awesome-bof

Reference: Public BOF Repositories Catalog

This catalog organizes public Beacon Object File (BOF) repositories into four key categories: Toolkit Collections, Lists of BOFs, Smaller BOF Packs, and Other BOFs. Use this as a quick reference to find curated toolkits, comprehensive lists, bite‑sized BOF bundles, or explore the broader ecosystem.

## 🧰 BOF Collections

These repositories contain a variety of BOFs covering multiple functions, often organized as a suite or kit.

| Project | Description |
|---------|-------------|
| CS-Situational-Awareness-BOF | Network and host enumeration commands (ipconfig, arp, netstat) as BOFs for stealthy reconnaissance |
| C2-Tool-Collection | Outflank’s red team toolkits including multiple BOFs for various operations |
| CS-Remote-OPs-BOF | Remote ops BOFs for files, tokens, impersonation and lateral movement |
| OperatorsKit | This repository contains a collection of Beacon Object Files (BOFs) that integrate with Cobalt Strike. |
| BOFs | Beacon Object Files (BOFs) for Cobalt Strike and Havoc C2. Implementations of Active Directory attacks and post-exploitation techniques. |
| LDAP-Bof-Collection | Collection of many ldap bofs for domain enumeration and privilege escalation. Created for use with the Adaptix C2. |
| PostEx-Arsenal | Arsenal of post-exploitation BOF modules including BrowserDump, Clipdump, LateralMov, Screenshot, Slackdump, and more |
| BusyBOF | Busybox-style BOFs for *nix post-exploitation — reimplements Unix utilities for stripped environments (Docker, K8s, minimal VMs) |

### Commands from trustedsec/CS-Situational-Awareness-BOF

These are the commands available in the `TrustedSec/CS-Situational-Awareness-BOF` repo as of 2026-01-26. Note that you cannot click them from this repo; you have to visit the repo itself to view each BOF in detail.

*Content manually copied from the TrustedSec repository. Please refer to the original for the most up-to-date information.*

| Commands | Usage | Notes |
|----------|-------|-------|
| adcs_enum | adcs_enum | Enumerate CAs and templates in the AD using Win32 functions |
| adcs_enum_com | adcs_enum_com | Enumerate CAs and templates in the AD using ICertConfig COM object |
| adcs_enum_com2 | adcs_enum_com2 | Enumerate CAs and templates in the AD using IX509PolicyServerListManager COM object |
| adv_audit_policies | adv_audit_policies | Retrieve advanced security audit policies |
| arp | arp | List ARP table |
| cacls | cacls [filepath] | List user permissions for the specified file, wildcards supported |
| dir | dir [directory] [/s] | List files in a directory. Supports wildcards (e.g. "C:\Windows\S*") unlike the CobaltStrike `ls` command |
| driversigs | driversigs | Enumerate installed services Imagepaths to check the signing cert against known AV/EDR vendors |
| enum_filter_driver | enum_filter_driver [opt:computer] | Enumerate filter drivers |
| enumLocalSessions | enumLocalSessions | Enumerate currently attached user sessions both local and over RDP |
| env | env | List process environment variables |
| findLoadedModule | findLoadedModule [modulepart] [opt:procnamepart] | Find what processes \*modulepart\* are loaded into, optionally searching just \*procnamepart\* |
| get_dpapi_system | get_dpapi_system | Get the DPAPI_SYSTEM key and bootkey |
| get_password_policy | get_password_policy [hostname] | Get target server or domain's configured password policy and lockouts |
| get_session_info | get_session_info | Prints out information related to the current user's logon session |
| ipconfig | ipconfig | List IPv4 address, hostname, and DNS server |
| ldapsearch | ldapsearch [--attributes] [--count] [--scope] [--hostname] [--dn] [--ldaps] | Execute LDAP searches (NOTE: specify `*,ntsecuritydescriptor` as attribute parameter if you want all attributes + base64 encoded ACL of the objects, this can then be resolved using BOFHound. Could possibly break pagination, although everything seemed fine during testing.) |
| ldapsecuritycheck | ldapsecuritycheck [opt:dc] | Check LDAP signing and LDAPS channel binding requirements on domain controllers. Performs authentication tests to detect security configurations. |
| listdns | listdns | List DNS cache entries. Attempt to query and resolve each |
| list_firewall_rules | list_firewall_rules | List Windows firewall rules |
| listmods | listmods [opt: pid] | List process modules (DLL). Target current process if PID is empty. Complement to driversigs to determine if our process was injected by AV/EDR |
| listpipes | listpipes | List named pipes |
| locale | locale | List system locale language, locale ID, date, time, and country |
| netGroupList | netGroupList [opt: domain] | List groups from the default or specified domain |
| netGroupListMembers | netGroupListMembers [groupname] [opt: domain] | List group members from the default or specified domain |
| netLocalGroupList | netLocalGroupList [opt: server] | List local groups from the local or specified computer |
| netLocalGroupListMembers | netLocalGroupListMembers [groupname] [opt: server] | List local groups from the local or specified computer |
| netLocalGroupListMembers2 | netLocalGroupListMembers2 [opt: groupname] [opt: server] | Modified version of `netLocalGroupListMembers` that supports BOFHound |
| netloggedon | netloggedon [hostname] | Return users logged on the local or remote computer |
| netloggedon2 | netloggedon2 [opt: hostname] | Modified version of `netloggedon` that supports BOFHound |
| netsession | netsession [opt:computer] | Enumerate sessions on the local or specified computer |
| netsession2 | netsession2 [opt:computer] [opt:resolution method] [opt:dns server] | Modified version of `netsession` that supports BOFHound |
| netshares | netshares [hostname] | List shares on the local or remote computer |
| netstat | netstat | TCP and UDP IPv4 listing ports |
| nettime | nettime [hostname] | Display time on remote computer |
| netuptime | netuptime [hostname] | Return information about the boot time on the local or remote computer |
| netuser | netuser [username] [opt: domain] | Get info about specific user. Pull from domain if a domainname is specified |
| netuse_add | netuse_add [sharename] [opt:username] [opt:password] [opt:/DEVICE:devicename] [opt:/PERSIST] [opt:/REQUIREPRIVACY] | Bind a new connection to a remote computer |
| netuse_delete | netuse_delete [device\|\|sharename] [opt:/PERSIST] [opt:/FORCE] | Delete the bound device / sharename |
| netuse_list | netuse_list [opt:target] | List all bound share resources or info about target local resource |
| netview | netview | List reachable computers in the current domain |
| nslookup | nslookup [hostname] [opt:dns server] [opt: record type] | Make a DNS query. DNS server is the server you want to query (do not specify or 0 for default). Record type is something like A, AAAA, or ANY. Some situations are limited due to observed crashes |
| md5 | md5 [filename] | Hash filename using md5 |
| probe | probe [host] [port] | Check if a specific port is open |
| regsession | regsession [opt: hostname] | Return logged on user SIDs by enumerating HKEY_USERS. BOFHound compatible |
| reg_query | [opt:hostname] [hive] [path] [opt: value to query] | Query a registry value or enumerate a single key |
| reg_query_recursive | [opt:hostname] [hive] [path] | Recursively enumerate a key starting at path |
| resources | resources | List memory usage and available disk space on the primary hard drive |
| routeprint | routeprint | List IPv4 routes |
| sc_enum | sc_enum [opt:server] | Enumerate services for qc, query, qfailure, and qtriggers info |
| sc_qc | sc_qc [service name] [opt:server] | sc qc implementation in BOF |
| sc_qdescription | sc_qdescription [service name] [opt: server] | sc qdescription implementation in BOF |
| sc_qfailure | sc_qfailure [service name] [opt:server] | Query a service for failure conditions |
| sc_qtriggerinfo | sc_qtriggerinfo [service name] [opt:server] | Query a service for trigger conditions |
| sc_query | sc_query [opt: service name] [opt: server] | sc query implementation in BOF |
| schtasksenum | schtasksenum [opt: server] | Enumerate scheduled tasks on the local or remote computer |
| schtasksquery | schtasksquery [opt: server] [taskpath] | Query the given task on the local or remote computer |
| sha1 | sha1 [filename] | Hash filename using sha1 |
| sha256 | sha256 [filename] | Hash filename using sha256 |
| tasklist | tasklist [opt: server] | List running processes including PID, PPID, and CommandLine (uses wmi) |
| uptime | uptime | List system boot time and how long it has been running |
| useridletime | useridletime | Shows how long the user has been idle, displayed in seconds, minutes, hours and days. |
| vssenum | vssenum [hostname] [opt:sharename] | Enumerate Shadow Copies on some Server 2012+ servers |
| whoami | whoami | List whoami /all |
| windowlist | windowlist [opt:all] | List visible windows in the current user session |
| wmi_query | wmi_query query [opt: server] [opt: namespace] | Run a wmi query and display results in CSV format |

### Commands from outflanknl/C2-Tool-Collection

These are the commands available in the `outflanknl/C2-Tool-Collection` repo as of 2026-01-26. Note that you cannot click them from this repo; you have to visit the repo itself to view each BOF in detail.

*Content manually copied from the repository. Please refer to the original for the most up-to-date information.*

| Name | Description |
|------|-------------|
| **[AddMachineAccount](BOF/AddMachineAccount)** | Abuse default Active Directory machine quota settings (ms-DS-MachineAccountQuota) to add rogue machine accounts. |
| **[Askcreds](BOF/Askcreds)** | Collect passwords by simply asking. |
| **[CVE-2022-26923](BOF/CVE-2022-26923)** | CVE-2022-26923 Active Directory (ADCS) Domain Privilege Escalation exploit. |
| **[Domaininfo](BOF/Domaininfo)** | Enumerate domain information using Active Directory Domain Services. |
| **[FindObjects](BOF/FindObjects)** | Enumerate processes for specific loaded modules or process handles. |
| **[Kerberoast](BOF/Kerberoast)** | List all SPN enabled user/service accounts or request service tickets (TGS-REP) which can be cracked offline using HashCat. |
| **[KerbHash](BOF/KerbHash)** | Hash password to kerberos keys (rc4_hmac, aes128_cts_hmac_sha1, aes256_cts_hmac_sha1, and des_cbc_md5). |
| **[Klist](BOF/Klist)** | Displays a list of currently cached Kerberos tickets. |
| **[Lapsdump](BOF/Lapsdump)** | Dump LAPS passwords from specified computers within Active Directory. |
| **[PetitPotam](BOF/PetitPotam)** | BOF implementation of the PetitPotam attack published by [@topotam77](https://twitter.com/topotam77). |
| **[Psc](BOF/Psc)** | Show detailed information from processes with established TCP and RDP connections. |
| **[Psw](BOF/Psw)** | Show window titles from processes with active windows. |
| **[Psx](BOF/Psx)** | Show detailed information from all processes running on the system and provides a summary of installed security products and tools. |
| **[Psm](BOF/Psm)** | Show detailed information from a specific process id (loaded modules, tcp connections e.g.). |
| **[Psk](BOF/Psk)** | Show detailed information from the windows kernel and loaded driver modules and provides a summary of installed security products (AV/EDR drivers). |
| **[ReconAD](BOF/ReconAD)** | Use ADSI to query Active Directory objects and attributes. |
| **[Smbinfo](BOF/Smbinfo)** | Gather remote system version info using the NetWkstaGetInfo API without having to run the Cobalt Strike port (tcp-445) scanner. |
| **[SprayAD](BOF/SprayAD)** | Perform a fast Kerberos or LDAP password spraying attack against Active Directory. |
| **[StartWebClient](BOF/StartWebClient)** | Start the WebClient Service programmatically from user context using a service trigger. |
| **[WdToggle](BOF/WdToggle)** | Patch lsass to enable WDigest credential caching and to circumvent Credential Guard (if enabled). |
| **[Winver](BOF/Winver)** | Display the version of Windows that is running, the build number and patch release (Update Build Revision). |

***Others***

| Name | Description |
|------|-------------|
| **[PetitPotam](Other/PetitPotam)** | Reflective DLL implementation of the PetitPotam attack published by [@topotam77](https://twitter.com/topotam77) |
| **[RemotePipeList](Other/RemotePipeList)** | .NET tool to enumerate remote named pipes |

### Commands from trustedsec/CS-Remote-OPs-BOF

These are the commands available in the `trustedsec/CS-Remote-OPs-BOF` repo as of 2026-01-26. Note that you cannot click them from this repo; you have to visit the repo itself to view each BOF in detail.

*Content manually copied from the repository. Please refer to the original for the most up-to-date information.*

| Command | Notes |
|---------|-------|
| adcs_request | Request an enrollment certificate |
| adcs_request_on_behalf | Request an enrollment certificate on behalf of another user |
| adduser | Add specified user to a machine |
| addusertogroup | Add specified user to a group |
| ask_mfa | Displays a fake Microsoft Authenticator approval dialog with the specified number |
| chromeKey | Decrypt the provided base64 encoded Chrome key |
| enableuser | Enable and unlock the specified user account |
| get_azure_token | Attempts to complete an OAuth codeflow grant against azure using saved logins |
| get_priv | Activate the specified token privilege, more for non-cobalt strike users |
| global_unprotect | Locates and Decrypts GlobalProtect config files converted from: [GlobalUnProtect](https://github.com/rotarydrone/GlobalUnProtect/tree/409d64b097e0a928a5545051e40e1566e9c26bd0) |
| lastpass | Search Chrome, brave memory for LastPass passwords and data |
| make_token_cert | Impersonates a user using the altname of a .pfx file |
| office_tokens | Collect Office JWT Tokens from any Office process |
| procdump | Dump the specified process to the specified output file |
| ProcessDestroy | Close handle(s) in a process |
| ProcessListHandles | List all open handles in a specified process |
| reg_delete | Delete a registry key |
| reg_save | Save a registry hive to disk |
| reg_set | Set / create a registry key |
| sc_config | Configure an existing service |
| sc_create | Create a new service |
| sc_delete | Delete an existing service |
| sc_failure | Configures the actions upon failure of an existing service |
| sc_description | Modify an existing service's description |
| sc_start | Start an existing service |
| sc_stop | Stop an existing service |
| schtaskscreate | Create a new scheduled task (via xml definition) |
| schtasksdelete | Delete an existing scheduled task |
| schtasksrun | Start a scheduled task |
| schtasksstop | Stop a running scheduled task |
| setuserpass | Set a user's password |
| shspawnas | A misguided attempt at injecting code into a newly spawned process |
| shutdown | Shutdown or reboot a local or remote computer, with or without a warning/message |
| slack_cookie | Collect the Slack authentication cookie from a Slack process |
| unexpireuser | Set a user account to never expire |
| ghost_task | Add/Delete a ghost task. |

### Commands from REDMED-X/OperatorsKit

These are the commands available in the `REDMED-X/OperatorsKit` repo as of 2026-01-26. Note that you cannot click them from this repo; you have to visit the repo itself to view each BOF in detail.

*Content manually copied from the repository. Please refer to the original for the most up-to-date information.*

| Name | Description |
|------|-------------|
| **[AddExclusion](KIT/AddExclusion)** | Add a new exclusion to Windows Defender for a folder, file, process or extension. |
| **[AddFirewallRule](KIT/AddFirewallRule)** | Add a new inbound/outbound firewall rule. |
| **[AddLocalCert](KIT/AddLocalCert)** | Add a (self signed) certificate to a specific local computer certificate store. |
| **[AddTaskScheduler](KIT/AddTaskScheduler)** | Create a scheduled task on the current- or remote host. |
| **[BlindEventlog](KIT/BlindEventlog)** | Blind Eventlog by suspending its threads. |
| **[CaptureNetNTLM](KIT/CaptureNetNTLM)** | Capture the NetNTLMv2 hash of the current user. |
| **[CredPrompt](KIT/CredPrompt)** | Start persistent credential prompt in an attempt to capture user credentials. |
| **[DelExclusion](KIT/DelExclusion)** | Delete an exclusion from Windows Defender for a folder, file, process or extension. |
| **[DelFirewallRule](KIT/DelFirewallRule)** | Delete a firewall rule. |
| **[DelLocalCert](KIT/DelLocalCert)** | Delete a local computer certificate from a specific store. |
| **[DelTaskScheduler](KIT/DelTaskScheduler)** | Delete a scheduled task on the current- or a remote host. |
| **[DllComHijacking](KIT/DllComHijacking)** | Leverage DLL Hijacking by instantiating a COM object on a target host |
| **[DllEnvHijacking](KIT/DllEnvHijacking)** | BOF implementation of DLL environment hijacking. |
| **[EnumDotnet](KIT/EnumDotnet)** | Enumerate processes that most likely have .NET loaded. |
| **[EnumDrives](KIT/EnumDrives)** | Enumerate drive letters and type. |
| **[EnumExclusions](KIT/EnumExclusions)** | Check the AV for excluded files, folders, extensions and processes. |
| **[EnumFiles](KIT/EnumFiles)** | Search for matching files based on a word, extension or keyword in the file content. |
| **[EnumHandles](KIT/EnumHandles)** | Enumerate "process" and "thread" handle types between processes. |
| **[EnumLib](KIT/EnumLib)** | Enumerate loaded module(s) in remote process(es). |
| **[EnumLocalCert](KIT/EnumLocalCert)** | Enumerate all local computer certificates from a specific store. |
| **[EnumRWX](KIT/EnumRWX)** | Enumerate RWX memory regions in a target process. |
| **[EnumSecProducts](KIT/EnumSecProducts)** | Enumerate security products (like AV/EDR) that are running on the current/remote host. |
| **[EnumShares](KIT/EnumShares)** | Enumerate remote shares and your access level using a predefined list with hostnames. |
| **[EnumSysmon](KIT/EnumSysmon)** | Verify if Sysmon is running by checking the registry and listing Minifilter drivers. |
| **[EnumTaskScheduler](KIT/EnumTaskScheduler)** | Enumerate all scheduled tasks in the root folder. |
| **[EnumWebClient](KIT/EnumWebClient)** | Find hosts with the WebClient service running based on a list with predefined hostnames. |
| **[EnumWSC](KIT/EnumWSC)** | List what security products are registered in Windows Security Center. |
| **[ExecuteCrossSession](KIT/ExecuteCrossSession)** | Execute a binary in the context of another user via COM cross-session interaction |
| **[ForceLockScreen](KIT/ForceLockScreen)** | Force the lock screen of the current user session. |
| **[HideFile](KIT/HideFile)** | Hide a file or directory by setting its attributes to systemfile + hidden. |
| **[IdleTime](KIT/IdleTime)** | Check current user activity based on the user's last input. |
| **[InjectPoolParty](KIT/InjectPoolParty)** | Inject beacon shellcode and execute it via Windows Thread Pools. |
| **[KeyloggerRawInput](KIT/KeyloggerRawInput)** | Keylogger based on RegisterRawInputDevices. |
| **[LoadLib](KIT/LoadLib)** | Load an on disk present DLL via RtlRemoteCall API in a remote process. |
| **[PSremote](KIT/PSremote)** | Enumerate all running processes on a remote host. |
| **[PasswordSpray](KIT/PasswordSpray)** | Validate a single password against multiple accounts using kerberos authentication. |
| **[SilenceSysmon](KIT/SilenceSysmon)** | Silence the Sysmon service by patching its capability to write ETW events to the log. |
| **[SystemInfo](KIT/SystemInfo)** | Enumerate system information via WMI (limited use case). |
| **[WiFiPasswords](KIT/WiFiPasswords)** | Enumerates all saved SSID's, then retrieves each AP's stored plaintext password. |

## 📚 Lists of BOFs

These pages primarily serve as curated lists or collections of links to *other* BOF repositories, rather than containing BOF code themselves.

