/BofAllTheThings

Creating a repository with all public Beacon Object Files (BoFs)

BofAllTheThings

Creating a repository with all public Beacon Object Files (BoFs)

The idea is to collect all the Beacon Object Files (BoF ) projects that are out there (similar to my SharpAllTheThings project) that can be used in Cobalt Strike as inline execute command. Credit the name to the amazing PayloadAllTheThings github repo (https://github.com/swisskyrepo/PayloadsAllTheThings)

BOF Collections

  1. TrustedSec BOFS
    • BOFS - arp, adcs_enum, adcs_enum_com, adcs_enum_com2, adv_audit_policies, cacls, dir, driversigs, enum_filter_driver, enumLocalSessions, env, findLoadedModule, get_password_policy, ipconfig, ldapsearch, listdns, listmods, listpipes, netstat, netuser, netuse_add, netuse_delete, netuse_list, netview, netGroupList, netGroupListMembers, netLocalGroupList, netLocalGroupListMembers, nslookup, reg_query, reg_query_recursive, routeprint, schtasksenum, schtasksquery, sc_enum, sc_qc, sc_qfailure, sc_qtriggerinfo, sc_query, sc_qdescription, tasklist, whoami, windowlist, wmi_query, netsession, resources, uptime, vssenum, adcs_request, chromeKey, enableuser, procdump, ProcessDestroy, ProcessListHandles, reg_delete, reg_save, reg_set, sc_config, sc_create, sc_delete, sc_description, sc_start, sc_stop, schtaskscreate, schtasksdelete, schtasksstop, setuserpass, shspawnas
    • Credit - https://twitter.com/ajpc500
    • Link - https://github.com/trustedsec/CS-Situational-Awareness-BOF and https://github.com/trustedsec/CS-Remote-OPs-BOF
  2. ajpc500 BOFs Collection
    • BOFS - ETW Patching, Syscalls shellcode injection, API Function Utility, Spawn and Syscalls Shellcode Injection, Spawn and Syscalls Shellcode Injection (NtQuereApcThread), Static Syscalls Shellcode Injection, Static syscalls Process Dump, curl
    • Credit - https://twitter.com/ajpc500
    • Link - https://github.com/ajpc500/BOFs
  3. Riccardo Ancarani BOFs Collection
  4. rvrsh3ll BOFs Collection
  5. Outflank BOFs Collection
  6. REDMED-X - OperatorsKit
    • BOFS - BlindEventlog, DllEnvHijacking, FindDotnet, FindHandle, FindLib, FindRWX, FindSysmon, HideFile, LoadLib, PSremote, SilenceSysmon
    • Credit - Unknown at the moment
    • Link - https://github.com/REDMED-X/OperatorsKit

Execution

  1. tgtdelegation - obtain a usable TGT for the current user and does not require elevated privileges on the host
  2. BOF.NET - A .NET Runtime for Cobalt Strike's Beacon Object Files
  3. InlineExecute-Assembly - proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module
  4. Inject-assembly - Execute .NET in an Existing Process. This tool is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.

Situational Awareness

  1. FindObjects-BOF - A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles.
  2. DLL Image Resource Version Enumeration BOF - As the name suggest
  3. Firewall_Enumerator_BOF - This is meant as a supplement to interact with the Windows firewall via COM interfaces.
  4. Process Protection Level Enumerator BOF - A Syscall-only BOF file intended to grab process protection attributes, limited to a handful that Red Team operators and pentesters would commonly be interested in.
  5. xPipe - Cobalt Strike Beacon Object File (BOF) to list active Pipes & return their Owner & Discretionary Access Control List (DACL) permissions.
  6. WhereAmiI - Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.
  7. Readfile - As the name suggests
  8. ChromiumKeyDump - BOF implementation of Chlonium tool to dump Chrome/Edge Masterkey and download Cookie/Login Data files
  9. LdapSignCheck - Beacon Object File to scan a Domain Controller to see if LdapEnforceChannelBinding or LdapServerIntegrity has been modified to mitigate against relaying attacks.
  10. ScreenshotBOF - An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.

