Awesome
OperatorsKit
This repository contains a collection of Beacon Object Files (BOFs) that integrate with Cobalt Strike.
Kit content
The following tools are currently in the OperatorsKit:
| Name | Description |
|---|---|
| AddExclusion | Add a new exclusion to Windows Defender for a folder, file, process or extension. |
| AddFirewallRule | Add a new inbound/outbound firewall rule. |
| AddLocalCert | Add a (self signed) certificate to a specific local computer certificate store. |
| AddTaskScheduler | Create a scheduled task on the current- or remote host. |
| BlindEventlog | Blind Eventlog by suspending its threads. |
| CaptureNetNTLM | Capture the NetNTLMv2 hash of the current user. |
| CredPrompt | Start persistent credential prompt in an attempt to capture user credentials. |
| DelExclusion | Delete an exclusion from Windows Defender for a folder, file, process or extension. |
| DelFirewallRule | Delete a firewall rule. |
| DelLocalCert | Delete a local computer certificate from a specific store. |
| DelTaskScheduler | Delete a scheduled task on the current- or a remote host. |
| DllComHijacking | Leverage DLL Hijacking by instantiating a COM object on a target host |
| DllEnvHijacking | BOF implementation of DLL environment hijacking. |
| EnumDotnet | Enumerate processes that most likely have .NET loaded. |
| EnumDrives | Enumerate drive letters and type. |
| EnumExclusions | Check the AV for excluded files, folders, extentions and processes. |
| EnumFiles | Search for matching files based on a word, extention or keyword in the file content. |
| EnumHandles | Enumerate "process" and "thread" handle types between processes. |
| EnumLib | Enumerate loaded module(s) in remote process(es). |
| EnumLocalCert | Enumerate all local computer certificates from a specific store. |
| EnumRWX | Enumerate RWX memory regions in a target process. |
| EnumSecProducts | Enumerate security products (like AV/EDR) that are running on the current/remote host. |
| EnumShares | Enumerate remote shares and your access level using a predefined list with hostnames. |
| EnumSysmon | Verify if Sysmon is running by checking the registry and listing Minifilter drivers. |
| EnumTaskScheduler | Enumerate all scheduled tasks in the root folder. |
| EnumWebClient | Find hosts with the WebClient service running based on a list with predefined hostnames. |
| EnumWSC | List what security products are registered in Windows Security Center. |
| ExecuteCrossSession | Execute a binary in the context of another user via COM cross-session interaction |
| ForceLockScreen | Force the lock screen of the current user session. |
| HideFile | Hide a file or directory by setting it's attributes to systemfile + hidden. |
| IdleTime | Check current user activity based on the user's last input. |
| InjectPoolParty | Inject beacon shellcode and execute it via Windows Thread Pools |
| LoadLib | Load an on disk present DLL via RtlRemoteCall API in a remote process. |
| PSremote | Enumerate all running processes on a remote host. |
| PasswordSpray | Validate a single password against multiple accounts using kerberos authentication. |
| SilenceSysmon | Silence the Sysmon service by patching its capability to write ETW events to the log. |
| SystemInfo | Enumerate system information via WMI (limited use case). |
Usage
Each individual tool has its own README file with usage information and compile instructions.
It is also possible to directly import all tools by loading the OperatorsKit.cna script using the Cobalt Strike script manager. Furthermore, mass compiling can now be done using the compile_all.bat script from within the x64 Native Tools Command Prompt for VS <2019/2022> terminal.
Credits
A round of virtual applause to reenz0h. Multiple tools in this kit are based on his code examples from the Malware Development and Windows Evasion courses. I highly recommend purchasing them!
Furthermore, some code from the CS-Situational-Awareness-BOF project is used to neatly print beacon output.