Visual Studio Cobalt Strike BOF Template - Visualized by ASATA

*New Signal: Visual Studio Cobalt Strike BOF Template - Visualized by ASATA* ASATA has become interested (because of growing human momentum) and ingested a repo (securifybv/Visual-Studio-BOF-template) which streamlines the offensive extensibility of Cobalt Strike through templating Beacon Object Files, or BOFs. ASATA has profiled Windows functions and parameters within these templates and example code by MITRE ID type, articulating the different offensive behaviors they represent. The recent (~1 year) trend of porting Windows tradecraft to BOFs is making tradecraft more accessible to less sophisticated operators – this repo exemplifies that. Some of the very same COM interfaces we have been investigating (based on ASATA offensive trend analytics) have been put into this template’s example functionality. Something we learned while investigating this repo is the ability to utilize a COM interface (IAppIdPolicyHandler) to enumerate AppLockerPolicy, instead of PowerShell Get-AppLockerPolicy.  This is actually a quite obscure tactic (in our dataset anyway) as we only show one instance of it while searching across a million offensively called Windows functions.
 
BOF Templates: https://github.com/securifybv/Visual-Studio-BOF-template
 
AppLocker Policy Enumeration in C (Blog): https://ntamonsec.blogspot.com/2020/08/applocker-policy-enumeration-in-c.html
 

 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam