REDMED-X
f7bdbefa41
New tool update
|
2 lat temu | |
|---|---|---|
| KIT | 2 lat temu | |
| LICENSE | 2 lat temu | |
| README.md | 2 lat temu |
README.md
OperatorsKit
This repository contains a collection of tools that integrate with Cobalt Strike through Beacon Object Files (BOFs).
Kit content
The following tools are currently in the operators' kit:
| Name | Decription |
|---|---|
| AddLocalCert | Add a (self signed) certificate to a specific local computer certificate store. |
| AddTaskScheduler | Create a scheduled task on the current- or remote host. |
| BlindEventlog | Blind Eventlog by suspending its threads. |
| CaptureNetNTLM | Capture the NetNTLMv2 hash of the current user. |
| CredPrompt | Start persistent credential prompt in an attempt to capture user credentials. |
| DelLocalCert | Delete a local computer certificate from a specific store. |
| DelTaskScheduler | Delete a scheduled task on the current- or a remote host. |
| DllEnvHijacking | BOF implementation of DLL environment hijacking published by Wietze. |
| EnumLocalCert | List all local computer certificates from a specific store. |
| EnumSecProducts | List security products (like AV/EDR) that are running on the system. |
| FindDotnet | Find processes that most likely have .NET loaded. |
| FindHandle | Find "process" and "thread" handle types between processes. |
| FindLib | Find loaded module(s) in remote process(es). |
| FindRWX | Find RWX memory regions in a target process. |
| FindSysmon | Verify if Sysmon is running through enumerating Minifilter drivers and checking the registry. |
| FindWebClient | Find hosts with the WebClient service running based on a list with predefined hostnames. |
| HideFile | Hide file or directory by setting it's attributes to systemfile + hidden. |
| IdleTime | Check current user activity based on the user's last input. |
| LoadLib | Load an on disk present DLL via RtlRemoteCall API in a remote process. |
| PSremote | List all running processes on a remote host. |
| SilenceSysmon | Silence the Sysmon service by patching its capability to write ETW events to the log. |
Usage
Each individual tool has its own README file with usage information and compile instructions.
Credits
A round of virtual applause to reenz0h. Lots of tools in this kit are based on his code examples from the Malware Development and Windows Evasion courses. I highly recommend purchasing them!
Furthermore, some code from the C2-Tool-Collection project is copied to neatly print beacon output.