Aggressor scripts for use with Cobalt Strike 3.0+
apache-style-weblog-output.cna - outputs weblog hits to an Apache-like access log file named weblog.log in Cobalt Strike's working directory
beacon_to_empire.cna - a script that leverages Powershell Empire's RESTful API to migrate sessions from a Beacon session on Cobalt Strike
beaconid_note.cna - set Beacon note to its ID on load and initial checkin (primarily useful when coding Aggressor scripts)
beaconestablishednote.cna - set Beacon note to the time it was established on initial checkin
Beaconpire - send Beacons to Empire and pull Empire Agents into Cobalt Strike
CCDC - a collection of scripts designed for use at CCDC
- lulz.cna - includes some Blue Team annoyance functions: IE Popup (kiosk mode), Windows Alert (7+), Host Shutdown, Boo.exe (uploads/executes Boo), and Clippy popup (requires setup and Windows 7).
- misc.cna - includes functions to stomp the host file with a chosen text file or add an entry to the existing host file.
- sysinternals-killer.cna - Automatically kill common Blue Team processes, such as the Sysinternals tools, on launch
checkin_jobs_context.cna - adds context menu options to run "checkin" or "jobs" on Beacon session to help detect stale beacons in bulk
eventlog-to-slack.cna - script to send event log events to Slack. NOTE: Review code before deploying in production. Sensitive information (usernames, hostnames, teamserver IPs) will be sent to Slack.
forcecheckin.cna - forces an SMB Beacon to checkin after a specified frequency
mass-dcsync.cna - DCSync a line-separated list of users from a DC
mimikatz-every-30m.cna - runs mimikatz's "logonpasswords" alias every thirty minutes
mimikatz-timestamp-note-BETA.cna - POC script that adds a timestamp to the source column in new credentials. The script is considered BETA - it has not been field tested and has bugs.
OPSEC Profiles - limits the commands Cobalt Strike can execute while loaded. Used to reduce the chance of performing high-risk actions in mature target environments.
powershell.cna - adds context items for some common Powerup and Powerview functions. For this to work, you must put the PowerUp.ps1 and powerview.ps1 files in the same directory as this script
ping_aliases.cna - creates an alias for quick ping (one ping packet w/ shell) and smbscan (to portscan smb w/o ping)
ps-window-alias.cna - creates an alias to open the process browser pane for the current Beacon
silver-tickets.cna - monitors Beacon output for machine hashes and stores them in the cred store. Also adds a dialog box for generating a Silver Ticket from a gathered machine hash
slack-notify-beacon.cna - sends a generic alert to a chosen Slack channel via incoming webhook when a new Beacon is established(requires curl on team server)
slack-notify-webhit.cna - sends a generic alert to a chosen Slack channel via incoming webhook when a specific URI or URIs are requested (requires curl on team server)
sleep-down-when-no-operators.cna - increases the sleep interval on all Beacons when there are no operators logged in
sleeptimer.cna - automatically sets sleep intervals based on time (i.e. from 10p to 6a, sleep for 60s). Resets to 60s sleeps when the sleep interval ends.
stale-beacon-notifier.cna - sends a generic alert to a chosen Slack channel via incoming webhook when a Beacon's last checkin exceeds a specified time (requires curl on team server).
timestamped_activitylog_export.cna - Outputs all event and activity logs with human-readable timestamp to activitylog.txt in your working directory (runs on script load)
Other Aggressor Repos
Please feel free to submit a Pull Request with fixes or improvements to any of the existing scripts; however, my intention is to only keep Aggressor scripts that I've written in this repo.
If you have an idea for a script and would like to submit it somewhere, consider adding it to Lee Kagan's Aggressor Scripts Collection repo.