zer0yu
Awesome-CobaltStrike

List of Awesome CobaltStrike Resources

Last updated Jul 8, 2026
4.4k
Stars
764
Forks
0
Issues
+2
Stars/day
Attention Score
88
Language breakdown
No language data available.
Files click to expand
README

Awesome CobaltStrike Awesome CobaltStrike Awesome community

Contents

- 1. Basic Knowledge - 2. Crack and Customisation - 3. Useful Trick - 4. CobaltStrike Hide - 5. CobaltStrike Analysis - 6. CobaltStrike Video

0x00 Introduction

  • The first part is a collection of quality articles about CobaltStrike
  • The third part is about the integration of the new features BOF resources
  • This project is to solve the problem of not finding the right aggressor script or BOF when it is needed
  • If there is quality content that is not covered in this repo, welcome to submit pr

0x01 Articles & Videos

1. Basic Knowledge

2. Crack and Customisation

3. Useful Trick

4. CobaltStrike Hide

5. CobaltStrike Analysis

6. CobaltStrike Video

0x02 C2 Profiles

| Type | Name | Description | Popularity | Language | |:---:|:---:|:---:|:---:|:---:| | ALL | Malleable-C2-Profiles | Official Malleable C2 Profiles | | | | ALL | Malleable-C2-Randomizer | This script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage | | | | ALL | malleable-c2 | Cobalt Strike Malleable C2 Design and Reference Guide | | | | ALL | Malleable-C2-Profiles | A collection of profiles used in Cobalt Strike and Empire's Malleable C2 Listener. | | | | ALL | randomc2profile | Random C2 Profile Generator | | | | ALL | SourcePoint | SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. | | | | ALL | C2concealer | C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike. | | | | ALL | MalleableC2-Profiles | A collection of Cobalt Strike Malleable C2 profiles. now have Windows Updates Profile | | | | ALL | MalleableC2-Profiles | Cobalt Strike - Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike | | | | ALL | pyMalleableC2 | A Python interpreter for Cobalt Strike Malleable C2 profiles that allows you to parse, modify, build them programmatically and validate syntax. | | | | ALL | 1135-CobaltStrike-ToolKit | Cobalt Strike的Malleable C2配置文件,被设计用来对抗流量分析 | | | | ALL | servicecobaltstrike | CobaltStrike profile | | | | ALL | CobaltNotion | A spin-off research project. Cobalt Strike x Notion collab 2022. | | | | ALL | Burp2Malleable | This is a quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles. | | | | ALL | autoRebind | Automatically parse Malleable C2 profiled into CrossC2 rebinding library source code | | | | ALL | goMalleable | Malleable C2 profiles parser and assembler written in golang | | | | ALL | Malleable-CS-Profiles | A list of python tools to help create an OPSEC-safe Cobalt Strike profile. | | |

