CobaltStrike相关资源文章汇总Awesome CobaltStrike

CobaltStrike相关资源文章汇总Awesome CobaltStrike

0x00 前言

  1. 第一部分是关于CobaltStrike优质文章的集合
  2. 关于新特性BOF资源的整合
  3. 解决要用的时候找不到合适aggressor script或者BOF的问题
  4. 如果有本repo没有涉及的优质内容,欢迎大家提交pr

Cobalt Strike 截图简介

Cobalt Strike主界面
与目标桌面交互
键盘记录
可塑C2工具
足够多可用的信标
强大的脚本

0x01 相关文章合集

1. 基础知识参考

  1. Cobalt_Strike_wiki
  2. CobaltStrike4.0笔记
  3. CobaltStrike相关网络文章集合
  4. Cobalt Strike 外部 C2【一、原理篇】
  5. Cobalt Strike 桌面控制问题的解决(以及屏幕截图等后渗透工具)
  6. Cobalt Strike & MetaSploit 联动

2. 破解以及定制参考

  1. IntelliJ-IDEA修改cobaltstrike
  2. CobaltStrike二次开发环境准备
  3. Cobal Strike 自定义OneLiner
  4. 通过反射DLL注入来构建后渗透模块(第一课)
  5. Cobalt Strike Aggressor Script (第一课)
  6. Cobalt Strike Aggressor Script (第二课)

3. 使用技巧参考

  1. Cobalt Strike Spear Phish
  2. run CS in win — teamserver.bat
  3. Remote NTLM relaying through CS — related to CVE_2018_8581
  4. Cobalt Strike Convet VPN
  5. 渗透神器CS3.14搭建使用及流量分析
  6. CobaltStrike生成免杀shellcode
  7. CS-notes–一系列CS的使用技巧笔记
  8. 使用 Cobalt Strike 对 Linux 主机进行后渗透
  9. Cobalt Strike Listener with Proxy
  10. Cobalt Strike Convet VPN
  11. CS 4.0 SMB Beacon
  12. Cobalt Strike 浏览器跳板攻击
  13. Cobalt Strike 中 Bypass UAC

4. CobaltStrike隐匿参考

  1. CobaltStrike证书修改躲避流量审查
  2. CS 合法证书 + Powershell 上线
  3. Cobalt Strike 团队服务器隐匿

5. CobaltStrike分析参考

  1. Volatility Plugin for Detecting Cobalt Strike Beacon. blog|Toolset
  2. 逆向分析Cobalt Strike安装后门
  3. 分析cobaltstrike c2 协议
  4. Small tool to decrypt a Cobalt Strike auth file

0x02 C2 Profiles

Type名称描述
ALLMalleable-C2-ProfilesOfficial Malleable C2 Profiles
ALLMalleable-C2-RandomizerThis script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage
ALLmalleable-c2Cobalt Strike Malleable C2 Design and Reference Guide
ALLC2concealerC2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.

0x03 BOF

Type名称描述
ALLBOF_CollectionVarious Cobalt Strike BOFs
ALLSituational Awareness BOFIts larger goal is providing a code example and workflow for others to begin making more BOF files. Blog
ALLQueueUserAPC_PPIDBOF spawns a process of your choice under a specified parent, and injects a provided shellcode file via QueueUserAPC().
ALLbof_helperBeacon Object File (BOF) Creation Helper

