• This repository has been archived on 14/Dec/2023
  • Stars: 307
  • Rank 135,293 (Top 3 %)
  • Language: PowerShell
  • License: Other
  • Created about 7 years ago
  • Updated over 4 years ago

Repository Details

BloodHound Attack Path Automation in Cobalt Strike

ANGRYPUPPY


BloodHound Attack Path Execution for Cobalt Strike

Authors:

Calvin Hedler (@001SPARTaN) and Vincent Yiu (@vysecurity)

Special Thanks:

  • armitagehacker: Raphael Mudge for the COBALTSTRIKE framework
  • wald0: Andy Robbins: Large amounts of assistance with Cypher queries

Beta Testers:

  • bspence7337
  • rasta_mouse
  • st3r30byt3
  • merrillmatt011
  • plissken
  • benheise
  • nuttsmare

And more! We had initially attempted to keep track but now there's way too many of you :)

Change Log:

  • [11/07/2017]: Initial push
  • [13/07/2017]: Finished Automated Attack Logic
  • [14/07/2017]: Revamp to polling mode attack logic
  • [15/07/2017]: Revamp code
  • [16/07/2017]: Added import JSON and aliasing

Getting Started:

ANGRYPUPPY is a tool for BloodHound attack path execution in Cobalt Strike.

Before you use ANGRYPUPPY, you will require two things:

Once you have obtained these, clone the ANGRYPUPPY repository. Due to limitations in Aggressor's Java import, we have included PowerShell and Linux/macOS shell scripts that update the path from which json.jar is imported.

Once you have run the appropriate script for your operating system, you're ready to get started.

ANGRYPUPPY assumes that you have a foothold on the target network. From that foothold, run BloodHound collection and import the data into BloodHound. Next, identify the attack path that you wish to use; the cypher beacon alias is included for this purpose. Typing cypher generates Cypher queries for all the users and computers that you have access to in Cobalt Strike, and posts them to the event log. If any of these users or computers have a valid attack path to Domain Admin, these Cypher queries will return the best path. Paste the appropriate Cypher query into BloodHound's "raw query" field, and you will see the attack path displayed.

With a valid attack path displayed in BloodHound, export it to a JSON file so that ANGRYPUPPY can import it. This file can go anywhere, and ANGRYPUPPY will prompt you for it when you run the command.

After that, simply run the angrypuppy beacon alias in any of your active sessions. ANGRYPUPPY will prompt you for the path to your graph, the lateral movement method, and the listener. ANGRYPUPPY will then parse the BloodHound attack path, and automatically execute, based on the nodes in the attack path. For every User node, ANGRYPUPPY will run Mimikatz on the last Computer node, and for every Computer node, ANGRYPUPPY will use the last User node's credentials and move to the next Computer node.

Currently, ANGRYPUPPY supports psexec, psexec_psh, wmi, or winrm lateral movement methods. We are planning to add the DCOM lateral movement method in the future.
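For defenders, the User/Computer alternation described above means an executed path shows up as an ordered series of network logons, each pairing a Computer node with the last User node before it. The following detection sketch is an added example, not part of ANGRYPUPPY; the path uses a simplified node list rather than BloodHound's export schema, and every account, host and log record in it is constructed.

```python
from datetime import datetime, timedelta

# Constructed path in a simplified form (not BloodHound's export schema).
PATH = [
    {"type": "User", "name": "ALICE@CORP.LOCAL"},
    {"type": "Computer", "name": "WS01.CORP.LOCAL"},
    {"type": "User", "name": "SVC_SQL@CORP.LOCAL"},
    {"type": "Computer", "name": "SQL01.CORP.LOCAL"},
    {"type": "User", "name": "DA_BOB@CORP.LOCAL"},
    {"type": "Computer", "name": "DC01.CORP.LOCAL"},
]

def _t(hh, mm):
    return datetime(2017, 7, 16, hh, mm)

# Constructed network-logon records, already normalised from host logs.
EVENTS = [
    {"time": _t(9, 0), "account": "ALICE@CORP.LOCAL", "host": "WS01.CORP.LOCAL"},
    {"time": _t(9, 5), "account": "CAROL@CORP.LOCAL", "host": "FILE01.CORP.LOCAL"},
    {"time": _t(9, 12), "account": "SVC_SQL@CORP.LOCAL", "host": "SQL01.CORP.LOCAL"},
    {"time": _t(9, 30), "account": "DA_BOB@CORP.LOCAL", "host": "DC01.CORP.LOCAL"},
]

def expected_hops(path):
    """Pair each Computer node with the last User node seen before it."""
    hops, last_user = [], None
    for node in path:
        if node["type"] == "User":
            last_user = node["name"]
        elif node["type"] == "Computer" and last_user is not None:
            hops.append((last_user, node["name"]))
    return hops

def find_chain(hops, events, window=timedelta(hours=1)):
    """Return the events that match every hop in order within `window`."""
    events = sorted(events, key=lambda e: e["time"])
    for i, first in enumerate(events):
        if not hops or (first["account"], first["host"]) != hops[0]:
            continue
        chain = [first]
        for ev in events[i + 1:]:
            if ev["time"] - first["time"] > window or len(chain) == len(hops):
                break
            if (ev["account"], ev["host"]) == hops[len(chain)]:
                chain.append(ev)
        if len(chain) == len(hops):
            return chain
    return []

if __name__ == "__main__":
    for ev in find_chain(expected_hops(PATH), EVENTS):
        print(ev["time"].isoformat(), ev["account"], "->", ev["host"])
```

Node types other than User and Computer are ignored, and a partial match inside the window returns nothing, so tune the window to how quickly a full chain would need to complete before alerting.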

Video:

ANGRYPUPPY - Development: https://youtu.be/yxQ8Q8itZao

To-do:

  • Access Control List attack path automation with automated fixing
  • Rework to use BloodHound REST API, automate end-to-end
  • Implement DCOM lateral movement
