Introduction

Preface: an introduction to Beacon Object Files and their uses.

"Beacon Object Files", or "BOFs", is a term popularized by Cobalt Strike, the industry-defining Command and Control (C2) framework. They act as a modular plugin system for Cobalt Strike's Beacons, allowing dynamic execution of object files, specifically ones that follow the Common Object File Format, or COFF. BOFs let an operator add custom functionality to a C2's agent without modifying its source code. For example, TrustedSec's collection of BOFs covers common post-exploitation actions such as retrieving information about the logged-on user, including group membership and privileges; this is exposed through their whoami BOF.

These tools are widely used for their customizability, ease of use, and compatibility with nearly every modern C2 framework, including not just Cobalt Strike, but also the likes of Havoc, Brute Ratel, Sliver, and many more.

Beacon Object Files offer a convenient interface for sending output to the C2 operator, parsing data, and performing common tasks, through a library (usually a header file) called the Beacon API. The most common one used today is beacon.h, a C header file that contains the declarations, but not the implementations, of the various Beacon API functions. There's a good reason for this; we'll get to that momentarily. Some of the most commonly used Beacon API functions include BeaconPrintf, used to format output for the C2 operator's console, BeaconDataParse, used to parse the arguments passed to the BOF, and BeaconIsAdmin, which is meant to check whether the infected process the BOF was loaded into is elevated. There are many more Beacon API functions than these few. They are crucial for a BOF to work, and they are usually shared across all implementations of a BOF/COFF loader, regardless of the associated C2 framework.
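To make "declared but not implemented" concrete, here is an added example (not code from the original page or from any C2 project) that walks a COFF symbol table the way a triage script would and lists the Beacon API functions an object file expects its loader to supply: they show up as undefined external symbols named `__imp_Beacon*`. The sample object is constructed inline rather than produced by a compiler.

```python
import struct

# COFF file header (20 bytes) and symbol record (18 bytes), per the PE/COFF spec.
COFF_HDR = "<HHIIIHH"          # Machine, NumSections, Timestamp, SymTabPtr, NumSyms, OptHdrSize, Flags
SYM_REC = "<8sIhHBB"           # Name, Value, SectionNumber, Type, StorageClass, NumAux
IMAGE_SYM_UNDEFINED = 0        # symbol is referenced here but defined elsewhere
IMAGE_SYM_CLASS_EXTERNAL = 2   # visible across objects, i.e. resolvable by a loader

def coff_symbols(data: bytes):
    """Yield (name, section_number, storage_class) for every symbol in a COFF object."""
    _, _, _, sym_off, nsyms, _, _ = struct.unpack_from(COFF_HDR, data, 0)
    strtab = sym_off + nsyms * 18               # string table directly follows the symbol table
    i = 0
    while i < nsyms:
        raw, _, section, _, cls, naux = struct.unpack_from(SYM_REC, data, sym_off + i * 18)
        if raw[:4] == b"\0\0\0\0":              # long name: bytes 4..8 are a string-table offset
            off = struct.unpack_from("<I", raw, 4)[0]
            name = data[strtab + off:data.index(b"\0", strtab + off)].decode()
        else:                                   # short name stored inline, NUL padded
            name = raw.rstrip(b"\0").decode()
        yield name, section, cls
        i += 1 + naux                           # skip any auxiliary records

def beacon_api_imports(data: bytes):
    """Undefined externals naming Beacon API functions: what the loader must provide."""
    return sorted(n for n, sect, cls in coff_symbols(data)
                  if sect == IMAGE_SYM_UNDEFINED and cls == IMAGE_SYM_CLASS_EXTERNAL
                  and n.startswith("__imp_Beacon"))

def build_sample() -> bytes:
    """Constructed minimal COFF: header, no sections, symbol table, string table."""
    table = [("go", 1, 2), (".text", 1, 3),      # defined in section 1
             ("__imp_BeaconPrintf", 0, 2), ("__imp_BeaconIsAdmin", 0, 2),
             ("__imp_BeaconDataParse", 0, 2)]    # undefined, to be resolved by the loader
    strtab, syms = bytearray(b"\0\0\0\0"), bytearray()
    for name, sect, cls in table:
        if len(name) <= 8:
            raw = name.encode().ljust(8, b"\0")
        else:
            raw = struct.pack("<II", 0, len(strtab))
            strtab += name.encode() + b"\0"
        syms += struct.pack(SYM_REC, raw, 0, sect, 0, cls, 0)
    struct.pack_into("<I", strtab, 0, len(strtab))  # first dword is total string-table size
    hdr = struct.pack(COFF_HDR, 0x8664, 0, 0, 20, len(table), 0, 0)
    return bytes(hdr + syms + strtab)

if __name__ == "__main__":
    print(beacon_api_imports(build_sample()))
```

Run against a real .o, the same function tells you which Beacon API functions a loader (any C2's) would have to implement for that file to run at all.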