*Note*: This project has already scraped and included all BOFs from these lists.

| Project | Description |
|---------|-------------|
| [Awesome-CobaltStrike](https://github.com/zer0yu/Awesome-CobaltStrike?tab=readme-ov-file#0x03-bof) | Includes a massive list of public BOF projects |
| [BofAllTheThings](https://github.com/N7WEra/BofAllTheThings) | Master curated list of public BOF repos with categorization and documentation |
| [CobaltStrike_BOF_Collections](https://github.com/wsummerhill/C2_RedTeam_CheatSheets/blob/main/CobaltStrike/BOF_Collections.md) | Useful BOFs collected and used during red team ops |
| [BOFs](https://github.com/BOFs/BOFs) | General-purpose Beacon Object Files repository |
| [BOF-CobaltStrike](https://github.com/hrtywhy/BOF-CobaltStrike) | Cobalt Strike BOFs used during red team engagements |
| [DPAPI_BOF](https://github.com/Bhanunamikaze/DPAPI_BOF) | SharpDPAPI ported to Cobalt Strike BOFs — 19 self-contained BOFs for DPAPI credential triage |

---

## 🤏 Smaller BOF Packs

Repositories typically containing a small number (e.g., 3-4) of specific BOFs or a collection to target one specific technology (like Kerberos).

*Note*: I've used AI to make a Python script that makes a *best effort* attempt at extracting and including a list of BOFs from each repo for easy reference.

