2025-07-10 | BOF | The-Z-Labs |  | bof-launcher | bof-launcher library - API for managing and executing BOFs on Windows (x64, x86) and Linux (x64, x86, aarch64, arm) in C/Zig/Rust/Go/C++ applications | win32-api: Re-work (wip).
| 218 | | |
2025-06-30 | BOF | Mr-Un1k0d3r |  | BOFCode | Bunch of BOF files | Merge pull request #1 from zurro/patch-1
Update README.md | 33 |
| |
2025-06-27 | Malleable-C2 | Cobalt-Strike |  | Malleable-C2-Profiles | Malleable C2 is a domain specific language to redefine indicators in Beacon's communication. This repository is a collection of Malleable C2 profiles that you may use. These profiles work with Cobalt Strike 3.x. | Merge pull request #9 from Cobalt-Strike/zurro-patch-1
Create README.md | 223 | | |
2025-06-25 | BOF | trustedsec |  | CS-Situational-Awareness-BOF | Situational Awareness commands implemented using Beacon Object Files | Initialize variables inside get_session_info
Fix #132
| 1477 |
| |
2025-06-12 | BOF | Cobalt-Strike |  | bof-vs | A Beacon Object File (BOF) template for Visual Studio | Merge remote-tracking branch 'origin/feat/boflinter'
| 226 | | |
2025-04-22 | BOF | CodeXTF2 |  | ScreenshotBOF | An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory. | Merge pull request #16 from evilAdan0s/master
Adding the DPI awareness setting to fix incomplete screenshots | 435 | | |
2025-04-16 | Malleable-C2 | Tylous |  | SourcePoint | SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. | v4.0 | 1147 | | |
2025-03-17 | BOF | Cobalt-Strike |  | bof_template | A Beacon Object File (BOF) is a compiled C program, written to a convention that allows it to execute within a Beacon process and use internal Beacon APIs. BOFs are a way to rapidly extend the Beacon agent with new post-exploitation features. | Updated beacon.h
| 195 | | |
2025-03-17 | Aggressor | Cobalt-Strike |  | callback_examples | This contains a number of examples demonstrating how to use callback functions in supported aggressor script functions | Merge pull request #1 from Cobalt-Strike/rel_411
Cobalt Strike release 4.11
- Added new example for dllinject which provides another example of using the new bread_pipe aggressor function.
- Updated the example commands to be added to a new command group 'Callback Examples' to provide an example of the new beacon_command_group aggressor function and adding the new additional parameter to the beacon_command_register command to link the command to the command group. | 34 |
| |
2025-03-05 | Aggressor | nickvourd |  | CS-Aggressor-Kit | Homemade Aggressor scripts kit for Cobalt Strike | Update README.md | 69 | | |
2025-02-26 | BOF | trustedsec |  | CS-Remote-OPs-BOF | | add get_azure_token
| 1002 |
| |
2025-02-17 | BOF | rasta-mouse |  | SpawnWith | | Merge pull request #1 from 0xTriboulet/main
Fix for 32-bit | 107 |
| |
2024-11-26 | Logging | Patrick-DE |  | C2-logparser | Parses logs created by Cobalt Strike or Brute Ratel and creates an SQLite DB which can be used to create custom reports. | fixed errors in the ttps.csv
| 15 | | |
2024-10-23 | BOF | fortra |  | No-Consolation | A BOF that runs unmanaged PEs inline | Merge pull request #4 from Cerbersec/main
fix issue with --free-libs | 618 |
| |
2024-09-17 | BOF | fortra |  | nanodump | The swiss army knife of LSASS dumping | fix compilation issue
| 1965 |
| |
2024-09-04 | BOF | CCob |  | BOF.NET | A .NET Runtime for Cobalt Strike's Beacon Object Files | Create FUNDING.yml | 740 |
| |