0x03 BOF

| Type | Name | Description | Popularity | Language | |:---:|:---:|:---:|:---:|:---:| | ALL | BOFCollection | Various Cobalt Strike BOFs | | | | ALL | cobaltstrike-bof-toolset | 收集网络中在cobaltstrike中使用的bof工具集。 | | | | ALL | Situational Awareness BOF | Its larger goal is providing a code example and workflow for others to begin making more BOF files. Blog | | | | ALL | bofhelper | Beacon Object File (BOF) Creation Helper | | | | ALL | BOF-DLL-Inject | BOF DLL Inject is a custom Beacon Object File that uses manual map DLL injection in order to migrate a dll into a process all from memory. | | | | ALL | cobaltstrikebofs | BOF spawns a process of your choice under a specified parent, and injects a provided shellcode file via QueueUserAPC(). | | | | ALL | BOF-RegSave | Beacon Object File(BOF) for CobaltStrike that will acquire the necessary privileges and dump SAM - SYSTEM - SECURITY registry keys for offline parsing and hash extraction. | | | | ALL | CobaltStrike BOF | DCOM Lateral Movement; WMI Lateral Movement - Win32Process Create; WMI Lateral Movement - Event Subscription | | | | ALL | BOFs | ETW Patching; API Function Utility; Syscalls Shellcode Injection | | | | ALL | Remote Operations BOF | This repo serves as an addition to our previously released SA Repo. Our original stance was that we would not release our tooling that modified other systems, and we would only provide information gathering tooling in a ready to go format. | | | | ALL | OperatorsKit | This repository contains a collection of tools that integrate with Cobalt Strike through Beacon Object Files (BOFs). | | | | Dev | bof | This is a template project for building Cobalt Strike BOFs in Visual Studio. | | | | Dev | NeedleSiftBOF | Strstr with user-supplied needle and filename as a BOF. | | | | Dev | Quser-BOF | Beacon Object Files Quser implementation using Windows API | | | | Dev | BOF.NET | A .NET Runtime for Cobalt Strike's Beacon Object Files. | | | | Dev | beacon-object-file | The format, described by Mudge here, asks that the operator construct an COFF file using a mingw-w64 compiler or the msvc compiler that holds an symbol name indicating its entrypoint, and underlying function calls. | | | | Dev | InlineWhispers | Demonstrate the ability to easily use syscalls using inline assembly in BOFs. | | | | Dev | WdToggle | A Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Credential Guard (if enabled). | | | | Dev | Situational Awareness BOF | This Repo intends to serve two purposes. First it provides a nice set of basic situational awareness commands implemented in BOF. This allows you to perform some checks on a host before you begin executing commands that may be more invasive. | | | | Dev | MiniDumpWriteDump | Custom implementation of DbgHelp's MiniDumpWriteDump function. Uses static syscalls to replace low-level functions like NtReadVirtualMemory. | | | | Dev | COFF Loader | This is a quick and dirty COFF loader (AKA Beacon Object Files). Currently can run un-modified BOF's so it can be used for testing without a CS agent running it. The only exception is that the injection related beacon compatibility functions are just empty. | | | | Dev | SelfDeletionBOF | BOF implementation of the research by @jonasLyk and the drafted PoC from @LloydLabs | | | | Dev | PE Import Enumerator BOF | This is a BOF to enumerate DLL files to-be-loaded by a given PE file. Depending on the number of arguments, this will allow an operator to either view a listing of anticipated imported DLL files, or to view the imported functions for an anticipated DLL. | | | | Dev | Visual-Studio-BOF-template | A Visual Studio template used to create Cobalt Strike BOFs | | | | Dev | BOF-Builder | C# .Net 5.0 project to build BOF (Beacon Object Files) in mass based on them all being in a folder directory struct somewhere. | | | | Dev | ELFLoader | This is a ELF object in memory loader/runner. The goal is to create a single elf loader that can be used to run follow on capabilities across all x8664 and x86 nix operating systems. | | | | Dev | Rust BOFs for Cobalt Strike | This took me like 4 days, but I got it working... rust core + alloc for Cobalt Strike BOFs. This is very much a PoC, but I'd love to see others playing around with it and contributing. | | | | Dev | CoffeeLdr | CoffeeLdr is a loader for so called Beacon Object Files. This project can be used for testing Beacon Object files without using the Cobalt Strike framework or can be used to give custom implants a way to execute BOFs that where designed for Cobalt strike. | | | | Dev | HalosGate Processlist Cobalt Strike BOF | Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes. | | | | Dev | PPLFaultDumpBOF | Takes the original PPLFault and the original included DumpShellcode and combinds it all into a BOF targeting cobalt strike. | | | | Dev | Winsocky | Winsocket implementation for Cobalt Strike. Used to communicate with the victim using winsockets instead of the traditional ways. | | | | Dev | bof-vs | A Beacon Object File (BOF) template for Visual