| Project | Description | Includes |
|---------|-------------|----------|
| [Adrenaline](https://github.com/atomiczsec/Adrenaline) | Collection of BOFs created for red team/adversary engagements. Created to be small and interchangeable, for quick recon or eventing. | |
| [BofArsenal](https://github.com/xRedCodex/BofArsenal) | The most extensive collection of BOFs (Beacon Object Files) tailored for Red Teams using C++23 | |
| [BOF_Collection](https://github.com/rvrsh3ll/BOF_Collection) | Various Cobalt Strike BOFs (Collection) | `dumpwifi.c`, `enumwifi`, `GetClipboard.c`, `GetClipboard.o`, `GetDomainInfo.c`, `GetDomainInfo.o`, `PortScan.c`, `RegistryPersistence.c`, `RegistryPersistence.o` |
| [BOFs](https://github.com/ajpc500/BOFs) | General BOF collection from ajpc500, including a useful Curl BOF | `BeaconSpawnTemporaryProcess`, `check_function`, `Create`, `Fetch`, `Inject`, `inject_dll.c`, `Patch`, `Read`, `read_function`, `Unhook` |
| [PrivKit](https://github.com/mertdas/PrivKit) | PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS. | `cfile.c`, `ofile.o`, `tokenprivileges.o` |
| [UAC-BOF-Bonanza](https://github.com/icyguider/UAC-BOF-Bonanza) | Collection of UAC Bypass Techniques Weaponized as BOFs | `AcquireModernLicenseWithPreviousId`, `All`, `CmstpElevatedCOM`, `ColorDataProxy`, `DisplayCalibrator`, `EditionUpgradeManager`, `entry.c`, `LaunchDccw`, `make`, `RegistryShellCommand`, `Required`, `SetRegistryStringValue`, `ShellExec`, `SilentCleanupWinDir`, `SspiUacBypass`, `TrustedPathDLLHijack` |
| [SQL-BOF](https://github.com/Tw1sm/SQL-BOF) | Library of BOFs to interact with SQL servers | `Available`, `sql-1434udp`, `sql-adsi`, `sql-agentcmd`, `sql-agentstatus`, `sql-checkrpc`, `sql-clr`, `sql-columns`, `sql-databases`, `sql-disableclr`, `sql-disableole`, `sql-disablerpc`, `sql-disablexp`, `sql-enableclr`, `sql-enableole`, `sql-enablerpc`, `sql-enablexp`, `sql-impersonate`, `sql-info`, `sql-links`, `sql-olecmd`, `sql-query`, `sql-rows`, `sql-search`, `sql-smb`, `sql-tables`, `sql-users`, `sql-whoami`, `sql-xpcmd` |
| [Kerbeus-BOF](https://github.com/RalfHacker/Kerbeus-BOF) | Kerberos abuse toolkit implemented as BOF (Rubeus-style) | `asktgs`, `asktgt`, `changepw`, `CS-Situational-Awareness-BOF`, `describe`, `dump`, `FORWARDABLE`, `hash`, `kerberoasting`, `klist`, `msds-allowedtodelegateto`, `must`, `nanorobeus`, `ptt`, `purge`, `renew`, `Rubeus`, `tgtdeleg`, `triage`, `TrustedToAuthForDelegation` |
| [BRC4-BOF-Artillery](https://github.com/paranoidninja/BRC4-BOF-Artillery) | Brute Ratel-focused BOF utilities | `BR-Remote-Ops`, `BRc4-Generic`, `Generic`, `Kerbeus`, `Kerbeus-BOF`, `Operators-Kit`, `OperatorsKit`, `ThreadPoolInjection` |
| [CobaltStrike-BOF](https://github.com/Yaxser/CobaltStrike-BOF) | Collection of BOFs for learning Cobalt Strike internals | `DCOM Lateral Movement`, `WMI Lateral Movement` |
| [BOFs](https://github.com/Wanssss1/BOFs) | BOFs for Cobalt Strike and Havoc C2, focusing on Active Directory attacks and post-exploitation techniques | |
| [PBOF](https://github.com/jaytiwari05/PBOF) | Collection of custom BOF (Beacon Object Files) for red team operations — focused on stealth, performance, and low-level C development. | |
| [ldap_bofs](https://github.com/muhammadmehdi1656/ldap_bofs) | LDAP proxying BOFs with helper scripts for implementation and setup | |
| [BOF-pack-1](https://github.com/jsecu/BOF-pack-1) | A care package of useful bofs for red team engagements | Includes `GetAppLockerPolicy`, `TokenElevate` and `PrivChanger`. |
| [MagicBOFs](https://github.com/Yeeb1/MagicBOFs) | A themed set of Beacon Object Files inspired by Magic: The Gathering | `curl`, `DropOfHoney`, `Mimikatz`, `TappingAtTheWindow`, `tspatch.c`, `WarpWorld` |
| [BOFCode](https://github.com/Mr-Un1k0d3r/BOFCode) | A collection of general-purpose BOFs | multiple: `elevate_pid`, `env`, etc. |
| [aad-bofs](https://github.com/kozmer/aad-bofs) | AzureAD-focused Beacon Object Files | `imds_management_token`, `request_aad_prt` |
| [QoL-BOFs](https://github.com/ZephrFish/QoL-BOFs) | Curated BOFs with submodules for cloning and use | `BOF-patchit`, `ChromeKatz`, `Cobalt-Clip`, `cobaltstrike-cat-bof`, `Contributions`, `Defender-Exclusions-Creator`, `EDREnum`, `inject-assembly`, `InlineExecute-Assembly`, `Kerbeus-BOF`, `Koh`, `MiniDumpWriteDump`, `nanorobeus`, `PrivKit`, `QoL-BOFs`, `ScreenshotBOF`, `SilentLsassDump`, `Simplified`, `SQL-BOF`, `tgtdelegation`, `Uses`, `WdToggle`, `whereami`, `xPipe` |
| [proctools](https://github.com/mlcsec/proctools) | Extract information and dump sensitive strings from processes via BOFs | `__chkstk`, `company`, `Inline-Execute-PE`, `internal`, `kill`, `legal`, `private`, `procargs`, `procargs-BOF.c`, `procargs-BOF.o`, `procargs.c`, `procinfo`, `procinfo-BOF.c`, `procinfo-BOF.o`, `prockill`, `prockill-BOF.c`, `prockill-BOF.o`, `procsearch`, `procsearch-BOF.c`, `procsearch-BOF.o`, `product`, `searches`, `special` |
| [BOF_Files](https://github.com/ricardojoserf/BOF_Files) | Repository to gather personal BOF developments | `NestedZipper`, `Zipper` |
| [BOFs](https://github.com/JamesCooteUK/BOFs) | Personal collection of Beacon Object Files | `sharefolder_create`, `sharefolder_delete` |
| [cobaltstrike_bofs](https://github.com/m57/cobaltstrike_bofs) | Collection of BOFs used with Cobalt Strike | `Dump`, `SeBackupPrivilege` |
| [BOFs](https://github.com/guervild/BOFs) | Collection of BOFs by guervild, including a SilentLsassDump | `CredEnum`, `WindowsVault` |
| [CS-BOFs](https://github.com/pwn1sher/CS-BOFs) | Collection of Cobalt Strike BOFs | `defender-exclusions`, `get-loggedon`, `get-system`, `lsass` |
| [BOFs](https://github.com/RiccardoAncarani/BOFs) | Miscellaneous BOFs like `cat` | `cat`, `NOTE`, `send_shellcode_via_pipe`, `unhook`, `wts_enum_remote_processes` |
| [bofs](https://github.com/ndur0/bofs) | Home Directory path modification via LDAP | `aka`, `dcsync`, `decrypt`, `separate`, `use` |
| [BOF_All_Things](https://github.com/Patrick0x41/BOF_All_Things) | Beacon Object Files (BOF) for Cobalt Strike | `detect-hooks` |
| [bof-collection](https://github.com/crypt0p3g/bof-collection) | General collection of BOFs for Cobalt Strike | `BOF.o`, `ES_CONTINUOUS`, `ES_SYSTEM_REQUIRED`, `FoBOF.o`, `MinGW`, `Sleeping`, `Visual`, `x64.o` |
| [BeaconObjectFile](https://github.com/chrispentester/BeaconObjectFile) | BOF Collection by chrispentester. | `Compile`, `Load`, `Run` |
| [BOFs](https://github.com/dust-life/BOFs) | Beacon Object Files collection by dust-life. | `BSOD`, `EnablePriv` |
| [cobaltstrike-bof-toolset](https://github.com/3as0n/cobaltstrike-bof-toolset) | Collection of BOF tools for Cobalt Strike (Chinese description) | `https` |
| [bof-collection](https://github.com/matro7sh/bof-collection) | Collection of beacon object file (Cobalt strike) by matro7sh. | `getAV.c`, `getAV.o`, `PathToFile.o`, `RegCloseKey` |
| [BasicBOFs](https://github.com/r00t0v3rr1d3/BasicBOFs) | A collection of assorted BOFs by r00t0v3rr1d3. | `touch` |
| [BOF](https://github.com/aahmad097/BOF) | Beacon-Object-Files collection by aahmad097. | `luser` |
| [Cobalt-BOFs-and-CNA](https://github.com/Nagomez97/Cobalt-BOFs-and-CNA) | Cobalt BOFs and CNA collection by Nagomez97. | `beacon.o`, `Fobeacon.o` |
| [BOF-Learning](https://github.com/Workingdaturah/BOF-Learning) | Cobalt Strike BOFs | `Get-OSInfo`, `NetSessionEnum` |
| [Beacon-Object-File-Library](https://github.com/Ap3x/Beacon-Object-File-Library) | A library of different Beacon Object Files in Visual Studio Solution | `EnumDeviceDrivers`, `FileExfiltrationUrlEncoded`, `Ipconfig`, `RegistryPersistence`, `TimeStomp`, `WhoAmI` |
| [bof_collection](https://github.com/beune/bof_collection) | BOFs using Remote Registry Protocol for registry/file
enumeration and patch level detection | `hklm_exists`, `disk_exists`, `patchlevel` | ![](https://img.shields.io/github/stars/beune/bof_collection?label=&style=flat) | ![](https://img.shields.io/github/last-commit/beune/bof_collection?label=&style=flat) | --- ## C2 specific BOFs This category includes BOFs that were written specifically for a C2 framework that is not Cobalt Strike, like Havoc or Sliver. | Project | Description | Stars | Last commit | |---------|-------------|-------|-------------| | [PersisTask-BOF-AdaptixC2](https://github.com/giovannicolonna/PersisTask-BOF-AdaptixC2) | PersisTask BOF for Adaptixc2 | ![](https://img.shields.io/github/stars/giovannicolonna/PersisTask-BOF-AdaptixC2?label=&style=flat) | ![](https://img.shields.io/github/last-commit/giovannicolonna/PersisTask-BOF-AdaptixC2?label=&style=flat) | | [BRC_BOFS](https://github.com/0xMorph3us/BRC_BOFS) | [No description provided] | ![](https://img.shields.io/github/stars/0xMorph3us/BRC_BOFS?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0xMorph3us/BRC_BOFS?label=&style=flat) | | [havoc-privkit](https://github.com/p4p1/havoc-privkit) | A port of privkit beacon object files for havoc. | ![](https://img.shields.io/github/stars/p4p1/havoc-privkit?label=&style=flat) | ![](https://img.shields.io/github/last-commit/p4p1/havoc-privkit?label=&style=flat) | | [Havoc-BOF-Development](https://github.com/CyberSecurityUP/Havoc-BOF-Development) | Havoc BOF Development examples/collection. 
| ![](https://img.shields.io/github/stars/CyberSecurityUP/Havoc-BOF-Development?label=&style=flat) | ![](https://img.shields.io/github/last-commit/CyberSecurityUP/Havoc-BOF-Development?label=&style=flat) | | [Havoc_uac_sspi_bof](https://github.com/Sh4N4C1/Havoc_uac_sspi_bof) | UAC bypass using SSPI (BOF for Havoc) | ![](https://img.shields.io/github/stars/Sh4N4C1/Havoc_uac_sspi_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Sh4N4C1/Havoc_uac_sspi_bof?label=&style=flat) | | [hello-world-bof-havoc-c2](https://github.com/100daysofredteam/hello-world-bof-havoc-c2) | Minimalistic beacon object file for Havoc C2. | ![](https://img.shields.io/github/stars/100daysofredteam/hello-world-bof-havoc-c2?label=&style=flat) | ![](https://img.shields.io/github/last-commit/100daysofredteam/hello-world-bof-havoc-c2?label=&style=flat) | | [detect-hooks](https://github.com/zimnyaa/detect-hooks) | Port of Detect-Hooks for Sliver C2 | ![](https://img.shields.io/github/stars/zimnyaa/detect-hooks?label=&style=flat) | ![](https://img.shields.io/github/last-commit/zimnyaa/detect-hooks?label=&style=flat) | | [sliver-bof-hello-world](https://github.com/1mansh0w/sliver-bof-hello-world) | Hello World BOF for Sliver C2. | ![](https://img.shields.io/github/stars/1mansh0w/sliver-bof-hello-world?label=&style=flat) | ![](https://img.shields.io/github/last-commit/1mansh0w/sliver-bof-hello-world?label=&style=flat) | | [armory](https://github.com/FarrimWildaxe/armory) | BOF Armory for Sliver C2. 
| ![](https://img.shields.io/github/stars/FarrimWildaxe/armory?label=&style=flat) | ![](https://img.shields.io/github/last-commit/FarrimWildaxe/armory?label=&style=flat) | | [tgtdelegation (fork) ](https://github.com/sliverarmory/tgtdelegation) | BOF to obtain a TGT via delegation trick (forked) for Sliver | ![](https://img.shields.io/github/stars/sliverarmory/tgtdelegation?label=&style=flat) | ![](https://img.shields.io/github/last-commit/sliverarmory/tgtdelegation?label=&style=flat) | | [bof-collection](https://github.com/NioZow/bof-collection) | BOF collection by NioZow. Includes keylogger, sammy, token-vault, window list (havoc) | ![](https://img.shields.io/github/stars/NioZow/bof-collection?label=&style=flat) | ![](https://img.shields.io/github/last-commit/NioZow/bof-collection?label=&style=flat) | | [tgtdeleg](https://github.com/zimnyaa/tgtdeleg) | https://github.com/connormcgarr/tgtdelegation for use with sliver | ![](https://img.shields.io/github/stars/zimnyaa/tgtdeleg?label=&style=flat) | ![](https://img.shields.io/github/last-commit/zimnyaa/tgtdeleg?label=&style=flat) | | [SliverBOFs](https://github.com/Steve0ro/SliverBOFs) | My collection of BOFs used for Sliver-C2 | ![](https://img.shields.io/github/stars/Steve0ro/SliverBOFs?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Steve0ro/SliverBOFs?label=&style=flat) | | [havoc-PoolParty](https://github.com/Cipher7/havoc-PoolParty) | Windows Thread Pool Injection Havoc Implementation | ![](https://img.shields.io/github/stars/Cipher7/havoc-PoolParty?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Cipher7/havoc-PoolParty?label=&style=flat) | | [Remote-BOF-Runner](https://github.com/pard0p/Remote-BOF-Runner) | Havoc extension framework for remote execution of BOFs using a PIC loader made with Crystal Palace | ![](https://img.shields.io/github/stars/pard0p/Remote-BOF-Runner?label=&style=flat) | 
![](https://img.shields.io/github/last-commit/pard0p/Remote-BOF-Runner?label=&style=flat) | | [DCSync-Bof](https://github.com/P0142/DCSync-Bof) | BOF to dump domain credentials via DRSGetNCChanges, for the Adaptix C2 | ![](https://img.shields.io/github/stars/P0142/DCSync-Bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/P0142/DCSync-Bof?label=&style=flat) | | [LSAdump-BOF](https://github.com/shashinma/LSAdump-BOF) | Adaptix BOF for credential extraction — dumps LSA secrets, SAM hashes, and cached domain credentials | ![](https://img.shields.io/github/stars/shashinma/LSAdump-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/shashinma/LSAdump-BOF?label=&style=flat) | | [NBTscan-BOF](https://github.com/shashinma/NBTscan-BOF) | Adaptix BOF for NetBIOS reconnaissance — discovers names, MAC addresses, and services of Windows hosts | ![](https://img.shields.io/github/stars/shashinma/NBTscan-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/shashinma/NBTscan-BOF?label=&style=flat) | | [VaultDumpBOF](https://github.com/MeirV2-2/VaultDumpBOF) | Adaptix BOF to harvest Windows Vaults and Generic Credentials via thread impersonation and DPAPI | ![](https://img.shields.io/github/stars/MeirV2-2/VaultDumpBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/MeirV2-2/VaultDumpBOF?label=&style=flat) | | [CredEnumBOF](https://github.com/0x2LFA/CredEnumBOF) | Sliver BOF to enumerate Windows Credential Manager entries via CredEnumerateW | ![](https://img.shields.io/github/stars/0x2LFA/CredEnumBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x2LFA/CredEnumBOF?label=&style=flat) | | [PersistenceBOF](https://github.com/zachmarmolejo/PersistenceBOF) | Scheduled Task Persistence BOF for Havoc C2 | ![](https://img.shields.io/github/stars/zachmarmolejo/PersistenceBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/zachmarmolejo/PersistenceBOF?label=&style=flat) | | 
[EDR-Enum-BOF](https://github.com/DarksBlackSk/EDR-Enum-BOF) | EDR/AV enumeration BOF ported to AdaptixC2 — detects 444 signatures across 48 security vendors | ![](https://img.shields.io/github/stars/DarksBlackSk/EDR-Enum-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/DarksBlackSk/EDR-Enum-BOF?label=&style=flat) | | [Adaptix-inject-auto](https://github.com/Svinopesik/Adaptix-inject-auto) | Auto-injection BOF for AdaptixC2 — injects into system processes like svchost.exe and winlogon.exe | ![](https://img.shields.io/github/stars/Svinopesik/Adaptix-inject-auto?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Svinopesik/Adaptix-inject-auto?label=&style=flat) | | [Keylogger-BOF](https://github.com/DarksBlackSk/Keylogger-BOF) | Async keylogger BOF for AdaptixC2 using WH_KEYBOARD_LL hook with shared memory IPC | ![](https://img.shields.io/github/stars/DarksBlackSk/Keylogger-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/DarksBlackSk/Keylogger-BOF?label=&style=flat) | | [LSAWhisperer-BOF](https://github.com/Art-Fakt/LSAWhisperer-BOF) | Port of LSA-Whisperer by Evan McBroom / SpecterOps to the Adaptix C2 BOF framework | ![](https://img.shields.io/github/stars/Art-Fakt/LSAWhisperer-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Art-Fakt/LSAWhisperer-BOF?label=&style=flat) | | [NOFILTER-NFEXEC](https://github.com/y637F9QQ2x/NOFILTER-NFEXEC) | Havoc C2 BOF — WFP kernel-space SYSTEM escalation + command execution with indirect syscalls, patchless AMSI/ETW bypass, and return address spoofing | ![](https://img.shields.io/github/stars/y637F9QQ2x/NOFILTER-NFEXEC?label=&style=flat) | ![](https://img.shields.io/github/last-commit/y637F9QQ2x/NOFILTER-NFEXEC?label=&style=flat) | | [PSIMPORT](https://github.com/y637F9QQ2x/PSIMPORT) | Havoc C2 BOF — Cobalt Strike powershell-import equivalent with patchless AMSI/ETW bypass | 
![](https://img.shields.io/github/stars/y637F9QQ2x/PSIMPORT?label=&style=flat) | ![](https://img.shields.io/github/last-commit/y637F9QQ2x/PSIMPORT?label=&style=flat) | | [BLINDSPOT](https://github.com/y637F9QQ2x/BLINDSPOT) | Havoc C2 BOF — detect running security products | ![](https://img.shields.io/github/stars/y637F9QQ2x/BLINDSPOT?label=&style=flat) | ![](https://img.shields.io/github/last-commit/y637F9QQ2x/BLINDSPOT?label=&style=flat) | | [MUTESONAR](https://github.com/y637F9QQ2x/MUTESONAR) | Havoc C2 BOF — host enumeration without spawning cmd.exe or PowerShell | ![](https://img.shields.io/github/stars/y637F9QQ2x/MUTESONAR?label=&style=flat) | ![](https://img.shields.io/github/last-commit/y637F9QQ2x/MUTESONAR?label=&style=flat) | | [RegPwnBRc4BOF](https://github.com/n0isegat3/RegPwnBRc4BOF) | Brute Ratel C4 BOF for CVE-2026-24291 registry symlink race condition LPE | ![](https://img.shields.io/github/stars/n0isegat3/RegPwnBRc4BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/n0isegat3/RegPwnBRc4BOF?label=&style=flat) | | [havoc-wallpaper-BOF](https://github.com/b3at1/havoc-wallpaper-BOF) | Havoc C2 BOF — change the user's desktop wallpaper | ![](https://img.shields.io/github/stars/b3at1/havoc-wallpaper-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/b3at1/havoc-wallpaper-BOF?label=&style=flat) | | [BAADTokenBroker](https://github.com/temp43487580/BAADTokenBroker) | Sliver BOF for Microsoft Entra ID device-bound keys — PRT cookies, TGTs, and NT hashes | ![](https://img.shields.io/github/stars/temp43487580/BAADTokenBroker?label=&style=flat) | ![](https://img.shields.io/github/last-commit/temp43487580/BAADTokenBroker?label=&style=flat) | | [UnderlayCopy_bof](https://github.com/Muz1K1zuM/UnderlayCopy_bof) | Havoc BOF to copy locked files (SAM, SYSTEM, NTDS.dit) via raw MFT parsing — no VSS or PowerShell | ![](https://img.shields.io/github/stars/Muz1K1zuM/UnderlayCopy_bof?label=&style=flat) | 
![](https://img.shields.io/github/last-commit/Muz1K1zuM/UnderlayCopy_bof?label=&style=flat) | | [kslkatz_bof](https://github.com/Muz1K1zuM/kslkatz_bof) | Havoc BOF — KslD.sys BYOVD credential extraction from lsass via physical memory | ![](https://img.shields.io/github/stars/Muz1K1zuM/kslkatz_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Muz1K1zuM/kslkatz_bof?label=&style=flat) | | [Collection-BOF-Adaptix](https://github.com/DarksBlackSk/Collection-BOF-Adaptix) | Adaptix BOF collection — WiFi, clipboard, EDR enum, keylogger, ghost_task, service control | ![](https://img.shields.io/github/stars/DarksBlackSk/Collection-BOF-Adaptix?label=&style=flat) | ![](https://img.shields.io/github/last-commit/DarksBlackSk/Collection-BOF-Adaptix?label=&style=flat) | --- ## 🧩 Other BOFs This category includes single-purpose BOFs, specialized tools, loaders, templates, frameworks, exploit implementations, specific technique implementations, forks, and any other BOF projects not fitting the categories above. *Not sorted in any specific order.* | Project | Description | Stars | Last commit | |---------|-------------|-------|-------------| | [dumpguard_bof](https://github.com/0xedh/dumpguard_bof) | Beacon Object File (BOF) port of DumpGuard for extracting NTLMv1 hashes from sessions on modern Windows systems. 
| ![](https://img.shields.io/github/stars/0xedh/dumpguard_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0xedh/dumpguard_bof?label=&style=flat) | | [dcsync-bof](https://github.com/kozmer/dcsync-bof) | DCSync BOF implementation based on DCSyncer, mimikatz, and SharpKatz | ![](https://img.shields.io/github/stars/kozmer/dcsync-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/kozmer/dcsync-bof?label=&style=flat) | | [RelayInformer](https://github.com/zyn3rgy/RelayInformer) | Python and BOF utilites to the determine EPA enforcement levels of popular NTLM relay targets from the offensive perspective | ![](https://img.shields.io/github/stars/zyn3rgy/RelayInformer?label=&style=flat) | ![](https://img.shields.io/github/last-commit/zyn3rgy/RelayInformer?label=&style=flat) | | [the-one-wsl-bof](https://github.com/MayerDaniel/the-one-wsl-bof) | One WSL BOF to rule them all | ![](https://img.shields.io/github/stars/MayerDaniel/the-one-wsl-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/MayerDaniel/the-one-wsl-bof?label=&style=flat) | | [ESC1-unPAC](https://github.com/RayRRT/ESC1-unPAC) | A Beacon Object File (BOF) that performs the complete ESC1 attack chain in a single execution: certificate request with arbitrary SAN (+SID), PKINIT authentication, and NT hash extraction via UnPAC-the-hash. | ![](https://img.shields.io/github/stars/RayRRT/ESC1-unPAC?label=&style=flat) | ![](https://img.shields.io/github/last-commit/RayRRT/ESC1-unPAC?label=&style=flat) | | [ClipboardStealBOF](https://github.com/incursi0n/ClipboardStealBOF) | An alternative to the builtin clipboard feature in Cobalt Strike that adds the capability to enable/disable and dump the clipboard history. 
| ![](https://img.shields.io/github/stars/incursi0n/ClipboardStealBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/incursi0n/ClipboardStealBOF?label=&style=flat) | | [cSessionHop](https://github.com/jhalon/cSessionHop) | Beacon Object File (BOF) for Windows Session Hijacking via IHxHelpPaneServer COM | ![](https://img.shields.io/github/stars/jhalon/cSessionHop?label=&style=flat) | ![](https://img.shields.io/github/last-commit/jhalon/cSessionHop?label=&style=flat) | | [inlineExecute](https://github.com/loland/inlineExecute) | Cobalt Strike BOF | ![](https://img.shields.io/github/stars/loland/inlineExecute?label=&style=flat) | ![](https://img.shields.io/github/last-commit/loland/inlineExecute?label=&style=flat) | | [portscanbof](https://github.com/fyxme/portscanbof) | A Port Scanning BOF (COFF) that replicates Cobalt Strike's Port Scanning functionality. Also includes a ping scanner. | ![](https://img.shields.io/github/stars/fyxme/portscanbof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/fyxme/portscanbof?label=&style=flat) | | [BOF-PE](https://github.com/NetSPI/BOF-PE) | An example reference design for a proposed BOF PE | ![](https://img.shields.io/github/stars/NetSPI/BOF-PE?label=&style=flat) | ![](https://img.shields.io/github/last-commit/NetSPI/BOF-PE?label=&style=flat) | | [Northwave BOF-PE](https://github.com/NorthwaveSecurity/BOF-PE) | Northwave's BOF-PE implementations. Notably, an improved ldapsearch BOF. 
