List of Awesome CobaltStrike Resources

Stella Sebastian
Posted by Stella Sebastian September 30, 2021

superior_hosting_service

CobaltStrike

Awesome CobaltStrike

0x00 Introduction

  1. The first part is a collection of quality articles about CobaltStrike
  2. The third part is about the integration of the new features BOF resources
  3. This project is to solve the problem of not finding the right aggressor script or BOF when it is needed
  4. If there is quality content that is not covered in this repo, welcome to submit pr

0x01 Articles & Videos

1. Basic Knowledge

  1. Cobalt_Strike_wiki
  2. Cobalt Strike Book
  3. CobaltStrike4.0 notes
  4. CobaltStrike related web articles collection
  5. Cobalt Strike External C2 Principles
  6. Cobalt Strike desktop control problem resolution (and post-infiltration tools such as screenshots)
  7. Cobalt Strike & MetaSploit linkage
  8. Cobalt-Strike-CheatSheet
  9. Cobalt Strike MITRE TTPs
  10. Red Team Operations with Cobalt Strike (2019)

2. Crack and Customisation

  1. IntelliJ-IDEA modify cobaltstrike
  2. CobaltStrike secondary development environment preparation
  3. Cobal Strike Customize OneLiner
  4. Build post-penetration module through reflective DLL injection (Lesson 1)
  5. Cobalt Strike Aggressor Script (Lesson 1)
  6. Cobalt Strike Aggressor Script (Lesson 2)
  7. Implementing Syscalls In The Cobaltstrike Artifact Kit
  8. Cobalt Strike 4.0 certification and repair process
  9. Arm your CobaltStrike with ReflectiveDLLInjection
  10. Bypass cobaltstrike beacon config scan
  11. Tailoring Cobalt Strike on Target
  12. COFFLOADER: BUILDING YOUR OWN IN MEMORY LOADER OR HOW TO RUN BOFS
  13. Yet Another Cobalt Strike Stager: GUID Edition
  14. Cobalt Strike4.3 cracked diary
  15. Cobalt Strike process creation and corresponding Syslog log analysis

3. Useful Trick

  1. Cobalt Strike Spear Phish
  2. run CS in win — teamserver.bat
  3. Remote NTLM relaying through CS — related to CVE_2018_8581
  4. Cobalt Strike Convet VPN
  5. Construction, use and traffic analysis of the penetration artifact CS3.14
  6. CobaltStrike generates anti-kill shellcode
  7. CS-notes –A series of CS notes
  8. Use Cobalt Strike to post-infiltrate Linux hosts
  9. Cobalt Strike Listener with Proxy
  10. Cobalt Strike Convet VPN
  11. CS 4.0 SMB Beacon
  12. Cobalt Strike browser springboard attack
  13. Cobalt Strike 中 Bypass UAC
  14. Explore Cobalt Strike’s ExternalC2 framework together
  15. In-depth exploration of Cobalt Strike’s ExternalC2 framework
  16. Cobalt Strike’s special function (external_C2) exploration
  17. A tale of .NET assemblies, cobalt strike size constraints, and reflection
  18. AppDomain.AssemblyResolve
  19. Establish a proxy from the webshell to go online to the internal network machine that does not go out of the network
  20. Make direct system calls in Cobalt Strike BOF
  21. Using Direct Syscalls in Cobalt Strike’s Artifact Kit
  22. Cobalt Strike Staging and Extracting Configuration Information

4. CobaltStrike Hide

  1. CobaltStrike certificate modification to avoid traffic censorship
  2. CS legal certificate + Powershell online
  3. Cobalt Strike team server is hidden
  4. Red team infrastructure: hide your C2 server
  5. Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite
  6. In-depth study of the cobalt strike malleable C2 configuration file
  7. A Brave New World: Malleable C2
  8. How to Write Malleable C2 Profiles for Cobalt Strike
  9. Randomized Malleable C2 Profiles Made Easy
  10. About CobaltStrike’s Stager being scanned
  11. Beacon Stager listener to feature
  12. Detect and hide Cobaltstrike server
  13. Remember a cs bypass Kaspersky memory check and kill
  14. Cobalt Strike – Bypassing C2 Network Detections

