[must read] [link\git-repo - collections] Все что вы должны знать про Cobalt Strike.

[KAJIT]

cobaltstrike的相关资源汇总 / List of Awesome CobaltStrike Resources
[ https://github.com/zer0yu/Awesome-CobaltStrike ]

Contents​

• 0x00 Introduction
• 0x01 Articles & Videos
  • 1. Basic Knowledge
  • 2. Crack and Customisation
  • 3. Useful Trick
  • 4. CobaltStrike Hide
  • 5. CobaltStrike Analysis
  • 6. CobaltStrike Video
• 0x02 C2 Profiles
• 0x03 BOF
• 0x04 Aggressor Script
• 0x05 Related Tools
• 0x06 Related Resources

0x00 Introduction​

1. The first part is a collection of quality articles about CobaltStrike
2. The third part is about the integration of the new features BOF resources
3. This project is to solve the problem of not finding the right aggressor script or BOF when it is needed
4. If there is quality content that is not covered in this repo, welcome to submit pr

0x01 Articles & Videos​

1. Basic Knowledge​

1. Cobalt_Strike_wiki
2. Cobalt Strike Book
3. CobaltStrike4.0笔记
4. CobaltStrike相关网络文章集合
5. Cobalt Strike 外部 C2 之原理篇
6. Cobalt Strike 桌面控制问题的解决（以及屏幕截图等后渗透工具）
7. Cobalt Strike & MetaSploit 联动
8. Cobalt-Strike-CheatSheet
9. Cobalt Strike MITRE TTPs
10. Red Team Operations with Cobalt Strike (2019)

2. Crack and Customisation​

1. IntelliJ-IDEA修改cobaltstrike
2. CobaltStrike二次开发环境准备
3. Cobal Strike 自定义OneLiner
4. 通过反射DLL注入来构建后渗透模块（第一课）
5. Cobalt Strike Aggressor Script （第一课）
6. Cobalt Strike Aggressor Script （第二课）
7. Implementing Syscalls In The Cobaltstrike Artifact Kit
8. Cobalt Strike 4.0 认证及修补过程
9. 使用ReflectiveDLLInjection武装你的CobaltStrike
10. Bypass cobaltstrike beacon config scan
11. Tailoring Cobalt Strike on Target
12. COFFLOADER: BUILDING YOUR OWN IN MEMORY LOADER OR HOW TO RUN BOFS
13. Yet Another Cobalt Strike Stager: GUID Edition
14. Cobalt Strike4.3 破解日记
15. Cobalt Strike 进程创建与对应的 Syslog 日志分析

3. Useful Trick​

1. Cobalt Strike Spear Phish
2. run CS in win -- teamserver.bat
3. Remote NTLM relaying through CS -- related to CVE_2018_8581
4. Cobalt Strike Convet VPN
5. 渗透神器CS3.14搭建使用及流量分析
6. CobaltStrike生成免杀shellcode
7. CS-notes--一系列CS的使用技巧笔记
8. 使用 Cobalt Strike 对 Linux 主机进行后渗透
9. Cobalt Strike Listener with Proxy
10. Cobalt Strike Convet VPN
11. CS 4.0 SMB Beacon
12. Cobalt Strike 浏览器跳板攻击
13. Cobalt Strike 中 Bypass UAC
14. 一起探索Cobalt Strike的ExternalC2框架
15. 深入探索Cobalt Strike的ExternalC2框架
16. Cobalt Strike的特殊功能（external_C2）探究
17. A tale of .NET assemblies, cobalt strike size constraints, and reflection
18. AppDomain.AssemblyResolve
19. 从webshell建立代理上线不出网的内网机器
20. 在Cobalt Strike BOF中进行直接系统调用
21. Using Direct Syscalls in Cobalt Strike's Artifact Kit
22. Cobalt Strike Staging and Extracting Configuration Information

4. CobaltStrike Hide​

1. CobaltStrike证书修改躲避流量审查
2. CS 合法证书 + Powershell 上线
3. Cobalt Strike 团队服务器隐匿
4. 红队基础建设:隐藏你的C2 server
5. Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite
6. 深入研究cobalt strike malleable C2配置文件
7. A Brave New World: Malleable C2
8. How to Write Malleable C2 Profiles for Cobalt Strike
9. Randomized Malleable C2 Profiles Made Easy
10. 关于CobaltStrike的Stager被扫问题
11. Beacon Stager listener 去特征
12. 检测与隐藏Cobaltstrike服务器
13. 记一次cs bypass卡巴斯基内存查杀
14. Cobalt Strike – Bypassing C2 Network Detections

