SilentHarvest BOF
This is a BOF implementation of Furkan Göksel's SilentNimvest project, which is in turn based on the SilentHarvest research by Haidar. It's effectively another registry-only credential dumper, replicating hashdump capabilities as well as retrieving secrets stored in the HKLM\SECURITY\Policy\Secrets subkeys. Old capabilities with a "new" "sneaky" way of delivering. Only requires SeBackupPrivilege (e.g. Administrator, doesn't require SYSTEM as it would normally).
Usage

Decrypt Recovered Cached Domain Credentials
Store the returned hashes in a file and then provide it along with your favorite word list to hashcat

Limitations
This tool does not implement functionality to enable the SeBackupPrivilege in your Beacon token. That is the responsibility of the operator, either through the getprivs command or by implementing the code.
This BOF only supports newer (Win 2016 / Win 10 and above) machines which implement AES encryption in their secret keeping. The legacy RC4 mechanism is not currently supported but would make for a great pull request from someone who has the time/desire.
This tool is NOT intended to be a port of, or achieve feature parity with, Mimikatz. There are several complexities/possible scenarios that are not implemented, like smart card credential support, that would similarly make great PR's.
Compilation
This tool was written without the use of normal BOF API declarations (e.g. a bofdefs.h file). As outlined in this blog post by Matt Ehrnschwender, it's possible to use objcopy to patch the proper symbols of format DLL$API into the BOF post-compilation. The Makefile for this tool calls objcopy, passing an imports_silentharvestXX.txt file containing the proper symbol replacements which then renders the BOF usable.
I have written a tool called BOFPatcher that automates this process. This allows users to write BOFs as normal C without worrying about cumbersome API declarations:

This tool is available to those who purchase my BOF Development and Tradecraft course.
Credits
- Haidar for publishing the original SilentHarvest blog post.
- Furkan Göksel's for his SilentNimvest tool which served as a template when writing this version.
- The AdaptixC2 team for their hashdump implementation which was referenced and utilized
- Big shoutout to Benjamin Delpy for his work on Mimikatz(https://github.com/gentilkiwi/mimikatz). It was my first time going through the source code in any serious capacity, and especially remembering that Claude et al. didn't exist all those years ago its just astoundingly impressive what he put together.
- rescatux's chntpw repo.
- Journey1's RemoteSamDecrypt repo.