Home

Awesome

Remote Operations BOF

This repo serves as an addition to our previously released SA repo. Our original stance was that we would not release our tooling that modified other systems, and we would only provide information gathering tooling in a ready to go format.

Over time, we have seen many other public security companies release their offensive facing tooling, and we now feel it is appropriate for us to release a portion of our offensive tooling.

Nothing in this repo is particularly special, it is basic Microsoft Windows operations in BOF form. These primitives can be used for a large variety of operations.

Injection BOF

We have decided to include the injection BOFs that we use when doing EDR detection testing. These BOFs are provided as is and will not be supported (everything under src/Injection and Injection/*)

You are welcome to use these, but issues opened related to these will be closed without review.

Available Remote Operations commands

CommandNotes
adcs_requestRequest an enrollment certificate
adcs_request_on_behalfRequest an enrollment certificate on behalf of another user
adduserAdd specified user to a machine
addusertogroupAdd specified user to a group
chromeKeyDecrypt the provided base64 encoded Chrome key
enableuserEnable and unlock the specified user account
get_privActivate the specified token privledge, more for non-cobalt strike users
global_unprotectLocates and Decrypts GlobalProtect config files converted from: GlobalUnProtect
lastpassSearch Chrome, brave memory for LastPass passwords and data
make_token_certimpersonates a user using the altname of a .pfx file
office_tokensCollect Office JWT Tokens from any Office process
procdumpDump the specified process to the specified output file
ProcessDestroyClose handle(s) in a process
ProcessListHandlesList all open handles in a specified process
reg_deleteDelete a registry key
reg_saveSave a registry hive to disk
reg_setSet / create a registry key
sc_configConfigure an existing service
sc_createCreate a new service
sc_deleteDelete an existing service
sc_failureConfigures the actions upon failure of an existing service
sc_descriptionModify an existing services description
sc_startStart an existing service
sc_stopStop an existing service
schtaskscreateCreate a new scheduled task (via xml definition)
schtasksdeleteDelete an existing scheduled task
schtasksrunStart a scheduled task
schtasksstopStop a running scheduled task
setuserpassSet a user's password
shspawnasA misguided attempt at injecting code into a newly spawned process
shutdownShutdown or reboot a local or remote computer, with or without a warning/message
slack_cookieCollect the Slack authentication cookie from a Slack process
unexpireuserSet a user account to never expire
ghost_taskAdd/Delete a ghost task.

Contributing

This repo is intended for single task Windows primitives. That is to say, even if it takes multiple calls, creating a scheduled task is appropriate.

A command that would attempt to pre-generate an implant and perform automated movement using the BOFs in this repo would be awesome. But is not appropriate for submission to this repo directly.

Code expectations

What to expect as a contributor

After a pull request is received, it will receive an in-depth code review and testing. </br> After testing is completed, we will have zero or more rounds of change requests based on findings until there are no issues in the code. At that point it will be accepted into the repository, and your GitHub username will be added to our credit list. If you would prefer not to be added or some other handle to be used, just let me know.