| ![](https://img.shields.io/github/stars/NorthwaveSecurity/BOF-PE?label=&style=flat) | ![](https://img.shields.io/github/last-commit/NorthwaveSecurity/BOF-PE?label=&style=flat) | | [BOF_RunPe](https://github.com/NtDallas/BOF_RunPe) | BOF to run PE in Cobalt Strike Beacon without console creation | ![](https://img.shields.io/github/stars/NtDallas/BOF_RunPe?label=&style=flat) | ![](https://img.shields.io/github/last-commit/NtDallas/BOF_RunPe?label=&style=flat) | | [sw2-secinject](https://github.com/ScriptIdiot/sw2-secinject) | Section Mapping Process Injection modified with SysWhisper2 (sw2-secinject): Cobalt Strike BOF | ![](https://img.shields.io/github/stars/ScriptIdiot/sw2-secinject?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ScriptIdiot/sw2-secinject?label=&style=flat) | | [teams-cookies-bof](https://github.com/TierZeroSecurity/teams-cookies-bof) | BOF to steal Teams cookies | ![](https://img.shields.io/github/stars/TierZeroSecurity/teams-cookies-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/TierZeroSecurity/teams-cookies-bof?label=&style=flat) | | [COMHijackBOF](https://github.com/mwnickerson/COMHijackBOF) | [No description provided] | ![](https://img.shields.io/github/stars/mwnickerson/COMHijackBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/mwnickerson/COMHijackBOF?label=&style=flat) | | [Cryo](https://github.com/seraphimprotocol/Cryo) | Beacon Object File (BOF) that utilizes the Early Cryo Bird Injection technique in order to perform shellcode injection through frozen job objects. 
| ![](https://img.shields.io/github/stars/seraphimprotocol/Cryo?label=&style=flat) | ![](https://img.shields.io/github/last-commit/seraphimprotocol/Cryo?label=&style=flat) | | [CS-DriverQuery-BOF](https://github.com/0x73/CS-DriverQuery-BOF) | Cobalt Strike Beacon Object File to enumerate Windows system drivers via WMI | ![](https://img.shields.io/github/stars/0x73/CS-DriverQuery-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x73/CS-DriverQuery-BOF?label=&style=flat) | | [OC2-BOF-Collection](https://github.com/matsmi7h/OC2-BOF-Collection) | Collection of Beacon Object Files (BOFs) that are compatible with OC2 | ![](https://img.shields.io/github/stars/matsmi7h/OC2-BOF-Collection?label=&style=flat) | ![](https://img.shields.io/github/last-commit/matsmi7h/OC2-BOF-Collection?label=&style=flat) | | [BadTakeover-BOF](https://github.com/logangoins/BadTakeover-BOF) | Beacon Object File (BOF) for Using the BadSuccessor Technique for Account Takeover | ![](https://img.shields.io/github/stars/logangoins/BadTakeover-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/logangoins/BadTakeover-BOF?label=&style=flat) | | [ClearEventlogBOF](https://github.com/mertdas/ClearEventlogBOF) | Clear Event Logs | ![](https://img.shields.io/github/stars/mertdas/ClearEventlogBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/mertdas/ClearEventlogBOF?label=&style=flat) | | [ChromeHistory_bof](https://github.com/mabangde/ChromeHistory_bof) | 获取chrome 浏览器记录 | ![](https://img.shields.io/github/stars/mabangde/ChromeHistory_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/mabangde/ChromeHistory_bof?label=&style=flat) | | [SheepClone](https://github.com/RealRedTeam/SheepClone) | A BOF to stealthly dump LSASS | ![](https://img.shields.io/github/stars/RealRedTeam/SheepClone?label=&style=flat) | ![](https://img.shields.io/github/last-commit/RealRedTeam/SheepClone?label=&style=flat) | | 
[GhostKatz](https://github.com/RainbowDynamix/GhostKatz) | Dump LSASS via physical memory read primitives in vulnerable kernel drivers | ![](https://img.shields.io/github/stars/RainbowDynamix/GhostKatz?label=&style=flat) | ![](https://img.shields.io/github/last-commit/RainbowDynamix/GhostKatz?label=&style=flat) | | [BOFKatz](https://github.com/KrakenEU/BOFKatz) | Beacon Object File implementation of mimikatz leveraging the Process Hollowing technique | ![](https://img.shields.io/github/stars/KrakenEU/BOFKatz?label=&style=flat) | ![](https://img.shields.io/github/last-commit/KrakenEU/BOFKatz?label=&style=flat) | | [BOF_Spawn](https://github.com/NtDallas/BOF_Spawn) | Cobalt Strike BOF for beacon/shellcode injection using fork & run technique with Draugr synthetic stack frames | ![](https://img.shields.io/github/stars/NtDallas/BOF_Spawn?label=&style=flat) | ![](https://img.shields.io/github/last-commit/NtDallas/BOF_Spawn?label=&style=flat) | | [WerDump](https://github.com/M1ndo/WerDump) | A Beacon Object File (BOF) for Havoc/CS to Bypass PPL and Dump Lsass | ![](https://img.shields.io/github/stars/M1ndo/WerDump?label=&style=flat) | ![](https://img.shields.io/github/last-commit/M1ndo/WerDump?label=&style=flat) | | [ClipboardHistoryThief-BOF](https://github.com/matsmi7h/ClipboardHistoryThief-BOF) | Beacon Object File (BOF) to extract all persistent clipboard history data from clipboard service process memory | ![](https://img.shields.io/github/stars/matsmi7h/ClipboardHistoryThief-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/matsmi7h/ClipboardHistoryThief-BOF?label=&style=flat) | | [ldap_bofs](https://github.com/garrettfoster13/ldap_bofs) | Random BOFs for LDAP tradecraft | ![](https://img.shields.io/github/stars/garrettfoster13/ldap_bofs?label=&style=flat) | ![](https://img.shields.io/github/last-commit/garrettfoster13/ldap_bofs?label=&style=flat) | | [killerPID-BOF](https://github.com/TierZeroSecurity/killerPID-BOF) | BOF to terminate a 
process via PID as argument | ![](https://img.shields.io/github/stars/TierZeroSecurity/killerPID-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/TierZeroSecurity/killerPID-BOF?label=&style=flat) | | [SilentHarbor-BOF](https://github.com/ibaiC/SilentHarbor-BOF) | SafeHarbor revamped with Direct Syscalls using InlineWhispers3 | ![](https://img.shields.io/github/stars/ibaiC/SilentHarbor-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ibaiC/SilentHarbor-BOF?label=&style=flat) | | [PortscannerBOF](https://github.com/0xrobinso/PortscannerBOF) | Scan ports via Beacon Object File | ![](https://img.shields.io/github/stars/0xrobinso/PortscannerBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0xrobinso/PortscannerBOF?label=&style=flat) | | [bring-your-own-host-bof](https://github.com/ohxeighty/bring-your-own-host-bof) | Fake "backed" .NET execution (ala xforcered's being a good CLR host) + BOF inline execution + Schizophrenic code quality | ![](https://img.shields.io/github/stars/ohxeighty/bring-your-own-host-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ohxeighty/bring-your-own-host-bof?label=&style=flat) | | [wambam-bof](https://github.com/grayhatkiller/wambam-bof) | [No description provided] | ![](https://img.shields.io/github/stars/grayhatkiller/wambam-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/grayhatkiller/wambam-bof?label=&style=flat) | | [TBRES-unprotect](https://github.com/sakkis91/TBRES-unprotect) | Cobalt Strike BOF to fetch tokens from Token Broker cache | ![](https://img.shields.io/github/stars/sakkis91/TBRES-unprotect?label=&style=flat) | ![](https://img.shields.io/github/last-commit/sakkis91/TBRES-unprotect?label=&style=flat) | | [cIdentifyServiceDependencies_BOF](https://github.com/EspressoCake/cIdentifyServiceDependencies_BOF) | Beacon Object File (BOF) for identifying dependent child services of a given parent. 
| ![](https://img.shields.io/github/stars/EspressoCake/cIdentifyServiceDependencies_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/cIdentifyServiceDependencies_BOF?label=&style=flat) | | [SafeHarbor-BOF](https://github.com/ibaiC/SafeHarbor-BOF) | Safe Harbor is a BOF that streamlines process reconnaissance for red team operations by identifying trusted, low-noise targets to maintain stealth and robust OPSEC. | ![](https://img.shields.io/github/stars/ibaiC/SafeHarbor-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ibaiC/SafeHarbor-BOF?label=&style=flat) | | [com_d11](https://github.com/mannyfred/com_d11) | Direct3D 11 Screenshot BOF | ![](https://img.shields.io/github/stars/mannyfred/com_d11?label=&style=flat) | ![](https://img.shields.io/github/last-commit/mannyfred/com_d11?label=&style=flat) | | [dnstool-bof](https://github.com/slemire/dnstool-bof) | BOF to manage Active Directory Integrated DNS (ADIDNS) | ![](https://img.shields.io/github/stars/slemire/dnstool-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/slemire/dnstool-bof?label=&style=flat) | | [blind](https://github.com/ZephrFish/blind) | A BOF for patching AMSI, ETW and NtTraceEvent aka Sysmon using Trampolines | ![](https://img.shields.io/github/stars/ZephrFish/blind?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ZephrFish/blind?label=&style=flat) | | [VulnDriverScan-BOF](https://github.com/0x3rhy/VulnDriverScan-BOF) | List local vulnerable driver services | ![](https://img.shields.io/github/stars/0x3rhy/VulnDriverScan-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x3rhy/VulnDriverScan-BOF?label=&style=flat) | | [PrintSpoofer-BOF](https://github.com/SlimeOnSecurity/PrintSpoofer-BOF) | [No description provided] | ![](https://img.shields.io/github/stars/SlimeOnSecurity/PrintSpoofer-BOF?label=&style=flat) | 
![](https://img.shields.io/github/last-commit/SlimeOnSecurity/PrintSpoofer-BOF?label=&style=flat) | | [LNKgenerator-BOF](https://github.com/KingOfTheNOPs/LNKgenerator-BOF) | BOF for creating LNKs | ![](https://img.shields.io/github/stars/KingOfTheNOPs/LNKgenerator-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/KingOfTheNOPs/LNKgenerator-BOF?label=&style=flat) | | [SigmaPotato-BOF](https://github.com/m4rvxpn/SigmaPotato-BOF) | SigmaPotato BOF Implementation | ![](https://img.shields.io/github/stars/m4rvxpn/SigmaPotato-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/m4rvxpn/SigmaPotato-BOF?label=&style=flat) | | [certdump](https://github.com/elephacking/certdump) | Beacon Object File (BOF) for dumping certificates (and, when possible, private keys) on Windows | ![](https://img.shields.io/github/stars/elephacking/certdump?label=&style=flat) | ![](https://img.shields.io/github/last-commit/elephacking/certdump?label=&style=flat) | | [BOF-APC-HOLLOW](https://github.com/le-jordon/BOF-APC-HOLLOW) | Update HOLLOW by boku for rwx memroy | ![](https://img.shields.io/github/stars/le-jordon/BOF-APC-HOLLOW?label=&style=flat) | ![](https://img.shields.io/github/last-commit/le-jordon/BOF-APC-HOLLOW?label=&style=flat) | | [cmstp_uac_bypass_bof](https://github.com/tehstoni/cmstp_uac_bypass_bof) | [No description provided] | ![](https://img.shields.io/github/stars/tehstoni/cmstp_uac_bypass_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/tehstoni/cmstp_uac_bypass_bof?label=&style=flat) | | [finduserhooks-bof](https://github.com/ostrichgolf/finduserhooks-bof) | FindUserHooks is a BOF used to discover user-land hooks placed by EDR solutions in all loaded modules. 
| ![](https://img.shields.io/github/stars/ostrichgolf/finduserhooks-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ostrichgolf/finduserhooks-bof?label=&style=flat) |
| [WFPEnum](https://github.com/CUHKJason/WFPEnum) | Simple BOF implementation to enumerate WFP filter and sublayer | ![](https://img.shields.io/github/stars/CUHKJason/WFPEnum?label=&style=flat) | ![](https://img.shields.io/github/last-commit/CUHKJason/WFPEnum?label=&style=flat) |
| [EnableEFS](https://github.com/buldansec/EnableEFS) | Enable EFS service as low-privilege user (PE & BOF) | ![](https://img.shields.io/github/stars/buldansec/EnableEFS?label=&style=flat) | ![](https://img.shields.io/github/last-commit/buldansec/EnableEFS?label=&style=flat) |
| [chrome-abe-decryption-bof](https://github.com/mendacus/chrome-abe-decryption-bof) | A Beacon Object File for decrypting Chrome App-Bound Encryption masterkeys in-memory via Cobalt Strike | ![](https://img.shields.io/github/stars/mendacus/chrome-abe-decryption-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/mendacus/chrome-abe-decryption-bof?label=&style=flat) |
| [theHandler BOF](https://github.com/ColeHouston/theHandler-BOF) | BOF to dump process memory with handle manipulation features using Bring Your Own Vulnerable Driver (BYOVD). | ![](https://img.shields.io/github/stars/ColeHouston/theHandler-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ColeHouston/theHandler-BOF?label=&style=flat) |
| [Backstap](https://github.com/Fauzan-Aldi/Backstap) | Beacon Object File implementation of Yaxser's Backstab (Potential variant/fork). | ![](https://img.shields.io/github/stars/Fauzan-Aldi/Backstap?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Fauzan-Aldi/Backstap?label=&style=flat) |
| [Enumeration-of-Buffer-Overflow-Protections](https://github.com/Fauzan-Aldi/Enumeration-of-Buffer-Overflow-Protections) | BOF to calculate system processes and identify their respective protection levels. | ![](https://img.shields.io/github/stars/Fauzan-Aldi/Enumeration-of-Buffer-Overflow-Protections?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Fauzan-Aldi/Enumeration-of-Buffer-Overflow-Protections?label=&style=flat) |
| [BofRoast](https://github.com/cube0x0/BofRoast) | BOFs for roasting Kerberos tickets in AD environments | ![](https://img.shields.io/github/stars/cube0x0/BofRoast?label=&style=flat) | ![](https://img.shields.io/github/last-commit/cube0x0/BofRoast?label=&style=flat) |
| [BOFs](https://github.com/rookuu/BOFs) | MiniDumpWriteDump BOF | ![](https://img.shields.io/github/stars/rookuu/BOFs?label=&style=flat) | ![](https://img.shields.io/github/last-commit/rookuu/BOFs?label=&style=flat) |
| [nanodump](https://github.com/fortra/nanodump) | Dump LSASS memory without touching disk or spawning a new process | ![](https://img.shields.io/github/stars/fortra/nanodump?label=&style=flat) | ![](https://img.shields.io/github/last-commit/fortra/nanodump?label=&style=flat) |
| [No-Consolation](https://github.com/fortra/No-Consolation) | Executes unmanaged PEs inline without allocating a console window or spawning conhost.exe | ![](https://img.shields.io/github/stars/fortra/No-Consolation?label=&style=flat) | ![](https://img.shields.io/github/last-commit/fortra/No-Consolation?label=&style=flat) |
| [CredManBOF](https://github.com/jsecu/CredManBOF) | Dumps saved credentials from Windows Credential Manager | ![](https://img.shields.io/github/stars/jsecu/CredManBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/jsecu/CredManBOF?label=&style=flat) |
| [PPLDump_BOF](https://github.com/EspressoCake/PPLDump_BOF) | Dump memory from Protected Processes like LSASS by bypassing PPL protection | ![](https://img.shields.io/github/stars/EspressoCake/PPLDump_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/PPLDump_BOF?label=&style=flat) |
| [NoteThief](https://github.com/trainr3kt/NoteThief) | Recover unsaved Notepad data from memory | ![](https://img.shields.io/github/stars/trainr3kt/NoteThief?label=&style=flat) | ![](https://img.shields.io/github/last-commit/trainr3kt/NoteThief?label=&style=flat) |
| [Cookie-Monster-BOF](https://github.com/KingOfTheNOPs/cookie-monster) | Steal browser cookies for Edge, Chrome and Firefox through a BOF! | ![](https://img.shields.io/github/stars/KingOfTheNOPs/cookie-monster?label=&style=flat) | ![](https://img.shields.io/github/last-commit/KingOfTheNOPs/cookie-monster?label=&style=flat) |
| [SharpHunter](https://github.com/lintstar/SharpHunter) | Automated host information hunting tool for Windows | ![](https://img.shields.io/github/stars/lintstar/SharpHunter?label=&style=flat) | ![](https://img.shields.io/github/last-commit/lintstar/SharpHunter?label=&style=flat) |
| [ScreenshotBOF](https://github.com/CodeXTF2/ScreenshotBOF) | Takes in-memory screenshots using WinAPI without fork & run | ![](https://img.shields.io/github/stars/CodeXTF2/ScreenshotBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/CodeXTF2/ScreenshotBOF?label=&style=flat) |
| [checkUAC-BOF](https://github.com/cl4ym0re/checkUAC-BOF) | BOF to check UAC status before bypassing it | ![](https://img.shields.io/github/stars/cl4ym0re/checkUAC-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/cl4ym0re/checkUAC-BOF?label=&style=flat) |
| [InlineExecuteEx](https://github.com/0xTriboulet/InlineExecuteEx) | A BOF that's a BOF Loader. Implements COFFLoader in Cobalt Strike | ![](https://img.shields.io/github/stars/0xTriboulet/InlineExecuteEx?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0xTriboulet/InlineExecuteEx?label=&style=flat) |
| [Inline-EA](https://github.com/EricEsquivel/Inline-EA) | BOF for evasive .NET assembly execution | ![](https://img.shields.io/github/stars/EricEsquivel/Inline-EA?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EricEsquivel/Inline-EA?label=&style=flat) |
| [cli4bofs](https://github.com/The-Z-Labs/cli4bofs) | Command-line interface for running BOFs | ![](https://img.shields.io/github/stars/The-Z-Labs/cli4bofs?label=&style=flat) | ![](https://img.shields.io/github/last-commit/The-Z-Labs/cli4bofs?label=&style=flat) |
| [WebcamBOF](https://github.com/CodeXTF2/WebcamBOF) | Capture webcam images and stream them back via memory | ![](https://img.shields.io/github/stars/CodeXTF2/WebcamBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/CodeXTF2/WebcamBOF?label=&style=flat) |
| [Inline-Run-PE](https://github.com/7uckzero/Inline-Run-PE) | Inject unmanaged PE into Beacon's memory and run it | ![](https://img.shields.io/github/stars/7uckzero/Inline-Run-PE?label=&style=flat) | ![](https://img.shields.io/github/last-commit/7uckzero/Inline-Run-PE?label=&style=flat) |
| [Example-BOF](https://github.com/blakefle/Example-BOF) | BOF using MiniDumpWriteDump to dump LSASS memory | ![](https://img.shields.io/github/stars/blakefle/Example-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/blakefle/Example-BOF?label=&style=flat) |
| [WindowSpy](https://github.com/CodeXTF2/WindowSpy) | Targeted surveillance via active window capture and beaconing | ![](https://img.shields.io/github/stars/CodeXTF2/WindowSpy?label=&style=flat) | ![](https://img.shields.io/github/last-commit/CodeXTF2/WindowSpy?label=&style=flat) |
| [Draugr](https://github.com/NtDallas/Draugr) | BOF using synthetic stackframes | ![](https://img.shields.io/github/stars/NtDallas/Draugr?label=&style=flat) | ![](https://img.shields.io/github/last-commit/NtDallas/Draugr?label=&style=flat) |
| [ADSIsearch](https://github.com/EricEsquivel/ADSIsearch) | Query Active Directory using ADSI and NetMgmt APIs via BOF | ![](https://img.shields.io/github/stars/EricEsquivel/ADSIsearch?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EricEsquivel/ADSIsearch?label=&style=flat) |
| [SignalKeyBOF](https://github.com/0xRedpoll/SignalKeyBOF) | BOF to decrypt Signal Desktop chat logs | ![](https://img.shields.io/github/stars/0xRedpoll/SignalKeyBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0xRedpoll/SignalKeyBOF?label=&style=flat) |
| [patchwerk](https://github.com/boku7/patchwerk) | BOF that overwrites Nt* syscall stubs with clean versions (hook evasion) | ![](https://img.shields.io/github/stars/boku7/patchwerk?label=&style=flat) | ![](https://img.shields.io/github/last-commit/boku7/patchwerk?label=&style=flat) |
| [enumpwshhistbof](https://github.com/fyxme/enumpwshhistbof) | Enumerates PowerShell history for sensitive info using BOF | ![](https://img.shields.io/github/stars/fyxme/enumpwshhistbof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/fyxme/enumpwshhistbof?label=&style=flat) |
| [bof-winrm-plugin-jump](https://github.com/FalconForceTeam/bof-winrm-plugin-jump) | Plugin BOF for WinRM lateral movement | ![](https://img.shields.io/github/stars/FalconForceTeam/bof-winrm-plugin-jump?label=&style=flat) | ![](https://img.shields.io/github/last-commit/FalconForceTeam/bof-winrm-plugin-jump?label=&style=flat) |
| [BOF-Timestomp](https://github.com/BKLockly/BOF-Timestomp) | Modify file timestamps with BOF | ![](https://img.shields.io/github/stars/BKLockly/BOF-Timestomp?label=&style=flat) | ![](https://img.shields.io/github/last-commit/BKLockly/BOF-Timestomp?label=&style=flat) |
| [Spoof-Execute_Bof](https://github.com/0x3rhy/Spoof-Execute_Bof) | PPID spoofing execution via BOF | ![](https://img.shields.io/github/stars/0x3rhy/Spoof-Execute_Bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x3rhy/Spoof-Execute_Bof?label=&style=flat) |
| [Get-NetNTLM](https://github.com/KingOfTheNOPs/Get-NetNTLM) | Internal Monologue technique implemented as a BOF | ![](https://img.shields.io/github/stars/KingOfTheNOPs/Get-NetNTLM?label=&style=flat) | ![](https://img.shields.io/github/last-commit/KingOfTheNOPs/Get-NetNTLM?label=&style=flat) |
| [EDRSilencerBOF](https://github.com/0x3rhy/EDRSilencerBOF) | Silences EDR hooks using BOF-based techniques | ![](https://img.shields.io/github/stars/0x3rhy/EDRSilencerBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x3rhy/EDRSilencerBOF?label=&style=flat) |
| [bof-minimal_win_x64](https://github.com/The-Z-Labs/bof-minimal_win_x64) | Minimal Win64 BOF using bof-launcher | ![](https://img.shields.io/github/stars/The-Z-Labs/bof-minimal_win_x64?label=&style=flat) | ![](https://img.shields.io/github/last-commit/The-Z-Labs/bof-minimal_win_x64?label=&style=flat) |
| [getlapsbof](https://github.com/Savsanta/getlapsbof) | Cobalt Strike BOF to retrieve and decrypt Microsoft Windows LAPS V2 or Microsoft Entra/AzureAD LAPS passwords | ![](https://img.shields.io/github/stars/Savsanta/getlapsbof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Savsanta/getlapsbof?label=&style=flat) |
| [filehashbof](https://github.com/SavSanta/filehashbof) | Perform hashing (MD5/SHA1/SHA256) with Win32 API via BOF | ![](https://img.shields.io/github/stars/SavSanta/filehashbof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/SavSanta/filehashbof?label=&style=flat) |
| [PersisTask-BOF](https://github.com/nickzer0/PersisTask-BOF) | Create scheduled tasks using COM objects via BOF | ![](https://img.shields.io/github/stars/nickzer0/PersisTask-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/nickzer0/PersisTask-BOF?label=&style=flat) |
