《深入理解Cobalt Strike》

这里记录收集优秀的CobaltStrike内容，包括优秀的资源工具或优秀的项目代码等。本项目大部分工具都未检测是否存在后门，务必在虚拟机下运行。CobaltStrike思想是攻击者的进步。作者：0e0w

本项目创建时间为2021年8月3日。最近的一次更新时间为2022年7月18日。

• 01-CobaltStrike资源
• 02-CobaltStrike程序
• 03-CobaltStrike功能
• 04-CobaltStrike扩展
• 05-CobaltStrike研究
• 06-CobaltStrike魔改
• 07-CobaltStrike免杀
• 08-CobaltStrike参考

01-CobaltStrike资源

• https://github.com/search?q=CobaltStrike
• https://github.com/topics/cobalt-strike
• https://github.com/topics/cobaltstrike

一、官方手册

• https://download.cobaltstrike.com/downloads/csmanual44.pdf

二、基础教程

• https://wiki.wgpsec.org/knowledge/intranet/Cobalt-Strike.html

三、视频教程

四、其他资源

• https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet
• https://github.com/cisagov/ansible-role-cobalt-strike
• https://github.com/hattmo/c2profilejs
• https://github.com/jan-call/Cobaltstrike-Plugins
• https://github.com/REW-sploit/REW-sploit
• https://github.com/geemion/Khepri
• 【知识回顾】Cobalt Strike 4.0 认证及修补过程
• CobaltStrike4.0无Hook蛮力Cracked License思路
• https://github.com/Tw1sm/HTTPS-MalleableC2-Config
• https://github.com/bashexplode/cs2webconfig
• https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence
• https://github.com/cisagov/teamserver-packer
• https://github.com/Cerbersec/DomainBorrowingC2
• https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
• https://github.com/XRSec/Docker-CobaltStrike
• https://wbglil.gitbook.io/cobalt-strike
• https://github.com/akkuman/EvilEye
• https://github.com/wsummerhill/CobaltStrike_RedTeam_CheatSheet
• https://github.com/splunk/melting-cobalt
• https://github.com/AlphabugX/csOnvps
• https://github.com/warhorse/ansible-role-cobaltstrike-docker
• https://github.com/kluo84/CS-notes
• https://github.com/lovechoudoufu/cobaltstrike4.4_cdf
• https://www.anquanke.com/post/id/269539
• https://github.com/rmartinsanta/cs-dns-parser
• https://github.com/outflanknl/C2-Tool-Collection
• https://xz.aliyun.com/t/11404
• https://tttang.com/archive/1631
• https://xz.aliyun.com/t/11508
• https://tttang.com/archive/1662

02-CobaltStrike程序

• https://github.com/izj007/CrackSleeve
• https://github.com/mai1zhi2/CobaltstrikeSource
• https://mp.weixin.qq.com/s/kdcqMoPv5f8tlkrk7s5PYA
• https://mp.weixin.qq.com/s/D2q_8mi6wqk18Ox1QDcfxw
• https://github.com/nice0e3/Cobaltstrike_4.3_Source

03-CobaltStrike功能

04-CobaltStrike扩展

• https://github.com/zer0yu/Awesome-CobaltStrike
• https://www.cobaltstrike.com/aggressor-script/index.html
• https://payloads.online/archivers/2020-03-02/4/
• http://sleep.dashnine.org/manual/
• https://github.com/Cobalt-Strike/community_kit
• https://cobalt-strike.github.io/community_kit

一、Malleable-C2

• https://github.com/Tylous/SourcePoint
• https://github.com/FortyNorthSecurity/C2concealer
• https://github.com/threatexpress/malleable-c2
• https://github.com/vestjoe/cobaltstrike_services
• https://github.com/threatexpress/cs2modrewrite
• https://github.com/Cobalt-Strike/Malleable-C2-Profiles
• https://github.com/rsmudge/Malleable-C2-Profiles
• https://github.com/threatexpress/random_c2_profile
• https://github.com/BC-SECURITY/Malleable-C2-Profiles
• https://github.com/D00Movenok/goMalleable
• https://github.com/Peithon/JustC2file

二、External-C2

• https://github.com/Und3rf10w/external_c2_framework
• https://github.com/mdsecactivebreach/Browser-ExternalC2
• https://github.com/SpiderLabs/DoHC2
• https://github.com/outflanknl/external_c2
• https://github.com/rasta-mouse/ExternalC2.NET
• https://github.com/Flangvik/CobaltBus
• https://github.com/wikiZ/RedGuard

三、UDRL：User Defined Reflective Loader

• https://github.com/mgeeky/ElusiveMice
• https://github.com/SecIdiot/TitanLdr
• https://github.com/boku7/CobaltStrikeReflectiveLoader

