trustedsec / CS-Situational-Awareness-BOF

Situational Awareness commands implemented using Beacon Object Files
GNU General Public License v2.0

Remote wmi receives access denied after using make_token #94

Closed Octoberfest7 closed 1 year ago

Octoberfest7 commented 1 year ago

I have experienced an issue using the wmi_query as well as the tasklist BOF in which trying to use either BOF on a remote machine with a token created using make_token returns Access Denied.

In a beacon running as the user DA (a Domain Admin in the network), I am successfully able to use the wmi_query and tasklist BOFs remotely.

In a beacon running as SYSTEM, I use make_token with DA's creds. I am successfully able to use the created token, as demonstrated by doing an ls \dev-dc\c$ as well as using shell wmic ...

I am unable, however, to use wmi_query or tasklist remotely, receiving an Access Denied error. I'm running Cobalt Strike version 4.7.2 and have confirmed this using the latest branch of CS-Situational-Awareness-BOF.

freefirex commented 1 year ago

Tracked this down and got it fixed, thanks for the report!

Octoberfest7 commented 1 year ago

Great, thanks so much for your work!