| [Enumprotections_BOF](https://github.com/Octoberfest7/Enumprotections_BOF) | Enumerate system protection levels with BOF | ![](https://img.shields.io/github/stars/Octoberfest7/Enumprotections_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Octoberfest7/Enumprotections_BOF?label=&style=flat) |
| [smbtakeover](https://github.com/zyn3rgy/smbtakeover) | Unbind port 445 on Windows using BOF and Python3 | ![](https://img.shields.io/github/stars/zyn3rgy/smbtakeover?label=&style=flat) | ![](https://img.shields.io/github/last-commit/zyn3rgy/smbtakeover?label=&style=flat) |
| [CopyUnlocker-BOF](https://github.com/AonCyberLabs/CopyUnlocker-BOF) | Port of GhostPack's LockLess tool to a Beacon Object File | ![](https://img.shields.io/github/stars/AonCyberLabs/CopyUnlocker-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/AonCyberLabs/CopyUnlocker-BOF?label=&style=flat) |
| [EDRSilencer-BOF](https://github.com/AonCyberLabs/EDRSilencer-BOF) | Port of the EDRSilencer tool to BOF format | ![](https://img.shields.io/github/stars/AonCyberLabs/EDRSilencer-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/AonCyberLabs/EDRSilencer-BOF?label=&style=flat) |
| [BOF.NET (fork)](https://github.com/williamknows/BOF.NET) | A .NET Runtime for Cobalt Strike's Beacon Object Files (forked from CCob) | ![](https://img.shields.io/github/stars/williamknows/BOF.NET?label=&style=flat) | ![](https://img.shields.io/github/last-commit/williamknows/BOF.NET?label=&style=flat) |
| [EDREnum-BOF](https://github.com/mlcsec/EDREnum-BOF) | Identify common EDR processes, directories, and services (Invoke-EDRChecker as BOF) | ![](https://img.shields.io/github/stars/mlcsec/EDREnum-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/mlcsec/EDREnum-BOF?label=&style=flat) |
| [sleepmask-vs](https://github.com/Cobalt-Strike/sleepmask-vs) | A simple Sleepmask BOF example | ![](https://img.shields.io/github/stars/Cobalt-Strike/sleepmask-vs?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Cobalt-Strike/sleepmask-vs?label=&style=flat) |
| [enumhandles_BOF](https://github.com/Octoberfest7/enumhandles_BOF) | Enumerate open handles using a BOF | ![](https://img.shields.io/github/stars/Octoberfest7/enumhandles_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Octoberfest7/enumhandles_BOF?label=&style=flat) |
| [NtDumpBOF](https://github.com/deh00ni/NtDumpBOF) | Dump NT objects using BOF | ![](https://img.shields.io/github/stars/deh00ni/NtDumpBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/deh00ni/NtDumpBOF?label=&style=flat) |
| [Toggle_Token_Privileges_BOF](https://github.com/EspressoCake/Toggle_Token_Privileges_BOF) | Syscall BOF to modify process token privileges | ![](https://img.shields.io/github/stars/EspressoCake/Toggle_Token_Privileges_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/Toggle_Token_Privileges_BOF?label=&style=flat) |
| [CVE-2024-26229-BOF](https://github.com/apkc/CVE-2024-26229-BOF) | BOF implementations for CVE-2024-26229 in CS and BruteRatel | ![](https://img.shields.io/github/stars/apkc/CVE-2024-26229-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/apkc/CVE-2024-26229-BOF?label=&style=flat) |
| [BOF_Beginner](https://github.com/b4rth0v5k1/BOF_Beginner) | Beginner introduction to Cobalt Strike BOF development | ![](https://img.shields.io/github/stars/b4rth0v5k1/BOF_Beginner?label=&style=flat) | ![](https://img.shields.io/github/last-commit/b4rth0v5k1/BOF_Beginner?label=&style=flat) |
| [Cookie-and-Handle-Stealer](https://github.com/Mr-Un1k0d3r/Cookie-and-Handle-Stealer) | Extract WebKit master key and decrypt cookies using BOF | ![](https://img.shields.io/github/stars/Mr-Un1k0d3r/Cookie-and-Handle-Stealer?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Mr-Un1k0d3r/Cookie-and-Handle-Stealer?label=&style=flat) |
| [ADSyncDump-BOF](https://github.com/Paradoxis/ADSyncDump-BOF) | A port of Dirk-Jan Mollema's adconnectdump.py / ADSyncDecrypt into a Beacon Object File (BOF) with zero dependencies. | ![](https://img.shields.io/github/stars/Paradoxis/ADSyncDump-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Paradoxis/ADSyncDump-BOF?label=&style=flat) |
| [BOF-entra-authcode-flow](https://github.com/sudonoodle/BOF-entra-authcode-flow) | Beacon Object File (BOF) to obtain AzureAD/Microsoft Entra tokens via authcode flow. | ![](https://img.shields.io/github/stars/sudonoodle/BOF-entra-authcode-flow?label=&style=flat) | ![](https://img.shields.io/github/last-commit/sudonoodle/BOF-entra-authcode-flow?label=&style=flat) |
| [aad_prt_bof](https://github.com/wotwot563/aad_prt_bof) | Azure PRT token interaction via BOF | ![](https://img.shields.io/github/stars/wotwot563/aad_prt_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/wotwot563/aad_prt_bof?label=&style=flat) |
| [append_BOF](https://github.com/carlnykvist/append_BOF) | BOF to append text to a file | ![](https://img.shields.io/github/stars/carlnykvist/append_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/carlnykvist/append_BOF?label=&style=flat) |
| [ASRenum-BOF](https://github.com/mlcsec/ASRenum-BOF) | Identify ASR rules, actions, and exclusion locations via BOF | ![](https://img.shields.io/github/stars/mlcsec/ASRenum-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/mlcsec/ASRenum-BOF?label=&style=flat) |
| [bofhound](https://github.com/fortalice/bofhound) | Generate BloodHound-compatible JSON from ldapsearch logs | ![](https://img.shields.io/github/stars/fortalice/bofhound?label=&style=flat) | ![](https://img.shields.io/github/last-commit/fortalice/bofhound?label=&style=flat) |
| [rust_bof](https://github.com/wumb0/rust_bof) | Cobalt Strike BOFs written in Rust using core and alloc crates | ![](https://img.shields.io/github/stars/wumb0/rust_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/wumb0/rust_bof?label=&style=flat) |
| [ThreadlessInject-BOF](https://github.com/iilegacyyii/ThreadlessInject-BOF) | Threadless process injection BOF based on @_EthicalChaos_ research | ![](https://img.shields.io/github/stars/iilegacyyii/ThreadlessInject-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/iilegacyyii/ThreadlessInject-BOF?label=&style=flat) |
| [PoolPartyBof](https://github.com/0xEr3bus/PoolPartyBof) | BOF implementation of PoolParty injection technique | ![](https://img.shields.io/github/stars/0xEr3bus/PoolPartyBof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0xEr3bus/PoolPartyBof?label=&style=flat) |
| [BOF-enumfiles](https://github.com/wsummerhill/BOF-enumfiles) | C++ BOF to enumerate file types useful for post-exploitation | ![](https://img.shields.io/github/stars/wsummerhill/BOF-enumfiles?label=&style=flat) | ![](https://img.shields.io/github/last-commit/wsummerhill/BOF-enumfiles?label=&style=flat) |
| [MemReader_BoF](https://github.com/trainr3kt/MemReader_BoF) | BOF for reading memory regions of processes | ![](https://img.shields.io/github/stars/trainr3kt/MemReader_BoF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/trainr3kt/MemReader_BoF?label=&style=flat) |
| [EnableWebDAVClient-BOF](https://github.com/KingOfTheNOPs/EnableWebDAVClient-BOF) | Enable WebDAV client service via BOF on x64 Windows | ![](https://img.shields.io/github/stars/KingOfTheNOPs/EnableWebDAVClient-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/KingOfTheNOPs/EnableWebDAVClient-BOF?label=&style=flat) |
| [CS-auto_inject-BOF](https://github.com/0x73/CS-auto_inject-BOF) | Auto-inject BOF into target processes unattended | ![](https://img.shields.io/github/stars/0x73/CS-auto_inject-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x73/CS-auto_inject-BOF?label=&style=flat) |
| [ThreadlessInject_BOF](https://github.com/ewby/ThreadlessInject_BOF) | WIP port of ThreadlessInject technique to BOF | ![](https://img.shields.io/github/stars/ewby/ThreadlessInject_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ewby/ThreadlessInject_BOF?label=&style=flat) |
| [blackout-reloaded](https://github.com/tijme/blackout-reloaded) | BOF to kill anti-malware-protected processes via vulnerable driver | ![](https://img.shields.io/github/stars/tijme/blackout-reloaded?label=&style=flat) | ![](https://img.shields.io/github/last-commit/tijme/blackout-reloaded?label=&style=flat) |
| [InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly) | Execute .NET assemblies inline using BOF instead of fork&run | ![](https://img.shields.io/github/stars/anthemtotheego/InlineExecute-Assembly?label=&style=flat) | ![](https://img.shields.io/github/last-commit/anthemtotheego/InlineExecute-Assembly?label=&style=flat) |
| [pybof](https://github.com/rkbennett/pybof) | Python wrapper module to execute BOFs | ![](https://img.shields.io/github/stars/rkbennett/pybof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/rkbennett/pybof?label=&style=flat) |
| [nanorobeus](https://github.com/wavvs/nanorobeus) | BOF for Kerberos ticket management | ![](https://img.shields.io/github/stars/wavvs/nanorobeus?label=&style=flat) | ![](https://img.shields.io/github/last-commit/wavvs/nanorobeus?label=&style=flat) |
| [SelfDel-BOF](https://github.com/seventeenman/SelfDel-BOF) | Delete files even when handles are open using SetFileInformationByHandle | ![](https://img.shields.io/github/stars/seventeenman/SelfDel-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/seventeenman/SelfDel-BOF?label=&style=flat) |
| [Defender_Exclusions-BOF](https://github.com/EspressoCake/Defender_Exclusions-BOF) | Query current Windows Defender exclusions via BOF | ![](https://img.shields.io/github/stars/EspressoCake/Defender_Exclusions-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/Defender_Exclusions-BOF?label=&style=flat) |
| [AddDefenderExclusions-BOF](https://github.com/Like0x/AddDefenderExclusions-BOF) | BOF to add exclusions to Windows Defender | ![](https://img.shields.io/github/stars/Like0x/AddDefenderExclusions-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Like0x/AddDefenderExclusions-BOF?label=&style=flat) |
| [DropSpawn_BOF](https://github.com/Octoberfest7/DropSpawn_BOF) | Use DLL hijacking to spawn new Beacon sessions via BOF | ![](https://img.shields.io/github/stars/Octoberfest7/DropSpawn_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Octoberfest7/DropSpawn_BOF?label=&style=flat) |
| [ScreenshotBOFPlus](https://github.com/baiyies/ScreenshotBOFPlus) | Take screenshots without injection via BOF | ![](https://img.shields.io/github/stars/baiyies/ScreenshotBOFPlus?label=&style=flat) | ![](https://img.shields.io/github/last-commit/baiyies/ScreenshotBOFPlus?label=&style=flat) |
| [PPLFaultDumpBOF](https://github.com/trustedsec/PPLFaultDumpBOF) | Dump LSASS from PPL-protected processes using BOF | ![](https://img.shields.io/github/stars/trustedsec/PPLFaultDumpBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/trustedsec/PPLFaultDumpBOF?label=&style=flat) |
| [kernel-mii](https://github.com/tijme/kernel-mii) | BOF foundation for kernel exploitation using CVE-2021-21551 | ![](https://img.shields.io/github/stars/tijme/kernel-mii?label=&style=flat) | ![](https://img.shields.io/github/last-commit/tijme/kernel-mii?label=&style=flat) |
| [BOF-RunPE](https://github.com/MrAle98/BOF-RunPE) | BOF to load and run unmanaged PE files from memory | ![](https://img.shields.io/github/stars/MrAle98/BOF-RunPE?label=&style=flat) | ![](https://img.shields.io/github/last-commit/MrAle98/BOF-RunPE?label=&style=flat) |
| [SharpHound4Cobalt](https://github.com/Hypnoze57/SharpHound4Cobalt) | C# collector for BloodHound adapted for BOF.NET use | ![](https://img.shields.io/github/stars/Hypnoze57/SharpHound4Cobalt?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Hypnoze57/SharpHound4Cobalt?label=&style=flat) |
| [Elevate-System-Trusted-BOF](https://github.com/Mr-Un1k0d3r/Elevate-System-Trusted-BOF) | Privilege escalation via trusted system token using BOF | ![](https://img.shields.io/github/stars/Mr-Un1k0d3r/Elevate-System-Trusted-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Mr-Un1k0d3r/Elevate-System-Trusted-BOF?label=&style=flat) |
| [KDStab](https://github.com/Octoberfest7/KDStab) | Combine KillDefender and Backstab as a stealthy BOF | ![](https://img.shields.io/github/stars/Octoberfest7/KDStab?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Octoberfest7/KDStab?label=&style=flat) |
| [Quser-BOF](https://github.com/netero1010/Quser-BOF) | Implements quser.exe functionality via WinAPI and BOF | ![](https://img.shields.io/github/stars/netero1010/Quser-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/netero1010/Quser-BOF?label=&style=flat) |
| [whereami](https://github.com/boku7/whereami) | Uses handwritten shellcode to return environment strings without touching any DLLs | ![](https://img.shields.io/github/stars/boku7/whereami?label=&style=flat) | ![](https://img.shields.io/github/last-commit/boku7/whereami?label=&style=flat) |
| [halosgate-ps](https://github.com/boku7/halosgate-ps) | Uses custom ASM HalosGate & HellsGate syscaller to list processes | ![](https://img.shields.io/github/stars/boku7/halosgate-ps?label=&style=flat) | ![](https://img.shields.io/github/last-commit/boku7/halosgate-ps?label=&style=flat) |
| [injectAmsiBypass](https://github.com/boku7/injectAmsiBypass) | Bypass AMSI in a remote process with BOF-based code injection | ![](https://img.shields.io/github/stars/boku7/injectAmsiBypass?label=&style=flat) | ![](https://img.shields.io/github/last-commit/boku7/injectAmsiBypass?label=&style=flat) |
| [spawn](https://github.com/boku7/spawn) | Spawn sacrificial process, inject shellcode, and evade hooks | ![](https://img.shields.io/github/stars/boku7/spawn?label=&style=flat) | ![](https://img.shields.io/github/last-commit/boku7/spawn?label=&style=flat) |
| [xPipe](https://github.com/boku7/xPipe) | List Windows named pipes and return ownership/DACL info | ![](https://img.shields.io/github/stars/boku7/xPipe?label=&style=flat) | ![](https://img.shields.io/github/last-commit/boku7/xPipe?label=&style=flat) |
| [HOLLOW](https://github.com/boku7/HOLLOW) | EarlyBird process hollowing technique implemented in BOF | ![](https://img.shields.io/github/stars/boku7/HOLLOW?label=&style=flat) | ![](https://img.shields.io/github/last-commit/boku7/HOLLOW?label=&style=flat) |
| [DumpThatLSASS-Bof](https://github.com/0x3rhy/DumpThatLSASS-Bof) | Patch ETW and dump LSASS memory | ![](https://img.shields.io/github/stars/0x3rhy/DumpThatLSASS-Bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x3rhy/DumpThatLSASS-Bof?label=&style=flat) |
| [PersistBOF](https://github.com/N4kedTurtle/PersistBOF) | Automate common persistence techniques using BOF | ![](https://img.shields.io/github/stars/N4kedTurtle/PersistBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/N4kedTurtle/PersistBOF?label=&style=flat) |
| [cobaltstrike-cat-bof](https://github.com/tvgdb/cobaltstrike-cat-bof) | BOF implementation of the Unix cat command | ![](https://img.shields.io/github/stars/tvgdb/cobaltstrike-cat-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/tvgdb/cobaltstrike-cat-bof?label=&style=flat) |
| [adduserbysamr-bof](https://github.com/AgeloVito/adduserbysamr-bof) | Add user to local group via SAMR API using BOF | ![](https://img.shields.io/github/stars/AgeloVito/adduserbysamr-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/AgeloVito/adduserbysamr-bof?label=&style=flat) |
| [BOF-CredUI](https://github.com/Hagrid29/BOF-CredUI) | Invoke Windows credential prompt using CredUIPromptForWindowsCredentials | ![](https://img.shields.io/github/stars/Hagrid29/BOF-CredUI?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Hagrid29/BOF-CredUI?label=&style=flat) |
| [AddUser-Bof](https://github.com/0x3rhy/AddUser-Bof) | Add a local admin user using BOF | ![](https://img.shields.io/github/stars/0x3rhy/AddUser-Bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x3rhy/AddUser-Bof?label=&style=flat) |
| [cmstplua-uac-bypass](https://github.com/tijme/cmstplua-uac-bypass) | Bypass UAC via CMSTPLUA COM interface using BOF | ![](https://img.shields.io/github/stars/tijme/cmstplua-uac-bypass?label=&style=flat) | ![](https://img.shields.io/github/last-commit/tijme/cmstplua-uac-bypass?label=&style=flat) |
| [BOF-patchit](https://github.com/ScriptIdiot/BOF-patchit) | Patch AMSI/ETW in memory for x64 processes using BOF | ![](https://img.shields.io/github/stars/ScriptIdiot/BOF-patchit?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ScriptIdiot/BOF-patchit?label=&style=flat) |
| [ClipboardWindow-Inject](https://github.com/BronzeTicket/ClipboardWindow-Inject) | Process injection via CLIPBRDWNDCLASS BOF | ![](https://img.shields.io/github/stars/BronzeTicket/ClipboardWindow-Inject?label=&style=flat) | ![](https://img.shields.io/github/last-commit/BronzeTicket/ClipboardWindow-Inject?label=&style=flat) |
| [cs-token-vault](https://github.com/Henkru/cs-token-vault) | In-memory token vault implemented in BOF | ![](https://img.shields.io/github/stars/Henkru/cs-token-vault?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Henkru/cs-token-vault?label=&style=flat) |
| [EventViewerBypassUacBof](https://github.com/Libraggbond/EventViewerBypassUacBof) | Bypass UAC using EventViewer via BOF | ![](https://img.shields.io/github/stars/Libraggbond/EventViewerBypassUacBof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Libraggbond/EventViewerBypassUacBof?label=&style=flat) |
| [BOF-Nim](https://github.com/byt3bl33d3r/BOF-Nim) | Beacon Object Files written in Nim | ![](https://img.shields.io/github/stars/byt3bl33d3r/BOF-Nim?label=&style=flat) | ![](https://img.shields.io/github/last-commit/byt3bl33d3r/BOF-Nim?label=&style=flat) |
| [BOF-Zig](https://github.com/byt3bl33d3r/BOF-Zig) | Beacon Object Files written in Zig | ![](https://img.shields.io/github/stars/byt3bl33d3r/BOF-Zig?label=&style=flat) | ![](https://img.shields.io/github/last-commit/byt3bl33d3r/BOF-Zig?label=&style=flat) |
| [RDPHijack-BOF](https://github.com/netero1010/RDPHijack-BOF) | Hijack local/remote RDP sessions using WinStationConnect API | ![](https://img.shields.io/github/stars/netero1010/RDPHijack-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/netero1010/RDPHijack-BOF?label=&style=flat) |
| [KillDefender_BOF](https://github.com/Octoberfest7/KillDefender_BOF) | BOF implementation of pwn1sher's KillDefender | ![](https://img.shields.io/github/stars/Octoberfest7/KillDefender_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Octoberfest7/KillDefender_BOF?label=&style=flat) |
| [Readfile_BoF](https://github.com/trainr3kt/Readfile_BoF) | Simple BOF to read file content | ![](https://img.shields.io/github/stars/trainr3kt/Readfile_BoF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/trainr3kt/Readfile_BoF?label=&style=flat) |
| [freeBokuLoader](https://github.com/S4ntiagoP/freeBokuLoader) | Simple BOF that frees user data runtime libraries (UDRLs) | ![](https://img.shields.io/github/stars/S4ntiagoP/freeBokuLoader?label=&style=flat) | ![](https://img.shields.io/github/last-commit/S4ntiagoP/freeBokuLoader?label=&style=flat) |
| [SysWhispers2BOF](https://github.com/FalconForceTeam/SysWhispers2BOF) | Script to use SysWhispers2 from within Cobalt Strike BOFs | ![](https://img.shields.io/github/stars/FalconForceTeam/SysWhispers2BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/FalconForceTeam/SysWhispers2BOF?label=&style=flat) |
| [JumpSession_BOF](https://github.com/Octoberfest7/JumpSession_BOF) | Create Beacon sessions in different user sessions | ![](https://img.shields.io/github/stars/Octoberfest7/JumpSession_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Octoberfest7/JumpSession_BOF?label=&style=flat) |
| [EventViewerUAC_BOF](https://github.com/Octoberfest7/EventViewerUAC_BOF) | UAC bypass using Event Viewer deserialization | ![](https://img.shields.io/github/stars/Octoberfest7/EventViewerUAC_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Octoberfest7/EventViewerUAC_BOF?label=&style=flat) |
| [DelegationBOF](https://github.com/Crypt0s/DelegationBOF) | BOF for Kerberos delegation abuse | ![](https://img.shields.io/github/stars/Crypt0s/DelegationBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Crypt0s/DelegationBOF?label=&style=flat) |
| [bof_helper](https://github.com/dtmsecurity/bof_helper) | Helper framework for building Cobalt Strike BOFs | ![](https://img.shields.io/github/stars/dtmsecurity/bof_helper?label=&style=flat) | ![](https://img.shields.io/github/last-commit/dtmsecurity/bof_helper?label=&style=flat) |
| [ZeroLogon-BOF](https://github.com/rsmudge/ZeroLogon-BOF) | Exploitation of ZeroLogon via BOF | ![](https://img.shields.io/github/stars/rsmudge/ZeroLogon-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/rsmudge/ZeroLogon-BOF?label=&style=flat) |
| [unhook-bof](https://github.com/Cobalt-Strike/unhook-bof) | Remove API hooks from Beacon process | ![](https://img.shields.io/github/stars/Cobalt-Strike/unhook-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Cobalt-Strike/unhook-bof?label=&style=flat) |
| [Backstab_BOF](https://github.com/Octoberfest7/Backstab_BOF) | Implementation of Yaxser’s Backstab as a BOF | ![](https://img.shields.io/github/stars/Octoberfest7/Backstab_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Octoberfest7/Backstab_BOF?label=&style=flat) |
| [ServiceMove-BOF](https://github.com/netero1010/ServiceMove-BOF) | Lateral movement via DLL hijacking in Windows Perception Simulation Service | ![](https://img.shields.io/github/stars/netero1010/ServiceMove-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/netero1010/ServiceMove-BOF?label=&style=flat) |
| [KillDefenderBOF (fork)](https://github.com/redteam88/KillDefenderBOF) | Forked PoC of KillDefender as a BOF | ![](https://img.shields.io/github/stars/redteam88/KillDefenderBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/redteam88/KillDefenderBOF?label=&style=flat) |
| [secinject](https://github.com/apokryptein/secinject) | Section mapping injection via BOF | ![](https://img.shields.io/github/stars/apokryptein/secinject?label=&style=flat) | ![](https://img.shields.io/github/last-commit/apokryptein/secinject?label=&style=flat) |
| [tgtdelegation](https://github.com/connormcgarr/tgtdelegation) | Get usable TGT via TGT delegation trick using BOF | ![](https://img.shields.io/github/stars/connormcgarr/tgtdelegation?label=&style=flat) | ![](https://img.shields.io/github/last-commit/connormcgarr/tgtdelegation?label=&style=flat) |
| [DLL_Version_Enumeration_BOF](https://github.com/EspressoCake/DLL_Version_Enumeration_BOF) | Enumerate version info for DLLs associated with Beacon process | ![](https://img.shields.io/github/stars/EspressoCake/DLL_Version_Enumeration_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/DLL_Version_Enumeration_BOF?label=&style=flat) |
