Raphael rsmudge
rsmudge
/ checkit.cna
Created
September 18, 2020 16:44
Fire a beacon_revisited event when we get a checkin event that occurs some window of time (e.g., 60s here) after the last checkin event. Keep in mind checkin is only fired on task acknowledgement. If you set the window to 8 hours and don't interact with the Beacon for 8 hours--you'll fire revisited.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global('%checkins'); | |
| on beacon_checkin { | |
| local('$last'); | |
| if ($1 in %checkins) { | |
| $last = %checkins[$1]; | |
| # has it been 1m since the last task acknowledgement? | |
| if (($3 - $last) > 60000) { |
rsmudge
/ ms16-032.cna
Created
July 29, 2016 04:11
Quick and dirty script to integrate ms16-032 into Cobalt Strike and its workflows.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon | |
| # | |
| # 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later) | |
| # 1. grab MS16-032.ps1 | |
| # https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1 | |
| # 2. store it with this script | |
| # 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack | |
| # logic to run this particular attack | |
| sub exploit { |
rsmudge
/ callany.cna
Last active
July 21, 2020 20:46
Create a hidden Beacon console and pass a command+args to it for execution.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import aggressor.windows.BeaconConsole; | |
| import java.awt.event.ActionEvent; | |
| # $1 = beacon ID | |
| # $2 = command + args to run [as if you typed it in the console] | |
| sub beacon_input_command { | |
| local('$event'); | |
| # we make the console a static var because each console we create subscribes to a bunch of stuff | |
| # and requires a manual step [normally performed by a Window close event] to clean up these things. |
rsmudge
/ oneliner.cna
Created
July 7, 2016 21:07
How to host a large script via Beacon and grab it with a one-liner that connects to localhost.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # host a PowerShell script on a one-off web server via Beacon. | |
| # | |
| # Why? Generate one-liners for length constrained command execution opportunities | |
| # | |
| # NOTE: this uses internal APIs and is subject to break in the next release. Don't hate! | |
| # if there's interest in this capability, I can build an official API for it. | |
| import common.*; | |
| import beacon.*; |
rsmudge
/ safedelete.cna
Created
September 1, 2017 16:56
Override default file browser popup in Cobalt Strike to prompt user when they try to delete a file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # safe delete in file browser right-click menu | |
| # | |
| popup_clear("filebrowser"); | |
| popup filebrowser { | |
| item "&Download" { | |
| local('$file'); | |
| foreach $file ($3) { | |
| bdownload($1, "$2 $+ \\ $+ $file"); |
rsmudge
/ getenv.cna
Last active
December 11, 2019 19:45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Aggressor Script means to parse/use environment vars in a Beacon session. | |
| # | |
| global('%bvars'); | |
| # request environment variables for every new Beacon that comes in. | |
| on beacon_initial { | |
| # ideally, we'd have a bshell that could take callbacks. We don't have | |
| # this yet. Eventually though, we will. |
rsmudge
/ tokenToEmail.cna
Created
March 31, 2017 21:58
This script demonstrates how to change Cobalt Strike's WEB_HIT and PROFILER_HIT hooks to resolve a phishing token to an email address.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # This script overrides WEB_HIT and PROFILER_HIT from default.cna to | |
| # resolve the id var (token) to an email | |
| # | |
| # https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html | |
| # | |
| # method, uri, addr, ua, response, size, handler, when | |
| set WEB_HIT { | |
| local('$out $now $method $uri $addr $ua $response $size $handler $when $params'); |
rsmudge
/ getexplorer.cna
Created
March 18, 2016 20:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # getexplorerpid($bid, &callback); | |
| sub getexplorerpid { | |
| bps($1, lambda({ | |
| local('$pid $name $entry'); | |
| foreach $entry (split("\n", $2)) { | |
| ($name, $pid) = split("\\s+", $entry); | |
| if ($name eq "explorer.exe") { | |
| # $1 is our Beacon ID, $pid is the PID of explorer.exe | |
| [$callback: $1, $pid]; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # getexplorerpid($bid, &callback); | |
| sub getanypid { | |
| bps($1, lambda({ | |
| local('$pid $name $entry'); | |
| foreach $entry (split("\n", $2)) { | |
| ($name, $pid) = split("\\s+", $entry); | |
| if ($name eq $proc) { | |
| # $1 is our Beacon ID, $pid is the PID of $proc | |
| [$callback: $1, $proc, $pid]; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # demonstrate an example of inversion-of-control with Aggressor Script | |
| # | |
| # co-routine, | |
| sub bot { | |
| # run pwd and get the output. | |
| bpwd($bid); | |
| when("beacon_output_alt", $this); | |
| yield; |