OperatorsKit: Collection of Beacon Object Files (BOF) for Cobalt Strike

OperatorsKit

This repository contains a collection of Beacon Object Files (BOFs) that integrate with Cobalt Strike.

Kit content

The following tools are currently in the OperatorsKit:

Name Description
AddExclusion Add a new exclusion to Windows Defender for a folder, file, process or extension.
AddFirewallRule Add a new inbound/outbound firewall rule.
AddLocalCert Add a (self signed) certificate to a specific local computer certificate store.
AddTaskScheduler Create a scheduled task on the current- or remote host.
BlindEventlog Blind Eventlog by suspending its threads.
CaptureNetNTLM Capture the NetNTLMv2 hash of the current user.
CredPrompt Start persistent credential prompt in an attempt to capture user credentials.
DelExclusion Delete an exclusion from Windows Defender for a folder, file, process or extension.
DelFirewallRule Delete a firewall rule.
DelLocalCert Delete a local computer certificate from a specific store.
DelTaskScheduler Delete a scheduled task on the current- or a remote host.
DllComHijacking Leverage DLL Hijacking by instantiating a COM object on a target host
DllEnvHijacking BOF implementation of DLL environment hijacking.
EnumDotnet Enumerate processes that most likely have .NET loaded.
EnumDrives Enumerate drive letters and type.
EnumExclusions Check the AV for excluded files, folders, extentions and processes.
EnumFiles Search for matching files based on a word, extention or keyword in the file content.
EnumHandles Enumerate “process” and “thread” handle types between processes.
EnumLib Enumerate loaded module(s) in remote process(es).
EnumLocalCert Enumerate all local computer certificates from a specific store.
EnumRWX Enumerate RWX memory regions in a target process.
EnumSecProducts Enumerate security products (like AV/EDR) that are running on the current/remote host.
EnumShares Enumerate remote shares and your access level using a predefined list with hostnames.
EnumSysmon Verify if Sysmon is running by checking the registry and listing Minifilter drivers.
EnumTaskScheduler Enumerate all scheduled tasks in the root folder.
EnumWebClient Find hosts with the WebClient service running based on a list with predefined hostnames.
EnumWSC List what security products are registered in Windows Security Center.
ExecuteCrossSession Execute a binary in the context of another user via COM cross-session interaction
ForceLockScreen Force the lock screen of the current user session.
HideFile Hide a file or directory by setting it’s attributes to systemfile + hidden.
IdleTime Check current user activity based on the user’s last input.
InjectPoolParty Inject beacon shellcode and execute it via Windows Thread Pools
LoadLib Load an on disk present DLL via RtlRemoteCall API in a remote process.
PSremote Enumerate all running processes on a remote host.
PasswordSpray Validate a single password against multiple accounts using kerberos authentication.
SilenceSysmon Silence the Sysmon service by patching its capability to write ETW events to the log.
SystemInfo Enumerate system information via WMI (limited use case).

Download & Use