Voidmaw

A new technique that can be used to #bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders implemented by C2 beacons) or other problematic executables that will be flagged by the antimalware programs(such as mimikatz).

Process Inject Kit

This is a port of Cobalt Strike's Process Inject Kit from C to the C++ BOF template.

rasta-mouse/process-inject-kit
Port of Cobalt Strike's Process Inject Kit

https://github.com/rasta-mouse/process-inject-kit

Various resources to enhance Cobalt Strike's functionality and its ability to evade antivirus/EDR detection


URL：https://github.com/RedefiningReality/Cobalt-Strike

SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature.

https://github.com/med0x2e/SigFlip

Patchwerk

Cobalt Strike BOF that finds all the Nt*system call stubs within NTDLL and overwrites the memory with clean stubs (user land hook evasion). This way we can use the NTAPIs from our implant code, and if EDR check the call stack it will have originated from NTDLL. It’s pretty much the same as the original unhook by Raph Mudge, but this way there's no need to map ntdll.dll from disk or open handles to remote processes.

• Uses HellsGate & HalosGate to call direct syscalls for NtOpenProcess, NtWriteVirtualMemory, and NtProtectVirtualMemory.
• Has custom GetModuleHandle & GetProcAddress(getSymbolAddress) written in C and ASM to evade hooks on kernel32.
• If patching table of current process, does not use NtOpenProcess. Just uses hProc = (HANDLE)-1; instead.

StringReaper

CobaltStrike BOF designed to carve strings out of remote process memory. This tool allows operators to carve ASCII and UTF-16 strings from targeted processes, making it effective for retrieving JWT tokens, credentials, and other sensitive data directly from memory. Over the past 3 years i've had great success in using this tool on engagements. Saves time when oping from a C2 where you don't want to have to wait on a full process dump or deal with download size issues.

AWS Cobalt Redirector : Streamlining Red Team Operations With Automated C2 Infrastructure

https://kalilinuxtutorials.com/aws-cobalt-redirector/

Cobalt Strike 4.11: Shhhhhh, Beacon is Sleeping….
#cobaltstrike

Cobalt Strike 4.11 is now available. This release introduces a novel Sleepmask, a novel process injection technique, new out-of-the-box obfuscation options for Beacon, asynchronous BOFs, and a DNS over HTTPS (DoH) Beacon. Additionally, we have overhauled Beacon’s reflective loader and there are numerous QoL updates. Out-of-the-Box Evasion Overhaul The focus of this release (and the [...]

via Cobalt Strike Blog (author: William Burgess)

Go-based C2 server inspired by Cobalt Strike; seamless agent control, web UI, and Malleable Profile support. Fast, extensible, and secure for red-team ops.

https://github.com/armin-hg/NewCobaltstrikeTeamServer

Implementation of the concept of asynchronous Beacon Object Files. It provides a framework for running asynchronous monitoring tasks that can detect events and report back to the Cobalt Strike team server.

https://github.com/9Insomnie/async_bof

Robust Cobalt Strike shellcode loader with multiple advanced evasion features

https://github.com/Meowmycks/koneko

Evasion-Kit for Cobalt Strike

https://github.com/rasta-mouse/Crystal-Kit

Beacon Object File (BOF) for Using the BadSuccessor Technique for Account Takeover

After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still abuse dMSAs to take over any object where we have a write primitive. This mention did not gather significant attention from the community, leaving an operational gap for dMSA related tooling and attention. This blog dives into why dMSA abuse is still a problem, the release of a new Beacon object file (BOF) labeled BadTakeover, plus additions to SharpSuccessor, all to show that BadSuccessor’s impact as a technique (not a vulnerability) will still hold a lasting effect.

https://github.com/logangoins/BadTakeover-BOF

https://specterops.io/blog/2025/10/20/the-near-return-of-the-king-account-takeover-using-the-badsuccessor-technique/

Execute PE files in-memory using Cobalt Strike's Beacon, eliminating child processes and consoles for stealthy operations and efficient output handling.


https://github.com/evelyn67a/BOF_RunPe