Situational Awareness BOF

This repo serves two purposes. First, it provides a set of basic situational awareness commands implemented as Beacon Object Files (BOFs). This lets you perform some checks on a host before you begin executing commands that may be more invasive.

Its larger goal is to provide a code example and workflow for others to begin making more BOFs. It is the companion to the blog post at: https://www.trustedsec.com/blog/a-developers-introduction-to-beacon-object-files/

Making a new BOF

If you want to use the same workflow as this repository, your basic steps are as follows:

  1. Make a folder that covers the target topic; for example, this repo uses SA
  2. Copy the base_template into topic/commandname
  3. Modify the Makefile so that your commandname is on the first line. This must be the same as the folder name
  4. If you are doing something other than SA, also modify lines 14 and 15 of the Makefile so that the output is moved to the correct location
  5. Make a .cna file in the base of your topic folder and add the commands that you reference. If you followed this layout, you can reuse the helper function readbof from SA.cna
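As an added illustration of steps 3 and 4, here is an assumed layout for a topic/commandname Makefile; it is not the repository's own base_template, and the compiler names, include path, source filename and object naming are assumptions. The command name sits on the first line, and the two output-location lines are the ones to change when the BOF belongs to a topic other than SA.

```makefile
# Assumed Makefile for topic/commandname (illustrative, not the repo's base_template)
BOFNAME := commandname
COMINCLUDE := -I ../../_include
CC_x64 := x86_64-w64-mingw32-gcc
CC_x86 := i686-w64-mingw32-gcc
CFLAGS := -Os -fno-asynchronous-unwind-tables -masm=intel
SRC := entry.c

# Where the compiled objects are placed so the topic's .cna can find them.
# These two lines are the ones to change when the topic is not SA.
TOPIC := SA
OUTDIR := ../../$(TOPIC)

all: $(OUTDIR)/$(BOFNAME).x64.o $(OUTDIR)/$(BOFNAME).x86.o

# Build a 64-bit object file; -c stops after compilation (no linking), which is what a BOF needs.
$(OUTDIR)/$(BOFNAME).x64.o: $(SRC)
	$(CC_x64) $(COMINCLUDE) $(CFLAGS) -c $< -o $@

# Same for 32-bit, so the .cna can pick the object matching the beacon's architecture.
$(OUTDIR)/$(BOFNAME).x86.o: $(SRC)
	$(CC_x86) $(COMINCLUDE) $(CFLAGS) -c $< -o $@

clean:
	rm -f $(OUTDIR)/$(BOFNAME).x64.o $(OUTDIR)/$(BOFNAME).x86.o

.PHONY: all clean
```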

Realistically, this could be compressed into a helper script, but that was not done for this effort.

Available commands

Command | Usage | Notes
--- | --- | ---
adcs_enum | adcs_enum | Enumerate CAs and templates in the AD using Win32 functions
adcs_enum_com | adcs_enum_com | Enumerate CAs and templates in the AD using the ICertConfig COM object
adcs_enum_com2 | adcs_enum_com2 | Enumerate CAs and templates in the AD using the IX509PolicyServerListManager COM object
adv_audit_policies | adv_audit_policies | Retrieve advanced security audit policies
arp | arp | List ARP table
cacls | cacls [filepath] | List user permissions for the specified file, wildcards supported
dir | dir [directory] [/s] | List files in a directory. Supports wildcards (e.g. "C:\Windows\S*") unlike the CobaltStrike ls command
driversigs | driversigs | Enumerate installed services' ImagePaths to check the signing cert against known AV/EDR vendors
enum_filter_driver | enum_filter_driver [opt:computer] | Enumerate filter drivers
enumLocalSessions | enumLocalSessions | Enumerate currently attached user sessions, both local and over RDP
env | env | List process environment variables
findLoadedModule | findLoadedModule [modulepart] [opt:procnamepart] | Find what processes *modulepart* is loaded into, optionally searching just *procnamepart*
get_password_policy | get_password_policy [hostname] | Get the target server's or domain's configured password policy and lockouts
ipconfig | ipconfig | List IPv4 address, hostname, and DNS server
ldapsearch | ldapsearch [query] [opt: attribute] [opt: results_limit] [opt: DC hostname or IP] [opt: Distinguished Name] | Execute LDAP searches (NOTE: specify *,ntsecuritydescriptor as the attribute parameter if you want all attributes plus the base64-encoded ACL of the objects; this can then be resolved using BOFHound. This could possibly break pagination, although everything seemed fine during testing.)
listdns | listdns | List DNS cache entries. Attempt to query and resolve each
list_firewall_rules | list_firewall_rules | List Windows firewall rules
listmods | listmods [opt: pid] | List process modules (DLLs). Targets the current process if PID is empty. Complement to driversigs to determine if our process was injected by AV/EDR
listpipes | listpipes | List named pipes
locale | locale | List system locale language, locale ID, date, time, and country
netGroupList | netGroupList [opt: domain] | List groups from the default or specified domain
netGroupListMembers | netGroupListMembers [groupname] [opt: domain] | List group members from the default or specified domain
netLocalGroupList | netLocalGroupList [opt: server] | List local groups from the local or specified computer
netLocalGroupListMembers | netLocalGroupListMembers [groupname] [opt: server] | List local groups from the local or specified computer
netLocalGroupListMembers2 | netLocalGroupListMembers2 [opt: groupname] [opt: server] | Modified version of netLocalGroupListMembers that supports BOFHound
netloggedon | netloggedon [hostname] | Return users logged on to the local or remote computer
netloggedon2 | netloggedon2 [opt: hostname] | Modified version of netloggedon that supports BOFHound
netsession | netsession [opt:computer] | Enumerate sessions on the local or specified computer
netsession2 | netsession2 [opt:computer] [opt:resolution method] [opt:dns server] | Modified version of netsession that supports BOFHound
netshares | netshares [hostname] | List shares on the local or remote computer
netstat | netstat | TCP and UDP IPv4 port listing
nettime | nettime [hostname] | Display time on the remote computer
netuptime | netuptime [hostname] | Return information about the boot time of the local or remote computer
netuser | netuser [username] [opt: domain] | Get info about a specific user. Pulls from the domain if a domain name is specified
netuse_add | netuse_add [sharename] [opt:username] [opt:password] [opt:/DEVICE:devicename] [opt:/PERSIST] [opt:/REQUIREPRIVACY] | Bind a new connection to a remote computer
netuse_delete | netuse_delete [device or sharename] [opt:/PERSIST] [opt:/FORCE] | Delete the bound device / sharename
netuse_list | netuse_list [opt:target] | List all bound share resources, or info about the target local resource
netview | netview | List reachable computers in the current domain
nslookup | nslookup [hostname] [opt:dns server] [opt: record type] | Make a DNS query. DNS server is the server you want to query (omit it or pass 0 for the default). Record type is something like A, AAAA, or ANY. Some situations are limited due to observed crashes
probe | probe [host] [port] | Check if a specific port is open
regsession | regsession [opt: hostname] | Return logged-on user SIDs by enumerating HKEY_USERS. BOFHound compatible
reg_query | reg_query [opt:hostname] [hive] [path] [opt: value to query] | Query a registry value or enumerate a single key
reg_query_recursive | reg_query_recursive [opt:hostname] [hive] [path] | Recursively enumerate a key starting at path
resources | resources | List memory usage and available disk space on the primary hard drive
routeprint | routeprint | List IPv4 routes
sc_enum | sc_enum [opt:server] | Enumerate services for qc, query, qfailure, and qtriggers info
sc_qc | sc_qc [service name] [opt:server] | sc qc implementation in BOF
sc_qdescription | sc_qdescription [service name] [opt: server] | sc qdescription implementation in BOF
sc_qfailure | sc_qfailure [service name] [opt:server] | Query a service for failure conditions
sc_qtriggerinfo | sc_qtriggerinfo [service name] [opt:server] | Query a service for trigger conditions
sc_query | sc_query [opt: service name] [opt: server] | sc query implementation in BOF
schtasksenum | schtasksenum [opt: server] | Enumerate scheduled tasks on the local or remote computer
schtasksquery | schtasksquery [opt: server] [taskpath] | Query the given task on the local or remote computer
tasklist | tasklist [opt: server] | List running processes including PID, PPID, and CommandLine (uses WMI)
uptime | uptime | List system boot time and how long it has been running
vssenum | vssenum [hostname] [opt:sharename] | Enumerate Shadow Copies on some Server 2012+ servers
whoami | whoami | List whoami /all
windowlist | windowlist [opt:all] | List visible windows in the current user session
wmi_query | wmi_query query [opt: server] [opt: namespace] | Run a WMI query and display results in CSV format

Note: reg_query is included even though CS has a built-in reg query(v) command because this one can target remote computers and can recursively enumerate a whole key.

Credits

The functional code for most of these commands was taken from the ReactOS project or from code examples hosted on MSDN. The driversigs codebase comes from https://gist.github.com/jthuraisamy/4c4c751df09f83d3620013f5d370d3b9

Thanks to all of the contributors listed under Contributors. Each of you has contributed something meaningful to this repository and dealt with me and my review processes. I appreciate each and every one of you for teaching me and helping make this BOF repository the best it can be!

Compiler used

Precompiled BOFs are provided in this project. They are compiled using a recent version of Mingw-w64, typically installed from Homebrew.

System Support

These BOFs are written with support for Windows Vista+ in mind. A new branch called winxp_2003 has been created if you need to use the main set of BOFs on those older systems. This branch will remain in a less supported state: it will be functional, but not updated with every new push or feature that we may add.