四、BOFs：Beacon Object Files

• https://github.com/BOFs/BOFs
• https://github.com/Cerbersec/KillDefenderBOF

五、Aggressor Scripts

• https://github.com/topics/aggressor
• https://github.com/001SPARTaN/aggressor_scripts
• https://github.com/0x727/AggressorScripts_0x727
• https://github.com/harleyQu1nn/AggressorScripts
• https://github.com/bluscreenofjeff/AggressorScripts
• https://github.com/jordanpotti/opsec-aggressor
• https://github.com/mgeeky/cobalt-arsenal
• https://github.com/Cobalt-Strike/beacon_health_check
• https://github.com/RCStep/CSSG
• https://github.com/Verizon/redshell
• https://github.com/EspressoCake/Aggressor_Scripts
• https://github.com/darkoperator/vscode-language-aggressor
• https://github.com/threatexpress/cobaltstrike_payload_generator
• https://github.com/outflanknl/HelpColor
• https://github.com/capt-meelo/Beaconator
• https://github.com/NVISOsecurity/cobalt-strike-notifier
• https://github.com/FortyNorthSecurity/AggressorAssessor
• https://github.com/outflanknl/Dumpert
• https://github.com/killswitch-GUI/CobaltStrike-ToolKit
• https://github.com/Und3rf10w/Aggressor-scripts
• https://github.com/vysecurity/Aggressor-VYSEC
• https://github.com/rasta-mouse/Aggressor-Script
• https://github.com/422926799/csplugin
• https://github.com/Peco602/cobaltstrike-aggressor-scripts
• 上线提醒
• CS_Mail_Tip
• WeChatPush
• https://github.com/Daybr4ak/C2ReverseProxy
• https://github.com/teamssix/dingding_cs_notice
• https://github.com/lintstar/CS-PushPlus
• https://github.com/lintstar/CS-ServerChan
• 持久上线
• https://github.com/0xthirteen/StayKit
• https://github.com/TheKingOfDuck/XSS-Fishing2-CS
• https://github.com/yanghaoi/CobaltStrike_CNA
• https://github.com/improsec/SharpEventPersist
• https://github.com/Richard-Tang/Tomcat2CS
• 虚拟上线
• https://github.com/Doneone/happy_cs
• 权限提升
• weichi
• ElevateKit
• Aggressor-Script
• SweetPotato_CS
• 漏洞扫描
• CVE-2018-4878
• CVE-2020-0796
• MS17-010
• 流量隧道
• UploadAndRunFrp
• 痕迹清理
• EventLogMaster
• Phant0m_cobaltstrike
• 近源攻击
• https://github.com/AdminTest0/badusb_cobaltstrike

六、Kit

• 神器獬廌
• 梼杌
• LSTAR
• Erebus
• 巨龙拉冬
• Ladon
• CrossC2
• https://github.com/darkr4y/geacon
• https://github.com/RedTeamWing/WingKit
• Cobalt-Strike-Aggressor-Scripts
• https://github.com/wafinfo/cobaltstrike
• https://github.com/Adminisme/ServerScan
• https://github.com/SeaOf0/CSplugins
• https://github.com/k1d0ne/cobaltstrike_plugin

