Stars: 1,230
Rank: 38,157 (Top 0.8 %)
Language: C
License: GNU General Publi...
Created over 4 years ago
Updated 2 months ago


Repository Details

Situational Awareness commands implemented using Beacon Object Files

Situational Awareness BOF

This repo intends to serve two purposes. First, it provides a set of basic situational awareness commands implemented as Beacon Object Files (BOFs). These let you perform some checks on a host before you begin executing commands that may be more invasive.

Its larger goal is to provide a code example and workflow for others to begin making their own BOFs. It is the companion to the blog post at https://www.trustedsec.com/blog/a-developers-introduction-to-beacon-object-files/

Making a new BOF

If you want to use the same workflow as this repository, the basic steps are as follows:

  1. Make a folder that covers the target topic; for example, in this repo we are using SA
  2. Copy the base_template into topic/commandname
  3. Modify the Makefile so that your commandname is on the first line. This should be the same as the folder name
  4. If doing something other than SA, also modify lines 14 and 15 of the Makefile so the output is moved to the correct location
  5. Make a .cna file in the base of your topic folder and add the commands that you reference. If you followed this format you can take the helper function readbof from SA.cna

Realistically, this could be compressed into a helper script, but those steps were not taken for this effort.
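As an added example (not code from this repository or the blog post), here is the skeleton of a new command's BOF source as it would sit in topic/commandname: the go() entry point, argument parsing through the Beacon data API, and error reporting back to the operator. The command name mycmd, the hostname/port arguments and the pack_host_port helper are assumptions for illustration. On Windows the object is compiled with mingw-w64 (for example x86_64-w64-mingw32-gcc -c) and the Beacon* functions are resolved by Cobalt Strike when the object is loaded; the #else branch is a host-side stand-in for those four functions, modelled on the behaviour of TrustedSec's COFFLoader beacon_compatibility.c, so that the parsing logic can be built and exercised on any machine.

```c
/* Added example, not part of the repository. Skeleton of a BOF that takes a
 * hostname ("z") and a port ("i") packed by the aggressor script.
 * Hypothetical command name: mycmd. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define CALLBACK_OUTPUT 0x0
#define CALLBACK_ERROR  0x0d

typedef struct {
    char *original;   /* start of the packed argument buffer */
    char *buffer;     /* current read position */
    int   length;     /* bytes remaining after the 4-byte total length */
    int   size;       /* total bytes of packed data */
} datap;

#ifdef _WIN32
/* Real BOF build: symbols are provided by Beacon at load time (as in beacon.h). */
#define DECLSPEC_IMPORT __declspec(dllimport)
DECLSPEC_IMPORT void  BeaconDataParse(datap *parser, char *buffer, int size);
DECLSPEC_IMPORT int   BeaconDataInt(datap *parser);
DECLSPEC_IMPORT char *BeaconDataExtract(datap *parser, int *size);
DECLSPEC_IMPORT void  BeaconPrintf(int type, char *fmt, ...);
#else
/* Host-side stand-ins (assumption: modelled on COFFLoader's beacon_compatibility.c).
 * Wire format: 4-byte total length, then "z" = 4-byte length + bytes including
 * the NUL, "i" = 4-byte little-endian integer. */
void BeaconDataParse(datap *p, char *buffer, int size) {
    p->original = buffer; p->buffer = buffer + 4;
    p->length = size - 4; p->size = size - 4;
}
int BeaconDataInt(datap *p) {
    int32_t v = 0;
    if (p->length < 4) return 0;
    memcpy(&v, p->buffer, 4); p->buffer += 4; p->length -= 4;
    return v;
}
char *BeaconDataExtract(datap *p, int *size) {
    uint32_t len = 0; char *out;
    if (p->length < 4) return NULL;
    memcpy(&len, p->buffer, 4); p->buffer += 4; p->length -= 4;
    if ((int)len > p->length) return NULL;   /* truncated buffer: refuse to read past it */
    out = p->buffer; p->buffer += len; p->length -= len;
    if (size) *size = (int)len;
    return out;
}
void BeaconPrintf(int type, char *fmt, ...) {
    FILE *f = (type == CALLBACK_ERROR) ? stderr : stdout;
    va_list ap; va_start(ap, fmt);
    fprintf(f, "[bof] "); vfprintf(f, fmt, ap);
    va_end(ap);
}
#endif

/* Parse the "zi" pack (hostname, port). Returns 1 if both fields are present
 * and sane, 0 otherwise. Validation matters: a BOF runs inside the Beacon
 * process, so an out-of-bounds read here kills the implant. */
int parse_host_port(char *args, int len, char **host, int *port) {
    datap parser;
    int hostlen = 0;
    BeaconDataParse(&parser, args, len);
    *host = BeaconDataExtract(&parser, &hostlen);
    if (*host == NULL || hostlen == 0 || (*host)[hostlen - 1] != '\0') return 0;
    *port = BeaconDataInt(&parser);
    return (*port > 0 && *port < 65536) ? 1 : 0;
}

/* Host-side equivalent of bof_pack($1, "zi", $host, $port) for testing:
 * writes the packed buffer into out (cap bytes) and returns its length, or -1. */
int pack_host_port(char *out, int cap, const char *host, int port) {
    uint32_t slen = (uint32_t)strlen(host) + 1;   /* "z" includes the NUL */
    int total = 4 + 4 + (int)slen + 4;
    uint32_t body = (uint32_t)(total - 4);
    if (total > cap) return -1;
    memcpy(out, &body, 4);
    memcpy(out + 4, &slen, 4);
    memcpy(out + 8, host, slen);
    memcpy(out + 8 + slen, &port, 4);
    return total;
}

/* BOF entry point: Cobalt Strike calls go(args, len) with the packed arguments. */
void go(char *args, int len) {
    char *host; int port;
    if (!parse_host_port(args, len, &host, &port)) {
        BeaconPrintf(CALLBACK_ERROR, "usage: mycmd [host] [port]\n");
        return;
    }
    BeaconPrintf(CALLBACK_OUTPUT, "would check %s:%d\n", host, port);
}

#ifndef _WIN32
/* Stand-alone run on a non-Windows host, using a constructed argument buffer. */
int main(void) {
    char buf[64];
    int n = pack_host_port(buf, (int)sizeof buf, "dc01.corp.local", 445);
    go(buf, n);
    return 0;
}
#endif
```

The matching aggressor command would pack its arguments with bof_pack($1, "zi", $host, $port) and hand the buffer to beacon_inline_execute; "z" is a length-prefixed string that includes the terminating NUL and "i" a 4-byte integer, which is exactly what parse_host_port consumes. Checking the NUL terminator, the remaining length and the port range before use is worth the few lines, since a parsing crash in a BOF takes the Beacon process with it.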

Available commands

| Command | Usage | Notes |
| --- | --- | --- |
| adcs_enum | adcs_enum | Enumerate CAs and templates in the AD using Win32 functions |
| adcs_enum_com | adcs_enum_com | Enumerate CAs and templates in the AD using the ICertConfig COM object |
| adcs_enum_com2 | adcs_enum_com2 | Enumerate CAs and templates in the AD using the IX509PolicyServerListManager COM object |
| adv_audit_policies | adv_audit_policies | Retrieve advanced security audit policies |
| arp | arp | List ARP table |
| cacls | cacls [filepath] | List user permissions for the specified file, wildcards supported |
| dir | dir [directory] [/s] | List files in a directory. Supports wildcards (e.g. `C:\Windows\S*`) unlike the Cobalt Strike ls command |
| driversigs | driversigs | Enumerate installed services' ImagePaths to check the signing cert against known AV/EDR vendors |
| enum_filter_driver | enum_filter_driver [opt:computer] | Enumerate filter drivers |
| enumLocalSessions | enumLocalSessions | Enumerate currently attached user sessions, both local and over RDP |
| env | env | List process environment variables |
| findLoadedModule | findLoadedModule [modulepart] [opt:procnamepart] | Find which processes *modulepart* is loaded into, optionally searching just *procnamepart* |
| get_password_policy | get_password_policy [hostname] | Get the target server's or domain's configured password policy and lockouts |
| ipconfig | ipconfig | List IPv4 address, hostname, and DNS server |
| ldapsearch | ldapsearch [query] [opt: attribute] [opt: results_limit] [opt: DC hostname or IP] [opt: Distinguished Name] | Execute LDAP searches (NOTE: specify *,ntsecuritydescriptor as the attribute parameter if you want all attributes plus the base64-encoded ACL of the objects; this can then be resolved using BOFHound. Could possibly break pagination, although everything seemed fine during testing.) |
| listdns | listdns | List DNS cache entries. Attempts to query and resolve each |
| list_firewall_rules | list_firewall_rules | List Windows firewall rules |
| listmods | listmods [opt: pid] | List process modules (DLLs). Targets the current process if PID is empty. Complement to driversigs to determine if our process was injected by AV/EDR |
| listpipes | listpipes | List named pipes |
| locale | locale | List system locale language, locale ID, date, time, and country |
| netGroupList | netGroupList [opt: domain] | List groups from the default or specified domain |
| netGroupListMembers | netGroupListMembers [groupname] [opt: domain] | List group members from the default or specified domain |
| netLocalGroupList | netLocalGroupList [opt: server] | List local groups from the local or specified computer |
| netLocalGroupListMembers | netLocalGroupListMembers [groupname] [opt: server] | List local group members from the local or specified computer |
| netloggedon | netloggedon [hostname] | Return users logged on to the local or remote computer |
| netsession | netsession [opt:computer] | Enumerate sessions on the local or specified computer |
| netshares | netshares [hostname] | List shares on the local or remote computer |
| netstat | netstat | List TCP and UDP IPv4 ports |
| netuptime | netuptime [hostname] | Return information about the boot time of the local or remote computer |
| netuser | netuser [username] [opt: domain] | Get info about a specific user. Pulls from the domain if a domain name is specified |
| netuse_add | netuse_add [sharename] [opt:username] [opt:password] [opt:/DEVICE:devicename] [opt:/PERSIST] [opt:/REQUIREPRIVACY] | Bind a new connection to a remote computer |
| netuse_delete | netuse_delete [device\|sharename] [opt:/PERSIST] [opt:/FORCE] | Delete the bound device / sharename |
| netuse_list | netuse_list [opt:target] | List all bound share resources or info about the target local resource |
| netview | netview | List reachable computers in the current domain |
| nslookup | nslookup [hostname] [opt:dns server] [opt: record type] | Make a DNS query. The DNS server is the server you want to query (omit or use 0 for the default). The record type is something like A, AAAA, or ANY. Some situations are limited due to observed crashes |
| probe | probe [host] [port] | Check if a specific port is open |
| reg_query | reg_query [opt:hostname] [hive] [path] [opt: value to query] | Query a registry value or enumerate a single key |
| reg_query_recursive | reg_query_recursive [opt:hostname] [hive] [path] | Recursively enumerate a key starting at path |
| resources | resources | List memory usage and available disk space on the primary hard drive |
| routeprint | routeprint | List IPv4 routes |
| sc_enum | sc_enum [opt:server] | Enumerate services for qc, query, qfailure, and qtriggers info |
| sc_qc | sc_qc [service name] [opt:server] | sc qc implementation in BOF |
| sc_qdescription | sc_qdescription [service name] [opt: server] | sc qdescription implementation in BOF |
| sc_qfailure | sc_qfailure [service name] [opt:server] | Query a service for failure conditions |
| sc_qtriggerinfo | sc_qtriggerinfo [service name] [opt:server] | Query a service for trigger conditions |
| sc_query | sc_query [opt: service name] [opt: server] | sc query implementation in BOF |
| schtasksenum | schtasksenum [opt: server] | Enumerate scheduled tasks on the local or remote computer |
| schtasksquery | schtasksquery [opt: server] [taskpath] | Query the given task on the local or remote computer |
| tasklist | tasklist [opt: server] | List running processes including PID, PPID, and CommandLine (uses WMI) |
| uptime | uptime | List system boot time and how long it has been running |
| vssenum | vssenum [hostname] [opt:sharename] | Enumerate Shadow Copies on some Server 2012+ servers |
| whoami | whoami | List whoami /all |
| windowlist | windowlist [opt:all] | List visible windows in the current user session |
| wmi_query | wmi_query query [opt: server] [opt: namespace] | Run a WMI query and display results in CSV format |

Note: reg_query is included even though Cobalt Strike has a built-in reg query(v) command because this one can target remote computers and can recursively enumerate a whole key.

Credits

The functional code for most of these commands was taken from the ReactOS project or from code examples hosted on MSDN. The driversigs codebase comes from https://gist.github.com/jthuraisamy/4c4c751df09f83d3620013f5d370d3b9

Thanks to all of the contributors listed under contributors. Each of you has contributed something meaningful to this repository and dealt with me and my review process. I appreciate each and every one of you for teaching me and helping make this BOF repository the best it can be!

Compiler used

Precompiled BOFs are provided in this project and are compiled using a recent version of Mingw-w64, typically installed from Brew.

System Support

These BOFs are written with support for Windows Vista+ in mind. A branch called winxp_2003 has been created if you need to use the main set of BOFs on those older systems. That branch will remain in a less supported state: it will be functional, but not updated with every new push or feature that we may add.
