Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/REDMED-X/OperatorsKit

Collection of Beacon Object Files (BOF) for Cobalt Strike
https://github.com/REDMED-X/OperatorsKit

Last synced: about 2 months ago
JSON representation

Collection of Beacon Object Files (BOF) for Cobalt Strike

Host: GitHub
URL: https://github.com/REDMED-X/OperatorsKit
Owner: REDMED-X
License: mit
Created: 2023-02-06T07:34:02.000Z (over 1 year ago)
Default Branch: main
Last Pushed: 2024-07-19T18:09:28.000Z (2 months ago)
Last Synced: 2024-07-19T23:16:45.340Z (2 months ago)
Language: C
Size: 461 KB
Stars: 456
Watchers: 8
Forks: 68
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # OperatorsKit

This repository contains a collection of Beacon Object Files (BOFs) that integrate with Cobalt Strike.  

## Kit content

The following tools are currently in the OperatorsKit: 

|Name|Description|

|----|----------|

|**[AddExclusion](KIT/AddExclusion)**|Add a new exclusion to Windows Defender for a folder, file, process or extension.|

|**[AddFirewallRule](KIT/AddFirewallRule)**|Add a new inbound/outbound firewall rule.|

|**[AddLocalCert](KIT/AddLocalCert)**|Add a (self signed) certificate to a specific local computer certificate store.|

|**[AddTaskScheduler](KIT/AddTaskScheduler)**|Create a scheduled task on the current- or remote host.|

|**[BlindEventlog](KIT/BlindEventlog)**|Blind Eventlog by suspending its threads.|

|**[CaptureNetNTLM](KIT/CaptureNetNTLM)**|Capture the NetNTLMv2 hash of the current user.|

|**[CredPrompt](KIT/CredPrompt)**|Start persistent credential prompt in an attempt to capture user credentials.|

|**[DelExclusion](KIT/DelExclusion)**|Delete an exclusion from Windows Defender for a folder, file, process or extension.|

|**[DelFirewallRule](KIT/DelFirewallRule)**|Delete a firewall rule.|

|**[DelLocalCert](KIT/DelLocalCert)**|Delete a local computer certificate from a specific store.|

|**[DelTaskScheduler](KIT/DelTaskScheduler)**|Delete a scheduled task on the current- or a remote host.|

|**[DllComHijacking](KIT/DllComHijacking)**|Leverage DLL Hijacking by instantiating a COM object on a target host |

|**[DllEnvHijacking](KIT/DllEnvHijacking)**|BOF implementation of DLL environment hijacking.|

|**[EnumDotnet](KIT/EnumDotnet)**|Enumerate processes that most likely have .NET loaded.|

|**[EnumDrives](KIT/EnumDrives)**|Enumerate drive letters and type.|

|**[EnumExclusions](KIT/EnumExclusions)**|Check the AV for excluded files, folders, extentions and processes.|

|**[EnumFiles](KIT/EnumFiles)**|Search for matching files based on a word, extention or keyword in the file content.|

|**[EnumHandles](KIT/EnumHandles)**|Enumerate "process" and "thread" handle types between processes.|

|**[EnumLib](KIT/EnumLib)**|Enumerate loaded module(s) in remote process(es).|

|**[EnumLocalCert](KIT/EnumLocalCert)**|Enumerate all local computer certificates from a specific store.|

|**[EnumRWX](KIT/EnumRWX)**|Enumerate RWX memory regions in a target process.|

|**[EnumSecProducts](KIT/EnumSecProducts)**|Enumerate security products (like AV/EDR) that are running on the current/remote host.|

|**[EnumShares](KIT/EnumShares)**|Enumerate remote shares and your access level using a predefined list with hostnames.|

|**[EnumSysmon](KIT/EnumSysmon)**|Verify if Sysmon is running by checking the registry and listing Minifilter drivers.|

|**[EnumTaskScheduler](KIT/EnumTaskScheduler)**|Enumerate all scheduled tasks in the root folder.|

|**[EnumWebClient](KIT/EnumWebClient)**|Find hosts with the WebClient service running based on a list with predefined hostnames.|

|**[EnumWSC](KIT/EnumWSC)**|List what security products are registered in Windows Security Center.|

|**[ExecuteCrossSession](KIT/ExecuteCrossSession)**|Execute a binary in the context of another user via COM cross-session interaction|

|**[ForceLockScreen](KIT/ForceLockScreen)**|Force the lock screen of the current user session.|

|**[HideFile](KIT/HideFile)**|Hide a file or directory by setting it's attributes to systemfile + hidden.|

|**[IdleTime](KIT/IdleTime)**|Check current user activity based on the user's last input.|

|**[InjectPoolParty](KIT/InjectPoolParty)**|Inject beacon shellcode and execute it via Windows Thread Pools|

|**[LoadLib](KIT/LoadLib)**|Load an on disk present DLL via RtlRemoteCall API in a remote process.|

|**[PSremote](KIT/PSremote)**|Enumerate all running processes on a remote host.|

|**[PasswordSpray](KIT/PasswordSpray)**|Validate a single password against multiple accounts using kerberos authentication.|

|**[SilenceSysmon](KIT/SilenceSysmon)**|Silence the Sysmon service by patching its capability to write ETW events to the log.|

|**[SystemInfo](KIT/SystemInfo)**|Enumerate system information via WMI (limited use case).|

## Usage

Each individual tool has its own README file with usage information and compile instructions. 

It is also possible to directly import all tools by loading the `OperatorsKit.cna` script using the Cobalt Strike script manager. Furthermore, mass compiling can now be done using the `compile_all.bat` script from within the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal. 

## Credits

A round of virtual applause to [reenz0h](https://twitter.com/SEKTOR7net). Multiple tools in this kit are based on his code examples from the Malware Development and Windows Evasion courses. I highly recommend purchasing them!

Furthermore, some code from the [CS-Situational-Awareness-BOF](https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c) project is used to neatly print beacon output.