@Flangvik
Last active February 4, 2022 03:24
AlertOnNewIp.py
#!/usr/bin/env python
# Super dirty python3 script that alerts the Cobalt Strike operator via Pushover when a new IP is found among the network interfaces on a beacon
# Aggressor script for triggering this : https://gist.github.com/Flangvik/c31b26129743be699133dc9dab9c02c5
import argparse
from datetime import datetime
from base64 import b64encode,b64decode
from pushover import init, Client
from os import path
# Command-line interface: three optional string arguments.
parser = argparse.ArgumentParser(description='beacon info')
for option in ('--user', '--data', '--computer'):
    parser.add_argument(option)
args = parser.parse_args()

#Replace the below keys, pushover.net
# NOTE(review): the credentials are hard-coded in the script; keep real keys
# out of shared copies, e.g. by loading them from the environment or from a
# file with restricted permissions.
pushover_user_key = "<redacted>"
pushover_app_key = "<redacted>"

# Module-level aliases for the parsed arguments; each is None when its option
# is omitted on the command line.
beaconuser, computer, data = args.user, args.computer, args.data
def pushovernotifications(user):
    """Send a "VPN!" Pushover message whose title is *user*.

    Args:
        user: Value passed as the notification title.
    """
    # Register the application token before building the recipient client.
    init(pushover_app_key)
    recipient = Client(pushover_user_key)
    recipient.send_message("VPN!", title=user)
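# Append each address reported in --data to the shared CSV log and send a push
# notification for any address whose first octet is not the expected one.
csv_path = "/<fullpath>/ip_logs_all_beacons.csv"
didCsvExists = path.exists(csv_path)

# data is base64-encoded UTF-16LE text; presumably one address entry per line.
# Decoding happens before the log is opened so malformed input does not leave
# behind a file that holds only a header.
ipAdresser = b64decode(data).decode('UTF-16LE').split('\n')

# NOTE(review): beaconuser, computer and the address originate from the remote
# host and are written unescaped; a ';' or newline in any of them would corrupt
# or forge a row. Consider csv.writer(f, delimiter=';') if other tooling
# consumes this log.
with open(csv_path, "a+") as f:  # closed even if a notification call raises
    if not didCsvExists:
        f.write("Type;Timestamp;User;Hostname;IP\n")
    for ip in ipAdresser:
        fields = ip.split()
        # Skip blank lines, including the bare '\r' left by CRLF input, which
        # is truthy but has no first token to index.
        if not fields:
            continue
        address = fields[0]
        # One timestamp per entry so the LOG and ALERT rows agree.
        stamp = datetime.utcnow().strftime("%d/%m/%Y %H:%M:%S")
        f.write("LOG;%s;%s;%s;%s\n" % (stamp, beaconuser, computer, address))
        #Edit this based on the subnet of your beacons "home network"
        # Compare the stripped token so leading whitespace cannot cause a
        # false alert.
        if address.split('.')[0] != "192":
            pushovernotifications(beaconuser)
            f.write("ALERT;%s;%s;%s;%s\n" % (stamp, beaconuser, computer, address))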