5. CobaltStrike Analysis​

1. Volatility Plugin for Detecting Cobalt Strike Beacon. blog|Toolset
2. 逆向分析Cobalt Strike安装后门
3. 分析cobaltstrike c2 协议
4. Small tool to decrypt a Cobalt Strike auth file
5. Cobalt Strike 的 ExternalC2
6. Detecting Cobalt Strike Default Modules via Named Pipe Analysis
7. 浅析CobaltStrike Beacon Staging Server扫描
8. Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
9. Analyzing Cobalt Strike for Fun and Profit
10. Cobalt Strike Remote Threads detection
11. The art and science of detecting Cobalt Strike
12. A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers
13. How to detect Cobalt Strike activities in memory forensics
14. Detecting Cobalt Strike by Fingerprinting Imageload Events
15. The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
16. CobaltStrike - beacon.dll : Your No Ordinary MZ Header
17. GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic
18. Detecting Cobalt Strike beacons in NetFlow data
19. Volatility Plugin for Detecting Cobalt Strike Beacon
20. Easily Identify Malicious Servers on the Internet with JARM
21. Cobalt Strike Beacon Analysis
22. Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
23. Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
24. Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs
25. Identifying Cobalt Strike team servers in the wild
26. Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
27. Operation Cobalt Kitty
28. Detecting and Advancing In-Memory .NET Tradecraft
29. Analysing Fileless Malware: Cobalt Strike Beacon
30. IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
31. Cobalt Group Returns To Kazakhstan
32. Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
33. Azure Sentinel Quick-Deploy with Cyb3rWard0g’s Sentinel To-Go – Let’s Catch Cobalt Strike!
34. Cobalt Strike stagers used by FIN6
35. Malleable C2 Profiles and You
36. C2 Traffic patterns including Cobalt Strike
37. Cobalt Strike DNS Direct Egress Not That Far Away
38. Detecting Exposed Cobalt Strike DNS Redirectors
39. Example of Cleartext Cobalt Strike Traffic
40. Cobaltstrike-Beacons analyzed
41. 通过DNS协议探测Cobalt Strike服务器
42. Detecting Cobalt Strike with memory signatures
43. CobaltStrike通信中host字段的获取

6. CobaltStrike Video​

1. Malleable Memory Indicators with Cobalt Strike's Beacon Payload
2. STAR Webcast: Spooky RYUKy: The Return of UNC1878
3. Excel 4.0 Macros Analysis - Cobalt Strike Shellcode Injection
4. Profiling And Detecting All Things SSL With JA3

0x02 C2 Profiles​

Type​	Name​	Description​
ALL​	Malleable-C2-Profiles​	Official Malleable C2 Profiles​
ALL​	Malleable-C2-Randomizer​	This script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage​
ALL​	malleable-c2​	Cobalt Strike Malleable C2 Design and Reference Guide​
ALL​	C2concealer​	C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.​
ALL​	MalleableC2-Profiles​	A collection of Cobalt Strike Malleable C2 profiles. now have Windows Updates Profile​
ALL​	pyMalleableC2​	A Python interpreter for Cobalt Strike Malleable C2 profiles that allows you to parse, modify, build them programmatically and validate syntax.​
ALL​	1135-CobaltStrike-ToolKit​	Cobalt Strike的Malleable C2配置文件，被设计用来对抗流量分析​