2024-08-16 | Aggressor | 0xbad53c |  | OffSecOps-Arsenal | Aggressor script to automatically download and load an arsenal of open source and private Cobalt Strike tooling. | Merge pull request #1 from EvanMcBroom/main
Fixes syntax errors. | 25 | | |
2024-08-13 | Aggressor | RedSiege |  | AggressorAssessor | Aggressor scripts for phases of a pen test or red team assessment | Update README.md | 184 | | |
2024-04-29 | BOF | Mr-Un1k0d3r |  | Cookie-and-Handle-Stealer | C or BOF file to extract WebKit master key to decrypt user cookie | Update handle-stealer.c | 202 |
| |
2024-03-25 | BOF | m3rcer |  | Chisel-Strike | A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities. | Update README.md | 456 |
| |
2024-03-18 | Aggressor | outflanknl |  | HelpColor | Aggressor script that lists available Cobalt Strike beacon commands and colors them based on their type | Merge pull request #10 from leebaird/master
Added new TrustedSec SA and Remote Ops BOFs | 207 | | |
2024-03-15 | Malleable-C2 | RedSiege |  | C2concealer | C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike. | Update profile.py branding | 1075 | | |
2024-01-02 | Aggressor | RCStep |  | CSSG | Cobalt Strike Shellcode Generator | Added Beacon syscalls and http library selections | 657 |
| |
2023-12-05 | BOF | trainr3kt |  | MemReader_BoF | | search specific strings...no more array | 46 | | |
2023-11-22 | UDRL | boku7 |  | BokuLoader | A proof-of-concept Cobalt Strike Reflective Loader which aims to recreate, integrate, and enhance Cobalt Strike's evasion features! | Merge pull request #33 from 0xbad53c/main
Add strreps for SMB, TCP and DNS | 1340 | | |
2023-11-08 | Malleable-C2 | threatexpress |  | malleable-c2 | Cobalt Strike Malleable C2 Design and Reference Guide | cs4.9 updates (#19)
| 1697 | | |
2023-10-27 | BOF | outflanknl |  | C2-Tool-Collection | A collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques. | DetailedOSInfo
| 1257 | | |
2023-09-28 | UDRL | kyleavery |  | AceLdr | Cobalt Strike UDRL for memory scanner evasion. | bug fixes
| 945 | | |
2023-09-05 | BOF | rasta-mouse |  | SCMUACBypass | | Add CNA and updated readme
| 100 | | |
2023-07-29 | Aggressor | Und3rf10w |  | Aggressor-scripts | Aggressor scripts I've made for Cobalt Strike | added matrix-hookshot cna | 408 | | |
2023-07-25 | BOF | ceramicskate0 |  | BOF-Builder | C# .Net 5.0 project to build BOF (Beacon Object Files) in mass | Update README.md | 28 | | |
2023-07-20 | BOF | mandiant |  | msi-search | | Replaced Write-Host with Write-Output | 282 |
| |
2023-07-12 | UDRL | mgeeky |  | ElusiveMice | Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind | Merge pull request #5 from v1stra/master
Updated elusiveMice.c to work with `make` out of the box | 467 |
| |
2023-06-30 | Aggressor | harleyQu1nn |  | AggressorScripts | Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources | Merge pull request #16 from 0xAsh/master
Fix Syntax errors + Big logic bug | 1510 | | |
2023-05-10 | BOF | rasta-mouse |  | PPEnum | Simple BOF to read the protection level of a process | Add files
| 115 |
| |
2023-05-03 | BOF | outflanknl |  | FindObjects-BOF | A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific loaded modules or process handles. | MovedRepo
| 272 | | |
2023-05-03 | BOF | outflanknl |  | WdToggle | A Beacon Object File (BOF) for Cobalt Strike which uses direct system calls to enable WDigest credential caching. | MovedRepo
| 219 | | |
