README.md 3.4 KB
OperatorsKit
This repository contains a collection of tools that integrate with Cobalt Strike through Beacon Object Files (BOFs).
Kit content
The following tools are currently in the operators' kit:
| Name | Decription |
|---|---|
| AddLocalCert | Add a (self signed) certificate to a specific local computer certificate store. |
| AddTaskScheduler | Create a scheduled task on the current- or remote host. |
| BlindEventlog | Blind Eventlog by suspending its threads. |
| CaptureNetNTLM | Capture the NetNTLMv2 hash of the current user. |
| CredPrompt | Start persistent credential prompt in an attempt to capture user credentials. |
| DelLocalCert | Delete a local computer certificate from a specific store. |
| DelTaskScheduler | Delete a scheduled task on the current- or a remote host. |
| DllEnvHijacking | BOF implementation of DLL environment hijacking published by Wietze. |
| EnumLocalCert | Enumerate all local computer certificates from a specific store. |
| EnumSecProducts | Enumerate security products (like AV/EDR) that are running on the current/remote host. |
| EnumShares | Enumerate remote shares and your access level using a predefined list with hostnames. |
| EnumTaskScheduler | Enumerate all scheduled tasks in the root folder. |
| FindDotnet | Find processes that most likely have .NET loaded. |
| FindFile | Search for matching files based on a word, extention or keyword in the file content. |
| FindHandle | Find "process" and "thread" handle types between processes. |
| FindLib | Find loaded module(s) in remote process(es). |
| FindRWX | Find RWX memory regions in a target process. |
| FindSysmon | Verify if Sysmon is running by checking the registry and listing Minifilter drivers. |
| FindWebClient | Find hosts with the WebClient service running based on a list with predefined hostnames. |
| ForceLockScreen | Force the lock screen of the current user session. |
| HideFile | Hide a file or directory by setting it's attributes to systemfile + hidden. |
| IdleTime | Check current user activity based on the user's last input. |
| LoadLib | Load an on disk present DLL via RtlRemoteCall API in a remote process. |
| PSremote | Enumerate all running processes on a remote host. |
| SilenceSysmon | Silence the Sysmon service by patching its capability to write ETW events to the log. |
| SystemInfo | Enumerate system information via WMI (limited use case). |
Usage
Each individual tool has its own README file with usage information and compile instructions.
Credits
A round of virtual applause to reenz0h. Lots of tools in this kit are based on his code examples from the Malware Development and Windows Evasion courses. I highly recommend purchasing them!
Furthermore, some code from the CS-Situational-Awareness-BOF project is copied to neatly print beacon output.