| [InlineWhispers](https://github.com/outflanknl/InlineWhispers) | Direct System Call support in Cobalt Strike BOFs | ![](https://img.shields.io/github/stars/outflanknl/InlineWhispers?label=&style=flat) | ![](https://img.shields.io/github/last-commit/outflanknl/InlineWhispers?label=&style=flat) |
| [DLL-Exports-Extraction-BOF](https://github.com/EspressoCake/DLL-Exports-Extraction-BOF) | Extract DLL export symbols with NTFS transaction support | ![](https://img.shields.io/github/stars/EspressoCake/DLL-Exports-Extraction-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/DLL-Exports-Extraction-BOF?label=&style=flat) |
| [DLL-Hijack-Search-Order-BOF](https://github.com/EspressoCake/DLL-Hijack-Search-Order-BOF) | BOF for enumerating DLL hijack search order | ![](https://img.shields.io/github/stars/EspressoCake/DLL-Hijack-Search-Order-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/DLL-Hijack-Search-Order-BOF?label=&style=flat) |
| [DLL_Imports_BOF](https://github.com/EspressoCake/DLL_Imports_BOF) | Parse PE file imports via BOF and extract DLL symbols | ![](https://img.shields.io/github/stars/EspressoCake/DLL_Imports_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/DLL_Imports_BOF?label=&style=flat) |
| [HandleKatz_BOF](https://github.com/EspressoCake/HandleKatz_BOF) | BOF port of research by @thefLinkk and @codewhitesec for LSASS credential dumping | ![](https://img.shields.io/github/stars/EspressoCake/HandleKatz_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/HandleKatz_BOF?label=&style=flat) |
| [Firewall_Walker_BOF](https://github.com/EspressoCake/Firewall_Walker_BOF) | BOF for interacting with Windows software firewall COM objects | ![](https://img.shields.io/github/stars/EspressoCake/Firewall_Walker_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/Firewall_Walker_BOF?label=&style=flat) |
| [Self_Deletion_BOF](https://github.com/EspressoCake/Self_Deletion_BOF) | Self-deletion BOF based on research by @jonasLyk and @LloydLabs | ![](https://img.shields.io/github/stars/EspressoCake/Self_Deletion_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/Self_Deletion_BOF?label=&style=flat) |
| [injectEtwBypass](https://github.com/boku7/injectEtwBypass) | Inject ETW Bypass into a remote process using syscalls (HellsGate/HalosGate) | ![](https://img.shields.io/github/stars/boku7/injectEtwBypass?label=&style=flat) | ![](https://img.shields.io/github/last-commit/boku7/injectEtwBypass?label=&style=flat) |
| [Needle_Sift_BOF](https://github.com/EspressoCake/Needle_Sift_BOF) | BOF that uses strstr() with user-supplied needle and filename | ![](https://img.shields.io/github/stars/EspressoCake/Needle_Sift_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/Needle_Sift_BOF?label=&style=flat) |
| [BOF-ForeignLsass](https://github.com/alfarom256/BOF-ForeignLsass) | Access and dump LSASS from a foreign session | ![](https://img.shields.io/github/stars/alfarom256/BOF-ForeignLsass?label=&style=flat) | ![](https://img.shields.io/github/last-commit/alfarom256/BOF-ForeignLsass?label=&style=flat) |
| [TrustedPath-UACBypass-BOF](https://github.com/netero1010/TrustedPath-UACBypass-BOF) | Trusted path UAC bypass using DCOM objects without invoking cmd.exe | ![](https://img.shields.io/github/stars/netero1010/TrustedPath-UACBypass-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/netero1010/TrustedPath-UACBypass-BOF?label=&style=flat) |
| [Detect-Hooks](https://github.com/anthemtotheego/Detect-Hooks) | Detect userland API hooks by AV/EDR using BOF (original) | ![](https://img.shields.io/github/stars/anthemtotheego/Detect-Hooks?label=&style=flat) | ![](https://img.shields.io/github/last-commit/anthemtotheego/Detect-Hooks?label=&style=flat) |
| [Detect-Hooks (fork)](https://github.com/xforcered/Detect-Hooks) | Fork of Detect-Hooks by xforcered | ![](https://img.shields.io/github/stars/xforcered/Detect-Hooks?label=&style=flat) | ![](https://img.shields.io/github/last-commit/xforcered/Detect-Hooks?label=&style=flat) |
| [CredBandit](https://github.com/anthemtotheego/CredBandit) | Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in-memory dump of a process and send that back through your already existing Beacon communication channel | ![](https://img.shields.io/github/stars/anthemtotheego/CredBandit?label=&style=flat) | ![](https://img.shields.io/github/last-commit/anthemtotheego/CredBandit?label=&style=flat) |
| [CredBandit (fork)](https://github.com/xforcered/CredBandit) | Fork of CredBandit for process memory dumping via syscalls | ![](https://img.shields.io/github/stars/xforcered/CredBandit?label=&style=flat) | ![](https://img.shields.io/github/last-commit/xforcered/CredBandit?label=&style=flat) |
| [bof-registry](https://github.com/ausec-it/bof-registry) | Query and modify Windows Registry from a Beacon | ![](https://img.shields.io/github/stars/ausec-it/bof-registry?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ausec-it/bof-registry?label=&style=flat) |
| [extps-cobalt-strike-bof](https://github.com/thesnoom/extps-cobalt-strike-bof) | Extended process list BOF with search functionality | ![](https://img.shields.io/github/stars/thesnoom/extps-cobalt-strike-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/thesnoom/extps-cobalt-strike-bof?label=&style=flat) |
| [BOF-RegSave](https://github.com/EncodeGroup/BOF-RegSave) | Dump SAM, SECURITY, and SYSTEM registry hives with BOF | 
![](https://img.shields.io/github/stars/EncodeGroup/BOF-RegSave?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EncodeGroup/BOF-RegSave?label=&style=flat) | | [CVE-2020-0796-BOF](https://github.com/rsmudge/CVE-2020-0796-BOF) | Exploitation of CVE-2020-0796 (SMBGhost) via BOF | ![](https://img.shields.io/github/stars/rsmudge/CVE-2020-0796-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/rsmudge/CVE-2020-0796-BOF?label=&style=flat) | | [BOF-DLL-Inject](https://github.com/tomcarver16/BOF-DLL-Inject) | Manual DLL injection using Cobalt Strike BOFs | ![](https://img.shields.io/github/stars/tomcarver16/BOF-DLL-Inject?label=&style=flat) | ![](https://img.shields.io/github/last-commit/tomcarver16/BOF-DLL-Inject?label=&style=flat) | | [bof-NetworkServiceEscalate](https://github.com/j0urney1/bof-NetworkServiceEscalate) | Abuse Shared Logon Session ID Issue for escalation to SYSTEM | ![](https://img.shields.io/github/stars/j0urney1/bof-NetworkServiceEscalate?label=&style=flat) | ![](https://img.shields.io/github/last-commit/j0urney1/bof-NetworkServiceEscalate?label=&style=flat) | | [OSCE](https://github.com/dhn/OSCE) | Exploits from OSCE prep — may include legacy BOFs | ![](https://img.shields.io/github/stars/dhn/OSCE?label=&style=flat) | ![](https://img.shields.io/github/last-commit/dhn/OSCE?label=&style=flat) | | [CobaltWhispers](https://github.com/NVISOsecurity/CobaltWhispers) | Direct syscall-based BOFs for injection, memory allocation, and shellcode loading | ![](https://img.shields.io/github/stars/NVISOsecurity/CobaltWhispers?label=&style=flat) | ![](https://img.shields.io/github/last-commit/NVISOsecurity/CobaltWhispers?label=&style=flat) | | [HiddenDesktop](https://github.com/WKL-Sec/HiddenDesktop) | BOF to interact with hidden desktops for stealthy GUI operations. 
| ![](https://img.shields.io/github/stars/WKL-Sec/HiddenDesktop?label=&style=flat) | ![](https://img.shields.io/github/last-commit/WKL-Sec/HiddenDesktop?label=&style=flat) | | [ChromeKatz](https://github.com/Meckazin/ChromeKatz) | A BOF implementation for dumping credentials stored by the Chrome browser. | ![](https://img.shields.io/github/stars/Meckazin/ChromeKatz?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Meckazin/ChromeKatz?label=&style=flat) | | [Koh](https://github.com/GhostPack/Koh) | The Token Stealer BOF from GhostPack for capturing and manipulating Windows access tokens. | ![](https://img.shields.io/github/stars/GhostPack/Koh?label=&style=flat) | ![](https://img.shields.io/github/last-commit/GhostPack/Koh?label=&style=flat) | | [FriendlyFireBOF](https://github.com/ibaiC/FriendlyFireBOF) | BOF designed to interact with EDR components, potentially for disabling or tampering. | ![](https://img.shields.io/github/stars/ibaiC/FriendlyFireBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ibaiC/FriendlyFireBOF?label=&style=flat) | | [DataInject-BOF](https://github.com/iilegacyyii/DataInject-BOF) | A BOF for injecting arbitrary data into target processes. 
| ![](https://img.shields.io/github/stars/iilegacyyii/DataInject-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/iilegacyyii/DataInject-BOF?label=&style=flat) | | [Winsocky](https://github.com/WKL-Sec/Winsocky) | Winsocket implementation for Cobalt Strike communication | ![](https://img.shields.io/github/stars/WKL-Sec/Winsocky?label=&style=flat) | ![](https://img.shields.io/github/last-commit/WKL-Sec/Winsocky?label=&style=flat) | | [ScreenShot-BOF](https://github.com/qwqdanchun/ScreenShot-BOF) | Alternative Screenshot BOF | ![](https://img.shields.io/github/stars/qwqdanchun/ScreenShot-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/qwqdanchun/ScreenShot-BOF?label=&style=flat) | | [PPEnum](https://github.com/rasta-mouse/PPEnum) | Simple BOF to read the protection level of a process | ![](https://img.shields.io/github/stars/rasta-mouse/PPEnum?label=&style=flat) | ![](https://img.shields.io/github/last-commit/rasta-mouse/PPEnum?label=&style=flat) | | [FindObjects-BOF](https://github.com/outflanknl/FindObjects-BOF) | Enumerate processes for specific modules or process handles using syscalls | ![](https://img.shields.io/github/stars/outflanknl/FindObjects-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/outflanknl/FindObjects-BOF?label=&style=flat) | | [inject-assembly](https://github.com/kyleavery/inject-assembly) | Execute .NET in an Existing Process (alternative to fork & run) | ![](https://img.shields.io/github/stars/kyleavery/inject-assembly?label=&style=flat) | ![](https://img.shields.io/github/last-commit/kyleavery/inject-assembly?label=&style=flat) | | [GetWebDAVStatus](https://github.com/G0ldenGunSec/GetWebDAVStatus) | Determine if Web Client service (WebDAV) is running on a remote system | ![](https://img.shields.io/github/stars/G0ldenGunSec/GetWebDAVStatus?label=&style=flat) | ![](https://img.shields.io/github/last-commit/G0ldenGunSec/GetWebDAVStatus?label=&style=flat) | | 
[SCShell](https://github.com/Mr-Un1k0d3r/SCShell) | Fileless lateral movement tool using ChangeServiceConfigA (May use BOF) | ![](https://img.shields.io/github/stars/Mr-Un1k0d3r/SCShell?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Mr-Un1k0d3r/SCShell?label=&style=flat) | | [winrmdll](https://github.com/mez-0/winrmdll) | WinRM C++ API interaction (Likely DLL, potentially used with BOF loader) | ![](https://img.shields.io/github/stars/mez-0/winrmdll?label=&style=flat) | ![](https://img.shields.io/github/last-commit/mez-0/winrmdll?label=&style=flat) | | [PortBender](https://github.com/praetorian-inc/PortBender) | TCP port redirection utility (Tool, likely uses driver, not strictly BOF) | ![](https://img.shields.io/github/stars/praetorian-inc/PortBender?label=&style=flat) | ![](https://img.shields.io/github/last-commit/praetorian-inc/PortBender?label=&style=flat) | | [NetUser](https://github.com/lengjibo/NetUser) | Add user via Windows API (Chinese description) | ![](https://img.shields.io/github/stars/lengjibo/NetUser?label=&style=flat) | ![](https://img.shields.io/github/last-commit/lengjibo/NetUser?label=&style=flat) | | [Process_Protection_Level_BOF](https://github.com/EspressoCake/Process_Protection_Level_BOF) | Syscall-only BOF to grab process protection attributes | ![](https://img.shields.io/github/stars/EspressoCake/Process_Protection_Level_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/Process_Protection_Level_BOF?label=&style=flat) | | [LdapSignCheck](https://github.com/cube0x0/LdapSignCheck) | Scan DC for LDAP signing/integrity settings | ![](https://img.shields.io/github/stars/cube0x0/LdapSignCheck?label=&style=flat) | ![](https://img.shields.io/github/last-commit/cube0x0/LdapSignCheck?label=&style=flat) | | [DelegationBOF](https://github.com/IcebreakerSecurity/DelegationBOF) | Check domain for abusable Kerberos delegation settings via LDAP | 
![](https://img.shields.io/github/stars/IcebreakerSecurity/DelegationBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/IcebreakerSecurity/DelegationBOF?label=&style=flat) | | [BOFs (snovvcrash)](https://github.com/snovvcrash/BOFs) | WNF notification subscription & SCManager SDDL Backdoor | ![](https://img.shields.io/github/stars/snovvcrash/BOFs?label=&style=flat) | ![](https://img.shields.io/github/last-commit/snovvcrash/BOFs?label=&style=flat) | | [BOF-SprayAD](https://github.com/Hagrid29/BOF-SprayAD) | LDAP/Kerberos based password spray BOF | ![](https://img.shields.io/github/stars/Hagrid29/BOF-SprayAD?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Hagrid29/BOF-SprayAD?label=&style=flat) | | [Cookie-Graber-BOF](https://github.com/Mr-Un1k0d3r/Cookie-Graber-BOF) | Extract WebKit master key to decrypt user cookies | ![](https://img.shields.io/github/stars/Mr-Un1k0d3r/Cookie-Graber-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Mr-Un1k0d3r/Cookie-Graber-BOF?label=&style=flat) | | [GetWeChatBOF (in BOFTools)](https://github.com/pyroxenites/BOFTools/tree/main/GetWeChatBOF) | BOF to get WeChat information (specific version, part of BOFTools collection) | ![](https://img.shields.io/github/stars/pyroxenites/BOFTools?label=&style=flat) |![](https://img.shields.io/github/last-commit/pyroxenites/BOFTools?label=&style=flat) | | [ShadowRDP](https://github.com/c3r3br4t3/ShadowRDP) | BOF and GUI tool for Remote Assistance / Shadow RDP connection | ![](https://img.shields.io/github/stars/c3r3br4t3/ShadowRDP?label=&style=flat) | ![](https://img.shields.io/github/last-commit/c3r3br4t3/ShadowRDP?label=&style=flat) | | [kernel-mii (Northwave)](https://github.com/NorthwaveSecurity/kernel-mii) | BOF foundation for kernel exploitation using CVE-2021-21551 | ![](https://img.shields.io/github/stars/NorthwaveSecurity/kernel-mii?label=&style=flat) | 
![](https://img.shields.io/github/last-commit/NorthwaveSecurity/kernel-mii?label=&style=flat) | | [CVE-2023-36874_BOF](https://github.com/Octoberfest7/CVE-2023-36874_BOF) | Weaponized BOF for CVE-2023-36874 Windows Error Reporting LPE | ![](https://img.shields.io/github/stars/Octoberfest7/CVE-2023-36874_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Octoberfest7/CVE-2023-36874_BOF?label=&style=flat) | | [PersistBOF](https://github.com/IcebreakerSecurity/PersistBOF) | Automate persistence mechanisms (Print Monitor, Time Provider, etc.) | ![](https://img.shields.io/github/stars/IcebreakerSecurity/PersistBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/IcebreakerSecurity/PersistBOF?label=&style=flat) | | [amd-ryzen-master-driver-v17-exploit](https://github.com/tijme/amd-ryzen-master-driver-v17-exploit) | Cobalt Strike (CS) Beacon Object File (BOF) for kernel exploitation using AMD's Ryzen Master Driver (version 17). | ![](https://img.shields.io/github/stars/tijme/amd-ryzen-master-driver-v17-exploit?label=&style=flat) | ![](https://img.shields.io/github/last-commit/tijme/amd-ryzen-master-driver-v17-exploit?label=&style=flat) | | [cThreadHijack](https://github.com/connormcgarr/cThreadHijack) | Beacon Object File (BOF) for remote process injection via thread hijacking. | ![](https://img.shields.io/github/stars/connormcgarr/cThreadHijack?label=&style=flat) | ![](https://img.shields.io/github/last-commit/connormcgarr/cThreadHijack?label=&style=flat) | | [BOF_dumpclip](https://github.com/topotam/BOF_dumpclip) | Beacon Object Files to dump content of clipboard. | ![](https://img.shields.io/github/stars/topotam/BOF_dumpclip?label=&style=flat) | ![](https://img.shields.io/github/last-commit/topotam/BOF_dumpclip?label=&style=flat) | | [sandbox-process-bof](https://github.com/RobertDiep/sandbox-process-bof) | A Beacon Object File (BOF) to sandbox a process. 
| ![](https://img.shields.io/github/stars/RobertDiep/sandbox-process-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/RobertDiep/sandbox-process-bof?label=&style=flat) | | [KillDefenderBOF](https://github.com/Cerbersec/KillDefenderBOF) | Beacon Object File PoC implementation of KillDefender (Potential variant/fork). | ![](https://img.shields.io/github/stars/Cerbersec/KillDefenderBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Cerbersec/KillDefenderBOF?label=&style=flat) | | [TokenStripBOF](https://github.com/nick-frischkorn/TokenStripBOF) | Beacon Object File to delete token privileges and lower the integrity level to untrusted for a specified process. | ![](https://img.shields.io/github/stars/nick-frischkorn/TokenStripBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/nick-frischkorn/TokenStripBOF?label=&style=flat) | | [SuspendEventLogBOF](https://github.com/nick-frischkorn/SuspendEventLogBOF) | Beacon Object File to locate and suspend the threads hosting the Event Log service. | ![](https://img.shields.io/github/stars/nick-frischkorn/SuspendEventLogBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/nick-frischkorn/SuspendEventLogBOF?label=&style=flat) | | [bofs](https://github.com/stufus/bofs) | Miscellaneous Cobalt Strike Beacon Object Files by stufus. | ![](https://img.shields.io/github/stars/stufus/bofs?label=&style=flat) | ![](https://img.shields.io/github/last-commit/stufus/bofs?label=&style=flat) | | [BOF-RemoteRegSave](https://github.com/Hagrid29/BOF-RemoteRegSave) | Cobalt Strike Beacon Object File (BOF) that uses RegConnectRegistryA + RegOpenKeyExA API to dump registry hives on remote computer. 
| ![](https://img.shields.io/github/stars/Hagrid29/BOF-RemoteRegSave?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Hagrid29/BOF-RemoteRegSave?label=&style=flat) | | [ServiceSetSD-Bof](https://github.com/0x3rhy/ServiceSetSD-Bof) | Beacon Object file set service security descriptor. | ![](https://img.shields.io/github/stars/0x3rhy/ServiceSetSD-Bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x3rhy/ServiceSetSD-Bof?label=&style=flat) | | [memlist-bof](https://github.com/VirtualSamuraii/memlist-bof) | Simple BOF to list the modules loaded in memory for a specified process. | ![](https://img.shields.io/github/stars/VirtualSamuraii/memlist-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/VirtualSamuraii/memlist-bof?label=&style=flat) | | [BOF-DCOMPotato-PrintNotify](https://github.com/Hagrid29/BOF-DCOMPotato-PrintNotify) | BOF that obtains SYSTEM privilege with SeImpersonate privilege via DCOM call of PrintNotify. | ![](https://img.shields.io/github/stars/Hagrid29/BOF-DCOMPotato-PrintNotify?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Hagrid29/BOF-DCOMPotato-PrintNotify?label=&style=flat) | | [Introduction-to-BOF](https://github.com/D4rkCorp/Introduction-to-BOF) | A demo repository for a blog post on Introduction to Beacon Object Files. | ![](https://img.shields.io/github/stars/D4rkCorp/Introduction-to-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/D4rkCorp/Introduction-to-BOF?label=&style=flat) | | [CobaltStrikeBOFs](https://github.com/Und3rf10w/CobaltStrikeBOFs) | Beacon Object Files used for Cobalt Strike by Und3rf10w. | ![](https://img.shields.io/github/stars/Und3rf10w/CobaltStrikeBOFs?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Und3rf10w/CobaltStrikeBOFs?label=&style=flat) | | [ChangeWallpaper-BOF](https://github.com/KingOfTheNOPs/ChangeWallpaper-BOF) | Cobalt Strike Beacon Object File to change the user's desktop wallpaper. 
| ![](https://img.shields.io/github/stars/KingOfTheNOPs/ChangeWallpaper-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/KingOfTheNOPs/ChangeWallpaper-BOF?label=&style=flat) | | [Mockingjay_BOF](https://github.com/ewby/Mockingjay_BOF) | BOF Conversion of the Mockingjay Process Injection Technique. | ![](https://img.shields.io/github/stars/ewby/Mockingjay_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ewby/Mockingjay_BOF?label=&style=flat) | | [fileSearcher](https://github.com/MaorSabag/fileSearcher) | A simple BOF (Beacon Object File) to search files in the system. | ![](https://img.shields.io/github/stars/MaorSabag/fileSearcher?label=&style=flat) | ![](https://img.shields.io/github/last-commit/MaorSabag/fileSearcher?label=&style=flat) | | [CVE-2024-35250-BOF](https://github.com/yinsel/CVE-2024-35250-BOF) | Beacon Object File (BOF) implementation for CVE-2024-35250 (Chinese description). | ![](https://img.shields.io/github/stars/yinsel/CVE-2024-35250-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/yinsel/CVE-2024-35250-BOF?label=&style=flat) | | [samdump-bof](https://github.com/0x3rhy/samdump-bof) | Beacon Object File Dump sam file (Potential variant/fork). | ![](https://img.shields.io/github/stars/0x3rhy/samdump-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x3rhy/samdump-bof?label=&style=flat) | | [WhatsAppKeyBOF](https://github.com/0xRedpoll/WhatsAppKeyBOF) | A BOF to retrieve decryption keys for WhatsApp Desktop and a utility script to decrypt the databases. | ![](https://img.shields.io/github/stars/0xRedpoll/WhatsAppKeyBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0xRedpoll/WhatsAppKeyBOF?label=&style=flat) | | [Enable-EFS-BOF](https://github.com/carlisleet/Enable-EFS-BOF) | Enable EFS BOF. 
| ![](https://img.shields.io/github/stars/carlisleet/Enable-EFS-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/carlisleet/Enable-EFS-BOF?label=&style=flat) | | [bof-modules](https://github.com/mr-r3bot/bof-modules) | BOF for C2 framework by mr-r3bot. | ![](https://img.shields.io/github/stars/mr-r3bot/bof-modules?label=&style=flat) | ![](https://img.shields.io/github/last-commit/mr-r3bot/bof-modules?label=&style=flat) | | [CVE-2024-35250-BOF](https://github.com/ro0tmylove/CVE-2024-35250-BOF) | Cobalt Strike BOF for CVE-2024-35250 (Chinese description, likely duplicate). | ![](https://img.shields.io/github/stars/ro0tmylove/CVE-2024-35250-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ro0tmylove/CVE-2024-35250-BOF?label=&style=flat) | | [Spawn_bof](https://github.com/ASkyeye/Spawn_bof) | BOF Spawn process using NtCreateUserProcess with ppid spoofing/block dll policy. | ![](https://img.shields.io/github/stars/ASkyeye/Spawn_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ASkyeye/Spawn_bof?label=&style=flat) | | [NetView-BOF](https://github.com/0x3rhy/NetView-BOF) | NetView BOF. | ![](https://img.shields.io/github/stars/0x3rhy/NetView-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x3rhy/NetView-BOF?label=&style=flat) | | [ReadRemoteProcessCommandline_BOF](https://github.com/EspressoCake/ReadRemoteProcessCommandline_BOF) | Read command line of a remote process BOF. | ![](https://img.shields.io/github/stars/EspressoCake/ReadRemoteProcessCommandline_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/ReadRemoteProcessCommandline_BOF?label=&style=flat) | | [hookdetection-bof](https://github.com/0xflagplz/hookdetection-bof) | BOF of MrEmpy's NTapi Hook Detector. 
