Async BOFs – “Wake Me Up, Before You Go Go”
Asynchronous BOFs: Enabling New Use Cases for Red Team Operators
The introduction of Beacon Object Files (BOFs) by Cobalt Strike in 2020 revolutionized the capabilities of red team operators and developers, offering a standardized interface for operator code to run within, and interact with, an implant. However, the current BOF standard was designed for synchronous operations, limiting its potential applications.
Asynchronous BOFs Execution Would Enable New Red Team Capabilities
Within this blog Cornelis (@Cneelis) and I introduce the concept and initial design of real-time monitoring for events (e.g. sleep until an admin logs in, sleep until a user starts his password vault) for Beacon Object Files. This new asynchronous design allows operators to roll out a network of sensors and stream these events to the C2 server for further processing – all while the implant is sleepmasked.
Tags: Async, AsyncBOF, BeaconWakeup, BOF, Monitoring, RedTreat, SleepMask