/OperatorsKit

Collection of Beacon Object Files (BOF) for Cobalt Strike

Primary LanguageCMIT LicenseMIT

OperatorsKit

This repository contains a collection of Beacon Object Files (BOFs) that integrate with Cobalt Strike.

Kit content

The following tools are currently in the OperatorsKit:

Name Description
AddExclusion Add a new exclusion to Windows Defender for a folder, file, process or extension.
AddFirewallRule Add a new inbound/outbound firewall rule.
AddLocalCert Add a (self signed) certificate to a specific local computer certificate store.
AddTaskScheduler Create a scheduled task on the current- or remote host.
BlindEventlog Blind Eventlog by suspending its threads.
CaptureNetNTLM Capture the NetNTLMv2 hash of the current user.
CredPrompt Start persistent credential prompt in an attempt to capture user credentials.
DelExclusion Delete an exclusion from Windows Defender for a folder, file, process or extension.
DelFirewallRule Delete a firewall rule.
DelLocalCert Delete a local computer certificate from a specific store.
DelTaskScheduler Delete a scheduled task on the current- or a remote host.
DllComHijacking Leverage DLL Hijacking by instantiating a COM object on a target host
DllEnvHijacking BOF implementation of DLL environment hijacking published by Wietze.
EnumDotnet Enumerate processes that most likely have .NET loaded.
EnumExclusions Check the AV for excluded files, folders, extentions and processes.
EnumFiles Search for matching files based on a word, extention or keyword in the file content.
EnumHandles Enumerate "process" and "thread" handle types between processes.
EnumLib Enumerate loaded module(s) in remote process(es).
EnumLocalCert Enumerate all local computer certificates from a specific store.
EnumRWX Enumerate RWX memory regions in a target process.
EnumSecProducts Enumerate security products (like AV/EDR) that are running on the current/remote host.
EnumShares Enumerate remote shares and your access level using a predefined list with hostnames.
EnumSysmon Verify if Sysmon is running by checking the registry and listing Minifilter drivers.
EnumTaskScheduler Enumerate all scheduled tasks in the root folder.
EnumWebClient Find hosts with the WebClient service running based on a list with predefined hostnames.
EnumWSC List what security products are registered in Windows Security Center.
ForceLockScreen Force the lock screen of the current user session.
HideFile Hide a file or directory by setting it's attributes to systemfile + hidden.
IdleTime Check current user activity based on the user's last input.
InjectPoolParty Inject beacon shellcode and execute it via Windows Thread Pools
LoadLib Load an on disk present DLL via RtlRemoteCall API in a remote process.
PSremote Enumerate all running processes on a remote host.
SilenceSysmon Silence the Sysmon service by patching its capability to write ETW events to the log.
SystemInfo Enumerate system information via WMI (limited use case).

Usage

Each individual tool has its own README file with usage information and compile instructions.

It is also possible to directly import all tools by loading the OperatorsKit.cna script using the Cobalt Strike script manager. Furthermore, mass compiling can now be done using the compile_all.bat script from within the x64 Native Tools Command Prompt for VS <2019/2022> terminal.

Credits

A round of virtual applause to reenz0h. Multiple tools in this kit are based on his code examples from the Malware Development and Windows Evasion courses. I highly recommend purchasing them!

Furthermore, some code from the CS-Situational-Awareness-BOF project is used to neatly print beacon output.