This article discusses the evolution of "BOF Cocktails" within Cobalt Strike, focusing on the integration of evasion tradecraft directly into Beacon Object Files (BOFs). Previously, operators had to rely on complex workarounds like alias_clear to intercept BOF execution. However, with the release of Cobalt Strike 4.13, a native Aggressor hook called BEACON_INLINE_EXECUTE has been introduced, allowing for seamless manipulation of BOF bytes before they are sent to the Beacon agent.
The author demonstrates how to use this new hook with the Crystal Palace framework and its specification files. With these tools, operators can instrument calls to Windows APIs (such as OpenProcessToken) by merging external hooks and libraries into the BOF at runtime. This modular approach allows post-exploitation tools to carry their own defensive bypasses and logging mechanisms without relying on the primary loader.