This repository contains a collection of tools that integrate with Cobalt Strike through Beacon Object Files (BOFs).
The following tools are currently in the operators' kit:
| Name | Decription |
|---|---|
| AddLocalCert | Add a (self signed) certificate to a specific local computer certificate store. |
| AddTaskScheduler | Create a scheduled task on the current- or remote host. |
| BlindEventlog | Blind Eventlog by suspending its threads. |
| DelLocalCert | Delete a local computer certificate from a specific store. |
| DelTaskScheduler | Delete a scheduled task on the current- or a remote host. |
| DllEnvHijacking | BOF implementation of DLL environment hijacking published by Wietze |
| EnumLocalCert | List all local computer certificates from a specific store. |
| FindDotnet | Find processes that most likely have .NET loaded. |
| FindHandle | Find "process" and "thread" handle types between processes. |
| FindLib | Find loaded module(s) in remote process(es). |
| FindRWX | Find RWX memory regions in a target process. |
| FindSysmon | Verify if Sysmon is running through enumerating Minifilter drivers and checking the registry. |
| HideFile | Hide file or directory by setting it's attributes to systemfile + hidden. |
| LoadLib | Load an on disk present DLL via RtlRemoteCall API in a remote process. |
| PSremote | List all running processes on a remote host. |
| SilenceSysmon | Silence the Sysmon service by patching its capability to write ETW events to the log. |
Each individual tool has its own README file with usage information and compile instructions.
A round of virtual applause to reenz0h. Lots of tools in this kit are based on his code examples from the Malware Development and Windows Evasion courses. I highly recommend purchasing them!
Furthermore, some code from the C2-Tool-Collection project is copied to neatly print beacon output.