CodeXTF2/GeoLocation_BOF

GeolocationBOF

A Cobalt Strike BOF that attempts to retrieve Windows geolocation coordinates without fork & run. It uses the WinRT Geolocator API first and falls back to the legacy ILocation API.

Implementation

A simple BOF that uses WinRT geolocation with a legacy ILocation fallback. It will flip the following registry keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location
    • Value = Allow
  • HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged\<encoded process path>
    • Value = Allow
  • Admin only: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location
    • Value = Allow
  • Admin only: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors
    • DisableLocation = 0
    • DisableWindowsLocationProvider = 0
  • Admin only: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy
    • LetAppsAccessLocation = 1
  • Admin only: HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration
    • Status = 1

Admin execution also temporarily changes the lfsvc service start type to demand start and attempts to start the service.

All changes are undone after execution.
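
The set-then-restore behaviour described above leaves registry write telemetry. The following added example (not part of this repository) flags a process that writes two different values to one of the listed registry values within a short window. The record fields (modeled on registry value-set audit events), the 120-second window and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Registry values listed in the README, hive prefix dropped, case-insensitive.
WATCHED = re.compile(
    r"\\(?:software\\microsoft\\windows\\currentversion\\capabilityaccessmanager"
    r"\\consentstore\\location(?:\\nonpackaged\\[^\\]+)?\\value"
    r"|software\\policies\\microsoft\\windows\\locationandsensors"
    r"\\(?:disablelocation|disablewindowslocationprovider)"
    r"|software\\policies\\microsoft\\windows\\appprivacy\\letappsaccesslocation"
    r"|system\\currentcontrolset\\services\\lfsvc\\service\\configuration\\status)$",
    re.IGNORECASE,
)

def find_flip_and_restore(events, window_s=120):
    """Return sorted (image, target, first_value, next_value) tuples where one
    process wrote two different values to a watched target within window_s."""
    writes = defaultdict(list)
    for ev in events:
        if WATCHED.search(ev["target"]):
            writes[(ev["image"].lower(), ev["target"].lower())].append(ev)
    findings = []
    for (image, target), evs in writes.items():
        evs.sort(key=lambda e: e["ts"])
        for first, nxt in zip(evs, evs[1:]):
            if nxt["ts"] - first["ts"] <= window_s and nxt["details"] != first["details"]:
                findings.append((image, target, first["details"], nxt["details"]))
                break
    return sorted(findings)

# Constructed sample records (not real telemetry): ts in seconds, writing
# process image, full value path, and the data written. Field names are assumed.
CS = r"\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location"
HKU = r"HKU\S-1-5-21-0-0-0-1001"
POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy\LetAppsAccessLocation"
HOST, OTHER = r"C:\Constructed\host.exe", r"C:\Constructed\other.exe"
SAMPLE_EVENTS = [
    {"ts": 100, "image": HOST, "target": HKU + CS + r"\Value", "details": "Allow"},
    {"ts": 101, "image": HOST, "target": POLICY, "details": "DWORD (0x00000001)"},
    {"ts": 104, "image": HOST, "target": HKU + CS + r"\Value", "details": "Deny"},
    {"ts": 105, "image": HOST, "target": POLICY, "details": "DWORD (0x00000002)"},
    {"ts": 5000, "image": OTHER, "target": HKU + CS + r"\Value", "details": "Deny"},
    {"ts": 5001, "image": OTHER, "target": r"HKLM\SOFTWARE\Constructed\Value", "details": "x"},
]

if __name__ == "__main__":
    for finding in find_flip_and_restore(SAMPLE_EVENTS):
        print(finding)
```

A restore that writes back the same data that was set (permission already granted beforehand) produces no finding here, so single writes to these values by unexpected processes are worth reviewing separately.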

Self Compilation

  1. git clone the repo
  2. run make

Usage

  1. import the GeoLocationBOF.cna script into Cobalt Strike
  2. use the command geolocation_bof
beacon> geolocation_bof
[*] Running geolocation_bof by (@codex_tf2)
[+] host called home, sent: 30095 bytes
[+] received output:
latitude=12.34567890
longitude=-12.34567890
accuracy_radius_meters=25.00

Notes

  • Windows location services must be available on the target.
  • Location privacy settings, policy, sensors, and provider availability can prevent results.
  • Admin context is required to enable the location permission if not already granted.
  • Temporary registry changes are made to grant location permissions and are restored before the BOF exits.
  • No evasion is performed - apply your own OPSEC

Why did I make this?

This BOF is meant to provide a direct in-process way to request Windows geolocation data.

Credits

Disclaimer

usual disclaimer here, I am not responsible for any crimes against humanity you may commit or nuclear war you may cause using this piece of poorly written code.
