This Repo intends to serve two purposes. First it provides a nice set of basic situational awareness commands implemented in BOF. This allows you to perform some checks on a host before you begin executing commands that may be more invasive.
Its larger goal is providing a code example and workflow for others to begin making more BOF files. It is a companion document of the blog post made here: https://www.trustedsec.com/blog/a-developers-introduction-to-beacon-object-files/
If you want to use the same workflow as this repository, your basic steps are as follows
- Make a folder that covers the target topic, for example in this repo we are using SA
- copy base_template into topic/commandname
- modify the Makefile to have your commandname on the first line, this should be the same as the folder name
- If doing something other then SA make sure to modify lines 14 / 15 of the makefile as well so its moved to the correct location
- Make a .cna file in the base of your topic folder and add the commands that you reference. If you followed this format you can take the helper function readbof from SA.cna
Realistically, this could be compressed into a helper script, but those steps were not taken for this effort.
| command | Usage | notes |
|---|---|---|
| cacls | cacls [filepath] | lists user permissions for the specified file, wildcards supported |
| dir | dir [directory] | List files in a directory. Supports wildcards (e.g. "C:\Windows\S*") the CobaltStrike ls command |
| driversigs | driversigs | enumerate installed services Imagepaths to check the signing cert against known edr/av vendors |
| env | env | Prints process environment variables |
| ipconfig | ipconfig | Simply gets ipv4 addresses, hostname and dns server |
| ldapsearch | ldapsearch [query] [opt: attribute] [opt: results_limit] | Executes LDAP searches |
| listdns | listdns | Pulls dns cache entries, attempts to query and resolve each |
| listmods | listmods [opt: pid] | List a process modules (DLL). Target current process if pid is empty. Complement to driversigs to determine if our process was injected by edr/av. |
| netstat | netstat | tcp / udp ipv4 netstat listing |
| netuser | netuser [username] [opt: domain] | Pulls info about specific user. Pulls from domain if a domainname is specified |
| netview | netview | Gets a list of reachable servers in the current domain |
| netGroupList | netGroupList [opt: domain] | Lists Groups from the default (or specified) domain |
| netGroupListMembers | netGroupListMembers [groupname] [opt: domain] | Lists group members from the default (or specified) domain |
| netLocalGroupList | netLocalGroupList [opt: server] | List local groups from the local (or specified) computer |
| netLocalGroupListMembers | netLocalGroupListMembers [groupname] [opt: server] | Lists local groups from the local (or specified) computer |
| nslookup | nslookup [hostname] [opt:dns server] [opt: record type] | Makes a dns query. dns server is the server you want to query (do not specify or 0 for default) record type is something like A, AAAA, or ANY. Some situations are limited due to observed crashes. |
| reg_query | [opt:hostname] [hive] [path] [opt: value to query] | queries a registry value or enumerates a single key |
| reg_query_recursive | [opt:hostname] [hive] [path] | recursively enumerates a key starting at path |
| routeprint | routeprint | prints ipv4 configured routes |
| schtasksenum | schtasksenum [opt: server] | Enumerates all scheduled tasks on the local or if provided remote machine |
| schtasksquery | schtasksquery [opt: server] [taskpath] | Queries the given task from the local or if provided remote machine |
| sc_enum | sc_enum [opt:server] | Enumerates all services for qc, query, qfailure, and qtriggers info |
| sc_qc | sc_qc [service name] [opt:server] | sc qc impelmentation in bof |
| sc_qfailure | sc_qfailure [service name] [opt:server] | Queries a service for failure conditions |
| sc_qtriggerinfo | sc_qtriggerinfo [service name] [opt:server] | Queries a service for trigger conditions |
| sc_query | sc_query [opt: service name] [opt: server] | sc query implementation in bof |
| sc_qdescription | sc_qdescription [service name] [opt: server] | sc qdescription implementation in bof |
| tasklist | tasklist [opt: server] | Get a list of running processes including PID, PPID and ComandLine (uses wmi) |
| whoami | whoami | simulates whoami /all |
| windowlist | windowlist [opt:all] | lists visible windows in the current users session |
| wmi_query | wmi_query query [opt: server] [opt: namespace] | Run a wmi query and display results in CSV format |
| netsession | netsession [opt:computer] | Enumerates all sessions on the specified computer or the local one |
| resources | resources | Prints memory usage and available disk space on the primary hard drive |
| uptime | uptime | Prints system boot time and how long it's been since then |
Note the reason for including reg_query when CS has a built in reg query(v) command is because this one can target remote systems and has the ability to recursively enumerate a whole key.
The functional code for most of these commands was taken from the reactos project or code examples hosted on MSDN.
The driversigs codebase comes from https://gist.github.com/jthuraisamy/4c4c751df09f83d3620013f5d370d3b9
Thank you to martindube for his contribution of listmods
Thank you to ajpc500 for their contribution of ldapsearch
Thank you to Kapn-kaos for their contribution of tasklist and wmi_query
Thank you to JohnLaTwC for opening issues related to code correctness that prompted a full code review
Thank you to sysenter-eip for the fix to a possible crash in internal_printf
Thank you to m0t for their contribution of get-netsession
The follow compiler was used. This project has not been tested with other compilers.
Using built-in specs.
COLLECT_GCC=x86_64-w64-mingw32-gcc
COLLECT_LTO_WRAPPER=/usr/local/Cellar/mingw-w64/7.0.0_2/toolchain-x86_64/libexec/gcc/x86_64-w64-mingw32/9.3.0/lto-wrapper
Target: x86_64-w64-mingw32
Configured with: ../configure --target=x86_64-w64-mingw32 --with-sysroot=/usr/local/Cellar/mingw-w64/7.0.0_2/toolchain-x86_64 --prefix=/usr/local/Cellar/mingw-w64/7.0.0_2/toolchain-x86_64 --with-bugurl=https://github.com/Homebrew/homebrew-core/issues --enable-languages=c,c++,fortran --with-ld=/usr/local/Cellar/mingw-w64/7.0.0_2/toolchain-x86_64/bin/x86_64-w64-mingw32-ld --with-as=/usr/local/Cellar/mingw-w64/7.0.0_2/toolchain-x86_64/bin/x86_64-w64-mingw32-as --with-gmp=/usr/local/opt/gmp --with-mpfr=/usr/local/opt/mpfr --with-mpc=/usr/local/opt/libmpc --with-isl=/usr/local/opt/isl --disable-multilib --enable-threads=posix
Thread model: posix
gcc version 9.3.0 (GCC)