Mark0
BOF Cocktails in Cobalt Strike

Cobalt Strike 4.13 introduced the BEACON_INLINE_EXECUTE Aggressor hook, which allows operators to intercept and modify Beacon Object Files (BOFs) before they are executed. Previously, operators had to use workarounds like alias_clear to override commands, but this new native hook provides a direct way to process raw BOF bytes. This facilitates the implementation of "BOF Cocktails," where tradecraft and evasion techniques are merged directly into post-exploitation tools.

The article demonstrates using the Crystal Palace tool to process BOFs via specification files. By utilizing this workflow, developers can instrument Windows API calls—such as OpenProcessToken—by merging custom hooks and libraries into the BOF. This allows for modular, automated transformation of BOF capabilities, reducing the reliance on the agent's loader for evasion and providing more flexibility for red team operations.