0x04 Aggressor Script

Type名称描述
BypassAVBypassAV用于快速生成免杀的可执行文件
BypassAVscrunBypassAV ShellCode Loader (Cobaltstrike/Metasploit) Useage
BypassAVbeacon-c2-gobeacon-c2-go (Cobaltstrike/Metasploit)
BypassAVC–Shellcodepython ShellCode Loader (Cobaltstrike&Metasploit) Useage
Reconred-team-scriptsperform some rudimentary Windows host enumeration with Beacon built-in commands
Reconaggressor-powerviewAll functions listed in the PowerView about page are included in this with all arguments for each function. PowerView
ReconPowerView3-AggressorPowerView Aggressor Script for CobaltStrike PowerView
ReconAggressorScriptsSharphound-Aggressor- A user menu for the SharpHound ingestor
ReconServerScan内网横向信息收集的高并发网络扫描、服务探测工具。
ExploitXSS-Fishing2-CS鱼儿在cs上线后自动收杆 / Automatically stop fishing in javascript after the fish is hooked
ExploitXSS-Phishingxss钓鱼,cna插件配合php后端收杆
Exploitcustom_payload_generatorCobaltStrike3.0+ –> creates various payloads for Cobalt Strike’s Beacon. Current payload formats
ExploitCrossC2CrossC2 framework – Generator CobaltStrike’s cross-platform beacon
ExploitGECCGo External C2 Client implementation for cobalt strike.
ExploitCobaltstrike-MS17-010ms17-010 exploit tool and scanner.
ExploitAES-PowerShellCodeStandalone version of my AES Powershell payload for Cobalt Strike.
ExploitSweetPotato_CSCobaltStrike4.x –> SweetPotato
ExploitElevateKitprivilege escalation exploits
ExploitCVE-2018-4878CVE-2018-4878
ExploitAggressor-ScriptsThe only current public is UACBypass, whose readme can be found inside its associated folder.
ExploitCVE_2020_0796_CNA基于ReflectiveDLLInjection实现的本地提权漏洞
ExploitDDEAutoCSsetup our stage(d) Web Delivery attack
ExploitgeaconImplement CobaltStrike’s Beacon in Go (can be used in Linux)
Persistencepersistence-aggressor-scriptpersistence-aggressor-script
PersistencePeinject_dll弃用winexec函数,使用shellexecute函数,程序流不在卡顿,达到真正的无感。
PersistenceTikiTorchTikiTorch follows the same concept(CACTUSTORCH) but has multiple types of process injection available, which can be specified by the user at compile time.
PersistenceCACTUSTORCHA JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
PersistenceUploadAndRunFrp上传frpc并且运行frpc
Persistencepersistence-aggressor-scriptPersistence Aggressor Script
AuxiliaryCobaltstrike-atexec利用任务计划进行横向,需要与135端口、445端口进行通信
AuxiliarySharpCompileSharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime.
AuxiliaryQuickrundownUtilizing QRD will allow an operator to quickly characterize what processes are both known and unknown on a host through the use of colors and notes about the processes displayed.
AuxiliaryPhant0m_cobaltstrikeThis script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
AuxiliaryNoPowerShellNoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms.
AuxiliaryEventLogMasterRDP EventLog Master
AuxiliaryANGRYPUPPYBloodhound Attack Path Execution for Cobalt Strike
AuxiliaryCobaltStrike_Script_Wechat_Push上线微信提醒的插件,通过微信Server酱提醒
AuxiliaryCS-Aggressor-Scriptsslack and webhooks reminder
AuxiliaryAggressor-Scriptssurveying of powershell on targets (在对应的目标上检测powershell的相关信息)
Auxiliarycs-magikImplements an events channel and job queue using Redis for Cobalt Strike.
AuxiliaryAggressorScripts查看进程的时候讲av进程标注为红色
AuxiliaryRavenCobaltStrike External C2 for Websockets
AuxiliaryCobaltStrikeParserPython parser for CobaltStrike Beacon’s configuration
AuxiliaryfakelogonscreenFakeLogonScreen is a utility to fake the Windows logon screen in order to obtain the user’s password.
AuxiliarySyncDogMake bloodhound sync with cobaltstrike.
