OperatorsKit

OperatorsKit

This repository contains a collection of tools that integrate with Cobalt Strike through Beacon Object Files (BOFs).

Kit content

The following tools are currently in the operators' kit:

Name	Decription
AddLocalCert	Add a (self signed) certificate to a specific local computer certificate store.
AddTaskScheduler	Create a scheduled task on the current- or remote host.
BlindEventlog	Blind Eventlog by suspending its threads.
DelLocalCert	Delete a local computer certificate from a specific store.
DelTaskScheduler	Delete a scheduled task on the current- or a remote host.
DllEnvHijacking	BOF implementation of DLL environment hijacking published by Wietze
EnumLocalCert	List all local computer certificates from a specific store.
FindDotnet	Find processes that most likely have .NET loaded.
FindHandle	Find "process" and "thread" handle types between processes.
FindLib	Find loaded module(s) in remote process(es).
FindRWX	Find RWX memory regions in a target process.
FindSysmon	Verify if Sysmon is running through enumerating Minifilter drivers and checking the registry.
HideFile	Hide file or directory by setting it's attributes to systemfile + hidden.
LoadLib	Load an on disk present DLL via RtlRemoteCall API in a remote process.
PSremote	List all running processes on a remote host.
SilenceSysmon	Silence the Sysmon service by patching its capability to write ETW events to the log.

Usage

Each individual tool has its own README file with usage information and compile instructions.

Credits

A round of virtual applause to reenz0h. Lots of tools in this kit are based on his code examples from the Malware Development and Windows Evasion courses. I highly recommend purchasing them!

Furthermore, some code from the C2-Tool-Collection project is copied to neatly print beacon output.