OperatorsKit

This repository contains a collection of Beacon Object Files (BOFs) that integrate with Cobalt Strike.

Kit content

The following tools are currently in the OperatorsKit:

| Name | Description |
| --- | --- |
| AddExclusion | Add a new exclusion to Windows Defender for a folder, file, process or extension. |
| AddFirewallRule | Add a new inbound/outbound firewall rule. |
| AddLocalCert | Add a (self-signed) certificate to a specific local computer certificate store. |
| AddTaskScheduler | Create a scheduled task on the current or a remote host. |
| BlindEventlog | Blind the Eventlog service by suspending its threads. |
| CaptureNetNTLM | Capture the NetNTLMv2 hash of the current user. |
| CredPrompt | Start a persistent credential prompt in an attempt to capture user credentials. |
| DelExclusion | Delete an exclusion from Windows Defender for a folder, file, process or extension. |
| DelFirewallRule | Delete a firewall rule. |
| DelLocalCert | Delete a local computer certificate from a specific store. |
| DelTaskScheduler | Delete a scheduled task on the current or a remote host. |
| DllComHijacking | Leverage DLL hijacking by instantiating a COM object on a target host. |
| DllEnvHijacking | BOF implementation of DLL environment hijacking. |
| EnumDotnet | Enumerate processes that most likely have .NET loaded. |
| EnumDrives | Enumerate drive letters and their type. |
| EnumExclusions | Check the AV for excluded files, folders, extensions and processes. |
| EnumFiles | Search for matching files based on a word, extension or keyword in the file content. |
| EnumHandles | Enumerate "process" and "thread" handle types between processes. |
| EnumLib | Enumerate loaded module(s) in remote process(es). |
| EnumLocalCert | Enumerate all local computer certificates from a specific store. |
| EnumRWX | Enumerate RWX memory regions in a target process. |
| EnumSecProducts | Enumerate security products (like AV/EDR) that are running on the current/remote host. |
| EnumShares | Enumerate remote shares and your access level using a predefined list of hostnames. |
| EnumSysmon | Verify if Sysmon is running by checking the registry and listing Minifilter drivers. |
| EnumTaskScheduler | Enumerate all scheduled tasks in the root folder. |
| EnumWebClient | Find hosts with the WebClient service running based on a predefined list of hostnames. |
| EnumWSC | List what security products are registered in Windows Security Center. |
| ExecuteCrossSession | Execute a binary in the context of another user via COM cross-session interaction. |
| ForceLockScreen | Force the lock screen of the current user session. |
| HideFile | Hide a file or directory by setting its attributes to system + hidden. |
| IdleTime | Check current user activity based on the user's last input. |
| InjectPoolParty | Inject beacon shellcode and execute it via Windows Thread Pools. |
| LoadLib | Load a DLL present on disk into a remote process via the RtlRemoteCall API. |
| PSremote | Enumerate all running processes on a remote host. |
| PasswordSpray | Validate a single password against multiple accounts using Kerberos authentication. |
| SilenceSysmon | Silence the Sysmon service by patching its capability to write ETW events to the log. |
| SystemInfo | Enumerate system information via WMI (limited use case). |
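The EnumSysmon entry above describes a two-part check: look for Sysmon in the registry, then list the loaded minifilter drivers. The PowerShell below is an added example that reproduces that check on a Windows host; it is not the BOF itself and not code from the OperatorsKit project. It assumes the default service names (Sysmon, Sysmon64, SysmonDrv) and Sysmon's registered minifilter altitude 385201, and reads the minifilter altitudes from the per-driver Instances registry keys, which works without administrative rights (unlike `fltmc filters`, which is used only as an optional extra when elevated).

```powershell
# Added example (not OperatorsKit code): reproduce the EnumSysmon check in PowerShell.
# Assumptions: Windows host; default Sysmon service/driver names; Sysmon altitude 385201.

$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SysmonAltitude = '385201'   # Sysmon's registered minifilter altitude (assumption: not patched)

# Every minifilter driver records its instance altitude under
# Services\<Driver>\Instances\<InstanceName>\Altitude, readable by standard users.
function Get-MinifilterAltitude {
    foreach ($svc in (Get-ChildItem -Path $Services -ErrorAction SilentlyContinue)) {
        $instances = Join-Path -Path $svc.PSPath -ChildPath 'Instances'
        if (-not (Test-Path -Path $instances)) { continue }
        foreach ($inst in (Get-ChildItem -Path $instances -ErrorAction SilentlyContinue)) {
            $alt = (Get-ItemProperty -Path $inst.PSPath -Name Altitude -ErrorAction SilentlyContinue).Altitude
            if ($alt) {
                [pscustomobject]@{ Driver = $svc.PSChildName; Instance = $inst.PSChildName; Altitude = $alt }
            }
        }
    }
}

function Test-SysmonPresence {
    $r = [ordered]@{
        ServiceKey        = $null   # default service key present?
        DriverKey         = $false  # default driver key present?
        AltitudeMatch     = $null   # driver registered at Sysmon's altitude (survives a rename)
        LoadedViaFltmc    = $null   # only populated when running elevated
    }

    # 1. Registry: default names. Sysmon can be installed with a custom driver name (-d),
    #    so a miss here is not conclusive.
    $r.ServiceKey = @('Sysmon', 'Sysmon64') |
        Where-Object { Test-Path -Path (Join-Path $Services $_) }
    $r.DriverKey  = Test-Path -Path (Join-Path $Services 'SysmonDrv')

    # 2. Minifilter altitude: a renamed driver still registers at 385201 unless patched.
    $r.AltitudeMatch = Get-MinifilterAltitude | Where-Object { $_.Altitude -eq $SysmonAltitude }

    # 3. Optional confirmation that the filter is actually loaded (fltmc needs admin rights).
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($isAdmin) {
        $r.LoadedViaFltmc = (& fltmc.exe filters 2>$null) |
            Where-Object { $_ -match 'SysmonDrv' -or $_ -match "\b$SysmonAltitude\b" }
    }

    [pscustomobject]$r
}

$result = Test-SysmonPresence
$result | Format-List
if ($result.AltitudeMatch -or $result.DriverKey -or $result.ServiceKey) {
    Write-Host 'Sysmon indicators found.'
} else {
    Write-Host 'No Sysmon indicators found (no service key, driver key or altitude 385201 minifilter).'
}
```

The altitude check is the one worth keeping even when the service and driver keys are absent: renaming the service and driver at install time changes the key names but not the altitude the filter registers with, so the registry walk over Instances subkeys catches the common rename case without needing to run `fltmc`.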

Usage

Each individual tool has its own README file with usage information and compile instructions.

It is also possible to import all tools at once by loading the OperatorsKit.cna script via the Cobalt Strike script manager. All tools can be compiled in one go with the compile_all.bat script, run from an x64 Native Tools Command Prompt for VS <2019/2022>.

Credits

A round of virtual applause to reenz0h. Multiple tools in this kit are based on his code examples from the Malware Development and Windows Evasion courses. I highly recommend purchasing them!

Furthermore, some code from the CS-Situational-Awareness-BOF project is used to neatly print beacon output.