Strstr with user-supplied needle and filename as a BOF.

Last update: Nov 9, 2022

Related tags

Miscellaneous Needle_Sift_BOF

Overview

Needle_Sift_BOF

What is this?

Strstr with user-supplied needle and filename as a BOF.

Why?

Why not? Supply what you want, and don't worry about downloading an entire file that may/may not have what you're looking for.

How do I run this?

In this case, you have two options:
1. Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
2. Compile from source via the Makefile
  1. cd src
  2. make clean
  3. make
Load the Aggressor file, in the Script Manager, located in the dist directory
Within a provided Beacon, beacon> needle_sift PATH_TO_FILE_OF_INTEREST STRING_TO_SEARCH_FOR (e.g. needle_sift C:\Users\User\sensitive_file.txt Password)

Any known downsides?

We're still using the Win32 API and Dynamic Function Resolution. This is for you to determine as far as "risk"
There's a user-defined cap on what we want the total length of a line to be. (I didn't want to do anything with a heap allocation, and favored some semblance of stability)
This is currently case-sensitive as I didn't come across a more agnostic solution

A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF.

PPLDump BOF Who worked on this? Justin Lucas (@the_bit_diddler) Brad Campbell (@hackersoup) What is this? Jokingly, an exercise of my own personal san

124 Dec 28, 2022

DLL Hijack Search Order Enumeration BOF

DLL Hijack Search Order BOF What is this? This is a Cobalt Strike BOF file, meant to use two arguments (path to begin, and a DLL filename of interest)

121 Dec 13, 2022

DLL Exports Extraction BOF with optional NTFS transactions.

DLL Exports Extraction BOF What is this? This is a Cobalt Strike BOF file, meant to use two or three arguments (path to DLL, and/or a third argument [

56 Nov 9, 2022

POC tool to convert CobaltStrike BOF files to raw shellcode

BOF2Shellcode POC tool to convert a Cobalt Strike BOF into raw shellcode. Introduction This code was written as part of a blog tutorial on how to conv

132 Dec 30, 2022

A BOF to parse the imports of a provided PE-file, optionally extracting symbols on a per-dll basis.

PE Import Enumerator BOF What is this? This is a BOF to enumerate DLL files to-be-loaded by a given PE file. Depending on the number of arguments, thi

78 Dec 1, 2022

A BOF for enumerating version information for DLLs associated for a Beacon process.

DLL Image Resource Version Enumeration BOF What is this? This is a Cobalt Strike BOF file (a mildly massaged port of @N4k3dTurtl3's existing PoC , mea

10 Nov 5, 2022

A BOF to interact with COM objects associated with the Windows software firewall.

Firewall_Enumerator_BOF What is this? This is meant as a supplement to interact with the Windows firewall via COM interfaces. Did you derive inspirati

97 Dec 7, 2022

Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions

xPipe Cobalt Strike BOF (x64) Cobalt Strike Beacon Object File (BOF) to list active Pipes & return their Owner & Discretionary Access Control List (DA

65 Nov 9, 2022

BOF implementation of chlonium tool to dump Chrome/Edge Masterkey

ChromiumKeyDump BOF implementation of Chlonium tool to dump Chrome/Edge Masterkey. Forked from https://github.com/crypt0p3g/bof-collection Setup How t

2 Feb 12, 2022

Strstr with user-supplied needle and filename as a BOF.

Related tags

Overview

Needle_Sift_BOF

What is this?

Why?

How do I run this?

Any known downsides?

You might also like...

A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF.

DLL Hijack Search Order Enumeration BOF

DLL Exports Extraction BOF with optional NTFS transactions.

POC tool to convert CobaltStrike BOF files to raw shellcode

A BOF to parse the imports of a provided PE-file, optionally extracting symbols on a per-dll basis.

A BOF for enumerating version information for DLLs associated for a Beacon process.

A BOF to interact with COM objects associated with the Windows software firewall.

Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions

BOF implementation of chlonium tool to dump Chrome/Edge Masterkey

Owner

Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state

EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode

BOF implementation of the research by @jonasLyk and the drafted PoC from @LloydLabs

A BOF port of the research of @thefLinkk and @codewhitesec

CredBandit - Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel

Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.

Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR

Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes

Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.

CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)