Muz1K1zuM

BOF for Havoc that copies locked Windows files (SAM, SYSTEM, NTDS.dit) via raw MFT parsing — no VSS, no Registry APIs, no PowerShell

19 stars
0
69% credibility
Found Apr 05, 2026 at 19 stars
Language: C

AI Summary

A command for the Havoc security framework that duplicates locked Windows system files by directly accessing disk storage areas.

How It Works

1. 🔍 Discover the secret copier: You learn about a tool that duplicates files the computer is actively using, such as important system records, without the usual roadblocks.

2. 📥 Add it to your security dashboard: You load the tool into your security testing control center, which makes a new command available.

3. 💻 Pick the target computer: You choose the Windows machine you have already connected to, where the locked file you need is stored.

4. Tell it what to copy: You name the locked file and a safe spot for the duplicate, then run it.

5. 🔒 It sneaks and copies: Quietly, the tool reads the disk to gather the file's pieces and builds an exact copy elsewhere.

6. Duplicate ready for review: You now hold a fresh copy of the locked file, ready for your security inspection.

AI-Generated Review

What is UnderlayCopy_bof?

UnderlayCopy_bof is a C-based Beacon Object File (BOF) for Havoc C2 that copies locked Windows files like SAM, SYSTEM, SECURITY hives, and NTDS.dit by parsing the NTFS MFT and reading raw volume sectors. It sidesteps VSS snapshots, Registry APIs, and PowerShell entirely, letting you dump credential stores from admin contexts without spawning noisy processes. Load the Havoc script, then run `stealthcopy ` from your agent console to grab files to a temp path for exfil.

Why is it gaining traction?

In the GitHub BOF collection scene (think Havoc BOF or Cobalt Strike BOF alternatives), this stands out for its small detection surface: no AMSI, no script logging, just SeBackupPrivilege and direct disk reads. Red teamers value the OPSEC edge over PowerShell ports or tools like the mimikatz BOF, especially for NTDS.dit grabs on DCs without SYSTEM. It pairs well with BOF template workflows and builds via mingw-w64 for quick deploys.

Who should use this?

Red team operators and pentesters running Havoc C2 who need to extract SAM hashes or domain creds from locked files during engagements. Ideal for ops on NTFS volumes where VSS is monitored or Credential Guard blocks lsass dumps. Skip it if you are on non-C: drives or need ADS support; stick to BOF basics like a whoami BOF for simpler recon.

Verdict

Solid pick for stealthy file copies in Havoc ops, with clear docs and build instructions boosting usability, despite 19 stars and a 0.70% credibility score signaling early maturity. Test in labs first; it lacks broad validation but delivers on low-priv MFT-based dumps where alternatives falter.