2023-04-12 | Aggressor | Cobalt-Strike |  | sleep_python_bridge | This project is a 'bridge' between the sleep and python language. It allows the control of a Cobalt Strike teamserver through python without the need for the standard GUI client. NOTE: This project is very much in BETA. The goal is to provide a playground for testing and is in no way an officially supported feature. Perhaps this could be something added in the future to the core product. | Merge pull request #11 from Cobalt-Strike/payload_gen_updates
Payload gen updates | 185 | | |
2023-04-06 | Malleable-C2 | CodeXTF2 |  | Burp2Malleable | Quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles | fixed #5
| 390 | | |
2023-03-27 | BOF | Mr-Un1k0d3r |  | Elevate-System-Trusted-BOF | | Add files via upload | 158 |
| |
2023-03-23 | BOF | Octoberfest7 |  | KDStab | BOF combination of KillDefender and Backstab | Fix CNA help menu
| 169 |
| |
2023-03-23 | BOF | mertdas |  | PrivKit | PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS. | Merge pull request #1 from molatho/main
Added makefile | 426 |
| |
2023-03-13 | BOF | boku7 |  | whereami | Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's. | Extra checking | 180 | | |
2023-03-08 | BOF | boku7 |  | HOLLOW | EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode | Merge pull request #4 from boku7/add-license-1
Create LICENSE.md | 285 |
| |
2023-03-08 | BOF | boku7 |  | injectAmsiBypass | Cobalt Strike BOF - Bypass AMSI in a remote process with code injection. | Merge pull request #1 from boku7/add-license-1
Create LICENSE.md | 380 | | |
2023-03-08 | BOF | boku7 |  | spawn | Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing. | Merge pull request #2 from boku7/add-license-1
Create LICENSE.md | 462 |
| |
2023-03-07 | BOF | N4kedTurtle |  | PersistBOF | A BOF to automate common persistence tasks for red teamers | Update README.md | 282 | | |
2023-03-04 | BOF | Octoberfest7 |  | Inline-Execute-PE | Execute unmanaged Windows executables in CobaltStrike Beacons | Fix CNA for interactive beacons
| 683 |
| |
2023-02-24 | BOF | Yaxser |  | CobaltStrike-BOF | Collection of beacon BOF written to learn windows and cobaltstrike | Update README.md | 354 |
| |
2023-01-19 | Malleable-C2 | threatexpress |  | cs2modrewrite | Convert Cobalt Strike profiles to modrewrite scripts | Merge pull request #9 from chrismaddalena/master
Linter Clean-up | 606 | | |
2023-01-05 | Malleable-C2 | threatexpress |  | random_c2_profile | Cobalt Strike random C2 Profile generator | Update readme
| 661 | | |
2022-12-05 | BOF | crypt0p3g |  | bof-collection | Collection of Beacon Object Files (BOF) for Cobalt Strike | ChromiumKeyDump bug fixes
| 178 | | |
2022-10-28 | Malleable-C2 | xx0hcd |  | Malleable-C2-Profiles | Cobalt Strike - Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike https://www.cobaltstrike.com/. | Create ursnif_ransomware.profile | 826 | | |
2022-10-07 | Infrastructure | mgeeky |  | RedWarden | Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation | Changes.
| 978 | | |
2022-10-01 | BOF | ScriptIdiot |  | BOF-patchit | An all-in-one Cobalt Strike BOF to patch, check and revert AMSI and ETW for x64 process. Both syscalls and dynamic resolve versions are available. | Update README.md | 135 |
| |
2022-09-23 | Aggressor | EspressoCake |  | RecreateCSDownloadsTree | Generation of TOML metadata for recreating directory structures from Cobalt Strike Beacon downloads. | Initial commit.