5. CobaltStrike Analysis

  1. Volatility Plugin for Detecting Cobalt Strike Beacon. blog|Toolset
  2. Reverse analysis of Cobalt Strike installation backdoor
  3. Analyze the cobaltstrike c2 agreement
  4. Small tool to decrypt a Cobalt Strike auth file
  5. Cobalt Strike 的 ExternalC2
  6. Detecting Cobalt Strike Default Modules via Named Pipe Analysis
  7. Analysis of CobaltStrike Beacon Staging Server Scan
  8. Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
  9. Analyzing Cobalt Strike for Fun and Profit
  10. Cobalt Strike Remote Threads detection
  11. The art and science of detecting Cobalt Strike
  12. A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers
  13. How to detect Cobalt Strike activities in memory forensics
  14. Detecting Cobalt Strike by Fingerprinting Imageload Events
  15. The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
  16. CobaltStrike – beacon.dll : Your No Ordinary MZ Header
  17. GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic
  18. Detecting Cobalt Strike beacons in NetFlow data
  19. Volatility Plugin for Detecting Cobalt Strike Beacon
  20. Easily Identify Malicious Servers on the Internet with JARM
  21. Cobalt Strike Beacon Analysis
  22. Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
  23. Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
  24. Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs
  25. Identifying Cobalt Strike team servers in the wild
  26. Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
  27. Operation Cobalt Kitty
  28. Detecting and Advancing In-Memory .NET Tradecraft
  29. Analysing Fileless Malware: Cobalt Strike Beacon
  30. IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
  31. Cobalt Group Returns To Kazakhstan
  32. Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
  33. Azure Sentinel Quick-Deploy with Cyb3rWard0g’s Sentinel To-Go – Let’s Catch Cobalt Strike!
  34. Cobalt Strike stagers used by FIN6
  35. Malleable C2 Profiles and You
  36. C2 Traffic patterns including Cobalt Strike
  37. Cobalt Strike DNS Direct Egress Not That Far Away
  38. Detecting Exposed Cobalt Strike DNS Redirectors
  39. Example of Cleartext Cobalt Strike Traffic
  40. Cobaltstrike-Beacons analyzed
  41. Detect Cobalt Strike server through DNS protocol
  42. Detecting Cobalt Strike with memory signatures
  43. Obtaining the host field in CobaltStrike communication

6. CobaltStrike Video

  1. Malleable Memory Indicators with Cobalt Strike’s Beacon Payload
  2. STAR Webcast: Spooky RYUKy: The Return of UNC1878
  3. Excel 4.0 Macros Analysis – Cobalt Strike Shellcode Injection
  4. Profiling And Detecting All Things SSL With JA3

0x02 C2 Profiles

TypeNameDescriptionPopularityLanguage
ALLMalleable-C2-ProfilesOfficial Malleable C2 Profiles
ALLMalleable-C2-RandomizerThis script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage
ALLmalleable-c2Cobalt Strike Malleable C2 Design and Reference Guide
ALLC2concealerC2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
ALLMalleableC2-ProfilesA collection of Cobalt Strike Malleable C2 profiles. now have Windows Updates Profile
ALLpyMalleableC2A Python interpreter for Cobalt Strike Malleable C2 profiles that allows you to parse, modify, build them programmatically and validate syntax.
ALL1135-CobaltStrike-ToolKitCobalt Strike’s Malleable C2 profile, designed to counter traffic analysis

