This course provides instruction on writing Beacon Object Files (BOFs) for use in Cobalt Strike and other C2 frameworks. It begins with the setup of development environments on both Windows and Linux before introducing the Windows API and Cobalt Strike's Aggressor language. Students will learn various tips, techniques, and strategies while following step-by-step instructions to create 3 operation-ready BOFs that can be added to their toolkits.

The practical examples that students work through grow increasingly complex as the course progresses. They begin with the creation of an original ransomware simulation BOF and its unit tests, before moving on to converting an open-source UAC bypass tool to BOF format, and finally exploring how BOFs and position-independent code (PIC) can be combined to create long-running in-Beacon-process tasks.



Course Curriculum

    1. Introduction

    2. Author's Note

    3. How to use this course

    4. Software Requirements

    5. Before we begin...

    1. Windows Environment Setup

    2. Linux Environment Setup

    3. Resources

    1. Background and Basics

    2. Windows API

    3. COFFLoader

    4. BOF Development on Linux

    5. BOF Development on Windows

    6. Aggressor Scripting

    1. Introduction

    2. Initial Setup

    3. Finding the Desktop folder

    4. Code Download

    5. Changing the Wallpaper and Leaving the Ransom Note

    6. Code Download

    7. Renaming Files

    8. Code Download

    9. Aggressor Script

    10. Code Download

    11. Closing

    1. Introduction

    2. Initial Setup

    3. Code Review, Testing, and Analysis

    4. Initial Port of Code

    5. Code Download

    6. Replacing Resource Functionality

    7. Code Download

    8. Offensive Tradecraft

    9. Code Download

    10. Code Cleanup

    11. Code Download

    12. Aggressor Script

    13. Code Download

    14. Closing

    15. Resources

    1. Introduction

    2. Initial Setup

    3. Introduction to Stardust

    4. Calling Beacon APIs from Stardust

    5. Code Download

    6. Integrating Stardust into the BOF

    7. Code Download

    8. Monitoring for New Logins

    9. Code Download

    10. Dumping TGTs Automagically

    11. Code Download

    12. Patching BOF Arguments

    13. Code Download

    14. Teardown and Cleanup

    15. Code Download

    16. Aggressor Script

    17. Code Download

    18. Dancing with Sleep Mask

    19. Code Download

    20. Closing

    21. Resources

About this course

  • £199.00
  • 63 lessons

FAQ

  • Does this course include lab access?

    No, students are expected to build their own development environment using the instructions and resources provided in the course.

  • Is Cobalt Strike required?

    No. While access to Cobalt Strike will enable students to get the most out of this course, it is not strictly required nor will it be provided. The course leverages a modified version of TrustedSec's COFFLoader project to allow students to run BOFs without access to a C2 framework.

  • What prerequisite knowledge do I need?

    This course assumes basic familiarity with red team topics and tools such as Kerberos/Rubeus, UAC, and process injection. Some basic familiarity with C and/or C++ is recommended (e.g., knowing what malloc does, understanding conditional logic, etc.).

  • Is there an exam for this course?

    There is no exam, but you can earn a certificate of course completion by finishing all the chapters.

Reviews

5 star rating

Worth It

Dwayne Dever

I think this course offers tremendous value for both the time and money spent. I enjoyed working through the material and found it to be a very comprehensive introduction to BOF development. Some might even say it is "dense," which I happen to appreciate. In fact, that was the most compelling aspect of the course for me. This course was not simply a collection of bullet points and flowcharts. It delves into the underlying questions, integrates relevant external material, and doesn't shy away from expanding on topics to ensure they are fully covered (e.g., PIC/Reflective DLLs). This course kept the material engaging, on-point, and well-paced; I never felt lost in the details. As a result, I came out the other side with a significantly increased understanding of the concepts, not just a rote knowledge of which "buttons to push." If you're interested in learning how to spin up real-world, functional Beacon Object Files to support your Red Teaming efforts, this course will get you there.


Instructor

Instructor Alex Reid

Alex began his career in offensive security as a member of the United States Navy Red Team, where he worked as a technical lead and advanced capabilities developer. He has contributed numerous open-source tools and research blogs to the information security community, including TeamsPhisher, GraphStrike, Inline-Execute-PE, and MemFiles.