├── .github
└── workflows
│ ├── ci.yml
│ ├── gitguardian.yml
│ └── release.yml
├── .gitignore
├── .yamllint
├── LICENSE
├── README.md
├── defaults
└── main.yml
├── handlers
└── main.yml
├── images
└── cs_logo.png
├── meta
└── main.yml
├── molecule
└── default
│ ├── converge.yml
│ ├── molecule.yml
│ └── verify.yml
├── tasks
├── cobaltstrike-ag.yml
├── cobaltstrike.yml
├── dependences.yml
├── main.yml
└── setup.yml
├── templates
└── clean.profile.j2
├── tests
├── inventory
└── test.yml
└── vars
└── main.yml
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
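---
# CI for the warhorse.cobaltstrike_docker role: yamllint on every push/PR and
# weekly, then a Molecule run per distro in the matrix.
name: CI
'on':
  pull_request:
  push:
    branches:
      - master
  schedule:
    - cron: "30 5 * * 2"

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to
# the repository, so the default (potentially write) token scope is not needed.
permissions:
  contents: read

defaults:
  run:
    # The repo is checked out under its Galaxy name so Molecule can resolve
    # `warhorse.cobaltstrike_docker` from the parent directory.
    working-directory: 'warhorse.cobaltstrike_docker'

jobs:

  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Check out the codebase.
        # NOTE(review): @v2 is a mutable major tag; pinning to a full commit
        # SHA protects the workflow against tag retargeting upstream.
        uses: actions/checkout@v2
        with:
          path: 'warhorse.cobaltstrike_docker'

      - name: Set up Python 3.
        uses: actions/setup-python@v2
        with:
          python-version: '3.x'

      - name: Install test dependencies.
        run: pip3 install yamllint

      - name: Lint code.
        run: yamllint .

  molecule:
    name: Molecule
    runs-on: ubuntu-latest
    strategy:
      matrix:
        distro:
          - ubuntu2004
          - debian10

    steps:
      - name: Check out the codebase.
        uses: actions/checkout@v2
        with:
          path: 'warhorse.cobaltstrike_docker'

      - name: Set up Python 3.
        uses: actions/setup-python@v2
        with:
          python-version: '3.x'

      - name: Install test dependencies.
        # NOTE(review): unpinned installs — ansible/molecule versions drift
        # between runs. Pin them if reproducible CI results matter.
        run: pip3 install ansible 'molecule[docker]' docker

      - name: Install role dependencies.
        # NOTE(review): /roles sits at the filesystem root; confirm the runner
        # user can create it, otherwise this step fails before Molecule runs.
        run: ansible-galaxy install --roles-path /roles geerlingguy.docker geerlingguy.pip

      - name: Run Molecule tests.
        run: molecule test
        env:
          PY_COLORS: '1'
          ANSIBLE_FORCE_COLOR: '1'
          # Only has an effect if molecule/default/molecule.yml interpolates
          # it into the platform image name; otherwise every matrix entry
          # tests the same image.
          MOLECULE_DISTRO: ${{ matrix.distro }}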
--------------------------------------------------------------------------------
/.github/workflows/gitguardian.yml:
--------------------------------------------------------------------------------
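---
# Secret scanning with ggshield on every push and pull request.
name: GitGuardian scan

'on': [push, pull_request]

# The job only reads the checkout; no write scope on GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  scanning:
    name: GitGuardian scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0  # fetch all history so multiple commits can be scanned
      - name: GitGuardian scan
        # NOTE(review): `@master` is a moving branch of a third-party action
        # that is handed GITGUARDIAN_API_KEY. Pin to a release tag or, better,
        # a full commit SHA so an upstream change cannot silently alter what
        # runs with that key.
        uses: GitGuardian/gg-shield-action@master
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          # Repository secrets are not exposed to pull_request runs from forks,
          # so this step is expected to fail for fork PRs; that is the safe
          # failure mode — do not switch to pull_request_target to "fix" it.
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}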
--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
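---
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
# repository or organization.
#
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
# See: https://github.com/ansible/galaxy/issues/46
#
# Any pushed tag triggers a Galaxy import, so tag-push rights on this repo
# are effectively release rights.

name: Release
'on':
  push:
    tags:
      - '*'

# The workflow reads the checkout and talks to Galaxy with its own API key;
# it never needs write scope on GITHUB_TOKEN.
permissions:
  contents: read

defaults:
  run:
    working-directory: 'warhorse.cobaltstrike_docker'

jobs:

  release:
    name: Release
    runs-on: ubuntu-latest
    steps:
      - name: Check out the codebase.
        uses: actions/checkout@v2
        with:
          path: 'warhorse.cobaltstrike_docker'

      - name: Set up Python 3.
        uses: actions/setup-python@v2
        with:
          python-version: '3.x'

      - name: Install Ansible.
        run: pip3 install ansible-core

      - name: Trigger a new import on Galaxy.
        # The API key is passed through the environment instead of being
        # expanded into the script text by ${{ }}, so it never lands in the
        # generated shell file. GITHUB_REPOSITORY ("owner/repo") is a default
        # runner variable; the parameter expansions replace the `cut` pipeline.
        env:
          GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}
        run: >-
          ansible-galaxy role import --api-key "$GALAXY_API_KEY"
          "${GITHUB_REPOSITORY%%/*}" "${GITHUB_REPOSITORY#*/}"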
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
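.autogit
# Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o
*.a
*.so

# Folders
_obj
_test

# Architecture specific extensions/prefixes
*.[568vq]
[568vq].out

*.cgo1.go
*.cgo2.c
_cgo_defun.c
_cgo_gotypes.go
_cgo_export.*

_testmain.go

*.exe
*.test
*.prof

# WebStorm
*.iml

# Directory-based project format:
.idea/
.idea/workspace.xml
**/.idea/workspace.xml

# mac hidden files
.DS_Store

#other
node_modules/
bower_components/
.tmp
.sass-cache
builds/**/images/*
*.ogg
*.mp3
*.mp4
*.io
TODO.txt

# security / ssl
*.pem
*.xxjson
# Java keystores referenced by the Malleable profile template
# (https-certificate / code-signer blocks) hold private keys — never commit.
*.store
*.jks

# Ansible retry files
*.retry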
--------------------------------------------------------------------------------
/.yamllint:
--------------------------------------------------------------------------------
---
# Based on ansible-lint config
# yamllint configuration for this role. Note the relaxations below: `truthy`
# is disabled, so `yes`/`no`/`on`/`off` booleans are not reported (prefer
# `true`/`false` anyway), and `document-start` is disabled, so a missing
# leading `---` passes the linter.
extends: default

rules:
  braces:
    max-spaces-inside: 1
    level: error
  brackets:
    max-spaces-inside: 1
    level: error
  colons:
    max-spaces-after: -1
    level: error
  commas:
    max-spaces-after: -1
    level: error
  comments: disable
  comments-indentation: disable
  document-start: disable
  empty-lines:
    max: 3
    level: error
  hyphens:
    level: error
  indentation: disable
  # Kept on: most parsers silently take the last duplicate key.
  key-duplicates: enable
  line-length: disable
  new-line-at-end-of-file: disable
  new-lines:
    type: unix
  trailing-spaces: disable
  truthy: disable
34 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2021 Ralph May
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy of
6 | this software and associated documentation files (the "Software"), to deal in
7 | the Software without restriction, including without limitation the rights to
8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
9 | the Software, and to permit persons to whom the Software is furnished to do so,
10 | subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Ansible Cobalt Strike (Docker)
2 | =========
3 |
4 | [](https://github.com/warhorse/ansible-role-cobaltstrike-docker/actions?query=workflow%3ACI)
5 | [](https://galaxy.ansible.com/warhorse/cobaltstrike_docker)
6 | [](https://galaxy.ansible.com/warhorse/cobaltstrike_docker)
7 | [](https://galaxy.ansible.com/warhorse/cobaltstrike_docker)
8 | 
9 | 
10 |
11 | 
12 |
Installs a Cobalt Strike teamserver as a Docker container on the target host.
14 |
15 | This role is part of the Warhorse Automation Framework. This role can be used with Warhorse or as a standalone role.
16 |
17 | Docker Image
18 | -------------
19 |
20 | [ghcr.io/warhorse/docker-cobaltstrike](https://github.com/warhorse/docker-cobaltstrike)
21 |
22 | Role Variables
23 | --------------
24 |
25 | A list of all the variables can be found in ./defaults/main.yml.
26 |
27 | `cs_dir` - Cobalt Strike container directory
28 |
`cs_ports` - Cobalt Strike container ports (`host:container` mappings; a bare `50050:50050` publishes the teamserver port on every host interface — use a bind address such as `127.0.0.1:50050:50050` or a firewall rule to restrict it to operators)
30 |
31 | `cs_hostname` - Cobalt Strike container hostname
32 |
33 | `cs_container_name` - Cobalt Strike container name
34 |
`cs_key` - Cobalt Strike teamserver license key (REQUIRED)

`cs_password` - Cobalt Strike teamserver password (REQUIRED). Both `cs_key` and `cs_password` are handed to the container as environment variables; keep them in an Ansible Vault-encrypted vars file, never in a plain-text playbook.
38 |
`cs_exp_date` - Cobalt Strike beacon expiration date (REQUIRED)
40 |
41 | `cs_profile_location` - Location of your Cobalt Strike profile file
42 |
`cs_docker_network` - Cobalt Strike container docker network

`cs_docker_image` - Container image to run (defaults to the floating `:master` tag of `ghcr.io/warhorse/docker-cobaltstrike`; pin a tag or digest for reproducible deployments)
44 |
45 |
46 | Dependencies
47 | ------------
48 |
49 | ```shell
50 | ansible-galaxy install geerlingguy.docker geerlingguy.pip
51 | ```
52 |
53 | Install
54 | ------------
55 |
56 | ```shell
57 | ansible-galaxy install warhorse.cobaltstrike_docker
58 | ```
59 |
60 | Example Playbook
61 | ----------------
62 |
63 | ```yaml
64 | - hosts: servers
65 | roles:
66 | - { role: warhorse.cobaltstrike_docker }
67 | ```
68 |
Example Vars
----------------

The values below are placeholders. Treat `cs_key` and `cs_password` as secrets and store them in an Ansible Vault-encrypted vars file rather than in a plain-text playbook.

72 | ```yaml
73 | cs_hostname: "cobaltstrike"
74 | cs_container_name: "cobaltstrike"
75 | cs_key: '000-000-000-000-000'
76 | cs_password: 'Password'
77 | cs_exp_date: '2020-12-20'
78 | cs_profile_location: 'clean.profile.j2'
79 | cs_docker_network: "cobaltstrike"
80 | cs_dir: '/opt/docker/cobaltstrike'
81 | cs_ports:
82 | - "50050:50050"
83 | - "80:80"
84 | - "443:443"
85 | ```
86 |
87 | License
88 | -------
89 |
MIT (see the LICENSE file)
91 |
92 | Author Information
93 | ------------------
94 |
95 | Ralph May
96 |
--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for warhorse.cobaltstrike_docker. Override per host/group; the
# three credential-style values intentionally default to empty strings and
# must be supplied by the operator (ideally from an Ansible Vault file).
cs_hostname: 'cobaltstrike'
cs_container_name: 'cobaltstrike'
cs_key: ''        # teamserver license key (REQUIRED)
cs_password: ''   # teamserver password (REQUIRED)
cs_exp_date: ''   # Beacon expiration date (REQUIRED)
cs_profile: 'malleable'
cs_profile_location: 'clean.profile.j2'

cs_docker_labels: {}
# Floating tag: with pull enabled each run may fetch a different image.
# Pin a tag or digest for reproducible deployments.
cs_docker_image: 'ghcr.io/warhorse/docker-cobaltstrike:master'
cs_docker_network: 'cobaltstrike'
# An optional cs_network_ipam mapping (subnet / gateway / iprange) overrides
# the 172.16.1.0/24 defaults resolved below.
cs_network_ipam_temp: '{{ cs_network_ipam | default({}) }}'
cs_network_ipam_subnet: "{{ cs_network_ipam_temp.subnet | default('172.16.1.0/24') }}"
cs_network_ipam_gateway: "{{ cs_network_ipam_temp.gateway | default('172.16.1.1') }}"
cs_network_ipam_iprange: "{{ cs_network_ipam_temp.iprange | default('172.16.1.0/24') }}"

cs_dir: '/opt/docker/cobaltstrike'
# host:container port mappings. A bare "50050:50050" publishes the teamserver
# port on every host interface; prefix a bind address to restrict it.
cs_ports:
  - '50050:50050'
30 |
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Handlers for warhorse.cobaltstrike_docker.
- name: restart cobaltstrike
  # Notified when the rendered profile changes; restarts the existing
  # container by name (presumably so the teamserver re-reads the profile).
  docker_container:
    name: '{{ cs_container_name }}'
    restart: true
--------------------------------------------------------------------------------
/images/cs_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/warhorse/ansible-role-cobaltstrike-docker/efde7cc481f6c7187b89a70fdabc2fb38645fa5f/images/cs_logo.png
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
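---
galaxy_info:
  role_name: cobaltstrike_docker
  author: warhorse
  description: Installs Cobalt Strike Teamserver in Docker
  company: Warhorse

  issue_tracker_url: https://github.com/warhorse/ansible-role-cobaltstrike-docker/issues

  # Matches the LICENSE file shipped in this repository (MIT); the previous
  # value (BSD-3-Clause) contradicted it.
  license: MIT

  # Quoted so YAML does not parse it as the float 2.1.
  # NOTE(review): 2.1 looks too low for the docker_container / docker_network
  # options used in tasks/ and for the geerlingguy dependencies — confirm.
  min_ansible_version: "2.1"

  platforms:
    - name: Debian
      versions:
        - all
    - name: Ubuntu
      versions:
        - all

  galaxy_tags:
    - security
    - cobaltstrike
    - c2
    - hacking

dependencies:
  - geerlingguy.docker
  - geerlingguy.pip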
30 |
--------------------------------------------------------------------------------
/molecule/default/converge.yml:
--------------------------------------------------------------------------------
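---
# Molecule converge: run the role inside the test instance.
- name: Converge
  hosts: all
  vars:
    # Test-only placeholders for the role's REQUIRED variables (they default
    # to empty strings in defaults/main.yml). Real credentials must never be
    # committed here.
    cs_key: '000-000-000-000-000'
    cs_password: 'molecule-test-only'
    cs_exp_date: '2030-01-01'
  pre_tasks:
    - name: Update apt cache.
      apt:
        update_cache: true
        cache_valid_time: 600
      when: ansible_os_family == 'Debian'

    - name: Wait for systemd to complete initialization.
      command: systemctl is-system-running
      register: systemctl_status
      until: >
        'running' in systemctl_status.stdout or
        'degraded' in systemctl_status.stdout
      retries: 30
      delay: 5
      when: ansible_service_mgr == 'systemd'
      changed_when: false
      # rc 1 means "degraded", which is acceptable in a container.
      failed_when: systemctl_status.rc > 1

  roles:
    - role: warhorse.cobaltstrike_docker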
--------------------------------------------------------------------------------
/molecule/default/molecule.yml:
--------------------------------------------------------------------------------
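---
dependency:
  name: galaxy
driver:
  name: docker
platforms:
  - name: instance
    # MOLECULE_DISTRO is exported per matrix entry by .github/workflows/ci.yml;
    # without interpolation every entry tested the hard-coded ubuntu2004 image.
    image: "geerlingguy/docker-${MOLECULE_DISTRO:-ubuntu2004}-ansible:latest"
    command: ${MOLECULE_DOCKER_COMMAND:-""}
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    # privileged plus the cgroup mount let systemd run in the instance and let
    # the role install Docker inside it. Test-only — never copy this into a
    # production container spec.
    privileged: true
    pre_build_image: true
provisioner:
  name: ansible
scenario:
  name: default
verifier:
  # verify.yml in this scenario is an Ansible playbook and CI installs no
  # testinfra, so the ansible verifier is the one that actually runs it.
  name: ansible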
22 |
--------------------------------------------------------------------------------
/molecule/default/verify.yml:
--------------------------------------------------------------------------------
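---
# Verify playbook for the default scenario: check that the role created the
# teamserver container instead of asserting `true`.

- name: Verify
  hosts: all
  gather_facts: false
  vars:
    # Must match cs_container_name in defaults/main.yml (this play does not
    # see the role's defaults).
    cs_container_name: cobaltstrike
  tasks:
    - name: Inspect the Cobalt Strike container
      # Uses the Docker SDK the role installs via tasks/dependences.yml.
      docker_container_info:
        name: "{{ cs_container_name }}"
      register: cs_container

    - name: Assert the container was created
      # Only existence is asserted: the converge run has no real license key,
      # so the teamserver process inside may not stay up.
      assert:
        that:
          - cs_container.exists
        fail_msg: "container {{ cs_container_name }} was not created by the role"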
11 |
--------------------------------------------------------------------------------
/tasks/cobaltstrike-ag.yml:
--------------------------------------------------------------------------------
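---
# NOTE(review): this file is a byte-for-byte copy of tasks/cobaltstrike.yml
# and is not referenced by tasks/main.yml. Keep the two in sync or remove it.
#
# Deploys the Cobalt Strike teamserver container: data directory, rendered
# Malleable C2 profile, then the container itself.

- name: Ensures cobaltstrike dir exists
  file:
    path: '{{ item }}'
    state: directory
  with_items:
    - '{{ cs_dir }}'
    - '{{ cs_dir }}/profiles'

- name: Adding profile file
  template:
    src: "{{ cs_profile_location }}"
    dest: "{{ cs_dir }}/profiles/{{ cs_profile }}.profile"
    mode: "0600"  # quoted: a bare 0600 is an integer to YAML
  notify:
    - restart cobaltstrike

- name: Cobaltstrike
  docker_container:
    name: "{{ cs_container_name }}"
    image: "{{ cs_docker_image }}"
    # Re-pulls on every run; with the default floating tag this is not
    # reproducible — pin cs_docker_image to a tag or digest.
    pull: true
    state: started
    hostname: "{{ cs_hostname }}"
    restart_policy: unless-stopped
    published_ports: "{{ cs_ports }}"
    labels: '{{ cs_docker_labels }}'
    volumes:
      - "{{ cs_dir }}:/opt/cobaltstrike"
    # License key and password travel as container environment variables,
    # so anyone with access to the Docker socket can read them via inspect.
    env:
      COBALTSTRIKE_KEY: '{{ cs_key }}'
      COBALTSTRIKE_PASS: '{{ cs_password }}'
      COBALTSTRIKE_EXP: '{{ cs_exp_date }}'
      COBALTSTRIKE_PROFILE: '{{ cs_profile }}'
    networks:
      - name: '{{ cs_docker_network }}'
    purge_networks: true
  # Without no_log the env block (key + password) is printed in -v/--diff
  # output and the module result. Set to false only while debugging.
  no_log: true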
--------------------------------------------------------------------------------
/tasks/cobaltstrike.yml:
--------------------------------------------------------------------------------
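---
# Deploys the Cobalt Strike teamserver container: data directory, rendered
# Malleable C2 profile, then the container itself.

- name: Ensures cobaltstrike dir exists
  # No explicit mode: the directory is bind-mounted into the container and the
  # UID the image runs as is not known here, so ownership is left to the
  # default umask. Tighten once the container user is confirmed.
  file:
    path: '{{ item }}'
    state: directory
  with_items:
    - '{{ cs_dir }}'
    - '{{ cs_dir }}/profiles'

- name: Adding profile file
  template:
    src: "{{ cs_profile_location }}"
    dest: "{{ cs_dir }}/profiles/{{ cs_profile }}.profile"
    mode: "0600"  # quoted: a bare 0600 is an integer to YAML
  notify:
    - restart cobaltstrike

- name: Cobaltstrike
  docker_container:
    name: "{{ cs_container_name }}"
    image: "{{ cs_docker_image }}"
    # Re-pulls on every run; with the default floating tag this is not
    # reproducible — pin cs_docker_image to a tag or digest.
    pull: true
    state: started
    hostname: "{{ cs_hostname }}"
    restart_policy: unless-stopped
    published_ports: "{{ cs_ports }}"
    labels: '{{ cs_docker_labels }}'
    volumes:
      - "{{ cs_dir }}:/opt/cobaltstrike"
    # License key and password travel as container environment variables,
    # so anyone with access to the Docker socket can read them via inspect.
    env:
      COBALTSTRIKE_KEY: '{{ cs_key }}'
      COBALTSTRIKE_PASS: '{{ cs_password }}'
      COBALTSTRIKE_EXP: '{{ cs_exp_date }}'
      COBALTSTRIKE_PROFILE: '{{ cs_profile }}'
    networks:
      - name: '{{ cs_docker_network }}'
    purge_networks: true
  # Without no_log the env block (key + password) is printed in -v/--diff
  # output and the module result. Set to false only while debugging.
  no_log: true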
--------------------------------------------------------------------------------
/tasks/dependences.yml:
--------------------------------------------------------------------------------
---
# Host-side prerequisites for the docker_* modules this role uses. Docker
# itself is provided by the geerlingguy.docker dependency (meta/main.yml).
- name: Update apt
  apt:
    update_cache: true

- name: Install pydocker
  # Docker SDK for Python, required by docker_container / docker_network.
  # Unpinned, so the version follows whatever pip resolves at run time.
  pip:
    name: docker
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
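---
# Role entry point: refuse to run without the operator-supplied secrets, then
# install the Docker SDK, create the network and start the teamserver.

- name: Check that required variables are set
  # defaults/main.yml deliberately leaves these empty; without this gate the
  # role would start a teamserver with an empty password and license key.
  assert:
    that:
      - cs_key | string | length > 0
      - cs_password | string | length > 0
      - cs_exp_date | string | length > 0
    fail_msg: >-
      cs_key, cs_password and cs_exp_date are required (see README.md)
    quiet: true

- name: Install Dependances
  include_tasks: dependences.yml

- name: Setup
  include_tasks: setup.yml

- name: Create Containers
  include_tasks: cobaltstrike.yml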
--------------------------------------------------------------------------------
/tasks/setup.yml:
--------------------------------------------------------------------------------
---
# Creates the user-defined bridge network the teamserver container joins.
# NOTE(review): this is the only task in the role that sets become: true; the
# apt/pip/file/docker_container tasks in the other files rely on the play
# already running with sufficient privileges.
- name: 'setup : create cobaltstrike network'
  become: true
  docker_network:
    name: "{{ cs_docker_network }}"
    ipam_config:
      - subnet: "{{ cs_network_ipam_subnet }}"
        gateway: "{{ cs_network_ipam_gateway }}"
        iprange: "{{ cs_network_ipam_iprange }}"
--------------------------------------------------------------------------------
/templates/clean.profile.j2:
--------------------------------------------------------------------------------
1 | #clean template profile - no comments, cleaned up, hopefully easier to build new profiles off of.
2 | #updated with 4.3 options
3 | #xx0hcd
4 |
###Global Options###
# Profile identity, Beacon check-in cadence and the client User-Agent.
# NOTE(review): this template contains no Jinja expressions, so every value
# below is baked in; edit per engagement rather than relying on role vars.
set sample_name "clean.profile";

set sleeptime "37500";
set jitter "33";
# Hard-coded UA string; "AppleWebKit/587.38" is not a real WebKit build.
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36";
set data_jitter "50";

# host_stage "false": the team server does not host stagers — presumably to
# force stageless payloads; confirm against the Cobalt Strike docs.
set host_stage "false";
14 |
###DNS options###
# NOTE(review): these are the public template's stock values (dns_idle
# 8.8.8.8, the .wwwds./.e2867.dsca. labels, d-bx./d-1ax. subhosts). Rotate
# them per engagement; stock values are easy to signature.
dns-beacon {
    # Options moved into 'dns-beacon' group in 4.3:
    set dns_idle "8.8.8.8";
    set dns_max_txt "220";
    set dns_sleep "0";
    set dns_ttl "1";
    set maxdns "255";
    set dns_stager_prepend ".wwwds.";
    set dns_stager_subhost ".e2867.dsca.";

    # DNS subhost override options added in 4.3:
    set beacon "d-bx.";
    set get_A "d-1ax.";
    set get_AAAA "d-4ax.";
    set get_TXT "d-1tx.";
    set put_metadata "d-1mx";
    set put_output "d-1ox.";
    set ns_response "zero";
}
35 |
###SMB options###
# Named-pipe and TCP listener settings. The "##" suffix on pipe names is
# left as in the upstream template — presumably a placeholder the team
# server fills in; confirm before relying on it.
set pipename "ntsvcs##";
set pipename_stager "scerpc##";
set smb_frame_header "";

###TCP options###
set tcp_port "8000";
set tcp_frame_header "";

###SSH options###
# Banner presented by the SSH client agent; hard-coded Ubuntu 18.04 string.
set ssh_banner "Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1065-aws x86_64)";
set ssh_pipename "SearchTextHarvester##";
48 |
###SSL Options###
# Keystore-backed certificate (disabled). If enabled, the .store file and its
# password are secrets: keep them out of the repo (see .gitignore) and out of
# this template, which is rendered to disk in plain text.
#https-certificate {
#set keystore "your_store_file.store";
#set password "your_store_pass";
#}

# Self-signed certificate generated by the team server. The subject is a
# placeholder (CN whatever.com) that does not match any real redirector;
# change it, or switch to the keystore block above, before an engagement.
https-certificate {
    set C "US";
    set CN "whatever.com";
    set L "California";
    set O "whatever LLC.";
    set OU "local.org";
    set ST "CA";
    set validity "365";
}

# Code-signing keystore (disabled); same secret-handling caveat as above.
#code-signer {
#set keystore "your_keystore.jks";
#set password "your_password";
#set alias "server";
#}
70 |
###HTTP-Config Block###
http-config {
    # Only these two response headers are emitted, with Server spoofed as nginx.
    set headers "Server, Content-Type";
    header "Server" "nginx";

    # Client IP is taken from the socket, not X-Forwarded-For; set to "true"
    # only when a trusted redirector sits in front of the team server.
    set trust_x_forwarded_for "false";

    # Requests from common CLI tools are refused outright.
    set block_useragents "curl*,lynx*,wget*";
}

#set headers_remove "image/x-xbitmap, image/pjpeg, application/vnd";
82 |
###HTTP-GET Block###
# Default GET transaction. The Host header is hard-coded to whatever.com and
# the URIs (/login /config /admin) are the template's stock values — both
# should be changed to match the real redirector domain and cover story.
http-get {

    set uri "/login /config /admin";

    #set verb "POST";

    client {

        header "Host" "whatever.com";
        header "Connection" "close";


        # Beacon metadata: base64url-encoded, ".php" appended, sent in the
        # "file" query parameter.
        metadata {
            #base64
            base64url;
            #mask;
            #netbios;
            #netbiosu;
            #prepend "TEST123";
            append ".php";

            parameter "file";
            #header "Cookie";
            #uri-append;

            #print;
        }

        # Decoy parameter; stock value.
        parameter "test1" "test2";
    }

    server {
        #header "Server" "nginx";

        # Tasking is netbios-encoded and wrapped as "content=...\n\n" in the body.
        output {

            netbios;
            #netbiosu;
            #base64;
            #base64url;
            #mask;

            prepend "content=";

            append "\n\n";

            print;
        }
    }
}
134 |
135 | ###HTTP-GET VARIANT###
136 | http-get "variant_name_get" {
137 |
138 | set uri "/uri1 /uri2 /uri3";
139 |
140 | #set verb "POST";
141 |
142 | client {
143 |
144 | header "Host" "whatever.com";
145 | header "Connection" "close";
146 |
147 |
148 | metadata {
149 |
150 | base64url;
151 | append ".php";
152 |
153 | parameter "file";
154 | #header "Cookie";
155 | #uri-append;
156 |
157 | #print;
158 | }
159 |
160 | parameter "test1" "test2";
161 | }
162 |
163 | server {
164 | #header "Server" "nginx";
165 |
166 | output {
167 |
168 | netbios;
169 |
170 | prepend "content=";
171 |
172 | append "\n\n";
213 |
214 | print;
215 | }
216 | }
217 | }
218 |
219 | ###HTTP-POST VARIANT###
220 | http-post "variant_name_post" {
221 |
222 | set uri "/Uri1 /Uri2 /Uri3";
223 | set verb "GET";
224 | #set verb "POST";
225 |
226 | client {
227 |
228 | header "Host" "whatever.com";
229 | header "Connection" "close";
230 |
231 | output {
232 | base64url;
233 | parameter "testParam";
234 | }
235 |
236 | id {
237 | base64url;
238 | parameter "id";
239 |
240 | }
241 | }
242 |
243 | server {
244 | #header "Server" "nginx";
245 |
246 | output {
247 | netbios;
248 |
249 | prepend "content=";
250 |
251 | append "\n\n";
279 | print;
280 | }
281 |
282 | }
283 | }
284 |
285 |
###Malleable PE/Stage Block###
# Reflective-loader / PE header settings for the Beacon DLL.
stage {
    set checksum "0";
    set compile_time "25 Oct 2016 01:57:23";
    set entry_point "170000";
    #set image_size_x86 "6586368";
    #set image_size_x64 "6586368";
    #set name "WWanMM.dll";
    set userwx "false";
    set cleanup "true";
    set sleep_mask "true";
    set stomppe "true";
    set obfuscate "true";
    set rich_header "";

    #new 4.2. options
    #set allocator "HeapAlloc";
    #set magic_mz_x86 "MZRE";
    #set magic_mz_x64 "MZAR";
    #set magic_pe "PE";

    # NOTE(review): sleep_mask is already set above; this duplicate is
    # harmless but should be removed.
    set sleep_mask "true";
    set smartinject "true";

    # Module whose image the Beacon overwrites in memory (module stomping).
    set module_x86 "wwanmm.dll";
    set module_x64 "wwanmm.dll";

    # Strip obvious strings from the reflective DLL before it goes on the wire.
    transform-x86 {
        prepend "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
        strrep "beacon.dll" "";
    }

    transform-x64 {
        prepend "\x90\x90\x90";
        strrep "ReflectiveLoader" "";
        strrep "beacon.x64.dll" "";
    }

    #string "something";
    #data "something";
    stringw "something";
}
329 |
###Process Inject Block###
# How Beacon allocates and executes injected content in other processes.
process-inject {

    set allocator "NtMapViewOfSection";

    set min_alloc "16700";

    set userwx "false";

    set startrwx "true";

    transform-x86 {
        prepend "\x90\x90\x90";
    }
    transform-x64 {
        prepend "\x90\x90\x90";
    }

    # Execution techniques, tried in listed order (per the CS docs — confirm).
    execute {
        #CreateThread;
        #CreateRemoteThread;

        CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";

        SetThreadContext;

        NtQueueApcThread-s;

        #NtQueueApcThread;

        CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";

        RtlCreateUserThread;
    }
}
365 |
###Post-Ex Block###
# Post-exploitation job settings: sacrificial process, in-memory obfuscation
# and AMSI bypass are all enabled as shipped.
post-ex {

    # spawnto targets; both point at gpupdate.exe, a stock template choice.
    set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
    set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";

    set obfuscate "true";

    set smartinject "true";

    set amsi_disable "true";

    #new 4.2 options
    set thread_hint "ntdll.dll!RtlUserThreadStart";
    set pipename "DserNamePipe##";
    set keylogger "SetWindowsHookEx";

}
--------------------------------------------------------------------------------
/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/tests/test.yml:
--------------------------------------------------------------------------------
---
# Local smoke-test playbook. The role is referenced by its checkout directory
# name, so run this from the directory containing the clone.
- name: Test the role against localhost
  hosts: localhost
  remote_user: root
  roles:
    - role: ansible-role-cobaltstrike-docker
6 |
--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ansible-role-cobaltstrike
--------------------------------------------------------------------------------