Skip to main content

Summary

Execute a Beacon Object File (BOF) with the specified arguments. This object file must first be cached in the agent using the register_coff command before being executed. The RunOF.dll ia now automatically obtained from mythic if Apollo does not have it loaded in its file store already.

Arguments

execoff

Object File

The name of the object file to execute. This must match the file name used with register_file or register_coff.

Function

Function of the object file to call, usually ‘go’.

TimeOut

Maximum time (in seconds) that the object file should run.

Arguments (optional)

Arguments to pass to the function, using the following format: -s:123 or int16:123 -i:123 or int32:123 -z:hello or string:hello -Z:hello or wchar:hello -b:abc== or base64:abc==

Usage

execute_coff -Coff [coff_name] -Function [go] -Timeout [30] [-Arguments [arguments]]
Example 
execute_coff -Coff dir.x64.o -Function go -Timeout 30 -Arguments wchar:C:\\

MITRE ATT&CK Mapping

  • T1027

Detailed Summary

The execute_coff command uses a Object File loader to execute object files within a new thread and returning output back to the agent using the implementation of Beacon functions.

Resources