These are my personal opinions based on my background and training experience.
This course is online.
The course materials include text as well as downloadable materials.
The class size is just for you.
There is not a lab environment, but there are instructions on how to set up your own environment.
At the time of this review, the course price was listed as follows (Check the web site for actual prices!)
£199.00
From their website: "This course provides instruction on writing Beacon Object Files (BOFs) for use in Cobalt Strike and other C2 frameworks."
I found myself in a situation where I needed a Beacon Object File (BOF) and could not find one on GitHub. I used several different AIs, over the course of weeks, to get mostly working code, and then I spent a whole lot of time making the aggressor script to go along with the code. This was a very frustrating experience, and I wanted to learn more, and this was the course I needed to help motivate me to learn a whole lot more.
If you look closely at the Certificate of Completion, you will notice that I first finished the course in December of 2024, but this review wasn't done until March 2025. The reason is really simple: I needed to go through the materials a few times, trying to organize my thoughts and grasp the concepts more thoroughly, before writing this review, and I am still not sure I am at a point to do the materials justice.
Welcome
This section is short and sweet, with a quick Introduction, a note from the Author, a video on how to use the course, software requirements for the course and a small survey.
I had installed a Kali Linux virtual machine, and a Windows 10 virtual machine for use in my own lab setup. However, if you don't already have them, they do provide links for you to download an evaluation copy of Windows 11 Enterprise and/or Kali Linux. Cobalt Strike is optional, but very nice to have for testing if you have access to a copy.
Environment Setup
This is a short section on how to set up your Windows and Kali environments. As mentioned earlier, I used Windows 10 and Kali Linux virtual machines and, apart from me actually setting up the virtual machines, the longest part of the setup process was the Visual Studio 2022 download/install, and even that seemed a whole lot faster than it normally is.
Introduction to BOF Development
This section provides the background and basics of BOFs. It also has quick introductions to the Windows API, COFFLoader, as well as developing BOFs on Windows and Linux. Each section is short, easy to read and easy to understand. I really like the quick hands-on instructions it provides so that you can follow along in your environment. There is enough information in each section to get you started on your BOF development journey, and plenty of links if you want, or need, more information right now or later on down the line.
The BOF Development on Linux section starts you on your first BOF project on Linux. I followed along with the materials and hand typed the content, making a few spelling mistakes along the way which made for easy troubleshooting, and then in the Makefile I had to replace the spaces with tabs for the indents, but apart from my mistakes, it was super easy to follow along and understand.
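To show the tab issue concretely, here is an added example Makefile for a Linux BOF build. It is not the course's own Makefile: it assumes the mingw-w64 cross compilers are installed on Kali and that the project1 source lives in a file named project1.c (a name assumed here).

```makefile
# Added example, not the course's Makefile. Assumes the mingw-w64 cross
# compilers are installed and a BOF source file named project1.c exists.
CC_X64 = x86_64-w64-mingw32-gcc
CC_X86 = i686-w64-mingw32-gcc
SRC    = project1.c

all: project1.x64.o project1.x86.o

# Recipe lines below start with a real tab character, not spaces.
# With spaces, make stops with "*** missing separator.  Stop."
project1.x64.o: $(SRC)
	$(CC_X64) -c $(SRC) -o $@

project1.x86.o: $(SRC)
	$(CC_X86) -c $(SRC) -o $@

clean:
	rm -f project1.x64.o project1.x86.o
```

Two details worth noticing: the `-c` flag is what makes the output a BOF, since a BOF is an unlinked COFF object file rather than an executable, and `$@` expands to the target name so each recipe writes the right object file. If your editor converts tabs to spaces, make will report the "missing separator" error on the first recipe line.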
The BOF Development on Windows section is very long and very detailed. It starts by stepping you through the 'BOF_Course' project that you created during the Windows Environment Setup section, which is the "Cobalt Strike bof-vs release" file you added to Visual Studio before creating the project. Next, this section steps you through the process of creating a new BOF in clear, easy to follow steps. It goes through problems that come up and how to solve them, and covers creating tests and how to edit the BOF template as well as the BOF code you are creating. There is a lot of information in this section, and a lot of things going on, but I found it easy to follow and I came out with a better understanding of Visual Studio and BOFs, and since I tend to make lots of mistakes and typos, I got to work on my troubleshooting skills.
Aggressor Scripting is the final part of this module. This section steps you through writing an aggressor script for project1 created in the BOF Development on Linux section and then tweaking that script for project2 created in the BOF Development on Windows section. When I wrote my first BOF, I wasn't really aware that I needed an aggressor script to go with it, but as it turns out, I not only needed one, but I needed some super complex logic inside the script. This section mentions learning to read other aggressor scripts and pulling code from them, and that is pretty much what I did (I found a script with something close enough to what I wanted that I could modify to my needs).
Quick note that has nothing to do with the course content, but you may experience this too: It was during the BOF Development on Windows section that I had to reconnect my VM to the internet (for some odd reason). And, as luck would have it, all the software wanted updates, including Visual Studio. After the update, none of the BOF stuff would compile or run. It was a quick and super easy fix. I downloaded the latest "Cobalt Strike bof-vs release" zip file, moved it to the correct folder, and I was back in business. Keep this in mind if your environment is touching the internet, gets updates, and stuff stops working.
Practical 1: Ransomware Simulator
This is a fun module that covers exactly what the title states... simulating ransomware. When a customer asks for the red team to provide a real-world type effect during an engagement, simulated ransomware can be a big eye opener. Just to be clear, the goal of this BOF isn't to harm the customer's computer, nor is it to change a large number of things, things that an operator, or operators, would need to revert before the end of the engagement, but rather the goal of this BOF is to perform enough modifications to the customer's computer as to make it believable that the machine was hit with ransomware. With this in mind, the module starts by laying out goals and a plan for how the BOF will accomplish those goals.
A base template is provided as your starting point, and from there you move to "Finding the Desktop folder" and the process to accomplish this. If you look at the course outline, you see 'Code Download' where you can download the code which you should have at the completion of the section if you don't want to step through the whole process outlined manually.
Similarly, the Changing the Wallpaper and Leaving the Ransom Note, Renaming Files and Aggressor Script sections are followed by Code Download where you can download the code as it should be at the end of each section.
Going through each section is critical because it shows how you might implement an API call, run into errors, and then proceed to resolve those errors. I really liked how the tests were set up for a normal user, SYSTEM, Local Service, and Network Service and then run. It was also helpful to see the "re-writing and re-organizing code" detailed in the process.
The Aggressor Script section, like the previous modules, covers taking a template and modifying it for the specific BOF that was written.
The Closing section mentions some issues found when testing in Cobalt Strike, and recommendations on what to do if you intend to use this BOF on an actual red team engagement. And finally, there are some "extra mile" tasks if you are motivated enough to attempt to accomplish them.
Practical 2: Iscsipl.exe UAC Bypass
This module starts a bit differently. The goal of this module is to convert a standalone executable, from its source code, to a BOF and since this is just conversion of existing code, there isn't a focus on Debug and UnitTest.
There is a review of the existing code and what it does, as well as a nice summary of the program, and finally the requirements/considerations for converting the executable to a BOF are discussed.
As in the previous module, each coding section is followed by code download opportunities, which will allow you to obtain the code as it should be at the completion of the section.
The sections step you through the code changes that need to be made and then explain why those changes are required. The Offensive Tradecraft section discusses ways to keep the message boxes from opening on the user's desktop when the BOF is run, where the DLLs are written to on disk and how to come up with an alternate way of writing the DLLs other than modifying the user's path and then restoring the user's path after execution, and finally it explores allowing the operator to add their own custom DLL.
The Aggressor Script section, like the previous modules, covers taking a template and modifying it for the specific BOF that was written, but it also goes into testing the aggressor script, finding an error, and troubleshooting in order to resolve the error.
The Closing section gives some "extra mile" tasks on further improving the BOF.
Practical 3: TGT Auto-Harvester
This module covers "creating long-running in-process capabilities through the use of BOFs and position-independent code (PIC)." Practical 1 and Practical 2 were both developed under Windows, but Practical 3 takes the opportunity to create the BOF under Linux. UnitTest is again not a focus during the module. Stardust by 5pider, found in the Cracked5pider GitHub repo, plays a major role in this module.
After a brief introduction and initial setup section, the Introduction to Stardust section explores the "global variables" feature of the project. This is followed by Calling Beacon APIs from Stardust and Integrating Stardust into the BOF.
With Stardust integrated into the BOF, the next sections deal with the function of the BOF itself, including monitoring for logins and dumping TGTs. There are a lot of moving parts to each of these sections, but the good news is, you don't have to use a single pass to learn them all. You can stop, come back later, review and revisit the sections, or just the specific areas of sections, until you understand things well enough to continue.
The Aggressor Script section, like the previous modules, covers taking a template and modifying it for the specific BOF that was written.
Next up is the Dancing with Sleep Mask section. This section deals with Cobalt Strike only, as COFFLoader doesn't support sleep mask functionality, and the section also requires x64dbg to follow along. This is a very advanced section with a lot of information. Without going into a lot of details, sleep mask will obfuscate Beacon in memory while sleeping and this will break the functionality created up until this point. This section shows a way to get around the issues caused by Beacon being obfuscated while sleeping. I am really glad that near the end of the section the recommendation was made to test the program with sleep_mask set back to false, showing that every time you make a change you need to test for the various situations you might encounter.
The Closing section gives some "extra mile" tasks on further improving the BOF.
Update 1: BOFPatcher
This section covers how to write a BOF without the Dynamic Function Resolution (DFR) statements that the first part of the course uses. As the author states, "you can appreciate how much of a convenience this would be" assuming you have gone through the full course up to this point. With the BOFPatcher tool, you now have the ability to write a BOF as normal C.
Next Steps
The final section is a list of resources for you to continue your learning journey.
There is a lot of great information in this course.
There is no exam for this class, but there is a Certificate of Completion if you complete all the modules.
The CoC:
I really liked the information presented. I loved the flow and the ever-increasing complexity of things. I have gone through this material several times now and I still don't understand everything as well as I would like. I guess that just means I need to go through it a few more times. I also loved the Aggressor Script sections because they taught me a number of things that I didn't know before.
As I prepare to write my next BOF, let us see if I can take lessons learned from this course and make a much better BOF than I did the first time. If nothing else, my next Aggressor Scripts will be a whole lot better than my first few were.