@rsmudge
Created March 31, 2017 21:58
This script demonstrates how to change Cobalt Strike's WEB_HIT and PROFILER_HIT hooks to resolve a phishing token to an email address.
#
# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
# resolve the id var (token) to an email
#
# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
#
# method, uri, addr, ua, response, size, handler, params, when
set WEB_HIT {
	local('$out $now $method $uri $addr $ua $response $size $handler $when $params');
	($method, $uri, $addr, $ua, $response, $size, $handler, $params, $when) = @_;

	$now = dstamp($when);
	$out = "$now visit from\cE:\o $addr";

	# add in our email address
	if ($params['id'] ne "") {
		$out .= " (" . tokenToEmail($params['id']) . ")";
	}
	$out .= "\n";

	$out .= "\tRequest\cE:\o $method $uri $+ \n";

	# show the handler description if there is one, otherwise the response code
	if ($handler ne "") {
		$out .= "\t $+ $handler $+ \n";
	}
	else {
		$out .= "\tResponse\cE:\c4 $response $+ \n";
	}

	$out .= "\t $+ $ua $+ \n";

	# list any submitted parameters
	if (size($params) > 0) {
		local('$key $value');
		$out .= "\t= Form Data=\n";
		foreach $key => $value ($params) {
			$out .= "\t $+ $[10]key = $value $+ \n";
		}
	}

	return "$out $+ \n";
}

# external address, internal address, ua, applications, token
set PROFILER_HIT {
	local('$out $app $ver');

	# $5 is the phishing token; resolve it to an email address
	$out = "\c9[+]\o $1 $+ / $+ $2 [" . tokenToEmail($5) . "] Applications";
	foreach $app => $ver ($4) {
		$out .= "\n\t $+ $[25]app $ver";
	}
	return "$out $+ \n\n";
}