Persistence

Privilege Escalation

  1. kernel-mii - Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551.
  2. amd-ryzen-master-driver-v17-exploit - Cobalt Strike (CS) Beacon Object File (BOF) for kernel exploitation using AMD's Ryzen Master Driver (version 17).

Defense Evasion

  1. WdToggle - A Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Credential Guard (if enabled).
  2. InlineWhispers2 - Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2.
  3. HOLLOW - Beacon Object File (BOF) that spawns an arbitrary process from beacons memory in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode; using the Early Bird injection
  4. secinject - Beacon Object File (BOF) that leverages Native APIs to achieve process injection through memory section mapping.
  5. unhook-bof - This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research.
  6. Self_Deletion_BOF - BOF implementation of the research by @jonasLyk for executable self deletion.
  7. Toggle_Token_Privileges_BOF - An (almost) syscall-only BOF file intended to either add or remove token privileges within the context of your current process.
  8. Inject ETW Bypass - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)
  9. Inject AMSI Bypass - Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
  10. Trusted Path UAC Bypass - Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.
  1. Detect-Hooks - Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR
  1. Defender Exclusions BOF - A BOF to determine Windows Defender exclusions.
  2. ASRenum-BOF - Cobalt Strike BOF that identifies Attack Surface Reduction (ASR) rules, actions, and exclusion locations.
  3. CobaltWhispers - CobaltWhispers is an aggressor script that utilizes a collection of Beacon Object Files (BOF) for Cobalt Strike to perform process injection, persistence and more, leveraging direct syscalls (SysWhispers2) to bypass EDR/AV.

Credential Access

  1. Cobalt-Clip - Cobalt-Clip is clipboard add-on for Cobalt Strike to interact with the victim's clipboard. With Cobalt-Clip you can dump, edit and monitor the content of a clipboard.
  2. PPLDump BOF - A fully-fledged BOF to dump an arbitrary protected process.
  3. NoteThief - Grab unsaved Notepad contents with a Beacon Object File
  4. CredManBOF - dumping the credential manager by abusing the SeTrustedCredmanAccess Privilege
  5. CredBandit - redBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon
  6. BofRoast - Beacon Object File repo for roasting Active Directory
  7. Silent Lsass Dump - Dump Lsass using Slient Process method
  8. aad_prt - extract Azure AD PRT tokens

Lateral Movement

  1. DCOM Lateral Movement - quick PoC that uses DCOM (ShellWindows) via beacon object files for lateral movement.
  2. WMI Lateral Movement - quick PoC that uses WMI (Win32_Process and Event Subscription) via beacon object files for lateral movement.
  3. ServiceMove-BOF - Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking
  4. DelegationBOF - This tool uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks.
  5. RDPHijack-BOF - Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking.

Exfiltration

Other Projects

  1. DLL Exports Extraction BOF - As the name suggests
  2. DLL Hijack Search Order BOF - As the name suggests
  3. PE Import Enumerator BOF - As the name suggests
  4. Sleeper - BOF to call the SetThreadExecutionState function to prevent host from Sleeping

BOF Builders

  1. BOF Template - This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike.
  2. BOF-Builder - C# .Net 5.0 project to build BOF (Beacon Object Files) in mass based on them all being in a folder directory struct somewhere.
  3. Visual-Studio-BOF-template - baseline template that can be reused to develop BOFs with Visual Studio without having to worry about dynamic function resolution syntax, stripping symbols, compiler configurations, C++ name mangling, or unexpected runtime errors
  4. BOF Creation Helper - I knocked together this script to make the process of making BOFs slightly easier.

BOF in Other Lang

  1. Invoke-Bof - Load any Beacon Object File using Powershell!
  2. BOF-Nim