| ![](https://img.shields.io/github/stars/0xflagplz/hookdetection-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0xflagplz/hookdetection-bof?label=&style=flat) | | [terminator_bof](https://github.com/BambiZombie/terminator_bof) | Generic BOF by BambiZombie (Chinese description). | ![](https://img.shields.io/github/stars/BambiZombie/terminator_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/BambiZombie/terminator_bof?label=&style=flat) | | [locate-bof](https://github.com/gatariee/locate-bof) | A BOF for locating files (like Unix 'locate'). | ![](https://img.shields.io/github/stars/gatariee/locate-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/gatariee/locate-bof?label=&style=flat) | | [addschtask_bof](https://github.com/BambiZombie/addschtask_bof) | Generic BOF for creating scheduled tasks (Chinese description). | ![](https://img.shields.io/github/stars/BambiZombie/addschtask_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/BambiZombie/addschtask_bof?label=&style=flat) | | [getloggedonBOF](https://github.com/0xSH4RKS/getloggedonBOF) | Gets logged on users on a remote machine using remote registry enumeration. | ![](https://img.shields.io/github/stars/0xSH4RKS/getloggedonBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0xSH4RKS/getloggedonBOF?label=&style=flat) | | [DirectX9-Screenshot-BOF](https://github.com/0xflagplz/DirectX9-Screenshot-BOF) | Taking Screenshots with DirectX9 BOF. | ![](https://img.shields.io/github/stars/0xflagplz/DirectX9-Screenshot-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0xflagplz/DirectX9-Screenshot-BOF?label=&style=flat) | | [BackupBOF](https://github.com/freefallerr/BackupBOF) | A BOF utilising SeBackupPrivilege to export reg keys. 
| ![](https://img.shields.io/github/stars/freefallerr/BackupBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/freefallerr/BackupBOF?label=&style=flat) | | [TimeStomp_bof](https://github.com/RobotOperator/TimeStomp_bof) | Timestomps a target file to match a source file (Potential variant/fork). | ![](https://img.shields.io/github/stars/RobotOperator/TimeStomp_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/RobotOperator/TimeStomp_bof?label=&style=flat) | | [ivanti-cve-2023-35080-privilege-escalation-bof](https://github.com/tijme/ivanti-cve-2023-35080-privilege-escalation-bof) | Ivanti Secure Access privilege escalation BOF (CVE-2023-35080). | ![](https://img.shields.io/github/stars/tijme/ivanti-cve-2023-35080-privilege-escalation-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/tijme/ivanti-cve-2023-35080-privilege-escalation-bof?label=&style=flat) | | [stoplooking](https://github.com/zimnyaa/stoplooking) | A simple BOF that disables some logging with NtSetInformationProcess. | ![](https://img.shields.io/github/stars/zimnyaa/stoplooking?label=&style=flat) | ![](https://img.shields.io/github/last-commit/zimnyaa/stoplooking?label=&style=flat) | | [wtsimpersonate_bof](https://github.com/zimnyaa/wtsimpersonate_bof) | WTSImpersonator BOF port. | ![](https://img.shields.io/github/stars/zimnyaa/wtsimpersonate_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/zimnyaa/wtsimpersonate_bof?label=&style=flat) | | [self_delete_bof](https://github.com/AgeloVito/self_delete_bof) | BOF implementation of delete self poc for locked/running files (Potential variant/fork). | ![](https://img.shields.io/github/stars/AgeloVito/self_delete_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/AgeloVito/self_delete_bof?label=&style=flat) | | [NerfDefender](https://github.com/HaydoW/NerfDefender) | BOF and C++ implementation of the Windows Defender sandboxing technique. 
| ![](https://img.shields.io/github/stars/HaydoW/NerfDefender?label=&style=flat) | ![](https://img.shields.io/github/last-commit/HaydoW/NerfDefender?label=&style=flat) | | [BOFRunPortable](https://github.com/9bie/BOFRunPortable) | BOF memory run exe (Chinese description). | ![](https://img.shields.io/github/stars/9bie/BOFRunPortable?label=&style=flat) | ![](https://img.shields.io/github/last-commit/9bie/BOFRunPortable?label=&style=flat) | | [CS-DropSpawn_BOF](https://github.com/gmh5225/CS-DropSpawn_BOF) | CobaltStrike BOF to spawn Beacons using DLL Application Directory Hijacking (Potential variant/fork). | ![](https://img.shields.io/github/stars/gmh5225/CS-DropSpawn_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/gmh5225/CS-DropSpawn_BOF?label=&style=flat) | | [getsystem-bof](https://github.com/parzel/getsystem-bof) | BOF to execute shellcode as SYSTEM via PPID spoofing. | ![](https://img.shields.io/github/stars/parzel/getsystem-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/parzel/getsystem-bof?label=&style=flat) | | [BOF-NPPSPY](https://github.com/VoldeSec/BOF-NPPSPY) | Porting of NPPSPY to BOF for MitM user logon process. | ![](https://img.shields.io/github/stars/VoldeSec/BOF-NPPSPY?label=&style=flat) | ![](https://img.shields.io/github/last-commit/VoldeSec/BOF-NPPSPY?label=&style=flat) | | [PatchlessInlineExecute-Assembly](https://github.com/VoldeSec/PatchlessInlineExecute-Assembly) | Porting of InlineExecute-Assembly BOF with patchless AMSI/ETW bypass using hardware breakpoint. | ![](https://img.shields.io/github/stars/VoldeSec/PatchlessInlineExecute-Assembly?label=&style=flat) | ![](https://img.shields.io/github/last-commit/VoldeSec/PatchlessInlineExecute-Assembly?label=&style=flat) | | [kerbof](https://github.com/funnybananas/kerbof) | Kerberos BOFs inspired and heavily adapted from nanorobeus and rubeus. 
| ![](https://img.shields.io/github/stars/funnybananas/kerbof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/funnybananas/kerbof?label=&style=flat) | | [Service-Bof](https://github.com/0x3rhy/Service-Bof) | Beacon obj file Create or Delete Service. | ![](https://img.shields.io/github/stars/0x3rhy/Service-Bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x3rhy/Service-Bof?label=&style=flat) | | [Evidence_BOF](https://github.com/carlnykvist/Evidence_BOF) | Collect evidence BOF. | ![](https://img.shields.io/github/stars/carlnykvist/Evidence_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/carlnykvist/Evidence_BOF?label=&style=flat) | | [PPLDump_BOF](https://github.com/fenalik/PPLDump_BOF) | Transposition of @itm4n's PPLDump project as a BOF (Potential variant/fork). | ![](https://img.shields.io/github/stars/fenalik/PPLDump_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/fenalik/PPLDump_BOF?label=&style=flat) | | [Timestamp_BOF](https://github.com/carlnykvist/Timestamp_BOF) | Timestamp BOF (Potential variant/fork). | ![](https://img.shields.io/github/stars/carlnykvist/Timestamp_BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/carlnykvist/Timestamp_BOF?label=&style=flat) | | [bof-adopt](https://github.com/slemire/bof-adopt) | BOF implementation of Adopt. Spawns a process from a process. | ![](https://img.shields.io/github/stars/slemire/bof-adopt?label=&style=flat) | ![](https://img.shields.io/github/last-commit/slemire/bof-adopt?label=&style=flat) | | [BOF-klist](https://github.com/CUHKJason/BOF-klist) | A simple BOF implementation of klist using Windows API. 
| ![](https://img.shields.io/github/stars/CUHKJason/BOF-klist?label=&style=flat) | ![](https://img.shields.io/github/last-commit/CUHKJason/BOF-klist?label=&style=flat) |
| [AskCreds-CS](https://github.com/GeorgePatsias/AskCreds-CS) | A BOF tool to collect passwords using CredUIPromptForWindowsCredentialsName. | ![](https://img.shields.io/github/stars/GeorgePatsias/AskCreds-CS?label=&style=flat) | ![](https://img.shields.io/github/last-commit/GeorgePatsias/AskCreds-CS?label=&style=flat) |
| [dump-hives-BOF](https://github.com/erberkan/dump-hives-BOF) | Dump SAM, SYSTEM and SECURITY hives under C:\ drive (Potential variant/fork). | ![](https://img.shields.io/github/stars/erberkan/dump-hives-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/erberkan/dump-hives-BOF?label=&style=flat) |
| [ACG-BOF](https://github.com/timwhitez/ACG-BOF) | Preventing 3rd Party DLLs from Injecting into your Malware using Arbitrary Code Guard BOF. | ![](https://img.shields.io/github/stars/timwhitez/ACG-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/timwhitez/ACG-BOF?label=&style=flat) |
| [SyscallPack](https://github.com/epichoxha/SyscallPack) | BOF and Shellcode for full DLL unhooking using dynamic syscalls. | ![](https://img.shields.io/github/stars/epichoxha/SyscallPack?label=&style=flat) | ![](https://img.shields.io/github/last-commit/epichoxha/SyscallPack?label=&style=flat) |
| [ntdll-refresher-hook-removal-bof](https://github.com/js0ncheng/ntdll-refresher-hook-removal-bof) | NTDLL refresher hook removal BOF. | ![](https://img.shields.io/github/stars/js0ncheng/ntdll-refresher-hook-removal-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/js0ncheng/ntdll-refresher-hook-removal-bof?label=&style=flat) |
| [pdq-bof](https://github.com/dru1d-foofus/pdq-bof) | bof for pdq deploy credential decryption - thx garrett <3 | ![](https://img.shields.io/github/stars/dru1d-foofus/pdq-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/dru1d-foofus/pdq-bof?label=&style=flat) |
| [RpcDump-BOF](https://github.com/l00sy4/RpcDump-BOF) | Beacon Object File that mimics Impacket's rpcdump | ![](https://img.shields.io/github/stars/l00sy4/RpcDump-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/l00sy4/RpcDump-BOF?label=&style=flat) |
| [LocklessBof](https://github.com/antroguy/LocklessBof) | A Beacon Object File (BOF) implementation of Lockless by HarmJ0y, designed to enumerate open file handles and facilitate the fileless download of locked files. Within this project, you'll find two BOFs: LocklessEnum and LocklessDownload. | ![](https://img.shields.io/github/stars/antroguy/LocklessBof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/antroguy/LocklessBof?label=&style=flat) |
| [aggrokatz](https://github.com/sec-consult/aggrokatz) | Aggrokatz is an aggressor plugin extension for Cobalt Strike which enables pypykatz to interface with the beacons remotely and allows it to parse LSASS dump files and registry hive files to extract credentials and other secrets stored without downloading the file and without uploading any suspicious code to the beacon. | ![](https://img.shields.io/github/stars/sec-consult/aggrokatz?label=&style=flat) | ![](https://img.shields.io/github/last-commit/sec-consult/aggrokatz?label=&style=flat) |
| [NtCreateUserProcessBOF](https://github.com/dmcxblue/NtCreateUserProcessBOF) | An Aggressor Script that utilizes NtCreateUserProcess to run binaries | ![](https://img.shields.io/github/stars/dmcxblue/NtCreateUserProcessBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/dmcxblue/NtCreateUserProcessBOF?label=&style=flat) |
| [BypassCredGuard-BOF](https://github.com/0x3rhy/BypassCredGuard-BOF) | BypassCredGuard CS BOF | ![](https://img.shields.io/github/stars/0x3rhy/BypassCredGuard-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0x3rhy/BypassCredGuard-BOF?label=&style=flat) |
| [bof-winrm-client](https://github.com/FalconForceTeam/bof-winrm-client) | Cobalt Strike BOF that implements a WinRM shell client using Windows APIs. | ![](https://img.shields.io/github/stars/FalconForceTeam/bof-winrm-client?label=&style=flat) | ![](https://img.shields.io/github/last-commit/FalconForceTeam/bof-winrm-client?label=&style=flat) |
| [DataBetweenBOF](https://github.com/bitBossBBQ/DataBetweenBOF) | PoC for tracking and updating data between BOF runs on the same beacon. | ![](https://img.shields.io/github/stars/bitBossBBQ/DataBetweenBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/bitBossBBQ/DataBetweenBOF?label=&style=flat) |
| [Ghosting-BOF](https://github.com/qigpig/Ghosting-BOF) | Mainly used to hide a process's real path; the process carries a genuine Windows signature | ![](https://img.shields.io/github/stars/qigpig/Ghosting-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/qigpig/Ghosting-BOF?label=&style=flat) |
| [BOF-BypassUAC](https://github.com/theomilan3/BOF-BypassUAC) | A BypassUAC BOF used to bypass Windows Defender. (Please give me a star, thanks.) | ![](https://img.shields.io/github/stars/theomilan3/BOF-BypassUAC?label=&style=flat) | ![](https://img.shields.io/github/last-commit/theomilan3/BOF-BypassUAC?label=&style=flat) |
| [BOF-whoami-ldap](https://github.com/steve-embling/BOF-whoami-ldap) | Quick and dirty reimplementation of Get-LdapCurrentUser.ps1 by Lee Christensen (@tifkin_) as a BOF | ![](https://img.shields.io/github/stars/steve-embling/BOF-whoami-ldap?label=&style=flat) | ![](https://img.shields.io/github/last-commit/steve-embling/BOF-whoami-ldap?label=&style=flat) |
| [createprocess-bof](https://github.com/MayerDaniel/createprocess-bof) | Simple bof that calls CreateProcess to start executables | ![](https://img.shields.io/github/stars/MayerDaniel/createprocess-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/MayerDaniel/createprocess-bof?label=&style=flat) |
| [seclogon_execute_bof](https://github.com/BambiZombie/seclogon_execute_bof) | An ordinary BOF for executing programs | ![](https://img.shields.io/github/stars/BambiZombie/seclogon_execute_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/BambiZombie/seclogon_execute_bof?label=&style=flat) |
| [bypass_uac_bof](https://github.com/BambiZombie/bypass_uac_bof) | An ordinary BOF for BypassUAC | ![](https://img.shields.io/github/stars/BambiZombie/bypass_uac_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/BambiZombie/bypass_uac_bof?label=&style=flat) |
| [Defender-Exclusions-Creator-BOF](https://github.com/EspressoCake/Defender-Exclusions-Creator-BOF) | A BOF to add or remove Windows Defender exclusions. | ![](https://img.shields.io/github/stars/EspressoCake/Defender-Exclusions-Creator-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/EspressoCake/Defender-Exclusions-Creator-BOF?label=&style=flat) |
| [BOF](https://github.com/vaq130/BOF) | Firewall_Enumerator_BOF | ![](https://img.shields.io/github/stars/vaq130/BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/vaq130/BOF?label=&style=flat) |
| [winrmsh](https://github.com/219adlab/winrmsh) | BOF of winrm shell | ![](https://img.shields.io/github/stars/219adlab/winrmsh?label=&style=flat) | ![](https://img.shields.io/github/last-commit/219adlab/winrmsh?label=&style=flat) |
| [logon_monitor](https://github.com/thatwinterquiet/logon_monitor) | A BOF to regularly check for active users on a target. | ![](https://img.shields.io/github/stars/thatwinterquiet/logon_monitor?label=&style=flat) | ![](https://img.shields.io/github/last-commit/thatwinterquiet/logon_monitor?label=&style=flat) |
| [RAIWhateverTrigger](https://github.com/klezVirus/RAIWhateverTrigger) | A BOF implementation of RAITrigger for system coercions. | ![](https://img.shields.io/github/stars/klezVirus/RAIWhateverTrigger?label=&style=flat) | ![](https://img.shields.io/github/last-commit/klezVirus/RAIWhateverTrigger?label=&style=flat) |
| [sekken-enum](https://github.com/Nomad0x7/sekken-enum) | Active Directory Web Services (ADWS) enumeration BOF | ![](https://img.shields.io/github/stars/Nomad0x7/sekken-enum?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Nomad0x7/sekken-enum?label=&style=flat) |
| [msi_lateral_mv](https://github.com/werdhaihai/msi_lateral_mv) | Lateral Movement BOF with MSI ODBC Driver Install | ![](https://img.shields.io/github/stars/werdhaihai/msi_lateral_mv?label=&style=flat) | ![](https://img.shields.io/github/last-commit/werdhaihai/msi_lateral_mv?label=&style=flat) |
| [ColdWer](https://github.com/0xsh3llf1r3/ColdWer) | Cobalt Strike BOF to freeze EDR/AV processes and dump LSASS using WerFaultSecure.exe PPL bypass | ![](https://img.shields.io/github/stars/0xsh3llf1r3/ColdWer?label=&style=flat) | ![](https://img.shields.io/github/last-commit/0xsh3llf1r3/ColdWer?label=&style=flat) |
| [nix_bof_template](https://github.com/outflanknl/nix_bof_template) | Beacon Object File (BOF) Template for Linux | ![](https://img.shields.io/github/stars/outflanknl/nix_bof_template?label=&style=flat) | ![](https://img.shields.io/github/last-commit/outflanknl/nix_bof_template?label=&style=flat) |
| [Cobaltstrike_BOFLoader](https://github.com/CodeXTF2/Cobaltstrike_BOFLoader) | Open source port/reimplementation of the Cobalt Strike BOF Loader | ![](https://img.shields.io/github/stars/CodeXTF2/Cobaltstrike_BOFLoader?label=&style=flat) | ![](https://img.shields.io/github/last-commit/CodeXTF2/Cobaltstrike_BOFLoader?label=&style=flat) |
| [bof_template](https://github.com/CodeXTF2/bof_template) | BOF template with boflink and mutator kit support | ![](https://img.shields.io/github/stars/CodeXTF2/bof_template?label=&style=flat) | ![](https://img.shields.io/github/last-commit/CodeXTF2/bof_template?label=&style=flat) |
| [CS-EDR-Enumeration](https://github.com/VirtualAlllocEx/CS-EDR-Enumeration) | Cobalt Strike Aggressor Script for identifying security products — six enumeration methods rated by noise level | ![](https://img.shields.io/github/stars/VirtualAlllocEx/CS-EDR-Enumeration?label=&style=flat) | ![](https://img.shields.io/github/last-commit/VirtualAlllocEx/CS-EDR-Enumeration?label=&style=flat) |
| [Async_BOFs](https://github.com/9Insomnie/Async_BOFs) | Async BOF framework for running event-detecting monitoring tasks that report back to Cobalt Strike | ![](https://img.shields.io/github/stars/9Insomnie/Async_BOFs?label=&style=flat) | ![](https://img.shields.io/github/last-commit/9Insomnie/Async_BOFs?label=&style=flat) |
| [DPAPI-BOF](https://github.com/toneillcodes/DPAPI-BOF) | DPAPI hunting and parsing BOF for Cobalt Strike | ![](https://img.shields.io/github/stars/toneillcodes/DPAPI-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/toneillcodes/DPAPI-BOF?label=&style=flat) |
| [linux-bof-loader](https://github.com/jm33-m0/linux-bof-loader) | Standalone C implementation of a BOF loader for Linux x86-64 | ![](https://img.shields.io/github/stars/jm33-m0/linux-bof-loader?label=&style=flat) | ![](https://img.shields.io/github/last-commit/jm33-m0/linux-bof-loader?label=&style=flat) |
| [ListModulesBOF](https://github.com/CodeXTF2/ListModulesBOF) | BOF to list loaded modules in a process | ![](https://img.shields.io/github/stars/CodeXTF2/ListModulesBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/CodeXTF2/ListModulesBOF?label=&style=flat) |
| [bof-clipboard-monitor](https://github.com/justJackiee/bof-clipboard-monitor) | BOF for monitoring clipboard contents | ![](https://img.shields.io/github/stars/justJackiee/bof-clipboard-monitor?label=&style=flat) | ![](https://img.shields.io/github/last-commit/justJackiee/bof-clipboard-monitor?label=&style=flat) |
| [coercer_bof](https://github.com/robhughes72/coercer_bof) | Authentication coercion BOF | ![](https://img.shields.io/github/stars/robhughes72/coercer_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/robhughes72/coercer_bof?label=&style=flat) |
| [enumlochost](https://github.com/damaidec/enumlochost) | Situational awareness BOF for local host enumeration during pentests | ![](https://img.shields.io/github/stars/damaidec/enumlochost?label=&style=flat) | ![](https://img.shields.io/github/last-commit/damaidec/enumlochost?label=&style=flat) |
| [lsawhisper-bof](https://github.com/dazzyddos/lsawhisper-bof) | A Beacon Object File (BOF) that talks directly to Windows authentication packages through the LSA untrusted/trusted client interface, without touching LSASS process memory. | ![](https://img.shields.io/github/stars/dazzyddos/lsawhisper-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/dazzyddos/lsawhisper-bof?label=&style=flat) |
| [PEREDBOEMPATAT-BOF](https://github.com/TailoredSecOps/PEREDBOEMPATAT-BOF) | LocalPotato NTLM reflection exploit (CVE-2023-21746) as a Cobalt Strike Beacon Object File | ![](https://img.shields.io/github/stars/TailoredSecOps/PEREDBOEMPATAT-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/TailoredSecOps/PEREDBOEMPATAT-BOF?label=&style=flat) |
| [RegPwnBOF](https://github.com/Flangvik/RegPwnBOF) | Registry symlink race condition LPE exploit (CVE-2026-24291) as a Cobalt Strike BOF | ![](https://img.shields.io/github/stars/Flangvik/RegPwnBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Flangvik/RegPwnBOF?label=&style=flat) |
| [toastnotify-bof](https://github.com/brmkit/toastnotify-bof) | abusing windows toast notifications for fun and user manipulation | ![](https://img.shields.io/github/stars/brmkit/toastnotify-bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/brmkit/toastnotify-bof?label=&style=flat) |
| [BOF-IPMIHash](https://github.com/sudonoodle/BOF-IPMIHash) | BOF to capture an IPMI 2.0 RAKP password hash | ![](https://img.shields.io/github/stars/sudonoodle/BOF-IPMIHash?label=&style=flat) | ![](https://img.shields.io/github/last-commit/sudonoodle/BOF-IPMIHash?label=&style=flat) |
| [trustme](https://github.com/Meowmycks/trustme) | BOF to impersonate TrustedInstaller via DISM API trigger and thread impersonation | ![](https://img.shields.io/github/stars/Meowmycks/trustme?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Meowmycks/trustme?label=&style=flat) |
| [SilentChrome-BOF](https://github.com/ChoiSG/SilentChrome-BOF) | BOF to silently install browser extensions into Chrome or Edge by modifying Preferences files | ![](https://img.shields.io/github/stars/ChoiSG/SilentChrome-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ChoiSG/SilentChrome-BOF?label=&style=flat) |
| [VeeamDumper-BOF](https://github.com/MWR-CyberSec/VeeamDumper-BOF) | Credential extraction BOF for Veeam Backup & Replication and Veeam One | ![](https://img.shields.io/github/stars/MWR-CyberSec/VeeamDumper-BOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/MWR-CyberSec/VeeamDumper-BOF?label=&style=flat) |

