This is just a random collection of Aggressor Scripts I've written for Cobalt Strike 3.x.
Please note that most of them could probably use some tweaking to better suit your environment/tactics.
Shoot me any questions and feel free to submit a pull request for any improvements you may have!
Using this repository
I make use of git submodules, so clone this repo with
git clone --recursive
If you didn't follow my instructions and already cloned the repo, go to the root of the repo and run
git submodule update --init --recursive
Actions in this kit center around miscellaneous fun that generally involve messing with the user
Actions in this kit center around antiforensics. If it slows an investigator down, it likely belongs in this kit. We all know antiforensics is best forensics.
Actions in this kit center around credential theft, be it via memory scraping or reading files in. If it involves stealing passwords, it should be here.
This kit is limited to actions that I use for development and debugging, and thus is not loaded with the rest of them.
Actions in this kit center around host and network enumeration. Credential enumeration actions should go in CredKit instead.
Actions in this kit center around endpoint persistence. Examples include backdoor service creation, backdoor process creation, etc
Actions in this kit center around endpoint privilege escalation. Actions that involve forceful scanning (powerup.ps1, unix-privesc-check) should go in the apporiate section
- ThirdParty This is is just a random collection of .cna scripts that other people have created that I like to use. I just have it loaded with kitloader for conveience. There may be changes to the third party scripts to better integerate with my workflow.
Runs Inveigh against the selected machine(s) for a specified amount of time. This does automatically enable LLMNR and NBNS spoofing.
Adds interoperability between Cobalt Strike and Ebowla. I plan on making this process much more integrated and automated, but at this time, you can generate an Ebowla payload within Cobalt Strike by going to
Attacks -> Generate Ebowla Payload. See ewbowla-interop.cna for instructions.
Pushover support for Cobalt Strike, ridiculously useful.
See pushover-cs for instructions.
These are reporting (.rpt) scripts created for Cobalt Strike.