| 9 | | |
2022-09-09 | RDLL | ScriptIdiot |  | SysmonQuiet | RDLL for Cobalt Strike beacon to silence sysmon process | Merge pull request #2 from ScriptIdiot/1.1
1.1 | 89 |
| |
2022-09-08 | Aggressor | CodeXTF2 |  | cobaltstrike-headless | Aggressorscript that turns the headless aggressor client into a (mostly) functional cobalt strike client. | Merge pull request #1 from adamsvoboda/main
| 149 | | |
2022-08-23 | Aggressor | Verizon |  | redshell | An interactive command prompt for red teaming and pentesting. Automatically pushes commands through SOCKS4/5 proxies via proxychains. Optional Cobalt Strike integration pulls beacon SOCKS4/5 proxies from the team server. Automatically logs activities to a local CSV file and a Cobalt Strike team server (if configured). | Added support for Cobalt Strike SOCKS5 proxies
Added checks for SOCKS server connections and authentication
Added automated prompt changes based on context
Added a switch to the config command to show/hide secrets
Updated intro banner
| 216 | | |
2022-08-18 | BOF | Henkru |  | cs-token-vault | In-memory token vault BOF for Cobalt Strike | Fix upper part handling
| 144 | | |
2022-07-21 | BOF | Sh0ckFR |  | InlineWhispers2 | Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2 | Fixed InlineWhispers2 with the old version of SysWhispers (new version will be updated later) | 186 | | |
2022-07-08 | BOF | netero1010 |  | RDPHijack-BOF | Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. | Add files via upload | 304 |
| |
2022-06-22 | External-C2 | Und3rf10w |  | external_c2_framework | Python api for usage with cobalt strike's External C2 specification | add credits to @xychix
I can't believe I didn't do this before, I really regret not doing this earlier | 241 | | |
2022-06-17 | Aggressor | mgeeky |  | cobalt-arsenal | My collection of battle-tested Aggressor Scripts for Cobalt Strike 4.0+ | Merge pull request #3 from mgeeky/add-code-of-conduct-1
Create CODE_OF_CONDUCT.md | 1085 |
| |
2022-05-30 | BOF | erberkan |  | dump-hives-BOF | Dump SAM, SYSTEM and SECURITY hives under C:\ drive. | fixed minor things
| 6 |
| |
2022-05-23 | Aggressor | EspressoCake |  | DynamicTabRename | CNA that interacts with a JAR file to dynamically rename GUI tabs within Cobalt Strike from a JSON file. | First commit.
| 24 | | |
2022-05-14 | Aggressor | EspressoCake |  | BeaconDownloadSync | | Create option to specify download location, per TeamServer.
| 94 | | |
2022-05-12 | BOF | trainr3kt |  | Readfile_BoF | | update to only alloc filesize
| 21 | | |
2022-05-09 | Aggressor | NVISOsecurity |  | pyCobaltHound | pyCobaltHound is an Aggressor script extension for Cobalt Strike which aims to provide a deep integration between Cobalt Strike and Bloodhound. | Create LICENSE | 137 | | |
2022-05-06 | BOF | Octoberfest7 |  | EventViewerUAC_BOF | Beacon Object File implementation of Event Viewer deserialization UAC bypass | Merge pull request #1 from Octoberfest7/add-license-1
Create LICENSE | 131 | | |
2022-05-04 | BOF | Crypt0s |  | DelegationBOF | | Merge pull request #1 from ceramic-skate0/patch-1
Update Makefile | 141 | | |
2022-03-24 | Aggressor | ScriptIdiot |  | BeaconNotifier-Discord | Cobalt strike CNA script to notify you via Discord whenever there is a new beacon. | Update notify.cna | 34 | | |
2022-03-13 | BOF | Cobalt-Strike |  | unhook-bof | Remove API hooks from a Beacon process. | Merge pull request #2 from S4ntiagoP/master
add syscalls, change compiler to MinGW | 57 |
| |
2022-02-23 | BOF | netero1010 |  | ServiceMove-BOF | New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution. | Dirty POC sample code for hid.dll in C++ | 294 |
| |
2022-01-08 | BOF | kyleavery |  | inject-assembly | Inject .NET assemblies into an existing process | small fix - thanks to @C5pider | 498 | | |
2022-01-07 | BOF | apokryptein |  | secinject | Section Mapping Process Injection (secinject): Cobalt Strike BOF | Update secinject.cna | 97 |
| |
2022-01-03 | Aggressor | Peco602 |  | cobaltstrike-aggressor-scripts | A collection of Cobalt Strike Aggressor scripts. | Create LICENSE | 98 |
| |
2021-12-23 | Malleable-C2 | vestjoe |  | cobaltstrike_services | AutoStart teamserver and listeners with services | Update readme.md | 74 | | |
2021-11-26 | BOF | connormcgarr |  | tgtdelegation | tgtdelegation is a Beacon Object File (BOF) to obtain a usable TGT via the "TGT delegation trick" | Update tgtdelegation.c | 172 |
| |
2021-11-23 | BOF | EspressoCake |  | DLL_Version_Enumeration_BOF | A BOF for enumerating version information for DLLs associated for a Beacon process. | Initial push.