Studio. | | | | Auxiliary | Defender Exclusions BOF | A BOF to determine Windows Defender exclusions. | | | | Auxiliary | ScreenShot-BOF | ScreenShot bof for Cobalt Strike . All in memory and no spawn/inject. | | | | Auxiliary | BofRoast | Beacon Object File repo for roasting Active Directory. | | | | Auxiliary | EnumCLR.c | Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates. | | | | Auxiliary | PPEnum | Simple BOF to read the protection level of a process. | | | | Auxiliary | secinject | Section Mapping Process Injection (secinject): Cobalt Strike BOF | | | | Auxiliary | FindObjects-BOF | A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles. | | | | Auxiliary | Inject-assembly | Inject-assembly - Execute .NET in an Existing Process. This tool is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly. | | | | Auxiliary | WhereAmiI | WhereAmiI - Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's. | | | Auxiliary | GetWebDAVStatus | Small project to determine if the Web Client service (WebDAV) is running on a remote system by checking for the presence of the DAV RPC SERVICE named pipe. | | | | Auxiliary | ChromeKeyDump | BOF implementation of Chlonium tool to dump Chrome Masterkey and download Cookie/Login Data files | | | | Auxiliary | Sleeper | BOF to call the SetThreadExecutionState function to prevent host from Sleeping | | | | Auxiliary | LSASS | Beacon Object File to dump Lsass memory by obtaining a snapshot handle. Does MiniDumpWriteDump/NtReadVirtualMemory on SnapShot of LSASS instad of original LSASS itself hence evades some AV/EDR. | | | | Auxiliary | getsystem | get system by duplicating winlogon's token. | | | | Auxiliary | Silent Lsass Dump | Silent Lsass Dump | | | | Auxiliary | unhook-bof | This is a Beacon Object File to refresh DLLs and remove their hooks. | | | | Auxiliary | Beacon Health Check Aggressor Script | This aggressor script uses a beacon's note field to indicate the health status of a beacon. | | | | Auxiliary | Registry BOF | A beacon object file for use with cobalt strike v4.1+. Supports querying, adding, and deleting keys/values of local and remote registries. | | | | Auxiliary | InlineExecute-Assembly | InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module | | | | Auxiliary | CredBandit | CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel. The memory dump is done by using NTFS transactions which allows us to write the dump to memory and the MiniDumpWriteDump API has been replaced with an adaptation of ReactOS's implementation of MiniDumpWriteDump. | | | | Auxiliary | Inject AMSI Bypass | Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. | | | | Auxiliary | FirewallEnumeratorBOF | Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. | | | | Auxiliary | Detect-Hooks | Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR | | | | Auxiliary | unhook-bof | Remove API hooks from a Beacon process. | | | | Auxiliary | whereami | Cobalt Strike "Where Am I?" Beacon Object File | | | | Auxiliary | HOLLOW | EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode | | | | Auxiliary | BOFs | sendshellcodeviapipe;cat;wtsenumremote_processes | | | | Auxiliary | SCShell | SCShell is a fileless lateral movement tool that relies on ChangeServiceConfigA to run commands. | | | | Auxiliary | WinRMDLL | A while ago I produced CSharpWinRM which was alright, but I wanted to look at the WinRM C++ API properly. | | | | Auxiliary | LSASS Dumping With Foreign Handles | LSASS Dumping With Foreign Handles | | | | Auxiliary | PPLDump BOF | this is a fully-fledged BOF to dump an arbitrary protected process.(LSASS) | | | | Auxiliary | PortBender | PortBender is a TCP port redirection utility that allows a red team operator to redirect inbound traffic destined for one TCP port (e.g., 445/TCP) to another TCP port (e.g., 8445/TCP). | | | | Auxiliary | BOF2Shellcode | POC tool to convert a Cobalt Strike BOF into raw shellcode. | | | | Auxiliary | DLL Hijack Search Order BOF | DLL Hijack Search Order Enumeration BOF | | | | Auxiliary | InlineWhispers2 | Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2 | | | | Auxiliary | NetUser | 使用windows api添加用户,可用于net无法使用时 | | | | Auxiliary | BOF-Nim | 用Nim语言写BoF | | | | Auxiliary | Invoke-Bof | Load any Beacon Object File using Powershell! | | | | Auxiliary | Cobalt-Clip | Cobalt-clip is clipboard addons for cobaltstrike to interact with clipboard. With this you can dump, edit and monitor the content of q clipboard. | | | | Auxiliary | CoffLoader | Load and execute COFF files and Cobalt Strike BOFs in-memory | | | | Auxiliary | COFFLoader2 | Load and execute COFF files and Cobalt Strike BOFs in-memory | | | | Auxiliary | Process Protection Level Enumerator BOF | A Syscall-only BOF file intended to grab process protection attributes, limited to a handful that Red Team operators and pentesters would commonly be interested in. | | | | Auxiliary | ToggleTokenPrivilegesBOF | AAn (almost) syscall-only BOF file intended to either add or remove token privileges within the context of your current