# OperatorsKit
This repository contains a collection of Beacon Object Files (BOFs) that integrate with Cobalt Strike.
## Kit content
The following tools are currently in the OperatorsKit:
| Name | Description |
|---|---|
| AddExclusion | Add a new exclusion to Windows Defender for a folder, file, process or extension. |
| AddFirewallRule | Add a new inbound/outbound firewall rule. |
| AddLocalCert | Add a (self signed) certificate to a specific local computer certificate store. |
| AddTaskScheduler | Create a scheduled task on the current or a remote host. |
| BlindEventlog | Blind Eventlog by suspending its threads. |
| CaptureNetNTLM | Capture the NetNTLMv2 hash of the current user. |
| CredPrompt | Start persistent credential prompt in an attempt to capture user credentials. |
| DelExclusion | Delete an exclusion from Windows Defender for a folder, file, process or extension. |
| DelFirewallRule | Delete a firewall rule. |
| DelLocalCert | Delete a local computer certificate from a specific store. |
| DelTaskScheduler | Delete a scheduled task on the current or a remote host. |
| DllComHijacking | Leverage DLL hijacking by instantiating a COM object on a target host. |
| DllEnvHijacking | BOF implementation of DLL environment hijacking. |
| EnumDotnet | Enumerate processes that most likely have .NET loaded. |
| EnumDrives | Enumerate drive letters and type. |
| EnumExclusions | Check the AV for excluded files, folders, extensions and processes. |
| EnumFiles | Search for matching files based on a word, extension or keyword in the file content. |
| EnumHandles | Enumerate “process” and “thread” handle types between processes. |
| EnumLib | Enumerate loaded module(s) in remote process(es). |
| EnumLocalCert | Enumerate all local computer certificates from a specific store. |
| EnumRWX | Enumerate RWX memory regions in a target process. |
| EnumSecProducts | Enumerate security products (like AV/EDR) that are running on the current/remote host. |
| EnumShares | Enumerate remote shares and your access level using a predefined list with hostnames. |
| EnumSysmon | Verify if Sysmon is running by checking the registry and listing Minifilter drivers. |
| EnumTaskScheduler | Enumerate all scheduled tasks in the root folder. |
| EnumWebClient | Find hosts with the WebClient service running based on a list with predefined hostnames. |
| EnumWSC | List what security products are registered in Windows Security Center. |
| ExecuteCrossSession | Execute a binary in the context of another user via COM cross-session interaction. |
| ForceLockScreen | Force the lock screen of the current user session. |
| HideFile | Hide a file or directory by setting its attributes to system file + hidden. |
| IdleTime | Check current user activity based on the user’s last input. |
| InjectPoolParty | Inject beacon shellcode and execute it via Windows thread pools. |
| LoadLib | Load a DLL present on disk into a remote process via the RtlRemoteCall API. |
| PSremote | Enumerate all running processes on a remote host. |
| PasswordSpray | Validate a single password against multiple accounts using Kerberos authentication. |
| SilenceSysmon | Silence the Sysmon service by patching its capability to write ETW events to the log. |
| SystemInfo | Enumerate system information via WMI (limited use case). |