0x03 BOF

TypeNameDescriptionPopularityLanguage
ALLBOF_CollectionVarious Cobalt Strike BOFs
ALLSituational Awareness BOFIts larger goal is providing a code example and workflow for others to begin making more BOF files. Blog
ALLbof_helperBeacon Object File (BOF) Creation Helper
ALLBOF-DLL-InjectBOF DLL Inject is a custom Beacon Object File that uses manual map DLL injection in order to migrate a dll into a process all from memory.
ALLcobaltstrike_bofsBOF spawns a process of your choice under a specified parent, and injects a provided shellcode file via QueueUserAPC().
ALLBOF-RegSaveBeacon Object File(BOF) for CobaltStrike that will acquire the necessary privileges and dump SAM – SYSTEM – SECURITY registry keys for offline parsing and hash extraction.
ALLCobaltStrike BOFDCOM Lateral Movement; WMI Lateral Movement – Win32_Process Create; WMI Lateral Movement – Event Subscription
ALLBOFsETW Patching; API Function Utility; Syscalls Shellcode Injection
DevbofThis is a template project for building Cobalt Strike BOFs in Visual Studio.
DevBOF.NETA .NET Runtime for Cobalt Strike’s Beacon Object Files.
Devbeacon-object-fileThe format, described by Mudge here, asks that the operator construct an COFF file using a mingw-w64 compiler or the msvc compiler that holds an symbol name indicating its entrypoint, and underlying function calls.
DevInlineWhispersDemonstrate the ability to easily use syscalls using inline assembly in BOFs.
DevWdToggleA Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Credential Guard (if enabled).
DevSituational Awareness BOFThis Repo intends to serve two purposes. First it provides a nice set of basic situational awareness commands implemented in BOF. This allows you to perform some checks on a host before you begin executing commands that may be more invasive.
DevMiniDumpWriteDumpCustom implementation of DbgHelp’s MiniDumpWriteDump function. Uses static syscalls to replace low-level functions like NtReadVirtualMemory.
DevCOFF LoaderThis is a quick and dirty COFF loader (AKA Beacon Object Files). Currently can run un-modified BOF’s so it can be used for testing without a CS agent running it. The only exception is that the injection related beacon compatibility functions are just empty.
AuxiliaryEnumCLR.cCobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates.
AuxiliaryFindObjects-BOFA Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles.
AuxiliaryChromeKeyDumpBOF implementation of Chlonium tool to dump Chrome Masterkey and download Cookie/Login Data files
AuxiliarySleeperBOF to call the SetThreadExecutionState function to prevent host from Sleeping
AuxiliaryLSASSBeacon Object File to dump Lsass memory by obtaining a snapshot handle. Does MiniDumpWriteDump/NtReadVirtualMemory on SnapShot of LSASS instad of original LSASS itself hence evades some AV/EDR.
Auxiliarygetsystemget system by duplicating winlogon’s token.
AuxiliarySilent Lsass DumpSilent Lsass Dump
Auxiliaryunhook-bofThis is a Beacon Object File to refresh DLLs and remove their hooks.
AuxiliaryBeacon Health Check Aggressor ScriptThis aggressor script uses a beacon’s note field to indicate the health status of a beacon.
AuxiliaryRegistry BOFA beacon object file for use with cobalt strike v4.1+. Supports querying, adding, and deleting keys/values of local and remote registries.
AuxiliaryInlineExecute-AssemblyInlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module
AuxiliaryCredBanditCredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel. The memory dump is done by using NTFS transactions which allows us to write the dump to memory and the MiniDumpWriteDump API has been replaced with an adaptation of ReactOS’s implementation of MiniDumpWriteDump.
AuxiliaryInject AMSI BypassCobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
ExploitCVE-2020-0796-BOFSMBGhost LPE
ExploitZeroLogon-BOFZeroLogon
PersistenceSPAWNCobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.

