This repository contains BOFs (Beacon Object Files) designed for various red team and offensive security engagements. The end goal is to have a toolkit of BOFs that we can run interchangeably when looking to orchestrate large scale recon or actions.

| BOF | Use |
|---|---|
| app_count | Counts the number of installed applications via the registry, de-duplicates the list, and prints the total. Applied across a large number of beacons, this allows us to infer things about a device from differences in app count. |
| netjoin_query | Queries Windows domain join information and workstation details, identifying if the system is domain-joined or in a workgroup. |
| window_list | Enumerates the titles of all visible windows on the current user's desktop, optionally including Process IDs (PIDs). |
| wevt_logon_enum | Enumerates recent Security log logon events (successful and failed; Event IDs 4624, 4625, 4672) via the wevtapi API and prints the remote workstation name/IP plus the target username. |

| BOF | Use |
|---|---|
| amsi_etw_detect | Checks for AMSI and ETW presence in the current process by detecting loaded DLLs and ETW-related exports. Useful for picking targets with less security activity when applied broadly. |
| wsc_status | Queries Windows Security Center health status, including Anti-Virus, Firewall, Anti-Spyware, WSC Service, Auto-Update, Internet Settings, and User Account Control. |
| asr_status | Enumerates Windows Defender Attack Surface Reduction (ASR) rules from registry locations to identify which ASR rules are configured, their enforcement state (Block/Audit/Warn/Disabled), and the policy source (Intune/MDM vs Group Policy). |

| BOF | Use |
|---|---|
| user_idle | Gets user idle time since last input and GUI resource usage (GDI/USER handles) in the current process for timing intelligence. |

| BOF | Use |
|---|---|
| window_handles_enum | Enumerates window handles across all system processes and uses a legitimate window handle to access the clipboard. |
| clipboard_grab | Retrieves text data from the Windows clipboard using Win32 APIs and returns the contents to the callback. Original Code Credits: @rvrsh3ll |

| BOF | Use |
|---|---|
| bitlocker_status | Enumerates BitLocker encryption status, policy configurations, and recovery key backup locations by scanning registry keys. |
| applocker_policy | Enumerates AppLocker policy configurations, rule collections, and enforcement modes by scanning the relevant registry keys. |
| aad_ca_policy | Enumerates Azure Active Directory Conditional Access policies and related security configurations by scanning registry keys for policy enforcement settings and MFA requirements. |
| aad_compliance_status | Checks Azure Active Directory device compliance status and retrieves Intune/MDM enrollment information by querying registry keys for MDM enrollments and compliance state. |
| wef_detect | Detects Windows Event Forwarding (WEF) configuration. If found, it indicates that security events are being forwarded to a central logging server. |

| BOF | Use |
|---|---|
| schtask_enum | Enumerates scheduled tasks on Windows systems using the Task Scheduler COM interface. Provides a summary of tasks including their state, schedule, and configuration without overwhelming the beacon with XML data. Original Source: TrustedSec CS-Situational-Awareness-BOF |

DISCLAIMER: The creators and contributors of this repository accept no liability for any loss, damage, or consequences resulting from the use of the information or code contained in this repo. By utilizing this repo, you acknowledge and accept full responsibility for your actions. Use at your own risk.
