This repository contains a collection of tools that integrate with Cobalt Strike through Beacon Object Files (BOFs).
The following tools are currently in the operators' kit:
| Name | Description |
|---|---|
| AddExclusion | Add a new exclusion to Windows Defender for a folder, file, process or extension. |
| AddFirewallRule | Add a new inbound/outbound firewall rule. |
| AddLocalCert | Add a (self-signed) certificate to a specific local computer certificate store. |
| AddTaskScheduler | Create a scheduled task on the current or a remote host. |
| BlindEventlog | Blind the Eventlog service by suspending its threads. |
| CaptureNetNTLM | Capture the NetNTLMv2 hash of the current user. |
| CredPrompt | Start a persistent credential prompt in an attempt to capture user credentials. |
| DelFirewallRule | Delete a firewall rule. |
| DelLocalCert | Delete a local computer certificate from a specific store. |
| DelTaskScheduler | Delete a scheduled task on the current or a remote host. |
| DllEnvHijacking | BOF implementation of the DLL environment hijacking technique published by Wietze. |
| EnumLocalCert | Enumerate all local computer certificates from a specific store. |
| EnumSecProducts | Enumerate security products (such as AV/EDR) that are running on the current or a remote host. |
| EnumShares | Enumerate remote shares and your access level using a predefined list of hostnames. |
| EnumTaskScheduler | Enumerate all scheduled tasks in the root folder. |
| EnumWSC | List which security products are registered in Windows Security Center. |
| FindDotnet | Find processes that most likely have .NET loaded. |
| FindExclusions | Check the AV for excluded files, folders, extensions and processes. |
| FindFile | Search for matching files based on a word, extension or keyword in the file content. |
| FindHandle | Find "process" and "thread" handle types between processes. |
| FindLib | Find loaded module(s) in remote process(es). |
| FindRWX | Find RWX memory regions in a target process. |
| FindSysmon | Verify whether Sysmon is running by checking the registry and listing Minifilter drivers. |
| FindWebClient | Find hosts with the WebClient service running based on a predefined list of hostnames. |
| ForceLockScreen | Force the lock screen of the current user session. |
| HideFile | Hide a file or directory by setting its attributes to system + hidden. |
| IdleTime | Check current user activity based on the user's last input. |
| LoadLib | Load a DLL present on disk into a remote process via the RtlRemoteCall API. |
| PSremote | Enumerate all running processes on a remote host. |
| SilenceSysmon | Silence the Sysmon service by patching its capability to write ETW events to the log. |
| SystemInfo | Enumerate system information via WMI (limited use case). |
Each individual tool has its own README file with usage information and compile instructions.
A round of virtual applause to reenz0h. Lots of tools in this kit are based on his code examples from the Malware Development and Windows Evasion courses. I highly recommend purchasing them!
Furthermore, some code from the CS-Situational-Awareness-BOF project is used to neatly print beacon output.