Dumping SAM / SECURITY / SYSTEM registry hives with a Beacon Object File

EncodeGroup/BOF-RegSave

About

Beacon Object File (BOF) for Cobalt Strike that acquires the necessary privileges and dumps the SAM, SYSTEM and SECURITY registry hives to disk for offline parsing and hash extraction.

Instructions

The CNA script registers the bof-regsave command, which takes the output directory as its argument:

beacon> bof-regsave c:\temp\

By default the dumped hives are written to the following files in that directory:

samantha.txt - SAM
systemic.txt - SYSTEM
security.txt - SECURITY

You can change the output file names by editing entry.c.

Credits

Template & Makefile based on repo from @realoriginal

Reading material on BOFs

CS Beacon Object Files

Aggressor-Script functions

Beacon Object Files - Luser Demo

A Developer's Introduction To Beacon Object Files

Github repos

https://github.com/rsmudge/ZeroLogon-BOF
https://github.com/rsmudge/CVE-2020-0796-BOF
https://github.com/trustedsec/CS-Situational-Awareness-BOF
https://github.com/tomcarver16/BOF-DLL-Inject
https://github.com/m57/cobaltstrike_bofs/
https://github.com/rvrsh3ll/BOF_Collection/
https://github.com/realoriginal/bof-NetworkServiceEscalate

Author

@leftp
