Protections enabled during testing (as of now):
- Compiler stack buffer overrun protection ('/GS-')
- Control Flow Guard (CFG)
| BOF | Use |
|---|---|
| procenum | Finds the PID of a given process name. Requires sufficient privileges to open a handle to the target process object. |
| BOF | Use |
|---|---|
| cookiecrunch | Test Test Test Test Test Test Test . |
| edgelord | Test Test Test Test Test Test Test . |
| BOF | Use |
|---|---|
| tokeninfo_recon | Prints the target process's token attributes, such as TokenSource, TokenType, TokenImpersonationLevel and TokenSessionId. |
| av_edr_enum | Prints artifacts that indicate the presence of security solutions (AV/EDR) on the machine. |
| BOF | Use |
|---|---|
| warbird | Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test . |
| BOF | Use |
|---|---|
| rtcore-elevate2system | Copies the NT AUTHORITY\SYSTEM token of the System process and assigns it to the target process by exploiting the vulnerable RTCore64.sys driver. |
| rtcore-settokenhighprivs | Enables all privileges in the target process's token (sets every privilege bit to 1) by exploiting the vulnerable RTCore64.sys driver. |
| rtcore-setintegritylevel | Raises the integrity level of the target process's token to System by exploiting the vulnerable RTCore64.sys driver. |
| rtcore-unrestricttoken | Removes the SID restrictions from the target process's token, so that access to objects that would otherwise fail with "access denied" succeeds, by exploiting the vulnerable RTCore64.sys driver. |
| rtcore-flipprocprotection | Flips the target process's protection to Protected Process (PP) or Protected Process Light (PPL) by exploiting the vulnerable RTCore64.sys driver. |
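The rtcore-settokenhighprivs entry above describes "setting every privilege to 1". The following is an added example, not code from this repository: a user-mode model of the kernel's `_SEP_TOKEN_PRIVILEGES` structure (three 64-bit bitmaps, `Present`, `Enabled` and `EnabledByDefault`, where bit N stands for the privilege whose LUID low part is N) that contrasts what user mode can do through `AdjustTokenPrivileges` with what an arbitrary kernel write does. The sample token contents are constructed, the `set_all_privileges_kernelwrite` mask is an assumption (the page does not say which exact value the BOF writes), and the offset of this structure inside `_TOKEN`, which varies per Windows build, is deliberately not modelled.

```c
/* Added example, not the repository's code: models _SEP_TOKEN_PRIVILEGES
 * and the difference between a user-mode privilege adjust and a kernel write. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint64_t Present;           /* privileges the token holds at all        */
    uint64_t Enabled;           /* privileges currently switched on         */
    uint64_t EnabledByDefault;  /* privileges enabled when the token is made */
} SEP_TOKEN_PRIVILEGES;

/* Well-known privilege LUID low parts (SE_*_PRIVILEGE constants in winnt.h). */
enum {
    SE_TCB_PRIVILEGE            = 7,
    SE_LOAD_DRIVER_PRIVILEGE    = 10,
    SE_BACKUP_PRIVILEGE         = 17,
    SE_RESTORE_PRIVILEGE        = 18,
    SE_SHUTDOWN_PRIVILEGE       = 19,
    SE_DEBUG_PRIVILEGE          = 20,
    SE_CHANGE_NOTIFY_PRIVILEGE  = 23,
    SE_UNDOCK_PRIVILEGE         = 25,
    SE_IMPERSONATE_PRIVILEGE    = 29,
    SE_INC_WORKING_SET_PRIVILEGE= 33,
    SE_TIME_ZONE_PRIVILEGE      = 34,
    SE_MAX_WELL_KNOWN_PRIVILEGE = 36,
};

static uint64_t priv_bit(unsigned luid) { return (uint64_t)1 << luid; }

/* A privilege is usable only when it is both Present and Enabled. */
int privilege_usable(const SEP_TOKEN_PRIVILEGES *t, unsigned luid) {
    return (t->Present & t->Enabled & priv_bit(luid)) != 0;
}

/* User-mode path (AdjustTokenPrivileges): can only enable a privilege the
 * token already holds; otherwise the call reports ERROR_NOT_ALL_ASSIGNED. */
int enable_privilege_usermode(SEP_TOKEN_PRIVILEGES *t, unsigned luid) {
    if (!(t->Present & priv_bit(luid))) return 0;
    t->Enabled |= priv_bit(luid);
    return 1;
}

/* Kernel-write path: overwrite the bitmaps directly, no Present check.
 * Assumption for this example: mask covers the defined LUID range 2..36. */
void set_all_privileges_kernelwrite(SEP_TOKEN_PRIVILEGES *t) {
    uint64_t all = 0;
    for (unsigned l = 2; l <= SE_MAX_WELL_KNOWN_PRIVILEGE; l++) all |= priv_bit(l);
    t->Present = all;
    t->Enabled = all;
}

unsigned count_usable(const SEP_TOKEN_PRIVILEGES *t) {
    uint64_t m = t->Present & t->Enabled;
    unsigned c = 0;
    while (m) { c += (unsigned)(m & 1); m >>= 1; }
    return c;
}

/* Constructed sample: the usual privilege set of a standard, medium-integrity
 * user token (five present, only SeChangeNotifyPrivilege enabled). */
SEP_TOKEN_PRIVILEGES sample_user_token(void) {
    SEP_TOKEN_PRIVILEGES t = {0, 0, 0};
    t.Present = priv_bit(SE_SHUTDOWN_PRIVILEGE) | priv_bit(SE_CHANGE_NOTIFY_PRIVILEGE) |
                priv_bit(SE_UNDOCK_PRIVILEGE) | priv_bit(SE_INC_WORKING_SET_PRIVILEGE) |
                priv_bit(SE_TIME_ZONE_PRIVILEGE);
    t.Enabled = priv_bit(SE_CHANGE_NOTIFY_PRIVILEGE);
    t.EnabledByDefault = t.Enabled;
    return t;
}

/* Small wrappers so the before/after values can be checked directly. */
unsigned demo_usable_before(void) {
    SEP_TOKEN_PRIVILEGES t = sample_user_token();
    return count_usable(&t);
}
int demo_usermode_enable_debug(void) {
    SEP_TOKEN_PRIVILEGES t = sample_user_token();
    return enable_privilege_usermode(&t, SE_DEBUG_PRIVILEGE);
}
unsigned demo_usable_after_kernel_write(void) {
    SEP_TOKEN_PRIVILEGES t = sample_user_token();
    set_all_privileges_kernelwrite(&t);
    return count_usable(&t);
}
int demo_debug_after_kernel_write(void) {
    SEP_TOKEN_PRIVILEGES t = sample_user_token();
    set_all_privileges_kernelwrite(&t);
    return privilege_usable(&t, SE_DEBUG_PRIVILEGE);
}

int main(void) {
    printf("usable before: %u, user-mode enable SeDebug: %d\n",
           demo_usable_before(), demo_usermode_enable_debug());
    printf("usable after kernel write: %u, SeDebug usable: %d\n",
           demo_usable_after_kernel_write(), demo_debug_after_kernel_write());
    return 0;
}
```

The point the model makes is that a user-mode `AdjustTokenPrivileges` call cannot add privileges that are absent from `Present`, while a write into the token's bitmaps sidesteps that check entirely; on a live system the same change is visible from user mode afterwards as `whoami /priv` suddenly listing every privilege as enabled.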
| BOF | Use |
|---|---|
| processinjection | Executes the classic process injection technique through mapped sections (a section object mapped into both the local and the target process). |
| BOF | Use |
|---|---|
| dpapi-regsearch | Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test . |
| BOF | Use |
|---|---|
| pers-runkeys | Establishes persistence through the registry Run keys. |
| BOF | Use |
|---|---|
| fodhelper | The "fodhelper UAC bypass" is a well-known Windows privilege-escalation technique that abuses the auto-elevating Microsoft binary fodhelper.exe (through the HKCU\Software\Classes\ms-settings\Shell\Open\command key) to bypass the normal User Account Control (UAC) prompt. |
| BOF | Use |
|---|---|
| dns-ptr | Delivers a payload into the target process's memory, fetching it through DNS PTR record resolution. |
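To make the PTR delivery channel concrete, here is an added example that is not code from this repository or the BOF: it models both ends of the channel, the server side that splits a payload into PTR target names, and the client side that reassembles the payload from answers that may arrive in any order and refuses to proceed on a missing chunk. The naming scheme (`<seq>.<hex>.<base>`), the `p.example.internal` base domain, the chunk size and the demo payload are all assumptions made for this example; the page does not describe the BOF's real wire format. The one constraint that is not an assumption is the 63-octet DNS label limit, which is what bounds the chunk size.

```c
/* Added example, not the repository's code: payload <-> DNS PTR names. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LABEL_MAX   63                 /* RFC 1035 label limit in octets        */
#define CHUNK_BYTES (LABEL_MAX / 2)    /* 31 payload bytes -> 62 hex chars       */
#define NAME_MAX    254
#define MAX_RECORDS 64
#define BASE_DOMAIN "p.example.internal"   /* assumption for this example      */

typedef char ptr_name[NAME_MAX];

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Server side: turn the payload into PTR target names "<seq>.<hex>.<base>".
 * Returns the number of records produced. */
size_t build_ptr_records(const uint8_t *payload, size_t len, ptr_name *out, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off < len && n < max; off += CHUNK_BYTES, n++) {
        size_t take = (len - off < CHUNK_BYTES) ? len - off : CHUNK_BYTES;
        int pos = snprintf(out[n], NAME_MAX, "%zu.", n);
        for (size_t i = 0; i < take; i++)
            pos += snprintf(out[n] + pos, NAME_MAX - pos, "%02x", payload[off + i]);
        snprintf(out[n] + pos, NAME_MAX - pos, ".%s", BASE_DOMAIN);
    }
    return n;
}

/* Client side: parse one PTR answer into (seq, bytes). Returns 0 if malformed. */
static int parse_record(const char *name, size_t *seq, uint8_t *buf, size_t *n) {
    char *end;
    unsigned long s = strtoul(name, &end, 10);
    if (end == name || *end != '.') return 0;
    const char *hex = end + 1;
    const char *dot = strchr(hex, '.');
    if (!dot || (dot - hex) % 2 || (dot - hex) > LABEL_MAX) return 0;
    if (strcmp(dot + 1, BASE_DOMAIN) != 0) return 0;   /* wrong zone: ignore */
    *n = (size_t)(dot - hex) / 2;
    for (size_t i = 0; i < *n; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return 0;
        buf[i] = (uint8_t)((hi << 4) | lo);
    }
    *seq = (size_t)s;
    return 1;
}

/* Reassemble from answers in arbitrary order. Returns the payload length, or 0
 * if any chunk is missing, duplicated, malformed or would overflow out[]. */
size_t reassemble(ptr_name *recs, size_t count, uint8_t *out, size_t max) {
    uint8_t seen[MAX_RECORDS] = {0};
    size_t lens[MAX_RECORDS] = {0};
    size_t total = 0, highest = 0;
    if (count == 0) return 0;
    for (size_t i = 0; i < count; i++) {
        size_t seq, n;
        uint8_t tmp[CHUNK_BYTES];
        if (!parse_record(recs[i], &seq, tmp, &n) || seq >= MAX_RECORDS || seen[seq]) return 0;
        if (seq * CHUNK_BYTES + n > max) return 0;
        memcpy(out + seq * CHUNK_BYTES, tmp, n);
        seen[seq] = 1; lens[seq] = n; total += n;
        if (seq > highest) highest = seq;
    }
    /* Every sequence number below the highest must be present and full-size;
     * only the last chunk may be short. Otherwise the payload is truncated. */
    for (size_t s = 0; s < highest; s++)
        if (!seen[s] || lens[s] != CHUNK_BYTES) return 0;
    return total;
}

/* Constructed demonstration payload (63 bytes, so three records: 31+31+1). */
static const uint8_t demo_payload[] =
    "constructed demo payload: 0123456789 abcdefghijklmnopqrstuvwxyz";

/* Round trip with the answers delivered in reverse order; returns 63 on success. */
size_t demo_roundtrip(void) {
    ptr_name recs[MAX_RECORDS], shuffled[MAX_RECORDS];
    uint8_t out[256];
    size_t len = sizeof demo_payload - 1;
    size_t n = build_ptr_records(demo_payload, len, recs, MAX_RECORDS);
    for (size_t i = 0; i < n; i++) memcpy(shuffled[i], recs[n - 1 - i], NAME_MAX);
    size_t got = reassemble(shuffled, n, out, sizeof out);
    return (got == len && memcmp(out, demo_payload, len) == 0) ? got : 0;
}

/* Drop the first answer: the client must fail rather than use a truncated payload. */
size_t demo_missing_chunk(void) {
    ptr_name recs[MAX_RECORDS];
    uint8_t out[256];
    size_t len = sizeof demo_payload - 1;
    size_t n = build_ptr_records(demo_payload, len, recs, MAX_RECORDS);
    return reassemble(recs + 1, n - 1, out, sizeof out);
}

int main(void) {
    printf("roundtrip bytes: %zu, missing-chunk result: %zu\n",
           demo_roundtrip(), demo_missing_chunk());
    return 0;
}
```

For defenders, the observable side of this channel is the same regardless of scheme: a burst of PTR queries from one host answered with unusually long, hex-looking target names under a single zone, which is cheap to flag in resolver logs.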
| BOF | Use |
|---|---|
| BlindingEventLog | Interacts with the Event Log service process to suspend logging. |
| EPPFirewallBlock | Blocks endpoint protection telemetry destined for its server by adding a Windows Firewall rule. |
| SysmonUnload | Unloads the Sysmon driver, disabling its endpoint telemetry. |
| windef-disable | Disables Windows Defender via registry modification. |
| BOF | Use |
|---|---|
| ransomware-sim-bof | Executes a ransomware simulation against a proof-of-concept file that has the most restrictive access control. |
DISCLAIMER: These beacon object files are re-creations and analyses of already known techniques. None of the techniques discussed are novel; they have been publicly known and documented by the security research community for many years, and credit is given throughout to the researchers and projects that developed them. The creators and contributors of this repository accept no liability for any loss, damage, or consequences resulting from the use of the information or code contained in this repo. By utilizing this repo, you acknowledge and accept full responsibility for your actions. Use at your own risk.