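├── Execute_Assembly
│   └── Filesize_Maximum_Check.cna
├── IoCs
│   └── headless_display_iocs.cna
├── Phishing
│   ├── getMessageBoxStatistics.cna
│   └── realtimePhishInfo.cna
└── README.md

/Execute_Assembly/Filesize_Maximum_Check.cna:
--------------------------------------------------------------------------------
##############################
#                            #
# Author: @the_bit_diddler   #
# Date: September 17, 2021   #
#                            #
##############################

# Maximum assembly size (bytes) that sane-execute-assembly will hand to
# execute-assembly, and the safety margin kept below it. Both are globals so an
# operator can override them from the script console without editing the file.
# The 1000000 default is the value the original author used and is not derived
# from any documented Beacon limit here -- tune it for your build.
global('$sane_execute_assembly_max');
global('$sane_execute_assembly_margin');
$sane_execute_assembly_max = 1000000;
$sane_execute_assembly_margin = 0.95;

beacon_command_register(
    "sane-execute-assembly",
    "Calculate the current size of your file for execute-assembly, and fail early if too large.",
    "Synopsis: sane-execute-assembly /path/to/file [args...]"
);

# Size-check wrapper around bexecute_assembly.
#   $1     beacon id
#   $2     local path to the .NET assembly
#   $3...  arguments passed to the assembly (joined with single spaces)
# Fails with berror() and sends nothing to the beacon when the file is missing,
# is not a regular file, or is at or above the effective limit.
alias sane-execute-assembly {
    local('$path $size $limit $args');

    if (size(@_) <= 1) {
        beacon_command_detail("sane-execute-assembly");
        return;
    }

    $path = $2;

    # lof() reports 0 for a path that does not exist, which would otherwise
    # pass the size check and hand a bogus path to execute-assembly.
    if (!-isFile $path) {
        berror($1, "File not found or not a regular file: " . $path);
        return;
    }

    $limit = int(double($sane_execute_assembly_max) * double($sane_execute_assembly_margin));
    $size  = lof($path);

    # A zero or negative limit means "nothing fits": fail closed rather than
    # letting an unconfigured limit through.
    if ($limit <= 0 || $size >= $limit) {
        berror($1, "Filesize is Too Large!\nCurrent Size: " . int($size) . "\nCurrent Acceptable Maximum: " . $limit);
        return;
    }

    # Everything after the path becomes the single argument string that
    # bexecute_assembly expects. The file itself is not read here; the original
    # slurped it into memory and then discarded the data.
    if (size(@_) >= 3) {
        $args = join(" ", sublist(@_, 2));
    } else {
        $args = "";
    }

    bexecute_assembly($1, $path, $args);
}
--------------------------------------------------------------------------------
/IoCs/headless_display_iocs.cna:
--------------------------------------------------------------------------------
#############################################
# Author: Justin Lucas (@the_bit_diddler)   #
# Date: April 01, 2021                      #
#############################################

#################################
# Notes: This script would be a #
# good candidate to run         #
# in a headless state,          #
# preferably in a TMUX          #
# or screen session             #
#                               #
# E.g. ./agscript ...           #
#                               #
# From the Event Log you        #
# may query the events:         #
# !hashes                       #
#################################

# MD5 hash -> list of one summary line per beacon_indicator event that reported
# that hash. Only "file" indicators are kept. The table lives in this client's
# memory only, so it is lost when the script is unloaded -- export it with
# displayhashes / !hashes before tearing the client down.
global('%beaconIOCs');
%beaconIOCs = %();


# Script console command: print the IoC report.
command displayhashes {
    println(displayIOCs());
}


# Render %beaconIOCs as a CRLF-separated report and return it as one string.
sub displayIOCs {
    local('$hash $entry $report');

    $report = "\r\n\r\nAssessment IoC Assistant:\r\n-------------------------\r\n\r\n";

    foreach $hash (keys(%beaconIOCs)) {
        $report .= "Associated MD5 Hash: " . $hash . "\r\n";
        foreach $entry (%beaconIOCs[$hash]) {
            $report .= $entry . "\r\n";
        }
        $report .= "\r\n\r\n";
    }

    return $report;
}


# beacon_indicator: $1 = beacon id, $2 = computer name, $3 = indicator text,
# $4 = time. The indicator text is split on spaces: token 0 must contain
# "file", token 1 is taken as the MD5 and the last token as the file name, so a
# file name containing spaces is recorded by its last word only.
# NOTE(review): token positions follow the original script; confirm against the
# indicator format of your Cobalt Strike version.
on beacon_indicator {
    local('@tokens $hash $summary');

    @tokens = split(' ', $3);

    # Check the indicator type (and that a hash token exists) before reading
    # the other tokens.
    if (size(@tokens) >= 2 && @tokens[0] hasmatch 'file') {
        $hash = @tokens[1];

        if ($hash !in keys(%beaconIOCs)) {
            %beaconIOCs[$hash] = @();
        }

        $summary  = "Filename: " . @tokens[-1];
        $summary .= "\tDatetime: " . dstamp($4);
        $summary .= "\tHost: " . $2;
        $summary .= "\tInternal_IP: " . binfo($1, 'internal');
        $summary .= "\tUser_Owner: " . binfo($1, 'user');

        add(%beaconIOCs[$hash], $summary);
    }
}

# Team-server chat: an operator typing "!hashes" in the event log gets the
# report back as a private message (visible only to them, not to the room).
on event_public {
    if ($2 ismatch '!hashes') {
        privmsg($1, displayIOCs());
    }
}
--------------------------------------------------------------------------------
/Phishing/getMessageBoxStatistics.cna:
--------------------------------------------------------------------------------
#################################
# Author: Justin Lucas          #
# Company: Ingressive           #
# Date: August 2, 2021          #
#################################

###################################
# Usage:                          #
# - Load this CNA after           #
#   launching your campaign       #
# - Help Menu ->                  #
#   General_Phish_Info            #
###################################

# Tally "webhit" archive records by phishing token and show the number of
# unique tokens and the total hit count in a message box.
# Tokens are supplied by whoever requests the URL: a link scanner, sandbox or
# defender replaying the link inflates both numbers, so treat them as an upper
# bound on real recipient interaction.
sub generatePopup {
    local('$record %hitsByToken $token $unique $total');

    %hitsByToken = %();

    foreach $record (archives()) {
        if ($record['type'] eq 'webhit' && 'token' in keys($record)) {
            $token = $record['token'];
            if ($token in keys(%hitsByToken)) {
                %hitsByToken[$token] += 1;
            } else {
                %hitsByToken[$token] = 1;
            }
        }
    }

    $unique = size(keys(%hitsByToken));

    $total = 0;
    foreach $token (keys(%hitsByToken)) {
        $total += %hitsByToken[$token];
    }

    show_message("Unique: " . $unique . "\tTotal: " . $total);
}

popup help {
    separator();
    item("&General_Phish_Info", { generatePopup(); });
    separator();
}
--------------------------------------------------------------------------------
/Phishing/realtimePhishInfo.cna:
--------------------------------------------------------------------------------
#############################################
# Author: Justin Lucas (@the_bit_diddler)   #
# Date: September 1, 2021                   #
#############################################

# Configuration -- edit before loading.
#   $phishEndpointURL  literal URI path of the landing page to watch; a hit
#                      counts when this string appears in the requested URI.
#   $phishHeadless     1 when running under agscript on the TeamServer (report
#                      goes to the console); 0 in the GUI client (report is
#                      posted to the event log).
global('$phishEndpointURL');
global('$phishHeadless');
$phishEndpointURL = 'REPLACE_ME_WITH_YOUR_URL_PATH';
$phishHeadless = 0;

# Declare global variables: visitor address -> %(time => @(hit times)), and
# the running total of matching hits.
global('%information');
global('$count');

# Guarantee variables are zeroed out/null'd
%information = %();
$count = 0;

# Numeric sorting function for the callback to sort()
sub sortTimes {
    return $1 <=> $2;
}

# web_hit: $2 = requested URI, $3 = visitor address, $9 = time of the hit.
# Every request to the watched path is counted, including those from link
# scanners, sandboxes and curious defenders; the visitor address is the only
# identifier, so the counts are an upper bound on real clicks.
on web_hit {
    local('$visitor $hits $report');

    # The original compared $2 against the single-quoted literal
    # '$currentEndpointURL'. Sleep does not interpolate single-quoted strings,
    # so that regex never matched and this handler never fired. A literal
    # substring test also avoids regex metacharacters in the path.
    if ($phishEndpointURL isin $2) {
        $visitor = $3;
        $count += 1;

        if ($visitor in keys(%information)) {
            add(%information[$visitor]['time'], $9);
        } else {
            %information[$visitor] = %( time => @($9) );
        }
        $hits = %information[$visitor]['time'];

        $report  = "\n";
        $report .= "Host Phish Hit: " . $visitor . "\n";
        $report .= "Time: " . dstamp($9) . "\n";
        $report .= "Current Endpoint Count: " . size($hits) . "\n";
        $report .= "First Click: " . dstamp(sort(&sortTimes, $hits)[0]) . "\n";
        $report .= "Current Click: " . dstamp($9) . "\n";
        $report .= "Total Phish Clicks To Date: " . $count . "\n";

        # The original tested ($headless >= 0), which is true for both 0 and 1,
        # so the console branch was unreachable.
        if ($phishHeadless) {
            println($report);
        } else {
            say($report);
        }
    }
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Aggressor_Scripts
A compilation of Aggressor/Sleep scripts for operational purposes that I've made.
--------------------------------------------------------------------------------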