Explore the world of Beacon Object Files (BOFs) and their applications in red-teaming operations through this informative conference talk. Delve into the Common Object File Format (COFF) and its role in compiler-generated files. Learn about beacon_inline_execute, a custom Windows COFF loader primarily used by Cobalt Strike, and its functionality in loading BOFs in-memory. Discover how BOFs can execute code on target machines without loading shellcode or injecting into remote processes, making them effective for bypassing AV/EDR protection and expanding C2 agent capabilities. Examine Coffee, a Rust-based COFF loader designed for BOFs, and understand its process of parsing object files, allocating memory, and executing code. Gain insights from speaker Rafael Felix, an experienced malware developer and researcher, on the inner workings of COFF format and BOFs in red-team operations.
Syllabus
Introduction to Beacon Object Files in the context of red-teaming operations - Rafael Felix - EKO2023
Taught by
Ekoparty Security Conference