---

## Not on GitHub

These are BOFs not found on GitHub, but on GitLab or other places.

| Project | Description | Stars | Last commit |
|---------|-------------|-------|-------------|
| [BOF-Adios](https://gitlab.com/nephosec/bof-adios) | BOF Adios is based on the (awesome) work from Nerdworks Blogorama, which you can find here: https://blogorama.nerdworks.in/selfdeletingexecutables/ | ![](https://img.shields.io/gitlab/stars/nephosec/bof-adios?label=&style=flat) | ![](https://img.shields.io/gitlab/last-commit/nephosec/bof-adios?label=&style=flat) |
| [BOF-JobControl](https://gitlab.com/nephosec/bof-jobcontrol) | Tamper with processes to limit their bandwidth, CPU, etc. | ![](https://img.shields.io/gitlab/stars/nephosec/bof-jobcontrol?label=&style=flat) | ![](https://img.shields.io/gitlab/last-commit/nephosec/bof-jobcontrol?label=&style=flat) |

---

## Supporting Tools (Not BOFs Themselves)

These are BOF-related tools that are not BOFs themselves.

| Project | Description | Stars | Last commit |
|---------|-------------|-------|-------------|
| [HelpColor](https://github.com/outflanknl/HelpColor) | A utility to add color support to the help output of Cobalt Strike BOFs. | ![](https://img.shields.io/github/stars/outflanknl/HelpColor?label=&style=flat) | ![](https://img.shields.io/github/last-commit/outflanknl/HelpColor?label=&style=flat) |
| [bofhound](https://github.com/coffeegist/bofhound) | Tool to generate BloodHound-compatible JSON data from LDAP logs, often used in conjunction with reconnaissance BOFs. | ![](https://img.shields.io/github/stars/coffeegist/bofhound?label=&style=flat) | ![](https://img.shields.io/github/last-commit/coffeegist/bofhound?label=&style=flat) |
| [bin2shell](https://github.com/l0n3m4n/bin2shell) | Convert binaries to shellcode formats including BOF loader | ![](https://img.shields.io/github/stars/l0n3m4n/bin2shell?label=&style=flat) | ![](https://img.shields.io/github/last-commit/l0n3m4n/bin2shell?label=&style=flat) |
| [BOFRyptor](https://github.com/securifybv/BOFRyptor) | Assembly-level obfuscation/loader utilities for BOFs | ![](https://img.shields.io/github/stars/securifybv/BOFRyptor?label=&style=flat) | ![](https://img.shields.io/github/last-commit/securifybv/BOFRyptor?label=&style=flat) |
| [Bof2PIC](https://github.com/timwhitez/Bof2PIC) | Convert BOF/COFF to shellcode (PIC) using Golang | ![](https://img.shields.io/github/stars/timwhitez/Bof2PIC?label=&style=flat) | ![](https://img.shields.io/github/last-commit/timwhitez/Bof2PIC?label=&style=flat) |
| [InlineWhispers2](https://github.com/Sh0ckFR/InlineWhispers2) | Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2 | ![](https://img.shields.io/github/stars/Sh0ckFR/InlineWhispers2?label=&style=flat) | ![](https://img.shields.io/github/last-commit/Sh0ckFR/InlineWhispers2?label=&style=flat) |
| [InlineWhispers3](https://github.com/tdeerenberg/InlineWhispers3) | InlineWhispers3 is an updated version of InlineWhispers2, designed to work with Indirect System Calls in Cobalt Strike's Beacon Object Files (BOFs) using SysWhispers3. This tool helps change SysWhispers3-generated files to be BOF compatible. | ![](https://img.shields.io/github/stars/tdeerenberg/InlineWhispers3?label=&style=flat) | ![](https://img.shields.io/github/last-commit/tdeerenberg/InlineWhispers3?label=&style=flat) |
| [llvmpass_for_bof](https://github.com/h0li3/llvmpass_for_bof) | A simple llvm pass used in BOF compiling | ![](https://img.shields.io/github/stars/h0li3/llvmpass_for_bof?label=&style=flat) | ![](https://img.shields.io/github/last-commit/h0li3/llvmpass_for_bof?label=&style=flat) |
| [lnkcreate_bofnet](https://github.com/inzlain/lnkcreate_bofnet) | BOF.NET class for creating LNK files | ![](https://img.shields.io/github/stars/inzlain/lnkcreate_bofnet?label=&style=flat) | ![](https://img.shields.io/github/last-commit/inzlain/lnkcreate_bofnet?label=&style=flat) |
| [BOF-Builder](https://github.com/ceramicskate0/BOF-Builder) | .NET 5.0 tool to mass-build BOFs | ![](https://img.shields.io/github/stars/ceramicskate0/BOF-Builder?label=&style=flat) | ![](https://img.shields.io/github/last-commit/ceramicskate0/BOF-Builder?label=&style=flat) |
| [SharpMailBOF](https://github.com/xenoscr/SharpMailBOF) | A BOF.NET program to split a file into smaller chunks and email it via a specified SMTP relay. | ![](https://img.shields.io/github/stars/xenoscr/SharpMailBOF?label=&style=flat) | ![](https://img.shields.io/github/last-commit/xenoscr/SharpMailBOF?label=&style=flat) |
| [BOFMask](https://github.com/passthehashbrowns/BOFMask) | BOFMask is a proof-of-concept for masking Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF). | ![](https://img.shields.io/github/stars/passthehashbrowns/BOFMask?label=&style=flat) | ![](https://img.shields.io/github/last-commit/passthehashbrowns/BOFMask?label=&style=flat) |
| [BOFMask (fork)](https://github.com/xforcered/BOFMask) | Fork of passthehashbrowns’ BOFMask project | ![](https://img.shields.io/github/stars/xforcered/BOFMask?label=&style=flat) | ![](https://img.shields.io/github/last-commit/xforcered/BOFMask?label=&style=flat) |
| [Shoggoth](https://github.com/frkngksl/Shoggoth) | Shoggoth: Asmjit Based Polymorphic Encryptor | ![](https://img.shields.io/github/stars/frkngksl/Shoggoth?label=&style=flat) | ![](https://img.shields.io/github/last-commit/frkngksl/Shoggoth?label=&style=flat) |
| [wpd_com](https://github.com/mannyfred/wpd_com) | Windows Portable Device COM BOF for enumerating and listing files on connected portable devices | ![](https://img.shields.io/github/stars/mannyfred/wpd_com?label=&style=flat) | ![](https://img.shields.io/github/last-commit/mannyfred/wpd_com?label=&style=flat) |

---