0x03 BOF​

Type​	Name​	Description​
ALL​	BOF_Collection​	Various Cobalt Strike BOFs​
ALL​	Situational Awareness BOF​	Its larger goal is providing a code example and workflow for others to begin making more BOF files. Blog​
ALL​	bof_helper​	Beacon Object File (BOF) Creation Helper​
ALL​	BOF-DLL-Inject​	BOF DLL Inject is a custom Beacon Object File that uses manual map DLL injection in order to migrate a dll into a process all from memory.​
ALL​	cobaltstrike_bofs​	BOF spawns a process of your choice under a specified parent, and injects a provided shellcode file via QueueUserAPC().​
ALL​	BOF-RegSave​	Beacon Object File(BOF) for CobaltStrike that will acquire the necessary privileges and dump SAM - SYSTEM - SECURITY registry keys for offline parsing and hash extraction.​
ALL​	CobaltStrike BOF​	DCOM Lateral Movement; WMI Lateral Movement - Win32_Process Create; WMI Lateral Movement - Event Subscription​
ALL​	BOFs​	ETW Patching; API Function Utility; Syscalls Shellcode Injection​
Dev​	bof​	This is a template project for building Cobalt Strike BOFs in Visual Studio.​
Dev​	BOF.NET​	A .NET Runtime for Cobalt Strike's Beacon Object Files.​
Dev​	beacon-object-file​	The format, described by Mudge here, asks that the operator construct an COFF file using a mingw-w64 compiler or the msvc compiler that holds an symbol name indicating its entrypoint, and underlying function calls.​
Dev​	InlineWhispers​	Demonstrate the ability to easily use syscalls using inline assembly in BOFs.​
Dev​	WdToggle​	A Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Credential Guard (if enabled).​
Dev​	Situational Awareness BOF​	This Repo intends to serve two purposes. First it provides a nice set of basic situational awareness commands implemented in BOF. This allows you to perform some checks on a host before you begin executing commands that may be more invasive.​
Dev​	MiniDumpWriteDump​	Custom implementation of DbgHelp's MiniDumpWriteDump function. Uses static syscalls to replace low-level functions like NtReadVirtualMemory.​
Dev​	COFF Loader​	This is a quick and dirty COFF loader (AKA Beacon Object Files). Currently can run un-modified BOF's so it can be used for testing without a CS agent running it. The only exception is that the injection related beacon compatibility functions are just empty.​
Auxiliary​	EnumCLR.c​	Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates.​
Auxiliary​	FindObjects-BOF​	A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles.​
Auxiliary​	ChromeKeyDump​	BOF implementation of Chlonium tool to dump Chrome Masterkey and download Cookie/Login Data files​
Auxiliary​	Sleeper​	BOF to call the SetThreadExecutionState function to prevent host from Sleeping​
Auxiliary​	LSASS​	Beacon Object File to dump Lsass memory by obtaining a snapshot handle. Does MiniDumpWriteDump/NtReadVirtualMemory on SnapShot of LSASS instad of original LSASS itself hence evades some AV/EDR.​
Auxiliary​	getsystem​	get system by duplicating winlogon's token.​
Auxiliary​	Silent Lsass Dump​	Silent Lsass Dump​
Auxiliary​	unhook-bof​	This is a Beacon Object File to refresh DLLs and remove their hooks.​
Auxiliary​	Beacon Health Check Aggressor Script​	This aggressor script uses a beacon's note field to indicate the health status of a beacon.​
Auxiliary​	Registry BOF​	A beacon object file for use with cobalt strike v4.1+. Supports querying, adding, and deleting keys/values of local and remote registries.​
Auxiliary​	InlineExecute-Assembly​	InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module​
Auxiliary​	CredBandit​	CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel. The memory dump is done by using NTFS transactions which allows us to write the dump to memory and the MiniDumpWriteDump API has been replaced with an adaptation of ReactOS's implementation of MiniDumpWriteDump.​
Auxiliary​	Inject AMSI Bypass​	Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.​
Exploit​	CVE-2020-0796-BOF​	SMBGhost LPE​
Exploit​	ZeroLogon-BOF​	ZeroLogon​
Persistence​	SPAWN​	Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.​

 

[KAJIT]