0x04 Aggressor Script

TypeNameDescriptionPopularityLanguage
BypassAVBypassAVUsed to quickly generate anti-virus executable files
BypassAVscrunBypassAV ShellCode Loader (Cobaltstrike/Metasploit) Useage
BypassAVbeacon-c2-gobeacon-c2-go (Cobaltstrike/Metasploit)
BypassAVC–Shellcodepython ShellCode Loader (Cobaltstrike&Metasploit) Useage
BypassAVDoge-LoaderCobalt Strike Shellcode Loader by Golang
BypassAVCS-LoaderCS avoid killing, including python version and C version
BypassAVCSSGCobalt Strike Shellcode Generator. Generates beacon stageless shellcode with exposed exit method, additional formatting, encryption, encoding, compression, multiline output, etc
BypassAVAlarisAlaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTP’s that help protect the malware and it’s execution flow.
BypassAVCarbonMonoxideEDR Evasion – Combination of SwampThing – TikiTorch
BypassAVbypassAV-1Conditionally triggered remote control VT 6/70 avoids domestic anti-virus and defender, Kaspersky and other mainstream anti-virus.
BypassAVScareCrowScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls).
BypassAVDentA framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft’s WDAPT sensors.
BypassAVPEzorOpen-Source PE Packer.
BypassAVFuckThatPackerA simple python packer to easily bypass Windows Defender
BypassAVgoShellCodeByPassVTGo compile -race parameter to achieve VT free kill
BypassAVHouQingAdvanced AV Evasion Tool For Red Team Ops
BypassAVDesertFoxUse Golang to realize anti-virus loading of CobaltStrike and Metasploit shellcode, currently avoid anti-virus host security software such as Tinder, Avast, Tencent Security Manager, 360 Family Bucket.
BypassUACUAC-SilentCleanThis project implements a DLL planting technique to bypass UAC Always Notify and execute code in a high integrity process.
BypassUACcsload.netA cobaltStrike Shellcode loader, can bypass most of AV
Reconred-team-scriptsperform some rudimentary Windows host enumeration with Beacon built-in commands
Reconaggressor-powerviewAll functions listed in the PowerView about page are included in this with all arguments for each function. PowerView
ReconPowerView3-AggressorPowerView Aggressor Script for CobaltStrike PowerView
ReconAggressorScriptsSharphound-Aggressor- A user menu for the SharpHound ingestor
ReconServerScanHighly concurrent network scanning and service detection tools for collecting horizontal information on the intranet.
ReconTailorScanPort scanning + detection network card + ms17010 detection
ReconAggressiveProxyLetMeOutSharp will try to enumerate all available proxy configurations and try to communicate with the Cobalt Strike server over HTTP(s) using the identified proxy configurations.
ReconSpray-ADA Cobalt Strike tool to audit Active Directory user accounts for weak, well known or easy guessable passwords.
ReconLadonLadon is a multi-threaded plug-in comprehensive scanning artifact for large-scale network penetration, including port scanning, service identification, network assets, password blasting, high-risk vulnerability detection, and one-click GetShell. It supports batch A/B/C and cross- Network segment scan, support URL, host, domain name list scan.
ReconLadon for Cobalt StrikeLadon for Cobalt Strike
ReconRecon-ADRecon-AD, an AD recon tool based on ADSI and reflective DLL’s
ExploitXSS-Fishing2-CSAutomatically stop fishing in javascript after the fish is hooked
ExploitXSS-Phishingxss fishing, cna plug-in cooperates with php back-end to close
Exploitcustom_payload_generatorCobaltStrike3.0+ –> creates various payloads for Cobalt Strike’s Beacon. Current payload formats
ExploitCrossC2CrossC2 framework – Generator CobaltStrike’s cross-platform beacon
ExploitGECCGo External C2 Client implementation for cobalt strike.
ExploitCobaltstrike-MS17-010ms17-010 exploit tool and scanner.
ExploitAES-PowerShellCodeStandalone version of my AES Powershell payload for Cobalt Strike.
ExploitSweetPotato_CSCobaltStrike4.x –> SweetPotato
ExploitElevateKitprivilege escalation exploits
ExploitCVE-2018-4878CVE-2018-4878
ExploitAggressor-ScriptsThe only current public is UACBypass, whose readme can be found inside its associated folder.
ExploitCVE_2020_0796_CNALocal privilege escalation vulnerability based on ReflectiveDLLInjection
ExploitDDEAutoCSsetup our stage(d) Web Delivery attack
ExploitgeaconImplement CobaltStrike’s Beacon in Go (can be used in Linux)
ExploitSpoolSystemSpoolSystem is a CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges.
Persistencepersistence-aggressor-scriptpersistence-aggressor-script
PersistencePeinject_dllAbandon the winexec function, use the shellexecute function, the program flow is not stuck, and achieve real senselessness.
PersistenceTikiTorchTikiTorch follows the same concept(CACTUSTORCH) but has multiple types of process injection available, which can be specified by the user at compile time.
PersistenceCACTUSTORCHA JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
PersistenceUploadAndRunFrpUpload frpc and run frpc
Persistencepersistence-aggressor-scriptPersistence Aggressor Script