SynthesisErebusCobaltStrike4.x –> Erebus CobaltStrike后渗透测试插件
SynthesisCobalt-Strike-Aggressor-ScriptsCobaltStrike后渗透测试插件集合 Usage
SynthesisAggressorScriptsAggressor scripts for use with Cobalt Strike 3.0+
SynthesisRedTeamToolsRedTeamTools for use with Cobalt Strike
Synthesiscobalt-arsenalAggressor Scripts for Cobalt Strike 4.0+
SynthesisMoveKitThe aggressor script handles payload creation by reading the template files for a specific execution type. intro
SynthesisStayKitThe aggressor script handles payload creation by reading the template files for a specific execution type. intro
SynthesisAggressorScriptsAggressorScripts
SynthesisAggressorScriptsCollection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources
SynthesisAggressorScriptsAggressorScripts
SynthesisAggressor-VYSECContains a bunch of CobaltStrike Aggressor Scripts
SynthesisAggressorAssessorAggressorAssessor
SynthesisAggressorAssessorAggressorAssessor
Synthesisaggressor-scriptsCollection of Cobalt Strike Aggressor Scripts
SynthesisAggressor-scriptsThis is just a random collection of Aggressor Scripts I’ve written for Cobalt Strike 3.x. (其中有一个debug脚本比较好用)
SynthesisAggressor-ScriptCollection of Aggressor Scripts for Cobalt Strike(主要包含了提权和权限维持脚本)
SynthesisAggressor-ScriptAggressor Script, Kit, Malleable C2 Profiles, External C2 and so on
Synthesisaggressor_scripts_collectionCollection of various aggressor scripts for Cobalt Strike from awesome people. Will be sure to update this repo with credit to each person.
SynthesisCobaltStrike-ToolKitgooglesearch.profile and script related to AD.
SynthesisArsenalCobalt Strike 3.13 Arsenal Kit
Synthesiscobalt-arsenalMy collection of battle-tested Aggressor Scripts for Cobalt Strike 4.0+
Synthesisaggressor_scriptscode execution via DCOM;the privilege escalation techniques included in ElevateKit;etc.
Synthesisaggressor_scriptscode execution via DCOM;the privilege escalation techniques included in ElevateKit;etc.
Synthesisaggressorcreating tunnels with netsh; changed default to bit.ly redirect to mcdonalds;using powershell to kill parent process;
SynthesisCobaltStrikeCNAA collection of scripts – from various sources – see script for more info.
SynthesisAggressorScriptsHighlights selected processes from the ps command in beacon;Loads various aliases into beacon;sets a few defaults for scripts to be used later..
SynthesisAggressorAssessor从C2生成到横向移动的全辅助脚本套件
SynthesisAggressorCollectionCollection of awesome Cobalt Strike Aggressor Scripts. All credit due to the authors
SynthesisCobaltstrike-Aggressor-Scripts-CollectionThe collection of tested cobaltstrike aggressor scripts.
SynthesisaggressorScriptsCobaltStrike AggressorScripts for the lazy
Synthesiscobalt_strike_extension_kit集成了SharpHound,SharpRDP,SharpWMI等在内的各种内网工具,使用AggressorScripts构建workflow

0x05 Related Tools

Type名称描述
AntiCScobaltstrike_bruteCobalt Strike Team Server Password Brute Forcer
AuxiliaryredshellAn interactive command prompt that executes commands through proxychains and automatically logs them on a Cobalt Strike team server.
AuxiliaryAnsible-Cobalt-StrikeAn Ansible role to install cobalt-strike on debian based architectures, let’s be honest it’s for kali.
SynthesisrediAutomated script for setting up CobaltStrike redirectors (nginx reverse proxy, letsencrypt)
Synthesiscs2modrewriteAutomatically Generate Rulesets for Apache mod_rewrite or Nginx for Intelligent HTTP C2 Redirection
SynthesisRed-EC2Deploy RedTeam Specific EC2 via ansible.)

0x06 Source Code

Type名称描述
Sourcecobalt-strike-sourceCobalt Strike 3.12 Source Code (Decompiled and Fixed)

from