/OperatorsKit

Collection of Beacon Object Files (BOF) for Cobalt Strike

Primary LanguageCMIT LicenseMIT

OperatorsKit

This repository contains a collection of tools that integrate with Cobalt Strike through Beacon Object Files (BOFs).

Kit content

The following tools are currently in the operators' kit:

Name Decription
BlindEventlog Blind Eventlog by suspending its threads.
DllEnvHijacking BOF implementation of DLL environment hijacking published by Wietze
FindDotnet Find processes that most likely have .NET loaded.
FindHandle Find "process" and "thread" handle types between processes.
FindLib Find loaded module(s) in remote process(es).
FindRWX Find RWX memory regions in a target process.
FindSysmon Verify if Sysmon is running through enumerating Minifilter drivers and checking the registry.
HideFile Hide file or directory by setting it's attributes to systemfile + hidden.
LoadLib Load a on disk present DLL via RtlRemoteCall API in a remote process.
PSremote List all running processes on a remote host.
SilenceSysmon Silence the Sysmon service by patching its capability to write ETW events to the log.

Usage

Each individual tool has its own README file with usage information and compile instructions.

Credits

A round of virtual applause to reenz0h. Lots of tools in this kit are based on his code examples from the Malware Development and Windows Evasion courses. I highly recommend purchasing them!

Furthermore, some code from the C2-Tool-Collection project is copied to neatly print beacon output.