PersistenceAggressiveGadgetToJScriptAutomate the generation of payloads using the GadgetToJScript technique.
PersistenceFrpProPluginModified version of frp0.33, over-traffic detection, anti-kill, support for loading remote configuration files, plug-ins that can be used directly by cs
PersistenceAutomatic-permission-maintenanceCobaltStrike launches automatic permission maintenance plugin
Persistencecobalt-strike-persistenceThe user generates a Web Delivery type payload through the cobalt strike, and then loads this script to achieve the self-starting effect
PersistenceCobalt_Strike_CNACobaltStrike script that uses multiple WinAPIs to maintain permissions, including API setting system services, setting scheduled tasks, managing users, etc.
Auxiliarygenerate-rotating-beacon1. Generate a beacon for a given listener; 2. Host the file at a specified location;3. Monitor the weblog for fetching of the specified location;
AuxiliaryScareCrow-CobaltStrikeA Cobalt Strike script for ScareCrow payload generation. Works with all Loaders.
AuxiliaryAggressorScriptsCreateTicket; Seatbelt; SharpHound
AuxiliarySharpeningCobaltStrikeIn realtime compiling of dotnet v35/v40 exe/dll binaries + obfuscation with ConfuserEx on your linux cobalt strike server.
AuxiliaryCS_Mail_TipCobalt Strike host launches email reminder plug-in
AuxiliaryCobaltstrike-atexecUse mission plan for horizontal, need to communicate with port 135 and port 445
AuxiliarySharp-HackBrowserDataHackBrowserData tool of C#, convenient for direct memory loading in cs
AuxiliaryHackBrowserDataReflection module of HackBrowserData
Auxiliarycobalt_syncStandalone Cobalt Strike Operation Logging Aggressor script for Ghostwriter 2.0+
AuxiliarysamdumpCobalt Strike samdump
AuxiliarySharpeningCobaltStrikeIn realtime compiling of dotnet v35/v40 exe/dll binaries + obfuscation with ConfuserEx on your linux cobalt strike server.
AuxiliarySharpCompileSharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime.
AuxiliaryQuickrundownUtilizing QRD will allow an operator to quickly characterize what processes are both known and unknown on a host through the use of colors and notes about the processes displayed.
AuxiliaryNetUserThis tool achieves “net user” in Window API. I made this to be used with Cobalt Strike’s execute-assembly, so you can add users with memory loading
AuxiliaryFileSearchC++ enumerates the disk list, traverses the designated disk to search for specific types of files, including the reflection DLL version.
AuxiliaryPhant0m_cobaltstrikeThis script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
AuxiliaryNoPowerShellNoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms.
AuxiliaryEventLogMasterRDP EventLog Master
AuxiliaryANGRYPUPPYBloodhound Attack Path Execution for Cobalt Strike
AuxiliaryCobaltStrike_Script_Wechat_PushLaunch the WeChat reminder plug-in, remind through WeChat Server sauce
AuxiliaryCS-Aggressor-Scriptsslack and webhooks reminder
AuxiliaryAggressor-Scriptssurveying of powershell on targets (detecting powershell related information on the corresponding target)
Auxiliarycs-magicianImplements an events channel and job queue using Redis for Cobalt Strike.
AuxiliaryAggressorScriptsWhen viewing the process, the av process is marked in red
AuxiliaryBeaconatorBeaconator is an aggressor script for Cobalt Strike used to generate a raw stageless shellcode and packing the generated shellcode using PEzor.
AuxiliaryRavenCobaltStrike External C2 for Websockets
AuxiliaryCobaltStrikeParserPython parser for CobaltStrike Beacon’s configuration
AuxiliaryfakelogonscreenFakeLogonScreen is a utility to fake the Windows logon screen in order to obtain the user’s password.
AuxiliarySyncDogMake bloodhound sync with cobaltstrike.
Auxiliary360SafeBrowsergetpassThe CobaltStrike script that assists in capturing the password of the 360 ​​secure browser with one click, and decrypts the browser password offline by downloading the browser database and recording the key.
AuxiliarySharpDecryptPwdAnalyze some programs whose passwords have been saved on the Windwos system, including: Navicat, TeamViewer, FileZilla, WinSCP, Xmangager series products (Xshell, Xftp).
AuxiliaryList-GitHubAssemblyFetch a list of avaialble artifacts from the configured GitHub repo.
AuxiliaryExecuteAssemblyExecuteAssembly is an alternative of CS execute-assembly, built with C/C++ and it can be used to Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR Modules/AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs via superfasthash hashing algorithm.
Auxiliaryaggrokatzaggrokatz is an Aggressor plugin extension for CobaltStrike which enables pypykatz to interface with the beacons remotely.
AuxiliaryZipperThis CobaltStrike tool allows Red teams to compress files and folders from local and UNC paths. This could be useful in situations where large files or folders need to be exfiltrated. After compressing a file or folder a random named zipfile is created within the user temp folder.
