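├── HelpColor.cna
├── LICENSE.md
├── README.md
└── images
    └── helpx_example.png

/HelpColor.cna:
--------------------------------------------------------------------------------
# HelpColor.cna
#
# Prints available beacon commands and colors each command based on its type
#
# Author: @jmoosdijk / Outflank
# Updates from @ZephrFish / Lares and @discoverscripts
#
# 2021-08-19 : v1.0: public release
#
# Added BOF from https://github.com/anthemtotheego/InlineExecute-Assembly
# Added BOFs from Situational Awareness & Hollow/Sec-inject
#
# Review notes:
#  - the per-colour command lists are static; a command registered by another
#    loaded script is only coloured if it appears in one of the lists below.
#  - a command printed in the DEFAULT colour is UNCLASSIFIED, not "safe".
#    Check https://www.cobaltstrike.com/help-opsec (or the BOF's own docs)
#    before assuming it does not spawn or inject into a process.
#  - classification is first-match in the order of the if/else chain in the
#    alias, so a command listed in two lists takes the colour of the earlier branch.
#  - temporaries are declared with local() so the alias does not leak
#    globals into the Aggressor script environment.

# register command
beacon_command_register("helpx", "Lists available commands and colors each command based on its type",
    "lists available commands and colors each command based on its type.\n\n" .
    "Usage: helpx\n");

# Comparator for sort(): orders two command names case-insensitively.
# $1 / $2 are the two elements being compared; the result is that of cmp
# on the lower-cased strings. No temporaries, so nothing is left in global scope.
sub caseInsensitiveCompare {
    return lc($1) cmp lc($2);
}

# command definition
alias helpx {
    # $1 is the beacon ID the alias was invoked on (used for blog()).
    local('@ApiOnly_builtin @ApiOnly_custom @Bof_bofnet @Bof_builtin @Bof_custom ' .
          '@Bof_trustedsec_CS_Remote_OPs_BOF @Bof_trustedsec_CS_Situational_Awareness_BOF ' .
          '@Bof_Outflank_credpack @Bof_Outflank_C2_Tool_Collection @DllSpawn_custom ' .
          '@ForkRun_builtin @ForkRun_custom @ForkRunOrTargetExplictProcess_builtin ' .
          '@Housekeeping_builtin @Housekeeping_custom @ProcessExecution_builtin ' .
          '@ProcessOrServiceCreation_builtin @ProcessRemoteInject_builtin ' .
          '@ProcessRemoteInject_custom @ProcessSpawnAndInject_builtin ' .
          '@commandArray @sortedCommandArray $command');

    # highlight the following commands
    # CS built-in commands based on: https://www.cobaltstrike.com/help-opsec

    @ApiOnly_builtin = @("!", "cd", "clipboard", "connect", "cp", "download", "drives", "exit", "getprivs", "getuid", "history", "inline-execute", "jobkill", "kill", "link", "ls", "make_token", "mkdir", "mv", "ps", "pwd", "rev2self", "rm", "rportfwd", "rportfwd_local", "setenv", "socks", "steal_token", "unlink", "upload");
    @ApiOnly_custom = @("ps-find");
    @Bof_bofnet = @("bofnet_boo", "bofnet_execute", "bofnet_executeassembly", "bofnet_init", "bofnet_job", "bofnet_jobs", "bofnet_jobkill", "bofnet_jobstatus", "bofnet_list", "bofnet_listassemblies", "bofnet_load", "bofnet_loadbig", "bofnet_shutdown");
    @Bof_builtin = @("getsystem", "kerberos_ccache_use", "kerberos_ticket_purge", "kerberos_ticket_use", "reg", "timestomp");
    # "Psw" here and "psw" in the Outflank C2-Tool-Collection list both land in the BOF branch,
    # so the duplicate (differing only in case) does not change the output.
    @Bof_custom = @("exitthread", "hollow", "inlineExecute-Assembly", "nanodump", "Psw", "sec-inject", "sec-shinject", "shovelng", "unhook");
    @Bof_trustedsec_CS_Remote_OPs_BOF = @("adcs_request", "addusertogroup", "chromeKey", "clipboardinject", "conhost", "createremotethread", "ctray", "dde", "enableuser", "get_priv", "kernelcallbacktable", "lastpass", "ntcreatethread", "ntqueueapcthread", "office_tokens", "procdump", "ProcessDestroy", "ProcessListHandles", "reg_delete", "reg_save", "reg_set", "sc_config", "sc_create", "sc_delete", "sc_description", "sc_start", "sc_stop", "schtaskscreate", "schtasksdelete", "schtasksrun", "schtasksstop", "setthreadcontext", "setuserpass", "shspawnas", "svcctrl", "tooltip", "unexpireuser", "uxsubclassinfo");
    @Bof_trustedsec_CS_Situational_Awareness_BOF = @("adcs_enum", "adcs_enum_com", "adcs_enum_com2", "adv_audit_policies", "arp", "cacls", "dir", "domainenum", "driversigs", "enum_filter_driver", "enumLocalSessions", "env", "findLoadedModule", "get_password_policy", "ipconfig", "ldapsearch", "listdns", "list_firewall_rules", "listmods", "listpipes", "locale", "netGroupList", "netGroupListMembers", "netLocalGroupList", "netLocalGroupListMembers", "netLocalGroupListMembers2", "netloggedon", "netloggedon2", "netsession", "netsession2", "netshares", "netsharesAdmin", "netstat", "nettime", "netuptime", "netuse_add", "netuse_delete", "netuse_list", "netuser", "netview", "notepad", "nslookup", "probe", "reg_query", "reg_query_recursive", "regsession", "resources", "routeprint", "sc_enum", "sc_qc", "sc_qdescription", "sc_qfailure", "sc_query", "sc_qtriggerinfo", "schtasksenum", "schtasksquery", "tasklist", "uptime", "userenum", "vssenum", "whoami", "windowlist", "wmi_query");
    @Bof_Outflank_credpack = @("credpack-dumpertng", "credpack-handledupminidump", "credpack-passwordspy", "credpack-processdupminidump");
    @Bof_Outflank_C2_Tool_Collection = @("AddMachineAccount", "Askcreds", "CVE-2022-26923", "DelMachineAccount", "Domaininfo", "GetMachineAccountQuota", "Kerberoast", "KerbHash", "Lapsdump", "PetitPotam", "psc", "psw", "psx", "psxx", "Smbinfo", "SprayAD", "StartWebClient", "Winver");
    @DllSpawn_custom = @("HiddenDesktop", "psh", "psk", "psm", "Recon-AD-AllLocalGroups", "Recon-AD-Computers", "Recon-AD-Domain", "Recon-AD-Groups", "Recon-AD-LocalGroups", "Recon-AD-SPNs", "Recon-AD-Users", "Spray-AD");
    # "pth" is also in @ProcessOrServiceCreation_builtin; this list is checked first,
    # so pth is shown YELLOW. Drop it from whichever list is wrong once decided.
    @ForkRun_builtin = @("chromedump", "covertvpn", "dcsync", "execute-assembly", "hashdump", "logonpasswords", "mimikatz", "net", "portscan", "powerpick", "pth", "ssh", "ssh-key");
    @ForkRun_custom = @("sharpgen", "shovel");
    @ForkRunOrTargetExplictProcess_builtin = @("browserpivot", "desktop", "keylogger", "printscreen", "psinject", "screenshot", "screenwatch");
    # NOTE(review): multi-word entries ("mode dns", "socks stop", ...) only match if
    # beacon_commands() returns them verbatim; presumably it returns the bare
    # command name ("mode", "socks") - verify, otherwise "mode" is printed unclassified.
    @Housekeeping_builtin = @("argue", "blockdlls", "cancel", "checkin", "clear", "downloads", "file_browser", "help", "jobs", "mode dns", "mode dns6", "mode dns-txt", "note", "powershell-import", "ppid", "process_browser", "sleep", "socks stop", "spawnto", "windows_error_code");
    @Housekeeping_custom = @("helpx");
    @ProcessExecution_builtin = @("execute", "run", "runas", "runasadmin", "runu");
    @ProcessOrServiceCreation_builtin = @("jump", "powershell", "pth", "remote-exec", "shell");
    @ProcessRemoteInject_builtin = @("dllinject", "dllload", "inject", "shinject");
    @ProcessRemoteInject_custom = @("dumpert");
    @ProcessSpawnAndInject_builtin = @("elevate", "shspawn", "spawn", "spawnas", "spawnu", "spunnel", "spunnel_local" );

    # start printing to current beacon
    blog($1, "Available beacon commands with command type highlighting\n");
    blog($1, "\c3 GREEN: \tApiOnly, Housekeeping");
    blog($1, "\c9 L-GREEN: \tBOF");
    blog($1, "\c8 YELLOW: \tFork&Run, Fork&RunOrTargetExplictProcess, DllSpawn");
    blog($1, "\c4 RED: \tProcessExecution, ProcessSpawnAndInject, ProcessRemoteInject, ProcessOrServiceCreation\n");
    blog($1, "Command \t\t Description");
    blog($1, "-------- \t\t ------------");

    # all commands currently registered with the client, sorted case-insensitively
    @commandArray = beacon_commands();
    @sortedCommandArray = sort(&caseInsensitiveCompare, @commandArray);

    # time to color commands based on their type (first matching branch wins)
    foreach $command (@sortedCommandArray) {
        if ($command in @ApiOnly_builtin || $command in @ApiOnly_custom || $command in @Housekeeping_builtin || $command in @Housekeeping_custom) {
            blog($1, "\c3$[25]command" . beacon_command_describe($command) . "\o");   # GREEN
        }
        else if ($command in @Bof_builtin || $command in @Bof_custom || $command in @Bof_trustedsec_CS_Situational_Awareness_BOF || $command in @Bof_trustedsec_CS_Remote_OPs_BOF || $command in @Bof_Outflank_credpack || $command in @Bof_Outflank_C2_Tool_Collection || $command in @Bof_bofnet) {
            blog($1, "\c9$[25]command" . beacon_command_describe($command) . "\o");   # LIGHT GREEN
        }
        else if ($command in @ForkRun_builtin || $command in @ForkRun_custom || $command in @ForkRunOrTargetExplictProcess_builtin) {
            blog($1, "\c8$[25]command" . beacon_command_describe($command) . "\o");   # YELLOW
        }
        else if ($command in @DllSpawn_custom) {
            blog($1, "\c8$[25]command" . beacon_command_describe($command) . "\o");   # YELLOW
        }
        else if ($command in @ProcessExecution_builtin || $command in @ProcessOrServiceCreation_builtin) {
            blog($1, "\c4$[25]command" . beacon_command_describe($command) . "\o");   # RED
        }
        else if ($command in @ProcessRemoteInject_builtin || $command in @ProcessRemoteInject_custom || $command in @ProcessSpawnAndInject_builtin) {
            blog($1, "\c4$[25]command" . beacon_command_describe($command) . "\o");   # RED
        }
        else {
            # DEFAULT COLOR: the command is in none of the lists above. This means
            # "not classified by this script", NOT that the command is OPSEC-safe.
            blog($1, "$[25]command" . beacon_command_describe($command));
        }
    }
}
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2022, Outflank B.V.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.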

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# HelpColor #
Aggressor script that lists available Cobalt Strike beacon commands and colors them based on their type

* Colouring for built-in CS commands, based on: https://www.cobaltstrike.com/help-opsec
* Colouring of various custom BOFs/addons
* Commands that are not in any of the script's lists are printed in the default colour. This means "not classified by this script", not "OPSEC-safe": check the OPSEC page or the tool's own documentation before relying on an uncoloured command, and add new BOFs/addons to the lists in `HelpColor.cna` as you load them.

## Usage

```
helpx
```

Example:

![helpx_example](images/helpx_example.png)


## Credits
Author: Jarno van de Moosdijk (@jmoosdijk) / Outflank

Inspired by ProcessColor.cna by Harley Lebeau (@r3dQu1nn): https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna
--------------------------------------------------------------------------------
/images/helpx_example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/outflanknl/HelpColor/e5e84edbfc5a28d31a7b24785eb98081378ba0eb/images/helpx_example.png
--------------------------------------------------------------------------------