded, the commands below become available in the Beacon console.

## Interacting with Beacon

The following commands are entered in the Beacon console once SA.cna is loaded.

| command                  | Usage                                                                                                                     | notes                                                                                                                                                                                                            |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| arp                      | arp                                                                                                                       | Lists ARP table                                                                                                                                                                                                  |
| adcs\_enum               | adcs\_enum                                                                                                                | Enumerates CAs and templates in the AD using Win32 functions                                                                                                                                                     |
| adcs\_enum\_com          | adcs\_enum\_com                                                                                                           | Enumerates CAs and templates in the AD using ICertConfig COM object                                                                                                                                              |
| adcs\_enum\_com2         | adcs\_enum\_com2                                                                                                          | Enumerates CAs and templates in the AD using IX509PolicyServerListManager COM object                                                                                                                             |
| adv\_audit\_policies     | adv\_audit\_policies                                                                                                      | Retrieves advanced security audit policies                                                                                                                                                                       |
| cacls                    | cacls \[filepath]                                                                                                         | lists user permissions for the specified file, wildcards supported                                                                                                                                               |
| dir                      | dir \[directory] \[/s]                                                                                                    | List files in a directory. Supports wildcards (e.g. "C:\Windows\S\*") that the Cobalt Strike `ls` command does not                                                                                              |
| driversigs               | driversigs                                                                                                                | enumerate installed services Imagepaths to check the signing cert against known edr/av vendors                                                                                                                   |
| enum\_filter\_driver     | enum\_filter\_driver \[opt:computer]                                                                                      | Enumerates all the filter drivers                                                                                                                                                                                |
| enumLocalSessions        | enumLocalSessions                                                                                                         | Enumerate the currently attached user sessions both local and over rdp                                                                                                                                           |
| env                      | env                                                                                                                       | Prints process environment variables                                                                                                                                                                             |
| findLoadedModule         | findLoadedModule \[modulepart] \[opt:procnamepart]                                                                        | Finds what processes \*modulepart\* is loaded into, optionally searching just \*procnamepart\*                                                                                                                   |
| get\_password\_policy    | get\_password\_policy \[hostname]                                                                                         | Gets target server or domain's configured password policy and lockouts                                                                                                                                           |
| ipconfig                 | ipconfig                                                                                                                  | Simply gets ipv4 addresses, hostname and dns server                                                                                                                                                              |
| ldapsearch               | ldapsearch \[query] \[opt: attribute] \[opt: results\_limit] \[opt: DC hostname or IP] \[opt: Distinguished Name]         | Executes LDAP searches (NOTE: specify \*,ntsecuritydescriptor as the attribute if you want all attributes plus the base64-encoded ACL of each object; the ACL can then be resolved using BOFHound)              |
| listdns                  | listdns                                                                                                                   | Pulls dns cache entries, attempts to query and resolve each                                                                                                                                                      |
| listmods                 | listmods \[opt: pid]                                                                                                      | List a process modules (DLL). Target current process if pid is empty. Complement to driversigs to determine if our process was injected by edr/av.                                                               |
| listpipes                | listpipes                                                                                                                 | Lists named pipes                                                                                                                                                                                                |
| locale                   | locale                                                                                                                    | Display system locale language, locale id, date/time, and country                                                                                                                                                |
| netstat                  | netstat                                                                                                                   | tcp / udp ipv4 netstat listing                                                                                                                                                                                   |
| netuser                  | netuser \[username] \[opt: domain]                                                                                        | Pulls info about specific user. Pulls from domain if a domainname is specified                                                                                                                                   |
| netuse\_add              | netuse\_add \[sharename] \[opt:username] \[opt:password] \[opt:/DEVICE:devicename] \[opt:/PERSIST] \[opt:/REQUIREPRIVACY] | bind a new connection to a remote machine                                                                                                                                                                        |
| netuse\_delete           | netuse\_delete \[device\|\|sharename] \[opt:/PERSIST] \[opt:/FORCE]                                                       | Deletes the bound device / sharename                                                                                                                                                                             |
| netuse\_list             | netuse\_list \[opt:target]                                                                                                | list all bound share resources or info about target local resource                                                                                                                                               |
| netview                  | netview                                                                                                                   | Gets a list of reachable servers in the current domain                                                                                                                                                           |
| netGroupList             | netGroupList \[opt: domain]                                                                                               | Lists Groups from the default (or specified) domain                                                                                                                                                              |
| netGroupListMembers      | netGroupListMembers \[groupname] \[opt: domain]                                                                           | Lists group members from the default (or specified) domain                                                                                                                                                       |
| netLocalGroupList        | netLocalGroupList \[opt: server]                                                                                          | List local groups from the local (or specified) computer                                                                                                                                                         |
| netLocalGroupListMembers | netLocalGroupListMembers \[groupname] \[opt: server]                                                                      | Lists members of a local group on the local (or specified) computer                                                                                                                                              |
| nslookup                 | nslookup \[hostname] \[opt:dns server] \[opt: record type]                                                                | Makes a DNS query.<br>dns server is the server you want to query (omit or pass 0 for the default)<br>record type is something like A, AAAA, or ANY. Some combinations are limited due to observed crashes.      |
| probe                    | probe \[host] \[port]                                                                                                     | Check if port is open                                                                                                                                                                                            |
| reg\_query               | reg\_query \[opt:hostname] \[hive] \[path] \[opt: value to query]                                                         | Queries a registry value or enumerates a single key                                                                                                                                                              |
| reg\_query\_recursive    | reg\_query\_recursive \[opt:hostname] \[hive] \[path]                                                                     | Recursively enumerates a key starting at path                                                                                                                                                                    |
| routeprint               | routeprint                                                                                                                | prints ipv4 configured routes                                                                                                                                                                                    |
| schtasksenum             | schtasksenum \[opt: server]                                                                                               | Enumerates all scheduled tasks on the local or if provided remote machine                                                                                                                                        |
| schtasksquery            | schtasksquery \[opt: server] \[taskpath]                                                                                  | Queries the given task from the local or if provided remote machine                                                                                                                                              |
| sc\_enum                 | sc\_enum \[opt:server]                                                                                                    | Enumerates all services for qc, query, qfailure, and qtriggers info                                                                                                                                              |
| sc\_qc                   | sc\_qc \[service name] \[opt:server]                                                                                      | sc qc implementation in BOF                                                                                                                                                                                      |
| sc\_qfailure             | sc\_qfailure \[service name] \[opt:server]                                                                                | Queries a service for failure conditions                                                                                                                                                                         |
| sc\_qtriggerinfo         | sc\_qtriggerinfo \[service name] \[opt:server]                                                                            | Queries a service for trigger conditions                                                                                                                                                                         |
| sc\_query                | sc\_query \[opt: service name] \[opt: server]                                                                             | sc query implementation in bof                                                                                                                                                                                   |
| sc\_qdescription         | sc\_qdescription \[service name] \[opt: server]                                                                           | sc qdescription implementation in bof                                                                                                                                                                            |
| tasklist                 | tasklist \[opt: server]                                                                                                   | Get a list of running processes including PID, PPID and CommandLine (uses WMI)                                                                                                                                   |
| whoami                   | whoami                                                                                                                    | simulates whoami /all                                                                                                                                                                                            |
| windowlist               | windowlist \[opt:all]                                                                                                     | lists visible windows in the current users session                                                                                                                                                               |
| wmi\_query               | wmi\_query query \[opt: server] \[opt: namespace]                                                                         | Run a wmi query and display results in CSV format                                                                                                                                                                |
| netsession               | netsession \[opt:computer]                                                                                                | Enumerates all sessions on the specified computer or the local one                                                                                                                                               |
| resources                | resources                                                                                                                 | Prints memory usage and available disk space on the primary hard drive                                                                                                                                           |
| uptime                   | uptime                                                                                                                    | Prints system boot time and how long it's been since then                                                                                                                                                        |
| vssenum                  | vssenum \[hostname] \[opt:sharename]                                                                                      | Enumerates shadow copies on some server 2012+ machines                                                                                                                                                           |
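The `ldapsearch` note above says that requesting `*,ntsecuritydescriptor` returns each object's ACL as a base64-encoded blob that a tool such as BOFHound resolves. The blob is a self-relative `SECURITY_DESCRIPTOR` (a 20-byte header, owner and group SIDs, and an ACL of ACEs). The following parser is an added example for this page, not code from the SA BOF project or from BOFHound: it decodes such a blob into owner, group and DACL entries with the access-mask bits named, and flags principals granted control-changing rights, which is the check a defender reviewing AD object permissions wants. The sample descriptor is constructed inline by `build_sample_sd()`; the function and dictionary names are this example's own.

```python
import base64
import struct

# Control bits and ACE types from the SECURITY_DESCRIPTOR / ACE_HEADER formats.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED",
             5: "ACCESS_ALLOWED_OBJECT", 6: "ACCESS_DENIED_OBJECT"}

# Access-mask bits as used on Active Directory objects (ADS_RIGHT_* plus standard rights).
RIGHTS = {
    0x00000001: "CREATE_CHILD", 0x00000002: "DELETE_CHILD", 0x00000004: "LIST_CHILDREN",
    0x00000008: "SELF_WRITE", 0x00000010: "READ_PROP", 0x00000020: "WRITE_PROP",
    0x00000040: "DELETE_TREE", 0x00000080: "LIST_OBJECT", 0x00000100: "CONTROL_ACCESS",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE",
}
# Rights that let the holder rewrite the ACL or take the object over.
CONTROL_RIGHTS = {"WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}


def mask_to_names(mask):
    """Expand an access mask into the RIGHTS names it contains, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]


def sid_to_str(buf, off):
    """Decode a binary SID at buf[off] into S-R-A-s1-s2... form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 6-byte big-endian authority
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)    # little-endian sub-authorities
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def parse_acl(buf, off):
    """Walk an ACL: 8-byte header followed by AceCount ACEs, each self-sized."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        if ace_type in (5, 6):
            # Object ACEs carry an extra Flags field and up to two optional 16-byte GUIDs.
            obj_flags = struct.unpack_from("<I", buf, pos + 8)[0]
            sid_off = pos + 12 + (16 if obj_flags & 1 else 0) + (16 if obj_flags & 2 else 0)
        else:
            sid_off = pos + 8
        aces.append({"type": ACE_TYPES.get(ace_type, "TYPE_%d" % ace_type),
                     "flags": ace_flags, "mask": mask,
                     "rights": mask_to_names(mask), "sid": sid_to_str(buf, sid_off)})
        pos += ace_size
    return aces


def parse_sd(b64):
    """Decode a base64 self-relative security descriptor as returned in ntSecurityDescriptor."""
    buf = base64.b64decode(b64)
    rev, _sbz1, control, off_owner, off_group, _off_sacl, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    return {
        "control": control,
        "owner": sid_to_str(buf, off_owner) if off_owner else None,
        "group": sid_to_str(buf, off_group) if off_group else None,
        "dacl": parse_acl(buf, off_dacl) if (control & SE_DACL_PRESENT and off_dacl) else None,
    }


def control_grants(sd):
    """SIDs with an ACCESS_ALLOWED ACE that carries a control-changing right."""
    return [ace["sid"] for ace in sd["dacl"] or []
            if ace["type"] == "ACCESS_ALLOWED" and CONTROL_RIGHTS & set(ace["rights"])]


# --- constructed sample input (not captured from any real directory) -------------
def build_sid(sid_str):
    parts = sid_str.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(ace_type, mask, sid_str):
    sid = build_sid(sid_str)
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid


def build_sample_sd():
    """Owner/group Administrators; DACL: full control to Administrators, generic read to
    Authenticated Users, DELETE_TREE denied to Everyone. Returned base64-encoded."""
    owner = group = build_sid("S-1-5-32-544")
    aces = (build_ace(0, 0x000F01FF, "S-1-5-32-544") + build_ace(0, 0x00020094, "S-1-5-11")
            + build_ace(1, 0x00000040, "S-1-1-0"))
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), 3, 0) + aces
    off_owner, off_group = 20, 20 + len(owner)
    off_dacl = off_group + len(group)
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      off_owner, off_group, 0, off_dacl)
    return base64.b64encode(hdr + owner + group + dacl).decode()


if __name__ == "__main__":
    sd = parse_sd(build_sample_sd())
    print("owner:", sd["owner"], "group:", sd["group"])
    for ace in sd["dacl"]:
        print("%-14s %-16s %s" % (ace["type"], ace["sid"], ",".join(ace["rights"])))
    print("can rewrite ACL:", control_grants(sd))
```

The SACL offset is read but not decoded, since it is normally not returned to non-privileged LDAP clients; the same `parse_acl` routine would decode it. Object-specific ACEs (types 5 and 6) have their SID located correctly but their GUIDs are not resolved to schema names, which is the part of the job a resolver such as BOFHound performs against the directory.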