AuxiliaryCobaltStrike Helpmsg CNAThis cna contains error messages for Win32 error codes, HRESULT defintions, and NTSTATUS definitions. This cna can be helpful for those operating out of linux/mac clients without access to the net.exe program, or as a quick way to looking hresult/ntstatus codes without having to do a google search.
SynthesisErebusCobaltStrike4.x –> Erebus CobaltStrike post penetration test plugin
SynthesisCSpluginsCobaltStrike post penetration testing plug-in collection
SynthesisCobalt-Strike-Aggressor-ScriptsCobaltStrike post penetration testing plug-in collection Usage
SynthesisAggressorScriptsAggressor scripts for use with Cobalt Strike 3.0+
SynthesisRedTeamToolsRedTeamTools for use with Cobalt Strike
Synthesiscobalt-arsenalAggressor Scripts for Cobalt Strike 4.0+
SynthesisMoveKitThe aggressor script handles payload creation by reading the template files for a specific execution type. intro
SynthesisStayKitThe aggressor script handles payload creation by reading the template files for a specific execution type. intro
SynthesisAggressorScriptsAggressorScripts
SynthesisAggressorScriptsCollection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources
SynthesisAggressorScriptsAggressorScripts
SynthesisAggressor-VYSECContains a bunch of CobaltStrike Aggressor Scripts
SynthesisAggressorAssessorAggressorAssessor
SynthesisAggressorAssessorAggressorAssessor
Synthesisaggressor-scriptsCollection of Cobalt Strike Aggressor Scripts
Synthesis梼杌Red team automation framework based on cobalt strike platform
SynthesisAggressor-scriptsThis is just a random collection of Aggressor Scripts I’ve written for Cobalt Strike 3.x. (One of the debug scripts is easier to use)
SynthesisAggressor-ScriptCollection of Aggressor Scripts for Cobalt Strike (mainly contains scripts for privilege escalation and privilege maintenance)
SynthesisAggressor-ScriptAggressor Script, Kit, Malleable C2 Profiles, External C2 and so on
Synthesisaggressor_scripts_collectionCollection of various aggressor scripts for Cobalt Strike from awesome people. Will be sure to update this repo with credit to each person.
SynthesisCobaltStrike-ToolKitgooglesearch.profile and script related to AD.
SynthesisArsenalCobalt Strike 3.13 Arsenal Kit
Synthesiscobalt-arsenalMy collection of battle-tested Aggressor Scripts for Cobalt Strike 4.0+
Synthesisaggressor_scriptsA collection of useful scripts for Cobalt Strike.(powershell.cna;bot.cna;dcom_lateral_movement.cna;ElevateKit)
Synthesisaggressorcreating tunnels with netsh; changed default to bit.ly redirect to mcdonalds;using powershell to kill parent process;
SynthesisCobaltStrikeCNAA collection of scripts – from various sources – see script for more info.
SynthesisAggressorScriptsHighlights selected processes from the ps command in beacon;Loads various aliases into beacon;sets a few defaults for scripts to be used later..
SynthesisAggressorAssessorFully assisted script suite from C2 generation to lateral movement
SynthesisAggressorCollectionCollection of awesome Cobalt Strike Aggressor Scripts. All credit due to the authors
SynthesisCobaltstrike-Aggressor-Scripts-CollectionThe collection of tested cobaltstrike aggressor scripts.
SynthesisaggressorScriptsCobaltStrike AggressorScripts for the lazy
Synthesiscobalt_strike_extension_kitIntegrate various intranet tools including SharpHound, SharpRDP, SharpWMI, etc., and use AggressorScripts to build workflow
SynthesiscobaltstrikeA collection of plug-ins with functions such as domain administrator positioning, domain information collection, permission maintenance, intranet scanning, database hash dump, and everything intranet search files
Synthesis365CobaltStrikeA collection of plugins compatible with CobaltStrike4.0
SynthesisCobalt-StrikeThe content includes horizontal movement, password capture, permission elevation, permission maintenance, etc., as far as possible, organize the things commonly used in intranet penetration, and make it easy to use
SynthesisCSPluginsA collection of third-party plug-ins for Cobaltstrike, which is continuously updated.
SynthesisCobaltStrike-xorthird-party –> vnc_x86_dll and vnc_x64_dll
SynthesisZ1-AggressorScriptsA collection of intranet penetration plugins for Cobalt Strike 3.x & 4.x
SynthesiscspluginImport PowerView scripts and use common functions
SynthesisCSpluginsComprehensive plug-ins involving working directory, information collection, credential acquisition, permission maintenance, permission escalation, user-related, RDP-related, firewall-related, domain penetration, powershell-related, intranet penetration, intranet detection, remote file download, and trace removal system
SynthesisSharpUtilsA collection of C# utilities intended to be used with Cobalt Strike’s execute-assembly.
SynthesisSharpToolsAggressorC# programs commonly used in intranet penetration are integrated into cs scripts and loaded directly into memory. Continuously update~
SynthesisC.ExCobaltStrike Plugin to start and utilize Cobalt Strike (locally or remotely) from within Sifter