七、其他内容

• https://github.com/bitsadmin/nopowershell
• https://github.com/vysecurity/ANGRYPUPPY
• https://github.com/TheKingOfDuck/XSS-Fishing2-CS
• https://github.com/timwhitez/XSS-Phishing
• https://github.com/alphaSeclab/cobalt-strike
• https://github.com/bitsadmin/fakelogonscreen
• https://github.com/Al1ex/CSPlugins
• https://github.com/josephkingstone/cobalt_strike_extension_kit
• https://github.com/isafe/cobaltstrike_brute
• https://github.com/ryanohoro/csbruter
• https://github.com/1135/1135-CobaltStrike-ToolKit
• https://github.com/cube0x0/SharpeningCobaltStrike
• https://github.com/Cliov/Arsenal
• https://github.com/outflanknl/Zipper
• https://github.com/outflanknl/Spray-AD
• https://github.com/Apr4h/CobaltStrikeScan
• https://github.com/SecIdiot/CobaltPatch
• https://github.com/Rvn0xsy/Cobaltstrike-atexec
• https://github.com/aleenzz/Cobalt_Strike_wiki
• https://teamssix.com/year/201023-192553.html
• https://github.com/Lz1y/SyncDog
• https://github.com/Freakboy/CobaltStrike
• https://github.com/Daybr4ak/C2ReverseProxy
• https://github.com/rasta-mouse/Aggressor-Script
• https://github.com/EncodeGroup/AggressiveGadgetToJScript
• https://github.com/bytecod3r/Cobaltstrike-Aggressor-Scripts-Collection
• https://github.com/Sifter-Ex/cPlug
• https://github.com/rsmudge/cortana-scripts
• https://github.com/dcsync/pycobalt
• https://github.com/uknowsec/SharpToolsAggressor
• https://www.cnblogs.com/backlion/p/14000269.html
• https://github.com/hayasec/360SafeBrowsergetpass
• https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet
• https://github.com/sk3w/beacon-object-files
• https://xz.aliyun.com/t/8557
• https://www.freebuf.com/articles/web/255876.html
• https://github.com/Ridter/cs_custom_404
• https://github.com/medasz/CobaltStrike4.0
• https://github.com/c1y2m3/FileSearch
• https://github.com/bopin2020/NetUser
• https://github.com/qigpig/bypass-beacon-config-scan
• https://github.com/slaeryan/DetectCobaltStomp
• https://github.com/breakid/SharpUtils
• https://github.com/rmikehodges/cs-ssl-gen
• https://github.com/Rvn0xsy/Cobaltstrike-atexec
• https://github.com/z1un/Z1-AggressorScripts
• https://github.com/Te-k/cobaltstrike
• https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet
• https://github.com/RedXRanger/StageStrike
• https://github.com/outflanknl/Zipper
• https://github.com/Ridter/CS_Chinese_support
• https://github.com/0xthirteen/MoveKit
• https://github.com/SecIdiot/Beacon
• https://github.com/xx0hcd/Malleable-C2-Profiles
• https://github.com/Ridter/cs_custom_404
• https://github.com/nccgroup/pybeacon
• https://github.com/Skactor/cs-scripts
• https://www.svenbeast.com/post/ny5NkDd40
• https://github.com/j5s/Automatic-permission-maintenance
• https://github.com/mgeeky/RedWarden
• https://github.com/Lz1y/GECC
• https://github.com/Daybr4ak/C2ReverseProxy
• https://github.com/Twi1ight/CSAgent
• https://github.com/ORCA666/Cobalt-Wipe
• https://github.com/xorrior/raven
• https://github.com/xinbailu/TiEtwAgent
• https://github.com/GeorgePatsias/ScareCro
• https://github.com/burpheart/CS_mock
• https://github.com/huoji120/CobaltStrikeDetected
• https://github.com/Mikasazero/Cobalt-Strike
• https://github.com/D1sAbl4/samdump
• https://github.com/ASkyeye/CobaltPatch
• https://github.com/boku7/halosgate-ps
• https://github.com/CCob/BeaconEye
• https://github.com/Sentinel-One/CobaltStrikeParser
• https://github.com/hariomenkel/CobaltSpam
• https://github.com/cisagov/ansible-role-cobalt-strike
• https://github.com/dcsync/pycobalt
• https://github.com/optiv/Registry-Recon
• https://github.com/wgpsec/Automatic-permission-maintenance
• https://github.com/Kara-4search/APC_ShellcodeExecution_CSharp
• https://github.com/fitzgeralddaniel/HTTP_File_Covert_Channel
• https://github.com/med0x2e/SigFlip
• https://github.com/mstxq17/CVE-2021-1675_RDL_LPE
• https://github.com/CPO-EH/SharpZeroLogon
• https://github.com/wikiZ/service_cobaltstrike
• https://github.com/chryzsh/ansible-role-cobalt-strike
• https://github.com/kingz40o/Aggressor_dingding
• https://github.com/howmp/CobaltStrikeDetect
• https://github.com/JUICY00000/HellLoader
• https://github.com/Peithon/JustC2file
• https://github.com/Yihsiwei/SearchForCS
• https://github.com/hlldz/Phant0m
• https://github.com/JDArmy/RPCSCAN
• https://github.com/CrossC2/CrossC2Kit
• https://github.com/Cracked5pider/KaynStrike

05-CobaltStrike研究

一、逆向分析

• https://github.com/verctor/Cobalt_Homework

二、源码阅读

三、程序特征

• https://github.com/WBGlIl/Beacon_re
• https://github.com/NoOne-hub/Beacon.dll

06-CobaltStrike魔改

为什么需要魔改？需要魔改那些内容？如何进行程序魔改？

一、特征修改

二、流量免杀

三、功能添加

四、其他魔改

• https://mp.weixin.qq.com/s/AePKPUDnBUr4WbJqvPCleg
• https://github.com/Yang0615777/SecondaryDevCobaltStrike
• https://github.com/mai1zhi2/SharpBeacon
• https://github.com/HKirito/GoogleAuth
• https://github.com/Cobalt-Strike/sleep_python_bridge

07-CobaltStrike免杀

一、流量免杀

• https://github.com/timwhitez/Doge-CSBridge

二、上线免杀

• https://github.com/0e0w/BypassAV
• https://github.com/hack2fun/BypassAV
• https://github.com/Cliov/Arsenal
• https://github.com/Gality369/CS-Loader
• https://github.com/timwhitez/Doge-Loader
• https://paper.seebug.org/1349/
• https://github.com/t3hbb/NSGenCS
• https://github.com/GeorgePatsias/ScareCrow-CobaltStrike
• https://wiki.ioin.in/url/G7PK
• https://github.com/novysodope/Myloader

08-CobaltStrike参考

• https://www.cobaltstrike.com