tuian/Aggressor-scripts

 
 

Aggressor Scripts

This is just a random collection of Aggressor Scripts I've written for Cobalt Strike 3.x.

Please note that most of them could probably use some tweaking to better suit your environment/tactics.

Shoot me any questions and feel free to submit a pull request for any improvements you may have!

Using this repository

I make use of git submodules, so clone this repo with git clone --recursive

If you didn't follow my instructions and already cloned the repo, go to the root of the repo and run git submodule update --init --recursive

Kits

Most of the useful scripts here are organized in kits. All you have to do is load the KitLoader.cna script, and it will automatically load all other kits (except the DebugKit).

Kit descriptions

  1. AnnoyKit

Actions in this kit center around miscellaneous fun that generally involves messing with the user.

  2. AntiForensicsKit

Actions in this kit center around antiforensics. If it slows an investigator down, it likely belongs in this kit. We all know antiforensics is best forensics.

  3. CredKit

Actions in this kit center around credential theft, be it via memory scraping or reading files in. If it involves stealing passwords, it should be here.

  4. DebugKit

This kit is limited to actions that I use for development and debugging, and thus is not loaded with the rest of them.

  5. EnumKit

Actions in this kit center around host and network enumeration. Credential enumeration actions should go in CredKit instead.

  6. PersistKit

Actions in this kit center around endpoint persistence. Examples include backdoor service creation, backdoor process creation, etc.

  7. PrivEscKit

Actions in this kit center around endpoint privilege escalation. Actions that involve forceful scanning (powerup.ps1, unix-privesc-check) should go in the appropriate section.

Other scripts

inveigh/

Runs Inveigh against the selected machine(s) for a specified amount of time. This does automatically enable LLMNR and NBNS spoofing.

Pushover/

Pushover support for Cobalt Strike, ridiculously useful.

See pushover-cs for instructions.