0x05 Related Tools

TypeNameDescriptionPopularityLanguage
AntiCobaltStrikecobaltstrike_bruteCobalt Strike Team Server Password Brute Forcer
AntiCobaltStrikeCobaltStrikeScanScan files or process memory for Cobalt Strike beacons and parse their configuration.
AntiCobaltStrikegrab_beacon_configSimple PoC script to scan and acquire CobaltStrike Beacon configurations.
AntiCobaltStrikeC2-JARMJARM hash generated by ssl implementation to identify different c2, such as CobaltStrike
AntiCobaltStrikeJARMJARM fingerprints scanner
AntiCobaltStrikeDetectCobaltStompA quick(and perhaps dirty!) PoC tool to detect Module Stomping as implemented by Cobalt Strike with moderate to high confidence
AntiCobaltStrikecobaltstrikeCode and yara rules to detect and analyze Cobalt Strike
AntiCobaltStrikeCS_DecryptDecryption can help you understand the principle of cs beacon communication, but note that the key is in the local teamserver
AntiCobaltStrikeCS Scriptsparse_beacon_keys.py A parsing tool for .cobaltstrike.beacon_keys files
AntiCobaltStrikePyBeaconA collection of scripts for dealing with Cobalt Strike beacons in Python Resources
AntiCobaltStrikecobaltstrikescanDetecting CobaltStrike for Volatility
AntiCobaltStrikeCobaltStrikeForensicToolset for research malware and Cobalt Strike beacons
AntiCobaltStrikeDuckMemoryScanA simple tool to find backdoors including but not limited to iis hijacking, fileless Trojan, bypass AV shellcode.
AntiCobaltStrikeCobaltSplunk Splunk ApplicationCobaltSplunk is a Splunk Application that knows how to 1) ingest Cobalt Strike related logs and parse them properly, 2) display useful operational dashboards, 3) display relevant reports.
AntiCobaltStrikeBeaconHunterBehavior based monitoring and hunting tool built in C# tool leveraging ETW tracing. Blue teamers can use this tool to detect and respond to potential Cobalt Strike beacons. Red teamers can use this tool to research ETW bypasses and discover new processes that behave like beacons.
AntiCobaltStrikeCobaltStrikeDetected40 lines of code detected most of CobaltStrike’s shellcode
Anti-AntiCobaltStrikebypass-beacon-config-scanBypass cobaltstrike beacon config scan for 4.1
BypassAVCooolis-msCooolis-ms is a code execution tool that includes Metasploit Payload Loader, Cobalt Strike External C2 Loader, and Reflective DLL injection. It is positioned to evade some of the code that we will execute and contains features in the static detection and killing, to help red team personnel It is more convenient to switch from the Web container environment to the C2 environment for further work.
BypassAVUrbanBishopLocalA port of FuzzySecurity’s UrbanBishop project for inline shellcode execution.
BypassAVSecondaryDevCobaltStrikeCobaltStrike after second development, can bypass Kaspersky, Norton, McAfee, etc.
BypassAVCrossNet-BetaIn the red team operation, the phishing executable file is generated by using the white utilization, to bypass AV and automatically judging the network environment. can bypass 360 and huorong
BypassAVEVAFUD shellcode injector
BypassAVBypassAVUse golang to package and generate the backdoor, which has certain anti-virus capabilities
AnalysisBeaconOpen Source Cobalt Strike Beacon. Unreleased, in research stages
AnalysisLinco2Simulates the communication process between Cobalt Strike’s Beacon and C2, and realizes Linux C2 based on HTTP protocol. The client can issue Beacon tasks through curl.
Analysisbeacon-object-filesThis repository contains miscellaneous examples of Cobalt Strike Beacon object file extensions.
AuxiliaryC2ReverseProxyWhen you encounter a non-networked environment during penetration, you can use this tool to establish a reverse proxy channel so that the beacons generated by CobaltStrike can bounce back to the CobaltStrike server.
AuxiliaryCobalt strike custom 404 pageYou can find the CS service through 404 pages.
AuxiliaryStageStrikeA custom Cobalt Strike stager written in C.. is how the project started.
AuxiliaryCS_SSLGensslgen will install a letsencrypt certificate and create a Cobalt Strike keystore from it.
AuxiliaryCobaltPatchCobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers
AuxiliarypycobaltCobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers.
AuxiliaryredshellAn interactive command prompt that executes commands through proxychains and automatically logs them on a Cobalt Strike team server.
AuxiliaryCobaltStrikeToGhostWriterLog converter from CS logs to a CSV in Ghostwriter’s operation log format.
AuxiliaryAnsible-Cobalt-StrikeAn Ansible role to install cobalt-strike on debian based architectures, let’s be honest it’s for kali.
Auxiliarycobaltstrike_runtimeconfigA POC showing how to modify Cobalt Strike beacon at runtime
AuxiliaryvertingerPystinger implements SOCK4 proxy and port mapping through webshell. It can be directly used by cobalt strike for session online.
Auxiliaryansible-role-cobalt-strikeAn Ansible role for installing Cobalt Strike.
AuxiliaryCrossNetIn the red team operation, the phishing executable file is generated by using the white utilization, avoiding killing and automatically judging the network environment.
AuxiliaryBypassAddUserBypass AV to add users
SynthesisrediAutomated script for setting up CobaltStrike redirectors (nginx reverse proxy, letsencrypt)
Synthesiscs2modrewriteAutomatically Generate Rulesets for Apache mod_rewrite or Nginx for Intelligent HTTP C2 Redirection
SynthesisRedWardenFlexible CobaltStrike Malleable Redirector
SynthesisApache Mod_Rewrite Terrafrom AutomationBash scripts that take variables from the user and then call terraform scripts to automate standing up apache2 with mod_rewrite in front of C2 servers. Right now, this repo supports standing up redirectors in Linode or Digital Ocean, and I have different scripts for standing up http redirectors versus https redirectors. Since the mod_rewrite redirector setup scripts use a user agent value and optionally a bearer token, these redirectors are not C2 dependent and can work for any C2 that uses http or https.
SynthesisRed-EC2Deploy RedTeam Specific EC2 via ansible.
SynthesisRapid Attack InfrastructureRed Team Infrastructure… Quick… Fast… Simplified.
SynthesisRedCommanderCreates two Cobalt Strike C2 servers (DNS and HTTPS), with redirectors, and RedELK in Amazon AWS. Minimal setup required! Companion Blog here
SynthesisCobaltPatchCobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers
SynthesisCPLResourceRunnerRun shellcode(Cobalt Strike) from resource
Devvscode-language-aggressorThis is a Visual Studio Code (VSC) extension that aims to provide: An implement of the Sleep and Cobalt Strike (CS) Aggressor grammar; and The definition of Cobalt Strike functions’ prototype
DevPayloadAutomationPayload Automation is a collection of Python classes for automating payload development, testing, opsec checking, and deployment with Cobalt Strike.
CrackCSAgentCobaltStrike 4.x is a universal white prostitution and Chinese loader, which uses javaagent+javassist to dynamically modify the jar package, which can directly load the original cobaltstrike.jar, and theoretically supports all 4.x versions so far.

0x06 Related Resources

TypeNameDescriptionPopularity
DATASilasCutler JARM Scan CobaltStrike Beacon Config.jsonSilasCutler JARM Scan CobaltStrike Beacon Config
DATACobalt Strike hashesThis page shows some basic information the Yara rule CobaltStrike including corresponding malware samples.
DATAList of Cobalt Strike serversList of Cobalt Strike servers
DATACobaltStrike samples pass=infectedCobaltStrike samples
DATAList of spawns from exposed Cobalt Strike C2List of spawns from exposed Cobalt Strike C2
DATAC2IntelFeedsAutomatically created C2 Feeds based of Censys
WOUNDapt_cobaltstrikeCobalt Strike Room
WOUNDapt_cobaltstrike_evasiveCobalt Strike Room
WOUNDrulesCobalt Strike Room
Rulessuricata-rulesSuricata IDS rules used to detect the red team penetration/malicious behavior, support testing CobaltStrike/MSF/Empire/DNS tunnels/Weevely scorpion/mining/rebound/kitchen/ice shell/ICMP tunnel, etc
Github Link
AV-evading undetectable payload delivery tool
Tags: