Collection of Beacon Object Files (BOF) for Cobalt Strike

Various BOF collection

Name               Description
----               -----------
ChromiumKeyDump    BOF implementation of the Chlonium tool to dump the Chrome/Edge Masterkey and download the Cookie/Login Data files
Sleeper            BOF that calls the SetThreadExecutionState function to prevent the host from sleeping

How to compile:

  • Visual Studio:
      x86:
        "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars32.bat"
        cl.exe /c /GS- /TP BOF.cpp /FoBOF.o

      x64:
        "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat"
        cl.exe /c /GS- /TP BOF.cpp /FoBOF.x64.o
  • MinGW:
      x86: i686-w64-mingw32-gcc -c BOF.cpp -o BOF.o
      x64: x86_64-w64-mingw32-gcc -c BOF.cpp -o BOF.x64.o

After compiling, place the object files (.o) into the bin folder and load the (.cna) files to Cobalt Strike.

ChromiumKeyDump

Usage:

chromiumkeydump [edge|chrome] [argument(required)]
               Arguments      Description
               ---------      -----------
               masterkey      Dump Masterkey
               cookies        Download Chrome Cookies file
               logindata      Download Chrome Login Data file
               all            Dump Masterkey and download files

References:

https://github.com/rxwx/chlonium

Sleeper

Usage:

sleeper [argument(required)]
               Arguments      Description
               ---------      -----------
               off            Set the `ES_CONTINUOUS` flag and return to Default state
               on             Set the `ES_SYSTEM_REQUIRED` flag to prevent the Sleep
               force          Set the `ES_SYSTEM_REQUIRED|ES_AWAYMODE_REQUIRED` flags to prevent the Sleep, 
                              even if the Sleep button is pressed

References:

https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-setthreadexecutionstate
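
A defender-side check for the `on` and `force` modes, added here as an example and not part of this repository: on Windows, `powercfg /requests` (run elevated) lists the processes, drivers and services holding power requests. The Python below parses a constructed sample of that output and reports processes outside a hypothetical allowlist, assuming a persistent execution-state request appears under the SYSTEM or AWAYMODE section attributed to the process that made the call.

```python
import re

# Constructed sample of `powercfg /requests` output (not captured from a real host).
SAMPLE = r"""DISPLAY:
None.

SYSTEM:
[DRIVER] High Definition Audio Device (HDAUDIO\FUNC_01)
An audio stream is currently in use.
[PROCESS] \Device\HarddiskVolume3\Windows\System32\notepad.exe

AWAYMODE:
[PROCESS] \Device\HarddiskVolume3\Windows\System32\notepad.exe
"""

# Hypothetical allowlist: binaries expected to keep this host awake.
EXPECTED = {"vlc.exe", "teams.exe"}

def parse_requests(text):
    """Return {section: [[kind, requester, reason], ...]} from powercfg output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "None.":
            continue
        header = re.fullmatch(r"([A-Z]+):", line)
        entry = re.fullmatch(r"\[(\w+)\]\s+(.+)", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif entry and current:
            sections[current].append([entry.group(1), entry.group(2), ""])
        elif current and sections[current]:
            sections[current][-1][2] = line  # free-text reason under an entry
    return sections

def unexpected_process_requests(text, watch=("SYSTEM", "AWAYMODE")):
    """List (section, image path) for processes not on the allowlist."""
    sections = parse_requests(text)
    hits = []
    for name in watch:
        for kind, requester, _reason in sections.get(name, []):
            image = requester.rsplit("\\", 1)[-1].lower()
            if kind == "PROCESS" and image not in EXPECTED:
                hits.append((name, requester))
    return hits
```

Because a BOF runs inside the Beacon process, any such request is attributed to whatever image hosts the Beacon, so an unexpected image name in these sections is the signal to follow up on.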

Similar Resources

Cobalt Strike BOF Files with Nim!

BOF-Nim oh yeah baby I have an inkling it's possible, right now the problem seems to be getting the go function to be present in the Symbol table. No

Dec 24, 2022

Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.

Cobalt Strike BOF - Inject AMSI Bypass Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. Running inje

Dec 28, 2022

SPAWN - Cobalt Strike BOF

Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.

Dec 1, 2022

Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes

HalosGate Processlist Cobalt Strike BOF Cobalt Strike Beacon Object File (BOF) that uses a custom HalosGate & HellsGate syscaller, written in assembly

Nov 9, 2022

Section Mapping Process Injection (secinject): Cobalt Strike BOF

Section Mapping Process Injection (secinject): Cobalt Strike BOF Beacon Object File (BOF) that leverages Native APIs to achieve process injection thro

Dec 16, 2022

Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions

xPipe Cobalt Strike BOF (x64) Cobalt Strike Beacon Object File (BOF) to list active Pipes & return their Owner & Discretionary Access Control List (DA

Nov 9, 2022

Collection of Beacon Object Files

Beacon Object Files Name Syntax ETW Patching etw stop / etw start API Function Utility read_function / check_function / patch_function dll_path fun

Dec 27, 2022

Beacon Object File (BOF) for remote process injection via thread hijacking

cThreadHijack

Dec 28, 2022

Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR

Detect-Hooks Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will r

Dec 25, 2022

Collection of BOFs for Cobalt Strike

Jul 27, 2022

Load and execute COFF files and Cobalt Strike BOFs in-memory

COFFLoader2 This repo contains the source code of a Common Object File Format (COFF) loader, which is a rewrite of the research and implementation don

Dec 22, 2022

A BOF for enumerating version information for DLLs associated with a Beacon process.

DLL Image Resource Version Enumeration BOF What is this? This is a Cobalt Strike BOF file (a mildly massaged port of @N4k3dTurtl3's existing PoC , mea

Nov 5, 2022

Free, open-source, cross-platform agent and post-exploitation tool written in Golang and C++, with architecture and usage like Cobalt Strike

Khepri Free, open-source, cross-platform agent and post-exploitation tool written in Golang and C++ Description Khepri is a Cross-platform agent, the archi

Jan 3, 2023

Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

Cobalt Strike User-Defined Reflective Loader Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. B

Jan 3, 2023

EVA3: using hellsgate in EVA to get the syscalls [tested with cobalt strike 4.3]

EVA3: using hellsgate in EVA to get the syscalls [tested with cobalt strike 4.3] note that i dont claim that the idea is mine, this repo is probably

Oct 29, 2022

Undetectable Loader for Cobalt Strike Using Syscalls And A External Shellcode

Hellsgate Undetectable Loader for Cobalt Strike Using Syscalls And A External Shellcode Features: Using Syscalls from Hellsgate tech loading the shell

Nov 5, 2021

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors".

COBALT STRIKE 4.4 Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as "adversary simulation software designed to exe

Aug 21, 2022

A Visual Studio template used to create Cobalt Strike BOFs

Introduction Cobalt Strike beacon object files (BOFs) is a feature that added to the beacon in order to allow rapid beacon extendibility in a more OPS

Dec 28, 2022

BokuLoader - Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

BokuLoader - Cobalt Strike Reflective Loader Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. B

Dec 31, 2022
Comments
  • chromiumkeydump masterkey

    chromiumkeydump master key outputs nothing.

    Cookies are working and login data is OK, but dump masterkey outputs only the banner for the command. Any help, please?

  • Errors when compiling with mingw

    Hi,

    I tried compiling with the command you have in your README: x86_64-w64-mingw32-gcc -c ChromiumKeyDump.cpp -o ChromiumKeyDump.x64.o

    But get the below error. Anything I should change?

  • Option of specific path on ChromiumKeyDump

    In a recent experience, I encountered a situation where the Chrome folder was not located in %localappdata% but on a mounted drive, so the current implementation could not extract the Masterkey. In the Chlonium tool, the path to the Local State key can be specified in order to handle this case, so I wonder if this feature could be added to this BOF too. I can submit a PR if you are happy with this.

A collection of single-file C libraries. (generic containers, random number generation, argument parsing and other functionalities)

cauldron A collection of single-file C libraries and tools with the goal to be portable and modifiable. Libraries library description arena-allocator.

Dec 29, 2022
Collection of beacon object files for use with Cobalt Strike to facilitate 🐚.

Beacon Object Files Name Syntax MiniDumpWriteDump minidumpwritedump <PID> <path_of_dmp?> MiniDumpWriteDump BOF (64-bit only) Custom implementation of

Dec 28, 2022
A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific loaded modules or process handles.

FindObjects-BOF A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process

Dec 28, 2022
A Beacon Object File (BOF) for Cobalt Strike which uses direct system calls to enable WDigest credential caching.

WdToggle A Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Creden

Dec 3, 2022
Cobalt Strike Beacon Object File (BOF) that takes the name of a PE file as an argument and spawns the process in a suspended state

Beacon Object File (BOF) that spawns an arbitrary process from Beacon's memory. Supports Parent Process ID (PPID) spoofing and blocking non-MS-signed DLLs (some EDR DLLs) from loading into the process's memory.

Dec 1, 2022
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.

Cobalt Strike "Where Am I?" Beacon Object File Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environmen

Nov 30, 2022
This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike

BOF Template This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike. A Beacon Object File (B

Nov 9, 2022
CredBandit - Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel

CredBandit CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process a

Dec 25, 2022
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

Dec 28, 2022
Dec 26, 2022