├── README.md
└── get_opsec.py


/README.md:
--------------------------------------------------------------------------------
 1 | # opsec-aggressor
 2 | Aggressor script that gets the latest commands from CobaltStrikes opsec page and creates an aggressor script based on tool options.
 3 | 
 4 | Grabs latest commands from https://www.cobaltstrike.com/help-opsec and sets block/allow based on tool input. 
 5 | 
 6 | **Options of commands to block/allow are:**
 7 | 
 8 | - API-only
 9 | - House-keeping Commands
10 | - Inline Execute (BOF)
11 | - Post-Exploitation Jobs (Fork&Run)
12 | - Process Execution
13 | - Process Execution (cmd.exe)
14 | - Process Execution (powershell.exe)
15 | - Process Injection (Remote)
16 | - Process Injection (Spawn&Inject)
17 | - Service Creation
18 | 
19 | ## Credit
20 | 
21 | Thanks to bluescreenofjeff and _tifkin for the original [opsec aggressor scripts](https://github.com/bluscreenofjeff/AggressorScripts/tree/master/OPSEC%20Profiles). It was more better since it rewrote some of the dropdown options but it hasn't been updated in 4 years, much has changed since then. 
22 | 
23 | ## Usage 
24 | 
25 | ```
26 | usage: get_opsec.py [-h] [-c COMMANDS]
27 | 
28 | optional arguments:
29 |   -h, --help            show this help message and exit
30 |   -c COMMANDS, --commands COMMANDS
31 |                         Beacon commands to enable (comma delimted) Options: API-only House-keeping bof Post-Exploitation cmd.exe powershell.exe remote spawn&inject service
32 | ```
33 | 
34 | ## Example
35 | 
36 | ```
37 | $ python3 get_opsec.py -c API-only,House-keeping,bof,cmd.exe | tee opsec.cna
38 | #TTP: API-only
39 | %commands["cd"]="true";
40 | %commands["cp"]="true";
41 | %commands["connect"]="true";
42 | %commands["download"]="true";
43 | %commands["drives"]="true";
44 | %commands["exit"]="true";
45 | .
46 | .
47 | .
48 | #configuring the block commands
49 | foreach $key (sorta(keys(%commands))) {
50 |         if (%commands[$key] eq "block") {
51 |                 alias($key, {
52 |                         berror($1,"This command's execution has been blocked. Remove the opsec profile to run the command.");
53 |                 });
54 |         }
55 | }
56 | 
57 | #Adding the opsec command to check the current settings
58 | beacon_command_register("opsec", "Show the settings of the loaded opsec profile",
59 |         "Synopsis: opsec
60 | 
61 | " .
62 |         "Displays a list of command settings for the currently loaded opsec profile.");
63 | 
64 | alias("opsec",{
65 |         blog($1,"The current opsec profile has the following commands set to block/block: ");
66 |         foreach $key (sorta(keys(%commands))) {
67 |                 blog2($1,$key . " - " . %commands[$key]);
68 |         }
69 | });
70 | ```
71 | 
72 | 
73 | 


--------------------------------------------------------------------------------
/get_opsec.py:
--------------------------------------------------------------------------------
 1 | from bs4 import BeautifulSoup
 2 | import requests
 3 | import argparse
 4 | 
 5 | parser = argparse.ArgumentParser()
 6 | parser.add_argument('-c', '--commands', help='Beacon commands to enable (comma delimted)  Options: API-only House-keeping  bof Post-Exploitation cmd.exe  powershell.exe  remote  spawn&inject  service', type=str)
 7 | args = parser.parse_args()
 8 | my_list = [str(item) for item in args.commands.split(',')]
 9 | 
10 | result = requests.get("https://www.cobaltstrike.com/help-opsec")
11 | c = result.content
12 | 
13 | soup = BeautifulSoup(c, "lxml")
14 | 
15 | output = {}
16 | for i in soup.findAll('p', "list"):
17 |     k = i
18 |     v = i.findPrevious('h3').text
19 |     if v in output:
20 |         output[v] = output[v] + k.text
21 |     #v = [li.text for li in ul.findAll('li')]
22 |     else:
23 |         output[v] = k.text
24 | 
25 | #print(list(output.keys()))
26 | 
27 | for ttp in output.keys():
28 |     action = "block"
29 |     for element in my_list:
30 |         if element.lower() in ttp.lower():
31 |             action = "true"
32 |             break
33 |     print("#TTP: " + ttp)
34 |     #print(output[ttp] + "\n")
35 |     for line in str(output[ttp]).splitlines():
36 |         line = line.replace("*", "")
37 |         line = line.strip()
38 |         #string = str(line)
39 |         #print(string)
40 |         #for element in my_list:
41 |         #    if element in ttp:
42 |         print("%%commands[\"%s\"]=\"%s\";" % (line, action))
43 |         #    else:
44 |         #        print("%%commands[\"%s\"]=\"block\";" % line)
45 | 
46 | 
47 | rest = """
48 | #configuring the block commands
49 | foreach $key (sorta(keys(%commands))) {
50 |         if (%commands[$key] eq "block") {
51 |                 alias($key, {
52 |                         berror($1,"This command's execution has been blocked. Remove the opsec profile to run the command.");
53 |                 });
54 |         }
55 | }
56 | 
57 | #Adding the opsec command to check the current settings
58 | beacon_command_register("opsec", "Show the settings of the loaded opsec profile",
59 |         "Synopsis: opsec\n\n" .
60 |         "Displays a list of command settings for the currently loaded opsec profile.");
61 | 
62 | alias("opsec",{
63 |         blog($1,"The current opsec profile has the following commands set to block/block: ");
64 |         foreach $key (sorta(keys(%commands))) {
65 |                 blog2($1,$key . " - " . %commands[$key]);
66 |         }
67 | });
68 | """
69 | 
70 | print(rest)
71 | 


--------------------------------------------------------------------------------