https://github.com/zer0yu/awesome-cobaltstrike
List of Awesome CobaltStrike Resources
- Host: GitHub
- URL: https://github.com/zer0yu/awesome-cobaltstrike
- Owner: zer0yu
- Created: 2020-08-15T09:10:13.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2023-09-20T12:55:32.000Z (over 2 years ago)
- Last Synced: 2024-05-22T04:15:17.649Z (about 2 years ago)
- Topics: cobalt-strike, redteam, security
- Homepage: https://github.com/zer0yu/Awesome-CobaltStrike
- Size: 252 KB
- Stars: 3,836
- Watchers: 102
- Forks: 714
- Open Issues: 0
# Awesome CobaltStrike  
### Contents
- [0x00 Introduction](#0x00-introduction)
- [0x01 Articles & Videos](#0x01-articles--videos)
- [1. Basic Knowledge](#1-basic-knowledge)
- [2. Crack and Customisation](#2-crack-and-customisation)
- [3. Useful Trick](#3-useful-trick)
- [4. CobaltStrike Hide](#4-cobaltstrike-hide)
- [5. CobaltStrike Analysis](#5-cobaltstrike-analysis)
- [6. CobaltStrike Video](#6-cobaltstrike-video)
- [0x02 C2 Profiles](#0x02-c2-profiles)
- [0x03 BOF](#0x03-bof)
- [0x04 Aggressor Script](#0x04-aggressor-script)
- [0x05 Related Tools](#0x05-related-tools)
- [0x06 Related Resources](#0x06-related-resources)
### 0x00 Introduction
1. The first part is a collection of quality articles about CobaltStrike.
2. The third part collects resources for the new BOF feature.
3. This project aims to solve the problem of not being able to find the right aggressor script or BOF when it is needed.
4. If quality content is not covered in this repo, pull requests are welcome.
### 0x01 Articles & Videos
#### 1. Basic Knowledge
1. [Cobalt_Strike_wiki](https://github.com/aleenzz/Cobalt_Strike_wiki)
2. [Cobalt Strike Book](https://wbglil.gitbook.io/cobalt-strike/)
3. [CobaltStrike 4.0 Notes](https://github.com/Snowming04/CobaltStrike4.0_related)
4. [Collection of Online Articles about CobaltStrike](https://4hou.win/wordpress/?cat=306)
5. [Cobalt Strike External C2: How It Works](http://blog.leanote.com/post/snowming/50448511de58)
6. [Fixing Cobalt Strike Desktop Control Problems (and Post-Exploitation Tools Such as Screenshots)](http://blog.leanote.com/post/snowming/32fabf2deae1)
7. [Cobalt Strike & MetaSploit Interoperation](http://blog.leanote.com/post/snowming/43cef4b64cbd)
8. [Cobalt-Strike-CheatSheet](https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet)
9. [Cobalt Strike MITRE TTPs](https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence)
10. [Red Team Operations with Cobalt Strike (2019)](https://github.com/martabyte/Red-Team-Ops/blob/main/Red-Team-Ops.md)
11. [Cobalt Strike: Overview](https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/)
12. [CobaltStrike Plugin Development](https://t.zsxq.com/04RfYVNzb)
13. [Cobalt Strike Chinese Wiki](https://github.com/XXC385/Cobalt-Strike-Start)
#### 2. Crack and Customisation
1. [Modifying cobaltstrike with IntelliJ IDEA](https://pingmaoer.github.io/2020/06/08/IntelliJ-IDEA修改cobaltstrike/)
2. [Preparing a CobaltStrike Secondary Development Environment](https://pingmaoer.github.io/2020/06/24/CobaltStrike二次开发环境准备/)
3. [Cobalt Strike Custom OneLiner](https://evi1cg.me/archives/Custom_Oneliner.html)
4. [Building Post-Exploitation Modules with Reflective DLL Injection (Lesson 1)](https://payloads.online/archivers/2020-03-02/1)
5. [Cobalt Strike Aggressor Script (Lesson 1)](https://payloads.online/archivers/2020-03-02/4)
6. [Cobalt Strike Aggressor Script (Lesson 2)](https://payloads.online/archivers/2020-03-02/5)
7. [Implementing Syscalls In The Cobaltstrike Artifact Kit](https://br-sn.github.io/Implementing-Syscalls-In-The-CobaltStrike-Artifact-Kit/)
8. [Cobalt Strike 4.0 Authentication and Patching Process](https://xz.aliyun.com/t/8557)
9. [Arming Your CobaltStrike with ReflectiveDLLInjection](https://mp.weixin.qq.com/s/-Inh6uWV9YCz0zQYfitceA)
10. [Bypass cobaltstrike beacon config scan](https://mp.weixin.qq.com/s/fhcTTWV4Ddz4h9KxHVRcnw)
11. [Tailoring Cobalt Strike on Target](https://blog.xpnsec.com/tailoring-cobalt-strike-on-target/)
12. [COFFLOADER: BUILDING YOUR OWN IN MEMORY LOADER OR HOW TO RUN BOFS](https://www.trustedsec.com/blog/coffloader-building-your-own-in-memory-loader-or-how-to-run-bofs/)
13. [Yet Another Cobalt Strike Stager: GUID Edition](https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/)
14. [Cobalt Strike 4.3 Cracking Diary](https://blog.pr0ph3t.com/posts/Cobalt-Strike4.3%E7%A0%B4%E8%A7%A3%E6%97%A5%E8%AE%B0/)
15. [Cobalt Strike Process Creation and Analysis of the Corresponding Syslog Logs](https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/)
16. [Behind the Mask: Spoofing Call Stacks Dynamically with Timers](https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers/)
#### 3. Useful Trick
1. [Cobalt Strike Spear Phish](https://evi1cg.me/archives/spear_phish.html)
2. [run CS in win -- teamserver.bat](https://evi1cg.me/archives/teamserver.html)
3. [Remote NTLM relaying through CS -- related to CVE_2018_8581](https://evi1cg.me/archives/Remote_NTLM_relaying_through_CS.html)
4. [Cobalt Strike Covert VPN](http://blog.leanote.com/post/snowming/82b418239c13)
5. [Pentest Tool CS 3.14: Setup, Usage and Traffic Analysis](https://mp.weixin.qq.com/s/DG87HFrwHf25_M2Dnfdx3g)
6. [Generating AV-Evading Shellcode with CobaltStrike](https://mp.weixin.qq.com/s/G1hmsDVTO2208Ymlia_ggQ)
7. [CS-notes](https://github.com/kluo84/CS-notes) -- a series of notes on CS usage tips
8. [Post-Exploitation of Linux Hosts with Cobalt Strike](http://blog.leanote.com/post/snowming/c34f9defe00c)
9. [Cobalt Strike Listener with Proxy](http://blog.leanote.com/post/snowming/2ec80f7823e0)
10. [Cobalt Strike Covert VPN](http://blog.leanote.com/post/snowming/82b418239c13)
11. [CS 4.0 SMB Beacon](http://blog.leanote.com/post/snowming/8b7ce0f84c03)
12. [Cobalt Strike Browser Pivoting Attack](http://blog.leanote.com/post/snowming/4e07af1cab60)
13. [Bypass UAC in Cobalt Strike](http://blog.leanote.com/post/snowming/b6f671477095)
14. [Exploring Cobalt Strike's ExternalC2 Framework Together](https://www.anquanke.com/post/id/103395/)
15. [A Deep Dive into Cobalt Strike's ExternalC2 Framework](https://xz.aliyun.com/t/2239)
16. [Investigating Cobalt Strike's Special Feature (external_C2)](https://www.anquanke.com/post/id/86980/)
17. [A tale of .NET assemblies, cobalt strike size constraints, and reflection](https://redteamer.tips/a-tale-of-net-assemblies-cobalt-strike-size-constraints-and-reflection/)
18. [AppDomain.AssemblyResolve](https://offensivedefence.co.uk/posts/assembly-resolve/)
19. [Building a Proxy from a Webshell to Bring Non-Internet-Facing Intranet Machines Online](https://mp.weixin.qq.com/s/mNCROss5pa4rkrWIIfjVfQ)
20. [Making Direct System Calls in Cobalt Strike BOFs](https://mp.weixin.qq.com/s/TLyQOupzep1BN7_nbjCXeQ)
21. [Using Direct Syscalls in Cobalt Strike's Artifact Kit](https://www.youtube.com/watch?v=mZyMs2PP38w&feature=youtu.be&ab_channel=RaphaelMudge)
22. [Cobalt Strike Staging and Extracting Configuration Information](https://blog.securehat.co.uk/cobaltstrike/extracting-config-from-cobaltstrike-stager-shellcode)
23. [Create a proxy DLL with artifact kit](https://www.cobaltstrike.com/blog/create-a-proxy-dll-with-artifact-kit/)
24. [Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons](https://isc.sans.edu/forums/diary/Attackers+are+abusing+MSBuild+to+evade+defenses+and+implant+Cobalt+Strike+beacons/28180/#comments)
25. [Lateral Movement with LiquidSnake](https://tw1sm.github.io/2021-09-13-liquidsnake/)
26. [CoffLoader from OtterHacker](https://otterhacker.github.io/Malware/CoffLoader.html#introduction)
#### 4. CobaltStrike Hide
1. [Modifying CobaltStrike Certificates to Evade Traffic Inspection](https://mp.weixin.qq.com/s/sYfvD0XQqi6BFw70_jrv5Q)
2. [CS Legitimate Certificate + Powershell to Bring a Beacon Online](http://blog.leanote.com/post/snowming/6a724671de78)
3. [Hiding the Cobalt Strike Team Server](http://blog.leanote.com/post/snowming/d5d2b4ba20d0)
4. [Red Team Infrastructure: Hiding Your C2 Server](https://xz.aliyun.com/t/4509)
5. [Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite](https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/)
6. [An In-Depth Study of Cobalt Strike Malleable C2 Profiles](https://xz.aliyun.com/t/2796)
7. [A Brave New World: Malleable C2](http://www.harmj0y.net/blog/redteaming/a-brave-new-world-malleable-c2/)
8. [How to Write Malleable C2 Profiles for Cobalt Strike](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)
9. [Randomized Malleable C2 Profiles Made Easy](https://bluescreenofjeff.com/2017-08-30-randomized-malleable-c2-profiles-made-easy/)
10. [On the Problem of CobaltStrike Stagers Being Scanned](https://mp.weixin.qq.com/s/0MPM3bysJJYr5jbRnES_Vg)
11. [Removing Signatures from the Beacon Stager Listener](https://mp.weixin.qq.com/s/HibtLfikI_0ezcLVCRxqaA)
12. [Detecting and Hiding Cobaltstrike Servers](https://hosch3n.github.io/2020/12/16/%E6%A3%80%E6%B5%8B%E4%B8%8E%E9%9A%90%E8%97%8FCobaltstrike%E6%9C%8D%E5%8A%A1%E5%99%A8/)
13. [Notes on a CS Bypass of Kaspersky Memory Scanning](https://xz.aliyun.com/t/9224)
14. [CS Bypass of Kaspersky Memory Scanning 2](https://xz.aliyun.com/t/9399)
15. [Cobalt Strike – Bypassing C2 Network Detections](https://newtonpaul.com/cobalt-strike-bypassing-c2-network-detections/)
16. [Hiding Cobalt Strike Signatures](https://www.cnblogs.com/Xy--1/p/14396744.html)
17. [Cobalt Strike Anti-Attribution: CDN Edition](https://mp.weixin.qq.com/s/9taI6KQzKy2vcKHJXnwgmg)
18. [Unleashing The Unseen: Harnessing The Power Of Cobalt Strike Profiles For EDR Evasion](https://whiteknightlabs.com/2023/05/23/unleashing-the-unseen-harnessing-the-power-of-cobalt-strike-profiles-for-edr-evasion/)
#### 5. CobaltStrike Analysis
1. Volatility Plugin for Detecting Cobalt Strike Beacon. [blog](https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html)|[Toolset](https://github.com/RomanEmelyanov/CobaltStrikeForensic)
2. [Reverse-Engineering Analysis of a Cobalt Strike Installation Backdoor](https://mp.weixin.qq.com/s/VHpcHzLc829hmQjrx1139A)
3. [Analyzing the cobaltstrike C2 Protocol](https://github.com/verctor/Cobalt_Homework)
4. Small [tool](https://github.com/Mkv4/cobaltstrike-authfile-decrypt) to decrypt a Cobalt Strike auth file
5. [Cobalt Strike's ExternalC2](https://xz.aliyun.com/t/6565)
6. [Detecting Cobalt Strike Default Modules via Named Pipe Analysis](https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/)
7. [A Brief Analysis of CobaltStrike Beacon Staging Server Scanning](https://mp.weixin.qq.com/s/WUf96myUi8F3X_eNWPRTdw)
8. [Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability](https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/)
9. [Analyzing Cobalt Strike for Fun and Profit](https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/)
10. [Cobalt Strike Remote Threads detection](https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f)
11. [The art and science of detecting Cobalt Strike](https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf)
12. [A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers](https://go.recordedfuture.com/hubfs/reports/cta-2019-0618.pdf)
13. [How to detect Cobalt Strike activities in memory forensics](https://www.andreafortuna.org/2020/11/22/how-to-detect-cobalt-strike-activity-in-memory-forensics/)
14. [Detecting Cobalt Strike by Fingerprinting Imageload Events](https://redhead0ntherun.medium.com/detecting-cobalt-strike-by-fingerprinting-imageload-events-6c932185d67c)
15. [The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration](https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/)
16. [CobaltStrike - beacon.dll : Your No Ordinary MZ Header](https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html)
17. [GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic](https://www.bleepingcomputer.com/news/security/github-hosted-malware-calculates-cobalt-strike-payload-from-imgur-pic/)
18. [Detecting Cobalt Strike beacons in NetFlow data](https://delaat.net/rp/2019-2020/p29/report.pdf)
19. [Volatility Plugin for Detecting Cobalt Strike Beacon](https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html)
20. [Easily Identify Malicious Servers on the Internet with JARM](https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a)
21. [Cobalt Strike Beacon Analysis](https://isc.sans.edu/forums/diary/Quick+Tip+Cobalt+Strike+Beacon+Analysis/26818/)
22. [Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike](https://isc.sans.edu/forums/diary/Hancitor+infection+with+Pony+Evil+Pony+Ursnif+and+Cobalt+Strike/25532/)
23. [Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike](https://isc.sans.edu/forums/diary/Attackers+Exploiting+WebLogic+Servers+via+CVE202014882+to+install+Cobalt+Strike/26752/)
24. [Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs](https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/)
25. [Identifying Cobalt Strike team servers in the wild](https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/)
26. [Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature](https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/)
27. [Operation Cobalt Kitty](http://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf)
28. [Detecting and Advancing In-Memory .NET Tradecraft](https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/)
29. [Analysing Fileless Malware: Cobalt Strike Beacon](https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/)
30. [IndigoDrop spreads via military-themed lures to deliver Cobalt Strike](https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html)
31. [Cobalt Group Returns To Kazakhstan](https://research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/)
32. [Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability](https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/)
33. [Azure Sentinel Quick-Deploy with Cyb3rWard0g’s Sentinel To-Go – Let’s Catch Cobalt Strike!](https://www.blackhillsinfosec.com/azure-sentinel-quick-deploy-with-cyb3rward0gs-sentinel-to-go-lets-catch-cobalt-strike/)
34. [Cobalt Strike stagers used by FIN6](https://malwarelab.eu/posts/fin6-cobalt-strike/)
35. [Malleable C2 Profiles and You](https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929)
36. [C2 Traffic patterns including Cobalt Strike](https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/)
37. [Cobalt Strike DNS Direct Egress Not That Far Away](https://dtm.uk/cobalt-strike-dns-direct-egress/)
38. [Detecting Exposed Cobalt Strike DNS Redirectors](https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors)
39. [Example of Cleartext Cobalt Strike Traffic](https://isc.sans.edu/forums/diary/Example+of+Cleartext+Cobalt+Strike+Traffic+Thanks+Brad/27300/)
40. [Cobaltstrike-Beacons analyzed](https://zero.bs/cobaltstrike-beacons-analyzed.html)
41. [Detecting Cobalt Strike Servers via the DNS Protocol](https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ)
42. [Detecting Cobalt Strike with memory signatures](https://www.elastic.co/cn/blog/detecting-cobalt-strike-with-memory-signatures)
43. [Obtaining the Host Field in CobaltStrike Communications](https://zhufan.net/2021/01/05/cobaltstrike%E9%80%9A%E4%BF%A1%E4%B8%ADhost%E5%AD%97%E6%AE%B5%E7%9A%84%E8%8E%B7%E5%8F%96/)
44. [Striking Back at CobaltStrike (Part 1): Passing Fakes Off as Real](https://www.anquanke.com/post/id/252332)
45. [Analysis of a Marginal Vulnerability in a Certain C2: Is Your CS Safe?](https://mp.weixin.qq.com/s/SqU7NaFa9du-1r2HX3BJcQ)
46. [Cobalt Strike Beacon Analysis from a Live C2](https://blog.spookysec.net//cs-beacon-analysis/)
#### 6. CobaltStrike Video
1. [Malleable Memory Indicators with Cobalt Strike's Beacon Payload](https://www.youtube.com/watch?v=93GyP-mEUAw&feature=emb_title)
2. [STAR Webcast: Spooky RYUKy: The Return of UNC1878](https://www.youtube.com/watch?v=BhjQ6zsCVSc)
3. [Excel 4.0 Macros Analysis - Cobalt Strike Shellcode Injection](https://www.youtube.com/watch?v=XnN_UWfHlNM)
4. [Profiling And Detecting All Things SSL With JA3](https://www.youtube.com/watch?v=oprPu7UIEuk)
### 0x02 C2 Profiles
| Type | Name | Description | Popularity | Language |
|:---:|:---:|:---:|:---:|:---:|
| ALL | [Malleable-C2-Profiles](https://github.com/rsmudge/Malleable-C2-Profiles) | Official Malleable C2 Profiles |  |  |
| ALL | [Malleable-C2-Randomizer](https://github.com/bluscreenofjeff/Malleable-C2-Randomizer) | This script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage |  | |
| ALL | [malleable-c2](https://github.com/threatexpress/malleable-c2) | Cobalt Strike Malleable C2 Design and Reference Guide |  |  |
| ALL | [Malleable-C2-Profiles](https://github.com/BC-SECURITY/Malleable-C2-Profiles) | A collection of profiles used in Cobalt Strike and Empire's Malleable C2 Listener. |  |  |
| ALL | [random_c2_profile](https://github.com/threatexpress/random_c2_profile) | Random C2 Profile Generator |  |  |
| ALL | [SourcePoint](https://github.com/Tylous/SourcePoint) | SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. |  |  |
| ALL | [C2concealer](https://github.com/FortyNorthSecurity/C2concealer) | C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike. |  | |
| ALL | [MalleableC2-Profiles](https://github.com/mhaskar/MalleableC2-Profiles) | A collection of Cobalt Strike Malleable C2 profiles. Now includes a Windows Updates profile. |  | |
| ALL | [MalleableC2-Profiles](https://github.com/xx0hcd/Malleable-C2-Profiles) | Cobalt Strike - Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike |  | |
| ALL | [pyMalleableC2](https://github.com/Porchetta-Industries/pyMalleableC2) | A Python interpreter for Cobalt Strike Malleable C2 profiles that allows you to parse, modify, build them programmatically and validate syntax. |  |  |
| ALL | [1135-CobaltStrike-ToolKit](https://github.com/1135/1135-CobaltStrike-ToolKit) | Malleable C2 profiles for Cobalt Strike, designed to counter traffic analysis |  |  |
| ALL | [service_cobaltstrike](https://github.com/wikiZ/service_cobaltstrike) | CobaltStrike profile |  |  |
| ALL | [CobaltNotion](https://github.com/HuskyHacks/CobaltNotion) | A spin-off research project. Cobalt Strike x Notion collab 2022. |  |  |
| ALL | [Burp2Malleable](https://github.com/CodeXTF2/Burp2Malleable) | This is a quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles. |  |  |
| ALL | [autoRebind](https://github.com/CrossC2/autoRebind) | Automatically parse Malleable C2 profiles into CrossC2 rebinding library source code |  |  |
| ALL | [goMalleable](https://github.com/D00Movenok/goMalleable) | Malleable C2 profiles parser and assembler written in golang |  |  |
| ALL | [Malleable-CS-Profiles](https://github.com/WKL-Sec/Malleable-CS-Profiles) | A list of python tools to help create an OPSEC-safe Cobalt Strike profile. |  |  |
### 0x03 BOF
| Type | Name | Description | Popularity | Language |
|:---:|:---:|:---:|:---:|:---:|
| ALL | [BOF_Collection](https://github.com/rvrsh3ll/BOF_Collection) | Various Cobalt Strike BOFs |  |  |
| ALL | [cobaltstrike-bof-toolset](https://github.com/AttackTeamFamily/cobaltstrike-bof-toolset) | A collection of BOF tools for use in cobaltstrike, gathered from around the web. |  |  |
| ALL | [Situational Awareness BOF](https://github.com/trustedsec/CS-Situational-Awareness-BOF) | Its larger goal is providing a code example and workflow for others to begin making more BOF files. [Blog](https://www.trustedsec.com/blog/a-developers-introduction-to-beacon-object-files/) |  |  |
| ALL | [bof_helper](https://github.com/dtmsecurity/bof_helper) | Beacon Object File (BOF) Creation Helper |  |  |
| ALL | [BOF-DLL-Inject](https://github.com/tomcarver16/BOF-DLL-Inject) | BOF DLL Inject is a custom Beacon Object File that uses manual map DLL injection in order to migrate a dll into a process all from memory. |  |  |
| ALL | [cobaltstrike_bofs](https://github.com/m57/cobaltstrike_bofs) | BOF spawns a process of your choice under a specified parent, and injects a provided shellcode file via QueueUserAPC(). |  |  |
| ALL | [BOF-RegSave](https://github.com/EncodeGroup/BOF-RegSave) | Beacon Object File(BOF) for CobaltStrike that will acquire the necessary privileges and dump SAM - SYSTEM - SECURITY registry keys for offline parsing and hash extraction. |  |  |
| ALL | [CobaltStrike BOF](https://github.com/Yaxser/CobaltStrike-BOF) | DCOM Lateral Movement; WMI Lateral Movement - Win32_Process Create; WMI Lateral Movement - Event Subscription |  |  |
| ALL | [BOFs](https://github.com/ajpc500/BOFs) | ETW Patching; API Function Utility; Syscalls Shellcode Injection |  |  |
| ALL | [Remote Operations BOF](https://github.com/trustedsec/CS-Remote-OPs-BOF) | This repo serves as an addition to our previously released SA Repo. Our original stance was that we would not release our tooling that modified other systems, and we would only provide information gathering tooling in a ready to go format. |  |  |
| ALL | [OperatorsKit](https://github.com/REDMED-X/OperatorsKit) | This repository contains a collection of tools that integrate with Cobalt Strike through Beacon Object Files (BOFs). |  |  |
| Dev | [bof](https://github.com/nccgroup/nccfsas/blob/main/Tools/bof-vs-template/README.md) | This is a template project for building Cobalt Strike BOFs in Visual Studio. |  |  |
| Dev | [Needle_Sift_BOF](https://github.com/EspressoCake/Needle_Sift_BOF) | Strstr with user-supplied needle and filename as a BOF. |  |  |
| Dev | [Quser-BOF](https://github.com/netero1010/Quser-BOF) | Beacon Object Files Quser implementation using Windows API |  |  |
| Dev | [BOF.NET](https://github.com/CCob/BOF.NET) | A .NET Runtime for Cobalt Strike's Beacon Object Files. |  |  |
| Dev | [beacon-object-file](https://github.com/realoriginal/beacon-object-file) | The format, described by Mudge [here](https://youtube.com/watch?v=gfYswA_Ronw), asks that the operator construct a COFF file using a mingw-w64 compiler or the msvc compiler that holds a symbol name indicating its entrypoint, and underlying function calls. |  |  |
| Dev | [InlineWhispers](https://github.com/outflanknl/InlineWhispers) | Demonstrate the ability to easily use syscalls using inline assembly in BOFs. |  |  |
| Dev | [WdToggle](https://github.com/outflanknl/WdToggle) | A Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Credential Guard (if enabled). |  |  |
| Dev | [Situational Awareness BOF](https://github.com/trustedsec/CS-Situational-Awareness-BOF) | This Repo intends to serve two purposes. First it provides a nice set of basic situational awareness commands implemented in BOF. This allows you to perform some checks on a host before you begin executing commands that may be more invasive. |  |  |
| Dev | [MiniDumpWriteDump](https://github.com/rookuu/BOFs/tree/main/MiniDumpWriteDump) | Custom implementation of DbgHelp's MiniDumpWriteDump function. Uses static syscalls to replace low-level functions like NtReadVirtualMemory. |  |  |
| Dev | [COFF Loader](https://github.com/trustedsec/COFFLoader) | This is a quick and dirty COFF loader (AKA Beacon Object Files). Currently can run un-modified BOF's so it can be used for testing without a CS agent running it. The only exception is that the injection related beacon compatibility functions are just empty. |  |  |
| Dev | [Self_Deletion_BOF](https://github.com/EspressoCake/Self_Deletion_BOF) | BOF implementation of the research by @jonasLyk and the drafted PoC from @LloydLabs |  |  |
| Dev | [PE Import Enumerator BOF](https://github.com/EspressoCake/DLL_Imports_BOF) | This is a BOF to enumerate DLL files to-be-loaded by a given PE file. Depending on the number of arguments, this will allow an operator to either view a listing of anticipated imported DLL files, or to view the imported functions for an anticipated DLL. |  |  |
| Dev | [Visual-Studio-BOF-template](https://github.com/securifybv/Visual-Studio-BOF-template) | A Visual Studio template used to create Cobalt Strike BOFs |  |  |
| Dev | [BOF-Builder](https://github.com/ceramicskate0/BOF-Builder) | C# .Net 5.0 project to build BOF (Beacon Object Files) in mass based on them all being in a folder directory struct somewhere. |  |  |
| Dev | [ELFLoader](https://github.com/trustedsec/ELFLoader) | This is an ELF object in memory loader/runner. The goal is to create a single elf loader that can be used to run follow on capabilities across all x86_64 and x86 nix operating systems. |  |  |
| Dev | [Rust BOFs for Cobalt Strike](https://github.com/wumb0/rust_bof) | This took me like 4 days, but I got it working... rust core + alloc for Cobalt Strike BOFs. This is very much a PoC, but I'd love to see others playing around with it and contributing. |  |  |
| Dev | [CoffeeLdr](https://github.com/Cracked5pider/CoffeeLdr) | CoffeeLdr is a loader for so-called Beacon Object Files. This project can be used for testing Beacon Object Files without using the Cobalt Strike framework or can be used to give custom implants a way to execute BOFs that were designed for Cobalt Strike. |  |  |
| Dev | [HalosGate Processlist Cobalt Strike BOF](https://github.com/boku7/halosgate-ps) | Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes. |  |  |
| Dev | [PPLFaultDumpBOF](https://github.com/trustedsec/PPLFaultDumpBOF) | Takes the original PPLFault and the original included DumpShellcode and combines it all into a BOF targeting Cobalt Strike. |  |  |
| Dev | [Winsocky](https://github.com/WKL-Sec/Winsocky) | Winsocket implementation for Cobalt Strike. Used to communicate with the victim using winsockets instead of the traditional ways. |  |  |
| Dev | [bof-vs](https://github.com/Cobalt-Strike/bof-vs) | A Beacon Object File (BOF) template for Visual Studio. |  |  |
| Auxiliary | [Defender Exclusions BOF](https://github.com/EspressoCake/Defender_Exclusions-BOF) | A BOF to determine Windows Defender exclusions. |  |  |
| Auxiliary | [ScreenShot-BOF](https://github.com/qwqdanchun/ScreenShot-BOF) | ScreenShot BOF for Cobalt Strike. All in memory and no spawn/inject. |  |  |
| Auxiliary | [BofRoast](https://github.com/cube0x0/BofRoast) | Beacon Object File repo for roasting Active Directory. |  |  |
| Auxiliary | [EnumCLR.c](https://gist.github.com/G0ldenGunSec/8ca0e853dd5637af2881697f8de6aecc) | Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates. |  |  |
| Auxiliary | [PPEnum](https://github.com/rasta-mouse/PPEnum) | Simple BOF to read the protection level of a process. |  |  |
| Auxiliary | [secinject](https://github.com/apokryptein/secinject) | Section Mapping Process Injection (secinject): Cobalt Strike BOF |  | |
| Auxiliary | [FindObjects-BOF](https://github.com/outflanknl/FindObjects-BOF) | A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles. |  |  |
| Auxiliary | [Inject-assembly](https://github.com/kyleavery/inject-assembly) | Inject-assembly - Execute .NET in an Existing Process. This tool is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly. |  |  |
| Auxiliary | [WhereAmiI](https://github.com/boku7/whereami) | WhereAmiI - Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's. |  |  |
| Auxiliary | [GetWebDAVStatus](https://github.com/G0ldenGunSec/GetWebDAVStatus) | Small project to determine if the Web Client service (WebDAV) is running on a remote system by checking for the presence of the DAV RPC SERVICE named pipe. |  |  |
| Auxiliary | [ChromeKeyDump](https://github.com/crypt0p3g/bof-collection/tree/main/ChromeKeyDump) | BOF implementation of Chlonium tool to dump Chrome Masterkey and download Cookie/Login Data files |  |  |
| Auxiliary | [Sleeper](https://github.com/crypt0p3g/bof-collection/tree/main/Sleeper) | BOF to call the SetThreadExecutionState function to prevent host from Sleeping |  |  |
| Auxiliary | [LSASS](https://github.com/pwn1sher/CS-BOFs/tree/main/lsass) | Beacon Object File to dump Lsass memory by obtaining a snapshot handle. Does MiniDumpWriteDump/NtReadVirtualMemory on a snapshot of LSASS instead of the original LSASS itself, hence evades some AV/EDR. |  |  |
| Auxiliary | [getsystem](https://github.com/pwn1sher/CS-BOFs/tree/main/get-system) | get system by duplicating winlogon's token. |  |  |
| Auxiliary | [Silent Lsass Dump](https://github.com/guervild/BOFs) | Silent Lsass Dump |  |  |
| Auxiliary | [unhook-bof](https://github.com/Cobalt-Strike/unhook-bof) | This is a Beacon Object File to refresh DLLs and remove their hooks. |  |  |
| Auxiliary | [Beacon Health Check Aggressor Script](https://github.com/Cobalt-Strike/beacon_health_check) | This aggressor script uses a beacon's note field to indicate the health status of a beacon. |  |  |
| Auxiliary | [Registry BOF](https://github.com/lpBunny/bof-registry) | A beacon object file for use with cobalt strike v4.1+. Supports querying, adding, and deleting keys/values of local and remote registries. |  |  |
| Auxiliary | [InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly) | InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in-process .NET assembly execution as an alternative to Cobalt Strike's traditional fork and run execute-assembly module |  |  |
| Auxiliary | [CredBandit](https://github.com/xforcered/CredBandit) | CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel. The memory dump is done by using NTFS transactions which allows us to write the dump to memory and the MiniDumpWriteDump API has been replaced with an adaptation of ReactOS's implementation of MiniDumpWriteDump. |  |  |
| Auxiliary | [Inject AMSI Bypass](https://github.com/boku7/injectAmsiBypass) | Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. |  |  |
| Auxiliary | [Firewall_Enumerator_BOF](https://github.com/EspressoCake/Firewall_Walker_BOF) | Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. |  |  |
| Auxiliary | [Detect-Hooks](https://github.com/anthemtotheego/Detect-Hooks) | Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR |  |  |
| Auxiliary | [unhook-bof](https://github.com/rsmudge/unhook-bof) | Remove API hooks from a Beacon process. |  |  |
| Auxiliary | [whereami](https://github.com/boku7/whereami) | Cobalt Strike "Where Am I?" Beacon Object File |  |  |
| Auxiliary | [HOLLOW](https://github.com/boku7/HOLLOW) | EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode |  |  |
| Auxiliary | [BOFs](https://github.com/RiccardoAncarani/BOFs) | send_shellcode_via_pipe;cat;wts_enum_remote_processes |  |  |
| Auxiliary | [SCShell](https://github.com/Mr-Un1k0d3r/SCShell) | SCShell is a fileless lateral movement tool that relies on ChangeServiceConfigA to run commands. |  |  |
| Auxiliary | [WinRMDLL](https://github.com/mez-0/winrmdll) | A while ago I produced CSharpWinRM which was alright, but I wanted to look at the WinRM C++ API properly. |  |  |
| Auxiliary | [LSASS Dumping With Foreign Handles](https://github.com/alfarom256/BOF-ForeignLsass) | LSASS Dumping With Foreign Handles |  |  |
| Auxiliary | [PPLDump BOF](https://github.com/EspressoCake/PPLDump_BOF) | This is a fully-fledged BOF to dump an arbitrary protected process (LSASS). |  |  |
| Auxiliary | [PortBender](https://github.com/praetorian-inc/PortBender) | PortBender is a TCP port redirection utility that allows a red team operator to redirect inbound traffic destined for one TCP port (e.g., 445/TCP) to another TCP port (e.g., 8445/TCP). |  |  |
| Auxiliary | [BOF2Shellcode](https://github.com/FalconForceTeam/BOF2shellcode) | POC tool to convert a Cobalt Strike BOF into raw shellcode. |  |  |
| Auxiliary | [DLL Hijack Search Order BOF](https://github.com/EspressoCake/DLL-Hijack-Search-Order-BOF) | DLL Hijack Search Order Enumeration BOF |  |  |
| Auxiliary | [InlineWhispers2](https://github.com/Sh0ckFR/InlineWhispers2) | Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2 |  |  |
| Auxiliary | [NetUser](https://github.com/lengjibo/NetUser) | Adds a user via the Windows API; useful when net cannot be used |  |  |
| Auxiliary | [BOF-Nim](https://github.com/byt3bl33d3r/BOF-Nim) | Write BOFs in the Nim language |  |  |
| Auxiliary | [Invoke-Bof](https://github.com/airbus-cert/Invoke-Bof) | Load any Beacon Object File using Powershell! |  |  |
| Auxiliary | [Cobalt-Clip](https://github.com/DallasFR/Cobalt-Clip) | Cobalt-Clip is a clipboard add-on for Cobalt Strike for interacting with the clipboard. With it you can dump, edit and monitor the content of a clipboard. |  |  |
| Auxiliary | [CoffLoader](https://github.com/OtterHacker/CoffLoader) | Load and execute COFF files and Cobalt Strike BOFs in-memory |  |  |
| Auxiliary | [COFFLoader2](https://github.com/Yaxser/COFFLoader2) | Load and execute COFF files and Cobalt Strike BOFs in-memory |  |  |
| Auxiliary | [Process Protection Level Enumerator BOF](https://github.com/EspressoCake/Process_Protection_Level_BOF) | A Syscall-only BOF file intended to grab process protection attributes, limited to a handful that Red Team operators and pentesters would commonly be interested in. |  |  |
| Auxiliary | [Toggle_Token_Privileges_BOF](https://github.com/EspressoCake/Toggle_Token_Privileges_BOF) | An (almost) syscall-only BOF file intended to either add or remove token privileges within the context of your current process. |  |  |
| Auxiliary | [Cobalt Strike BOF - Inject ETW Bypass](https://github.com/boku7/injectEtwBypass) | Inject ETW Bypass into Remote Process via Syscalls (HellsGate\|HalosGate) |  |  |
| Auxiliary | [HandleKatz_BOF](https://github.com/EspressoCake/HandleKatz_BOF) | PIC your Katz! Say hello to HandleKatz, our position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump() |  |  |
| Auxiliary | [tgtdelegation](https://github.com/connormcgarr/tgtdelegation) | tgtdelegation is a Beacon Object File (BOF) to obtain a usable TGT via the "TGT delegation trick" |  |  |
| Auxiliary | [nanodump](https://github.com/helpsystems/nanodump) | A Beacon Object File that creates a minidump of the LSASS process. |  |  |
| Auxiliary | [xPipe Cobalt Strike BOF (x64)](https://github.com/boku7/xPipe) | Cobalt Strike Beacon Object File (BOF) to list active Pipes & return their Owner & Discretionary Access Control List (DACL) permissions. |  |  |
| Auxiliary | [AddUser-Bof](https://github.com/0x3rhy/AddUser-Bof) | Cobalt Strike BOF that adds an admin user |  |  |
| Auxiliary | [ServiceMove-BOF](https://github.com/netero1010/ServiceMove-BOF) | Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking |  |  |
| Auxiliary | [Detect-Hooks](https://github.com/xforcered/Detect-Hooks) | Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR |  |  |
| Auxiliary | [MemReader BoF](https://github.com/trainr3kt/MemReader_BoF) | MemReader Beacon Object File will allow you to search and extract specific strings from a target process memory and return what is found to the beacon output. |  |  |
| Auxiliary | [Readfile BoF](https://github.com/trainr3kt/Readfile_BoF) | Not the prettiest code, short sweet and to the point and will allow you to read file contents to beacon output. |  |  |
| Auxiliary | [ChromiumKeyDump](https://github.com/trainr3kt/Readfile_BoF) | BOF implementation of Chlonium tool to dump Chrome/Edge Masterkey and download Cookie/Login Data files |  |  |
| Auxiliary | [LdapSignCheck](https://github.com/cube0x0/LdapSignCheck) | Beacon Object File to scan a Domain Controller to see if LdapEnforceChannelBinding or LdapServerIntegrity has been modified to mitigate against relaying attacks. |  |  |
| Auxiliary | [DelegationBOF](https://github.com/IcebreakerSecurity/DelegationBOF) | This tool uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks. |  |  |
| Auxiliary | [RunOF](https://github.com/nettitude/RunOF) | A tool to run object files, mainly beacon object files (BOF), in .Net. |  |  |
| Auxiliary | [KillDefender_BOF](https://github.com/Octoberfest7/KillDefender_BOF) | Beacon Object File implementation of pwn1sher's KillDefender. |  |  |
| Auxiliary | [TokenStripBOF](https://github.com/nick-frischkorn/TokenStripBOF) | TokenStrip is a Beacon Object File implementation of pwn1sher's KillDefender project utilizing syscalls via InlineWhispers. |  |  |
| Auxiliary | [BOF - RDPHijack](https://github.com/netero1010/RDPHijack-BOF) | Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. |  |  |
| Auxiliary | [Koh](https://github.com/GhostPack/Koh) | Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. |  |  |
| Auxiliary | [RDPHijack](https://github.com/netero1010/RDPHijack-BOF) | Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. |  |  |
| Auxiliary | [KDStab](https://github.com/Octoberfest7/KDStab) | BOF combination of KillDefender and Backstab. |  |  |
| Auxiliary | [Token Vault BOF for Cobalt Strike](https://github.com/Henkru/cs-token-vault) | This Beacon Object File (BOF) creates in-memory storage for stolen/duplicated Windows access tokens. |  |  |
| Auxiliary | [ASRenum](https://github.com/mlcsec/ASRenum-BOF) | Identify ASR rules, actions, and exclusion locations. |  |  |
| Auxiliary | [ThreadlessInject-BOF](https://github.com/iilegacyyii/ThreadlessInject-BOF) | BOF implementation of @_EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023. |  |  |
| Auxiliary | [Inline-Execute-PE](https://github.com/Octoberfest7/Inline-Execute-PE) | Execute unmanaged Windows executables in CobaltStrike Beacons. This enables Operators to use many third party tools (Mimikatz, Dsquery, Sysinternals tools, etc) without needing to drop them to disk, reformat them to position independent code using a tool like Donut, or create a new process to run them. |  |  |
| Auxiliary | [BOFs](https://github.com/snovvcrash/BOFs) | Subscribes to WNF notifications for a number of seconds. && Backdoors SCManager SDDL. |  |  |
| Auxiliary | [DomainPasswordSpray](https://github.com/Hagrid29/BOF-SprayAD) | Perform LDAP-based or Kerberos-based password spray using Windows API LogonUserSSPI. Skip disabled accounts, locked accounts and large BadPwdCount (if specified). |  |  |
| Auxiliary | [BOF-CredUI](https://github.com/Hagrid29/BOF-CredUI) | Credentials Collection via CredUIPromptForWindowsCredentials |  |  |
| Auxiliary | [Cookie-Graber-BOF](https://github.com/Mr-Un1k0d3r/Cookie-Graber-BOF) | C or BOF file to extract WebKit master key to decrypt user cookie. The C code can be used to compile an executable or a bof script for Cobalt Strike. |  |  |
| Auxiliary | [ScreenshotBOF](https://github.com/CodeXTF2/ScreenshotBOF) | An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory. |  |  |
| Auxiliary | [ScreenshotBOFPlus](https://github.com/baiyies/ScreenshotBOFPlus) | Take a screenshot without injection for Cobalt Strike. I only made minor optimizations to the existing code, and made it support the ability to get a complete screenshot when global scaling is initiated on Windows. |  |  |
| Auxiliary | [Elevate-System-Trusted-BOF](https://github.com/Mr-Un1k0d3r/Elevate-System-Trusted-BOF) | This BOF can be used to elevate the current beacon to SYSTEM and obtain the TrustedInstaller group privilege. The impersonation is done through the SetThreadToken API. |  |  |
| Auxiliary | [Hidden Desktop BOF](https://github.com/WKL-Sec/HiddenDesktop) | Hidden Desktop (often referred to as HVNC) is a tool that allows operators to interact with a remote desktop session without the user knowing. |  |  |
| Auxiliary | [DropSpawn](https://github.com/Octoberfest7/DropSpawn_BOF) | DropSpawn is a CobaltStrike BOF used to spawn additional Beacons via a relatively unknown method of DLL hijacking. Works x86-x86, x64-x64, and x86-x64/vice versa. Use as an alternative to process injection. |  |  |
| Auxiliary | [Nanorobeus](https://github.com/wavvs/nanorobeus) | COFF file (BOF) for managing Kerberos tickets. |  |  |
| Auxiliary | [SelfDel](https://github.com/seventeenman/SelfDel-BOF) | Delete file regardless of whether the handle is used via SetFileInformationByHandle |  |  |
| Auxiliary | [GetWeChatBOF](https://github.com/pyroxenites/BOFTools/tree/main/GetWeChatBOF) | BOF test file for retrieving WeChat information; only supports the offsets for version 3.9.6.33 |  |  |
| Auxiliary | [ShadowRDP](https://github.com/c3r3br4t3/ShadowRDP) | This repository contains two applications. One is a beacon object file, which is used to retrieve the authentication string, also known as the invitation. The other is a graphical user interface program that can be run on the operator's system behind a SOCKS proxy to connect to the remote desktop session. |  |  |
| Auxiliary | [SharpHound4Cobalt](https://github.com/Hypnoze57/SharpHound4Cobalt) | The SharpHound data (test file, json, zip, cache file) will not be written on the disk but only sent to Cobalt Strike downloads through BOF.NET library. |  |  |
| Exploit | [CVE-2020-0796-BOF](https://github.com/rsmudge/CVE-2020-0796-BOF) | SMBGhost LPE |  |  |
| Exploit | [ZeroLogon-BOF](https://github.com/rsmudge/ZeroLogon-BOF) | ZeroLogon |  |  |
| Exploit | [kernel-mii](https://github.com/NorthwaveSecurity/kernel-mii) | Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551. |  |  |
| Exploit | [PrivKit](https://github.com/mertdas/PrivKit) | PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS. |  |  |
| Exploit | [CVE-2023-36874](https://github.com/Octoberfest7/CVE-2023-36874_BOF) | Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE. |  |  |
| Persistence | [SPAWN](https://github.com/boku7/spawn) | Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing. |  |  |
| Persistence | [PersistBOF](https://github.com/IcebreakerSecurity/PersistBOF) | A tool to help automate common persistence mechanisms. Currently supports Print Monitor (SYSTEM), Time Provider (Network Service), Start folder shortcut hijacking (User), and Junction Folder (User). |  |  |
| BypassAV | [ClipboardWindow-Inject](https://github.com/BronzeTicket/ClipboardWindow-Inject) | Beacon Object File (BOF) that injects beacon shellcode into remote process, avoiding the usage of common monitored APIs. |  |  |
| BypassAV | [SigFlip](https://github.com/med0x2e/SigFlip) | SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) in a way that doesn't affect or break the existing authenticode signature, in other words you can change PE file checksum/hash by embedding data (i.e shellcode) without breaking the file signature, integrity checks or PE file functionality. |  |  |
| BypassAV | [BokuLoader](https://github.com/boku7/BokuLoader) | Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. |  |  |
| BypassAV | [AddDefenderExclusions](https://github.com/Like0x/AddDefenderExclusions-BOF) | AddDefenderExclusions Beacon Object File Resources. |  |  |
| BypassAV | [BOFMask](https://github.com/passthehashbrowns/BOFMask) | Demonstrates a technique to stealthily run BOFs without exposing Beacon to detection. |  |  |
| BypassUAC | [Trusted Path UAC Bypass](https://github.com/netero1010/TrustedPath-UACBypass-BOF) | Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object. |  |  |
| BypassUAC | [EventViewerUAC_BOF](https://github.com/Octoberfest7/EventViewerUAC_BOF) | This is a Beacon Object File implementation of the Event Viewer deserialization UAC bypass discovered by @orange_8361 and the POC put together by CsEnox. |  |  |
### 0x04 Aggressor Script
| Type | Name | Description | Popularity | Language |
|:---:|:---:|:---:|:---:|:---:|
| BypassAV | [BypassAV](https://github.com/hack2fun/BypassAV) | For quickly generating AV-evading executables |  |  |
| BypassAV | [BypassAV](https://github.com/hack2fun/BypassAV) | Essentially uses the ps2exe.ps1 script to compile to an exe; it was written as a cna script to avoid working on the command line, making it easy to quickly generate AV-evading executables of only 50 KB. Currently supports the exe and ps1 file formats. |  |  |
| BypassAV | [scrun](https://github.com/k8gege/scrun) | BypassAV ShellCode Loader (Cobaltstrike/Metasploit) [Usage](https://www.cnblogs.com/k8gege/p/11223393.html) |  |  |
| BypassAV | [ShellCode_Loader](https://github.com/Axx8/ShellCode_Loader) | AV-evading ShellCode loader for Msf & CobaltStrike |  |  |
| BypassAV | [beacon-c2-go](https://github.com/wahyuhadi/beacon-c2-go) | beacon-c2-go (Cobaltstrike/Metasploit) |  |  |
| BypassAV | [C--Shellcode](https://github.com/OneHone/C--Shellcode) | Python ShellCode Loader (Cobaltstrike&Metasploit) [Usage](http://hone.cool/2019/11/26/%E5%85%8D%E6%9D%80-C-Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8/) |  |  |
| BypassAV | [Doge-Loader](https://github.com/timwhitez/Doge-Loader) | Cobalt Strike Shellcode Loader by Golang |  |  |
| BypassAV | [CS-Loader](https://github.com/Gality369/CS-Loader) | CS AV evasion, including a Python version and a C version |  |  |
| BypassAV | [CSSG](https://github.com/RCStep/CSSG) | Cobalt Strike Shellcode Generator. Generates beacon stageless shellcode with exposed exit method, additional formatting, encryption, encoding, compression, multiline output, etc |  |  |
| BypassAV | [Alaris](https://github.com/cribdragg3r/Alaris) | Alaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTPs that help protect the malware and its execution flow. |  |  |
| BypassAV | [CarbonMonoxide](https://github.com/rkervella/CarbonMonoxide) | EDR Evasion - Combination of SwampThing - TikiTorch |  |  |
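| BypassAV | [bypassAV-1](https://github.com/jas502n/bypassAV-1) | Condition-triggered remote control tool; VT 6/70; evades Chinese domestic AV products as well as mainstream AV such as Defender and Kaspersky. |  |  |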
| BypassAV | [ScareCrow](https://github.com/optiv/ScareCrow) | ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls). |  |  |
| BypassAV | [Dent](https://github.com/optiv/Dent) | A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors. |  |  |
| BypassAV | [PEzor](https://github.com/phra/PEzor) | Open-Source PE Packer. |  |  |
| BypassAV | [FuckThatPacker](https://github.com/Unknow101/FuckThatPacker) | A simple python packer to easily bypass Windows Defender |  |  |
| BypassAV | [goShellCodeByPassVT](https://github.com/fcre1938/goShellCodeByPassVT) | Uses the Go compiler's -race flag to achieve full AV evasion on VT |  |  |
| BypassAV | [HouQing](https://github.com/An0ny-m0us/DesertFox) | Advanced AV Evasion Tool For Red Team Ops |  |  |
| BypassAV | [DesertFox](https://github.com/Hangingsword/HouQing) | Uses Golang to load CobaltStrike and Metasploit shellcode with AV evasion; currently evades host security software such as Huorong, Avast, Tencent PC Manager and the 360 suite. |  |  |
| BypassAV | [DInjector](https://github.com/snovvcrash/DInjector) | This repository is an accumulation of code snippets for various shellcode injection techniques using fantastic D/Invoke API |  |  |
| BypassAV | [GoBypass](https://github.com/4ra1n/GoBypass) | Golang tool for generating AV-evading trojans (this tool targets Windows systems only) |  |  |
| BypassAV | [Bypass-script](https://github.com/sssqp/bypass-script) | Uses GoBypass to generate AV-evading payloads |  |  |
| BypassAV | [CobaltWhispers](https://github.com/NVISOsecurity/CobaltWhispers) | CobaltWhispers is an aggressor script that utilizes a collection of Beacon Object Files for Cobalt Strike to perform process injection, persistence and more, leveraging direct syscalls to bypass EDR/AV. |  |  |
| BypassAV | [AceLdr](https://github.com/kyleavery/AceLdr) | Cobalt Strike UDRL for memory scanner evasion. |  |  |
| BypassAV | [SharpTerminator](https://github.com/mertdas/SharpTerminator) | Terminate AV/EDR Processes using kernel driver |  |  |
| BypassUAC | [UAC-SilentClean](https://github.com/EncodeGroup/UAC-SilentClean) | This project implements a DLL planting technique to bypass UAC Always Notify and execute code in a high integrity process. |  |  |
| BypassUAC | [csload.net](https://github.com/YDHCUI/csload.net) | A cobaltStrike Shellcode loader, can bypass most of AV |  |  |
| Dev | [cs-rdll-example](https://github.com/rxwx/cs-rdll-ipc-example) | This is an example code pattern for using named pipes for IPC with ReflectiveDlls in Cobalt Strike. |  |  |
| Dev | [Titan](https://github.com/SecIdiot/titan) | Titan: A generic user defined reflective DLL for Cobalt Strike. |  |  |
| Dev | [GECC](https://github.com/Lz1y/GECC) | Go External C2 Client implementation for cobalt strike. |  |  |
| Dev | [CobaltStrike beacon in rust](https://github.com/b1tg/cobaltstrike-beacon-rust) | CobaltStrike beacon in rust. |  |  |
| Recon | [red-team-scripts](https://github.com/threatexpress/red-team-scripts) | perform some rudimentary Windows host enumeration with Beacon built-in commands |  |  |
| Recon | [Registry-Recon](https://github.com/optiv/Registry-Recon) | Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon. |  |  |
| Recon | [aggressor-powerview](https://github.com/tevora-threat/aggressor-powerview) | All functions listed in the PowerView about page are included in this with all arguments for each function. [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) |  |  |
| Recon | [PowerView3-Aggressor](https://github.com/tevora-threat/PowerView3-Aggressor) | PowerView Aggressor Script for CobaltStrike [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) |  |  |
| Recon | [AggressorScripts](https://github.com/C0axx/AggressorScripts) | Sharphound-Aggressor- A user menu for the SharpHound ingestor |  |  |
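| Recon | [ServerScan](https://github.com/Adminisme/ServerScan) | High-concurrency network scanning and service detection tool for information gathering during intranet lateral movement. |  |  |
| Recon | [TailorScan](https://github.com/uknowsec/TailorScan) | Port scanning + network interface detection + ms17010 detection |  |  |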
| Recon | [AggressiveProxy](https://github.com/EncodeGroup/AggressiveProxy) | LetMeOutSharp will try to enumerate all available proxy configurations and try to communicate with the Cobalt Strike server over HTTP(s) using the identified proxy configurations. |  |  |
| Recon | [Spray-AD](https://github.com/outflanknl/Spray-AD) | A Cobalt Strike tool to audit Active Directory user accounts for weak, well known or easy guessable passwords. |  |  |
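| Recon | [Ladon](https://github.com/k8gege/Ladon) | Ladon is a multi-threaded, plugin-based comprehensive scanner for large-network penetration testing, covering port scanning, service identification, network assets, password brute-forcing, high-risk vulnerability detection and one-click GetShell. It supports batch scanning of A/B/C segments and scanning across network segments, as well as scanning of URL, host and domain lists. |  |  |
| Recon | [Ladon for Cobalt Strike](https://github.com/k8gege/Aggressor) | Ladon for Cobalt Strike (the Ladon dragon suite) |  |  |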
| Recon | [Recon-AD](https://github.com/outflanknl/Recon-AD) | Recon-AD, an AD recon tool based on ADSI and reflective DLL’s |  |  |
| Exploit | [XSS-Fishing2-CS](https://github.com/TheKingOfDuck/XSS-Fishing2-CS) | Automatically stop fishing in javascript after the fish is hooked |  |  |
| Exploit | [XSS-Phishing](https://github.com/timwhitez/XSS-Phishing) | XSS phishing; a cna plugin that works with a PHP backend to reel in the catch |  |  |
| Exploit | [custom_payload_generator](https://github.com/offsecginger/AggressorScripts) | CobaltStrike3.0+ --> creates various payloads for Cobalt Strike's Beacon. Current payload formats |  |  |
| Exploit | [CrossC2](https://github.com/gloxec/CrossC2) | CrossC2 framework - Generator CobaltStrike's cross-platform beacon |  |  |
| Exploit | [CrossC2 Kit](https://github.com/CrossC2/CrossC2Kit) | CrossC2Kit provides some interfaces for users to call to manipulate the CrossC2 Beacon session, thereby extending the functionality of Cobalt Strike. |  |  |
| Exploit | [Cobaltstrike-MS17-010](https://github.com/phink-team/Cobaltstrike-MS17-010) | ms17-010 exploit tool and scanner. |  |  |
| Exploit | [AES-PowerShellCode](https://github.com/offsecginger/AES-PowerShellCode) | Standalone version of my AES Powershell payload for Cobalt Strike. |  |  |
| Exploit | [SweetPotato_CS](https://github.com/Tycx2ry/SweetPotato_CS) | CobaltStrike4.x --> SweetPotato |  |  |
| Exploit | [ElevateKit](https://github.com/rsmudge/ElevateKit) | privilege escalation exploits |  |  |
| Exploit | [CVE-2018-4878](https://github.com/vysecurity/CVE-2018-4878) | CVE-2018-4878 |  |  |
| Exploit | [Aggressor-Scripts](https://github.com/RhinoSecurityLabs/Aggressor-Scripts) | The only current public is UACBypass, whose readme can be found inside its associated folder. |  |  |
| Exploit | [CVE_2020_0796_CNA](https://github.com/Rvn0xsy/CVE_2020_0796_CNA) | Local privilege escalation exploit implemented on top of [ReflectiveDLLInjection](https://github.com/stephenfewer/ReflectiveDLLInjection) |  |  |
| Exploit | [DDEAutoCS](https://github.com/p292/DDEAutoCS) | setup our stage(d) Web Delivery attack |  |  |
| Exploit | [geacon](https://github.com/darkr4y/geacon) | Implement CobaltStrike's Beacon in Go (can be used in Linux) |  |  |
| Exploit | [geacon_pro](https://github.com/H4de5-7/geacon_pro) | geacon_pro is an Anti-Virus bypassing CobaltStrike Beacon written in Golang based on geacon project. |  |  |
| Exploit | [geacon_plus](https://github.com/Z3ratu1/geacon_plus) | CobaltStrike stageless http(s) beacon implemented in Golang, with many extensions on top of the geacon project |  |  |
| Exploit | [SpoolSystem](https://github.com/nccgroup/nccfsas/blob/main/Tools/spoolsystem/Readme.md) | SpoolSystem is a CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges. |  |  |
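| Exploit | [CVE-2021-1675_RDL_LPE](https://github.com/mstxq17/CVE-2021-1675_RDL_LPE) | CS reflective-loading plugin for the PrintNightMare LPE vulnerability. Works out of the box; bypasses Defender/EDR through in-memory loading and an obfuscated name for the loaded driver |  |  |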
| Exploit | [KRBTGS](https://github.com/realoriginal/krbtgs) | KRBTGS is a post-exploitation option for Cobalt Strike to retrieve a working TGT for the current user that Beacon is running as, or impersonating. The attack does not require the user's password, and only assumes that the user you are running as is within a domain-joined environment. It attempts to guess the encryption type by choosing the strongest to least strong. The resulting .ccache can be converted into KIRBI format to be imported into other Beacons, or passed to other toolsets such as Impacket's example scripts to perform your post-exploitation endeavours. |  |  |
| Exploit | [PrintSpoofer-ReflectiveDLL](https://github.com/crisprss/PrintSpoofer) | Reflective DLL implementation of PrintSpoofer, for use with Cobalt Strike |  |  |
| Persistence | [persistence-aggressor-script](https://github.com/ZonkSec/persistence-aggressor-script) | persistence-aggressor-script |  |  |
| Persistence | [Peinject_dll](https://github.com/m0ngo0se/Peinject_dll) | Drops the winexec function in favour of the shellexecute function, so the program flow no longer stalls and the operation is truly unnoticeable. |  |  |
| Persistence | [TikiTorch](https://github.com/rasta-mouse/TikiTorch) | TikiTorch follows the same concept([CACTUSTORCH](https://github.com/vysecurity/CACTUSTORCH)) but has multiple types of process injection available, which can be specified by the user at compile time. |  |  |
| Persistence | [CACTUSTORCH](https://github.com/mdsecactivebreach/CACTUSTORCH) | A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it. |  |  |
| Persistence | [UploadAndRunFrp](https://github.com/Ch1ngg/AggressorScript-UploadAndRunFrp) | Upload frpc and run frpc |  |  |
| Persistence | [persistence-aggressor-script](https://github.com/threatexpress/persistence-aggressor-script) | [Persistence Aggressor Script](https://zonksec.com/blog/persistence-aggressor-script/) |  |  |
| Persistence | [AggressiveGadgetToJScript](https://github.com/EncodeGroup/AggressiveGadgetToJScript) | Automate the generation of payloads using the GadgetToJScript technique. |  |  |
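| Persistence | [FrpProPlugin](https://github.com/mstxq17/FrpProPlugin) | Modified version of frp 0.33 that evades traffic detection and AV, supports loading a remote configuration file, and can be used directly as a CS plugin |  |  |
| Persistence | [Automatic-permission-maintenance](https://github.com/j5s/Automatic-permission-maintenance) | CobaltStrike plugin for automatic persistence when a host comes online |  |  |
| Persistence | [cobalt-strike-persistence](https://github.com/Cyri1s/cobalt-strike-persistence) | The user generates a Web Delivery type payload with cobalt strike and then loads this script to achieve autostart |  |  |
| Persistence | [Cobalt_Strike_CNA](https://github.com/yanghaoi/CobaltStrike_CNA) | CobaltStrike script that uses various WinAPIs for persistence, including setting system services, setting scheduled tasks and managing users via API. |  |  |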
| Persistence | [CustomKeyboardLayoutPersistence](https://github.com/NtQuerySystemInformation/CustomKeyboardLayoutPersistence) | Achieve execution using a custom keyboard layout, tested in Windows 11 Home version 21H2 |  |  |
| Persistence | [SharpEventPersist](https://github.com/improsec/SharpEventPersist) | Persistence by writing/reading shellcode from Event Log. |  |  |
| Auxiliary | [SharpZippo](https://github.com/OG-Sadpanda/SharpZippo) | List/Read contents of Zip files (in memory and without extraction) using CobaltStrike's Execute-Assembly |  |  |
| Auxiliary | [SharpExcelibur](https://github.com/OG-Sadpanda/SharpExcelibur) | Read Excel Spreadsheets (XLS/XLSX) using Cobalt Strike's Execute-Assembly |  |  |
| Auxiliary | [SharpSword](https://github.com/OG-Sadpanda/SharpSword) | Read the contents of DOCX files using Cobalt Strike's Execute-Assembly |  |  |
| Auxiliary | [SharpCat](https://github.com/OG-Sadpanda/SharpCat) | C# alternative to the linux "cat" command... Prints file contents to console. For use with Cobalt Strike's Execute-Assembly |  |  |
| Auxiliary | [TabRenamer CNA](https://github.com/EspressoCake/DynamicTabRename) | This will allow programmatic renaming of tabs as you see fit, with toggles of your history as you see fit. |  |  |
| Auxiliary | [Liquid Snake](https://github.com/RiccardoAncarani/LiquidSnake) | LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript |  |  |
| Auxiliary | [TaskShell](https://github.com/RiccardoAncarani/TaskShell) | TaskShell: automation of scheduled-task operations |  |  |
| Auxiliary | [generate-rotating-beacon](https://github.com/eddiezab/aggressor-scripts/blob/master/generate-rotating-beacon.cna) | 1. Generate a beacon for a given listener; 2. Host the file at a specified location; 3. Monitor the weblog for fetching of the specified location; |  |  |
| Auxiliary | [ScareCrow-CobaltStrike](https://github.com/GeorgePatsias/ScareCrow-CobaltStrike) | A Cobalt Strike script for ScareCrow payload generation. Works with all Loaders. |  |  |
| Auxiliary | [AggressorScripts](https://github.com/capt-meelo/AggressorScripts) | CreateTicket; Seatbelt; SharpHound |  |  |
| Auxiliary | [SharpeningCobaltStrike](https://github.com/cube0x0/SharpeningCobaltStrike) | In realtime compiling of dotnet v35/v40 exe/dll binaries + obfuscation with ConfuserEx on your linux cobalt strike server. |  |  |
| Auxiliary | [CS_Mail_Tip](https://github.com/0x50j/CS_Mail_Tip) | Cobalt Strike plugin that sends an email alert when a host comes online |  |  |
| Auxiliary | [Cobalt_Strike_Bot](https://github.com/r1is/Cobalt_Strike_Bot) | CobaltStrike online notifications via a Feishu group chat bot and ServerChan (Server酱) |  |  |
| Auxiliary | [Cobaltstrike-atexec](https://github.com/Rvn0xsy/Cobaltstrike-atexec) | Lateral movement via scheduled tasks; requires communication with port 135 and port 445 |  |  |
| Auxiliary | [Sharp-HackBrowserData](https://github.com/S3cur3Th1sSh1t/Sharp-HackBrowserData) | C# version of the HackBrowserData tool, convenient for loading directly in memory in CS |  |  |
| Auxiliary | [HackBrowserData](https://github.com/idiotc4t/Reflective-HackBrowserData) | Reflective module for HackBrowserData |  |  |
| Auxiliary | [cobalt_sync](https://github.com/GhostManager/cobalt_sync) | Standalone Cobalt Strike Operation Logging Aggressor script for Ghostwriter 2.0+ |  |  |
| Auxiliary | [samdump](https://github.com/D1sAbl4/samdump) | Cobalt Strike samdump |  |  |
| Auxiliary | [CallBackDump](https://github.com/seventeenman/CallBackDump) | LSASS process dump tool that gets past AV products such as Kaspersky, Hejing (核晶) and Defender |  |  |
| Auxiliary | [SharpCompile](https://github.com/SpiderLabs/SharpCompile) | SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime. |  |  |
| Auxiliary | [Quickrundown](https://github.com/icebearfriend/Quickrundown) | Utilizing QRD will allow an operator to quickly characterize what processes are both known and unknown on a host through the use of colors and notes about the processes displayed. |  |  |
| Auxiliary | [NetUser](https://github.com/bopin2020/NetUser) | This tool achieves "net user" in Windows API. I made this to be used with Cobalt Strike's execute-assembly, so users can be added via in-memory loading