Aggressor scripts for use with Cobalt Strike 3.0+
Latest commit 086da8f May 31, 2018
Name Latest commit message Commit time
Beaconpire Fixed to error message handling May 5, 2017
CCDC Temp script import error fix Mar 23, 2018
OPSEC Profiles Updated readme links Jan 23, 2018
LICENSE added license to repo Aug 16, 2017
README.md Update README.md May 30, 2018
apache-style-weblog-output.cna Updated blog post URL in code Aug 8, 2017
beacon_to_empire.cna updated script to use Java Swing GUI Apr 27, 2016
beaconestablishednote.cna added beacon established note script Dec 16, 2016
beaconid_note.cna added Beaconpire and beaconid_note Nov 29, 2016
checkin_jobs_context.cna initial checkin_jobs_context script commit Oct 20, 2016
eventlog-to-slack.cna Added eventlog-to-slack.cna and updated readme Apr 11, 2017
forcecheckin.cna added forcecheckin and ping_alias scripts Oct 18, 2016
mass-dcsync.cna Modified context menu Apr 19, 2017
mimikatz-every-30m.cna Added GUI to enable/disable the script Apr 11, 2017
mimikatz-timestamp-note-BETA.cna Added widgets to allowed source - thanks Qu1nn! Apr 6, 2017
ping_aliases.cna added forcecheckin and ping_alias scripts Oct 18, 2016
powershell.cna added ccdc scripts May 23, 2016
ps-window-alias.cna Ps-window-alias, sleep-down, and stale-beacon initial commits Sep 12, 2017
silver-tickets.cna Modified script to support multiple hashes per machine Apr 12, 2017
slack-notify-beacon.cna Added slack notification scripts for new beacons and certain webhits Aug 8, 2017
slack-notify-webhit.cna Added slack notification scripts for new beacons and certain webhits Aug 8, 2017
sleep-down-when-no-operators.cna Ps-window-alias, sleep-down, and stale-beacon initial commits Sep 12, 2017
sleeptimer.cna updated blog post URL Sep 6, 2016
stale-beacon-notifier.cna Added Stale Beacon Notifier Jan 23, 2018
timestamped_activitylog_export.cna added file save prompt Nov 15, 2016

README.md

AggressorScripts

Aggressor scripts for use with Cobalt Strike 3.0+

apache-style-weblog-output.cna - outputs weblog hits to an Apache-like access log file named weblog.log in Cobalt Strike's working directory

beacon_to_empire.cna - a script that uses PowerShell Empire's RESTful API to migrate a Cobalt Strike Beacon session to Empire

beaconid_note.cna - set Beacon note to its ID on load and initial checkin (primarily useful when coding Aggressor scripts)

beaconestablishednote.cna - set Beacon note to the time it was established on initial checkin

Beaconpire - send Beacons to Empire and pull Empire Agents into Cobalt Strike

CCDC - a collection of scripts designed for use at CCDC

  • lulz.cna - includes some Blue Team annoyance functions: IE Popup (kiosk mode), Windows Alert (7+), Host Shutdown, Boo.exe (uploads/executes Boo), and Clippy popup (requires setup and Windows 7).
  • misc.cna - includes functions to overwrite the hosts file with a chosen text file or add an entry to the existing hosts file.
  • sysinternals-killer.cna - Automatically kill common Blue Team processes, such as the Sysinternals tools, on launch

checkin_jobs_context.cna - adds context menu options to run "checkin" or "jobs" on a Beacon session to help detect stale Beacons in bulk

eventlog-to-slack.cna - script to send event log events to Slack. NOTE: Review code before deploying in production. Sensitive information (usernames, hostnames, teamserver IPs) will be sent to Slack.

forcecheckin.cna - forces an SMB Beacon to check in at a specified frequency

mass-dcsync.cna - DCSync a line-separated list of users from a DC

mimikatz-every-30m.cna - runs mimikatz's "logonpasswords" alias every thirty minutes

mimikatz-timestamp-note-BETA.cna - POC script that adds a timestamp to the source column in new credentials. The script is considered BETA - it has not been field tested and has bugs.

OPSEC Profiles - limits the commands Cobalt Strike can execute while loaded. Used to reduce the chance of performing high-risk actions in mature target environments.

powershell.cna - adds context menu items for some common PowerUp and PowerView functions. For this to work, you must put the PowerUp.ps1 and powerview.ps1 files in the same directory as this script.

ping_aliases.cna - creates aliases for a quick ping (one ping packet via the shell) and smbscan (port scans SMB without pinging first)

ps-window-alias.cna - creates an alias to open the process browser pane for the current Beacon

silver-tickets.cna - monitors Beacon output for machine hashes and stores them in the cred store. Also adds a dialog box for generating a Silver Ticket from a gathered machine hash

slack-notify-beacon.cna - sends a generic alert to a chosen Slack channel via incoming webhook when a new Beacon is established (requires curl on the team server)

slack-notify-webhit.cna - sends a generic alert to a chosen Slack channel via incoming webhook when a specific URI or URIs are requested (requires curl on the team server)

sleep-down-when-no-operators.cna - increases the sleep interval on all Beacons when there are no operators logged in

sleeptimer.cna - automatically sets sleep intervals based on the time of day (e.g. from 10pm to 6am, sleep for 60s). Resets to 60s sleeps when the configured time window ends.

stale-beacon-notifier.cna - sends a generic alert to a chosen Slack channel via incoming webhook when a Beacon's last check-in exceeds a specified time (requires curl on the team server).

timestamped_activitylog_export.cna - outputs all event and activity logs with human-readable timestamps to activitylog.txt in your working directory (runs on script load)

Other Aggressor Repos

Submissions

Please feel free to submit a Pull Request with fixes or improvements to any of the existing scripts; however, my intention is to only keep Aggressor scripts that I've written in this repo.

If you have an idea for a script and would like to submit it somewhere, consider adding it to Lee Kagan's Aggressor Scripts Collection repo.