process. | | | | Auxiliary | Cobalt Strike BOF - Inject ETW Bypass | Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate) | | | | Auxiliary | HandleKatzBOF | PIC your Katz! Say hello to HandleKatz, our position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump() | | | | Auxiliary | tgtdelegation | tgtdelegation is a Beacon Object File (BOF) to obtain a usable TGT via the "TGT delegation trick" | | | | Auxiliary | nanodump | A Beacon Object File that creates a minidump of the LSASS process. | | | | Auxiliary | xPipe Cobalt Strike BOF (x64) | Cobalt Strike Beacon Object File (BOF) to list active Pipes & return their Owner & Discretionary Access Control List (DACL) permissions. | | | | Auxiliary | AddUser-Bof | Cobalt Strike BOF that Add an admin user | | | | Auxiliary | ServiceMove-BOF | Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking | | | | Auxiliary | Detect-Hooks | Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR | | | | Auxiliary | MemReader BoF | MemReader Beacon Object File will allow you to search and extract specific strings from a target process memory and return what is found to the beacon output. | | | | Auxiliary | Readfile BoF | Not the prettiest code, short sweet and to the point and will allow you to read file contents to beacon output. | | | | Auxiliary | ChromiumKeyDump | BOF implementation of Chlonium tool to dump Chrome/Edge Masterkey and download Cookie/Login Data files | | | | Auxiliary | LdapSignCheck | Beacon Object File to scan a Domain Controller to see if LdapEnforceChannelBinding or LdapServerIntegrity has been modified to mitigate against relaying attacks. | | | | Auxiliary | DelegationBOF | This tool uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks. | | | | Auxiliary | RunOF | A tool to run object files, mainly beacon object files (BOF), in .Net. | | | | Auxiliary | KillDefenderBOF | Beacon Object File implementation of pwn1sher's KillDefender. | | | | Auxiliary | TokenStripBOF | TokenStrip is a Beacon Object File implementation of pwn1sher's KillDefender project utilizing syscalls via InlineWhispers. | | | | Auxiliary | BOF - RDPHijack | Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. | | | | Auxiliary | Koh | Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. | | | | Auxiliary | RDPHijack | Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. | | | | Auxiliary | KDStab | BOF combination of KillDefender and Backstab. | | | | Auxiliary | Token Vault BOF for Cobalt Strike | This Beacon Object File (BOF) creates in-memory storage for stolen/duplicated Windows access tokens. | | | | Auxiliary | ASRenum | Identify ASR rules, actions, and exclusion locations. | | | | Auxiliary | ThreadlessInject-BOF | BOF implementation of @EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023. | | | | Auxiliary | Inline-Execute-PE | Execute unmanaged Windows executables in CobaltStrike Beacons. This enables Operators to use many third party tools (Mimikatz, Dsquery, Sysinternals tools, etc) without needing to drop them to disk, reformat them to position independent code using a tool like Donut, or create a new process to run them. | | | | Auxiliary | BOFs | Subscribes to WNF notifications for a number of seconds. && Backdoors SCManager SDDL. | | | | Auxiliary | DomainPasswordSpray | Perform LDAP-based or Kerberos-based password spray using Windows API LogonUserSSPI. Skip disabled accounts, locked accounts and large BadPwdCount (if specified). | | | | Auxiliary | BOF-CredUI | Credentials Collection via CredUIPromptForWindowsCredentials | | | | Auxiliary | Cookie-Graber-BOF | C or BOF file to extract WebKit master key to decrypt user cookie. The C code can be used to compile an executable or a bof script for Cobalt Strike. | | | | Auxiliary | ScreenshotBOF | An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory. | | | | Auxiliary | ScreenshotBOFPlus | Take a screenshot without injection for Cobalt Strike. I only made minor optimizations to the existing code, and made it support the ability to get a complete screenshot when global scaling is initiated on Windows. | | | | Auxiliary | Elevate-System-Trusted-BOF | This BOF can be used to elevate the current beacon to SYSTEM and obtain the TrustedInstaller group privilege. The impersonation is done through the SetThreadToken API. | | | | Auxiliary | Hidden Desktop BOF | Hidden Desktop (often referred to as HVNC) is a tool that allows operators to interact with a remote desktop session without the user knowing. | | | | Auxiliary | DropSpawn | DropSpawn is a CobaltStrike BOF used to spawn additional Beacons via a relatively unknown method of DLL hijacking. Works x86-x86, x64-x64, and x86-x64/vice versa. Use as an alternative to process injection. | | | | Auxiliary | Nanorobeus | COFF file (BOF) for managing Kerberos tickets. | | | | Auxiliary | SelfDel | Delete file regardless of whether the handle is used via SetFileInformationByHandle | | | | Auxiliary | GetWeChatBOF

🔗 More in this category

© 2026 GitRepoTrend · zer0yu/Awesome-CobaltStrike · Updated daily from GitHub