This repository features a collection of tools designed to integrate with Cobalt Strike (and other C2 frameworks) via Beacon Object Files (BOFs).
Maintained by Western Tactics, these tools are open-sourced to help Red Teams build stronger defenses against evolving cyber threats.
🌐 Want to learn more? Discover our practical cyber security courses: westerntactics.com
The following tools are currently in the OperatorsKit:
| Name | Description |
|---|---|
| AddExclusion | Add a new exclusion to Windows Defender for a folder, file, process or extension. |
| AddFirewallRule | Add a new inbound/outbound firewall rule. |
| AddLocalCert | Add a (self signed) certificate to a specific local computer certificate store. |
| AddTaskScheduler | Create a scheduled task on the current or a remote host. |
| AuthenticateHTTP | Force a Windows-authenticated HTTP request from the current user context. |
| CaptureNetNTLM | Capture the NetNTLMv2 hash of the current user. |
| CredPrompt | Start persistent credential prompt in an attempt to capture user credentials. |
| DcomLocalServer32 | Instantiate a DCOM/COM class and start an EXE on a (remote) machine. |
| DelExclusion | Delete an exclusion from Windows Defender for a folder, file, process or extension. |
| DelFirewallRule | Delete a firewall rule. |
| DelLocalCert | Delete a local computer certificate from a specific store. |
| DelTaskScheduler | Delete a scheduled task on the current or a remote host. |
| DllEnvHijacking | BOF implementation of DLL environment hijacking. |
| EnumActiveHosts | Enumerate active hosts or validate a single open port. |
| EnumDllSideloading | Enumerate .EXE files for DLL sideloading vulnerabilities. |
| EnumDrives | Enumerate drive letters and type. |
| EnumExclusions | Check the AV for excluded files, folders, extensions and processes. |
| EnumFiles | Search for matching files based on a word, extension or keyword in the file content. |
| EnumHandles | Enumerate "process" and "thread" handle types between processes. |
| EnumLib | Enumerate loaded module(s) in remote process(es). |
| EnumLocalCert | Enumerate all local computer certificates from a specific store. |
| EnumSecProducts | Enumerate security products (like AV/EDR) that are running on the current/remote host. |
| EnumShares | Enumerate remote shares and access level using a predefined list of hostnames. |
| EnumSysmon | Verify if Sysmon is running by checking the registry and listing Minifilter drivers. |
| EnumTaskScheduler | Enumerate all scheduled tasks in the root folder. |
| EnumWebClient | Find hosts with the WebClient service running based on a predefined list of hostnames. |
| ExecuteCrossSession | Execute a binary in the context of another user via COM cross-session interaction. |
| ForceLockScreen | Force the lock screen of the current user session. |
| HideFile | Hide a file or directory by setting its attributes to system + hidden. |
| IdleTime | Check current user activity based on the user's last input. |
| InjectPoolParty | Inject beacon shellcode and execute it via Windows Thread Pools. |
| KeyloggerRawInput | Keylogger based on RegisterRawInputDevices. |
| PasswordSprayAD | Validate a single password against multiple accounts using LDAP/LDAPS/GC/GCS authentication. |
| PasswordSprayLocal | Validate a single set of credentials against multiple local hosts via SMB. |
| PSremote | Enumerate all running processes on a remote host. |
| SPN | Targeted kerberoasting with separate enumeration and roasting flows. |
| WiFiPasswords | Enumerate all saved SSIDs, then retrieve each AP's stored plaintext password. |
Each individual tool has its own README file with usage information and compile instructions.
You can also import the entire suite at once by loading the OperatorsKit.cna script via the Cobalt Strike script manager. All tools can be compiled in one pass by running the compile_all.bat script from within an x64 Native Tools Command Prompt for VS 2019 or VS 2022.
A round of virtual applause to everyone who laid the groundwork for the development of several of these techniques. Additional credits can be found in each corresponding README file.
This repository is for authorized security testing and education only. Provided "as is"—the authors accept no liability for misuse.