Cobalt Strike

Inline-Execute

The recommended way to execute a Beacon Object File (BOF) is to wrap it around an Aggressor Script (.cna) by registering the command as an alias.

Executing object files directly using inline-execute can cause the beacon to crash, often due to a format string error. Take TrustedSec's dir BOF as an example, the expected format string is $zs.

If we attempt to execute the BOF with the wrong format string $s, the beacon process will crash.

Now if we execute it with the right format string, the BOF works as expected.