This blog post proposes a new design for Beacon Object File (BOF) portable executables aimed at enhancing integration with C2 platforms. The proposed design addresses existing challenges in BOF maintenance and execution, particularly by introducing support for C++ and exception handling, promoting ease of development and deployment for C2 vendors.
Affected: C2 platforms, BOF developers
Key points:
- The new BOF PE design facilitates both standalone and C2 environment execution.
- It enables full support for C++ and exceptions, improving code structure.
- Resolves symbol resolution issues inherent in complex BOFs.
- Streamlines code maintenance compared to traditional BOF designs.
- Integrates seamlessly with the Beacon API, simplifying output and argument handling.
- The new design allows multiple source files and libraries for better code reuse.
- It introduces a simpler loader design that improves symbol resolution at compile time.
- Offers a variety of PE files demonstrating different capabilities and sizes for flexibility.
MITRE Techniques:
- TA0002 – Execution: BOF PE files execute within a C2 environment using Beacon APIs.
- TA0005 – Defense Evasion: BOF PE files can execute without disk write operations to maintain operational security.
- TA0021 – Credential Access: BOF PE design may support operations that involve credential handling if integrated into a relevant workflow.
Indicators of Compromise:
- [File] c:bofsmybof.exe
- [File] bof-pe
- [File] beacon.dll
- [File] tiny-pe
- [File] c-pe
- [File] cpp-pe
Full Story: https://www.netspi.com/blog/technical-blog/network-pentesting/the-future-of-beacon-object-files/