Starred repositories
The ADSyncDump BOF is a port of Dirk-Jan Mollema's adconnectdump.py / ADSyncDecrypt into a Beacon Object File (BOF) with zero dependencies.
A Beacon Object File (BOF) for Havoc/CS to Bypass PPL and Dump Lsass
Injecting DLL into LSASS at boot
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using a DCOM object.
Hijacks code execution via overwriting Control Flow Guard pointers in combase.dll
Identify common EDR processes, directories, and services. Simple BOF of Invoke-EDRChecker.
An example of a client and server using Windows' ALPC functions to send and receive data.
A PICO for Crystal Palace that implements CLR hosting to execute a .NET assembly in memory.
A BOF to retrieve decryption keys for WhatsApp Desktop and a utility script to decrypt the databases.
DLL Exports Extraction BOF with optional NTFS transactions.
Crystal Palace library for proxying Nt API calls via the Threadpool
Alternative Read and Write primitives using Rtl* functions the unintended way.
Beacon Object File (BOF) for Using the BadSuccessor Technique for Account Takeover
Attempting to Hook LSASS APIs to Retrieve Plaintext Credentials
A care package of useful BOFs for red team engagements
PrimitiveInjection by using Read, Write and Allocation Primitives.
EDR & AV Bypass Arsenal: a comprehensive collection of tools, patches, and techniques for evading modern EDR and antivirus defenses.
Extended Process List (Search functionality)