| 15 |
| |
2021-11-17 | BOF | securifybv |  | Visual-Studio-BOF-template | A Visual Studio template used to create Cobalt Strike BOFs | fixed typo in readme
| 308 | | |
2021-11-07 | BOF | trainr3kt |  | NoteThief | Grab unsaved Notepad contents with a Beacon Object File | Update README.md | 51 | | |
2021-11-05 | BOF | EspressoCake |  | DLL-Exports-Extraction-BOF | DLL Exports Extraction BOF with optional NTFS transactions. | Update with fallback in case of NTFS failure.
Update with fallback in case of NTFS failure.
Update to stderr descriptor to appropriately convey success/failure.
Move freeing of formatp data structure to point of dispersing output to clean calls. | 82 |
| |
2021-11-03 | BOF | EspressoCake |  | DLL-Hijack-Search-Order-BOF | DLL Hijack Search Order Enumeration BOF | Added helper context in event of no key match.
| 147 |
| |
2021-10-28 | BOF | EspressoCake |  | DLL_Imports_BOF | A BOF to parse the imports of a provided PE-file, optionally extracting symbols on a per-dll basis. | Added verbose help, and optional filter needle for loaded DLL name(s).
| 85 |
| |
2021-10-12 | BOF | EspressoCake |  | HandleKatz_BOF | A BOF port of the research of @thefLinkk and @codewhitesec | Prettier format, use helper function for formatted/buffered prints to Beacon.
| 98 |
| |
2021-10-10 | BOF | EspressoCake |  | Firewall_Walker_BOF | A BOF to interact with COM objects associated with the Windows software firewall. | Update README.md | 103 |
| |
2021-10-06 | Aggressor | jordanpotti |  | opsec-aggressor | Aggressor script that gets the latest commands from CobaltStrikes web site and creates an aggressor script based on tool options. | Update README.md | 21 | | |
2021-10-03 | BOF | EspressoCake |  | Self_Deletion_BOF | BOF implementation of the research by @jonasLyk and the drafted PoC from @LloydLabs | Push of local code.
| 182 |
| |
2021-09-29 | Aggressor | Cobalt-Strike |  | beacon_health_check | This aggressor script uses a beacon's note field to indicate the health status of a beacon. | Update beaconhealth.cna
spelling | 142 | | |
2021-09-28 | BOF | boku7 |  | injectEtwBypass | CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate) | Merge pull request #1 from Sh0ckFR/main
Fixed the compilation warning and added a success message | 284 |
| |
2021-09-27 | BOF | EspressoCake |  | Needle_Sift_BOF | Strstr with user-supplied needle and filename as a BOF. | Merge branch 'main' of github.com:EspressoCake/Needle_Sift_BOF into main
| 32 |
| |
2021-09-24 | BOF | EspressoCake |  | PPLDump_BOF | A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF. | First push.
| 140 | | |
2021-09-20 | BOF | jsecu |  | CredManBOF | | Update CredMan.cna | 94 |
| |
2021-09-17 | Aggressor | EspressoCake |  | Aggressor_Scripts | A compilation of Aggressor/Sleep scripts for operational purposes that I've made. | Added sanity check for current filesize in Execute-Assembly.
| 11 | | |
2021-09-14 | BOF | EspressoCake |  | Toggle_Token_Privileges_BOF | Syscall BOF to arbitrarily add/detract process token privilege rights. | Update README.md | 58 |
| |
2021-09-14 | BOF | RiccardoAncarani |  | BOFs | Collection of Beacon Object Files (BOFs) for shells and lols | add API unhook BOF
| 119 |
| |
2021-09-11 | Aggressor | mez-0 |  | winrmdll | C++ WinRM API via Reflective DLL | + dll
| 145 |
| |
2021-08-30 | Aggressor | darkoperator |  | vscode-language-aggressor | Cobalt Strike Aggressor extension for Visual Studio Code | Update CHANGELOG.md | 134 | | |
2021-08-30 | BOF | EspressoCake |  | Process_Protection_Level_BOF | | Update README.md | 59 |
| |