0x04 Aggressor Script​

Type​	Name​	Description​
BypassAV​	BypassAV​	用于快速生成免杀的可执行文件​
BypassAV​	scrun​	BypassAV ShellCode Loader (Cobaltstrike/Metasploit) Useage​
BypassAV​	beacon-c2-go​	beacon-c2-go (Cobaltstrike/Metasploit)​
BypassAV​	C--Shellcode​	python ShellCode Loader (Cobaltstrike&Metasploit) Useage​
BypassAV​	Doge-Loader​	Cobalt Strike Shellcode Loader by Golang​
BypassAV​	CS-Loader​	CS免杀,包括python版和C版本的​
BypassAV​	CSSG​	Cobalt Strike Shellcode Generator. Generates beacon stageless shellcode with exposed exit method, additional formatting, encryption, encoding, compression, multiline output, etc​
BypassAV​	Alaris​	Alaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTP’s that help protect the malware and it’s execution flow.​
BypassAV​	CarbonMonoxide​	EDR Evasion - Combination of SwampThing - TikiTorch​
BypassAV​	bypassAV-1​	条件触发式远控 VT 6/70 免杀国内杀软及defender、卡巴斯基等主流杀软.​
BypassAV​	ScareCrow​	ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls).​
BypassAV​	Dent​	A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.​
BypassAV​	PEzor​	Open-Source PE Packer.​
BypassAV​	FuckThatPacker​	A simple python packer to easily bypass Windows Defender​
BypassAV​	goShellCodeByPassVT​	Go编译-race参数实现VT全免杀​
BypassAV​	HouQing​	Advanced AV Evasion Tool For Red Team Ops​
BypassAV​	DesertFox​	使用Golang实现免杀加载CobaltStrike和Metasploit的shellcode，目前免杀火绒、Avast、腾讯安全管家、360全家桶等主机安全软件。​
BypassUAC​	UAC-SilentClean​	This project implements a DLL planting technique to bypass UAC Always Notify and execute code in a high integrity process.​
BypassUAC​	csload.net​	A cobaltStrike Shellcode loader, can bypass most of AV​
Recon​	red-team-scripts​	perform some rudimentary Windows host enumeration with Beacon built-in commands​
Recon​	aggressor-powerview​	All functions listed in the PowerView about page are included in this with all arguments for each function. PowerView​
Recon​	PowerView3-Aggressor​	PowerView Aggressor Script for CobaltStrike PowerView​
Recon​	AggressorScripts​	Sharphound-Aggressor- A user menu for the SharpHound ingestor​
Recon​	ServerScan​	内网横向信息收集的高并发网络扫描、服务探测工具。​
Recon​	TailorScan​	端口扫描+探测网卡+ms17010探测​
Recon​	AggressiveProxy​	LetMeOutSharp will try to enumerate all available proxy configurations and try to communicate with the Cobalt Strike server over HTTP(s) using the identified proxy configurations.​
Recon​	Spray-AD​	A Cobalt Strike tool to audit Active Directory user accounts for weak, well known or easy guessable passwords.​
Recon​	Ladon​	Ladon一款用于大型网络渗透的多线程插件化综合扫描神器，含端口扫描、服务识别、网络资产、密码爆破、高危漏洞检测以及一键GetShell，支持批量A段/B段/C段以及跨网段扫描，支持URL、主机、域名列表扫描。​
Recon​	Ladon for Cobalt Strike​	Ladon for Cobalt Strike(巨龙拉冬套件)​
Recon​	Recon-AD​	Recon-AD, an AD recon tool based on ADSI and reflective DLL’s​
Exploit​	XSS-Fishing2-CS​	鱼儿在cs上线后自动收杆 / Automatically stop fishing in javascript after the fish is hooked​
Exploit​	XSS-Phishing​	xss钓鱼，cna插件配合php后端收杆​
Exploit​	custom_payload_generator​	CobaltStrike3.0+ --> creates various payloads for Cobalt Strike's Beacon. Current payload formats​
Exploit​	CrossC2​	CrossC2 framework - Generator CobaltStrike's cross-platform beacon​
Exploit​	GECC​	Go External C2 Client implementation for cobalt strike.​
Exploit​	Cobaltstrike-MS17-010​	ms17-010 exploit tool and scanner.​
Exploit​	AES-PowerShellCode​	Standalone version of my AES Powershell payload for Cobalt Strike.​
Exploit​	SweetPotato_CS​	CobaltStrike4.x --> SweetPotato​
Exploit​	ElevateKit​	privilege escalation exploits​
Exploit​	CVE-2018-4878​	CVE-2018-4878​
Exploit​	Aggressor-Scripts​	The only current public is UACBypass, whose readme can be found inside its associated folder.​
Exploit​	CVE_2020_0796_CNA​	基于ReflectiveDLLInjection实现的本地提权漏洞​
Exploit​	DDEAutoCS​	setup our stage(d) Web Delivery attack​
Exploit​	geacon​	Implement CobaltStrike's Beacon in Go (can be used in Linux)​
Exploit​	SpoolSystem​	SpoolSystem is a CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges.​
Persistence​	persistence-aggressor-script​	persistence-aggressor-script​
Persistence​	Peinject_dll​	弃用winexec函数，使用shellexecute函数，程序流不在卡顿，达到真正的无感。​
Persistence​	TikiTorch​	TikiTorch follows the same concept(CACTUSTORCH) but has multiple types of process injection available, which can be specified by the user at compile time.​
Persistence​	CACTUSTORCH​	A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.​
Persistence​	UploadAndRunFrp​	上传frpc并且运行frpc​
Persistence​	persistence-aggressor-script​	Persistence Aggressor Script​
Persistence​	AggressiveGadgetToJScript​	Automate the generation of payloads using the GadgetToJScript technique.​
Persistence​	FrpProPlugin​	frp0.33修改版,过流量检测,免杀,支持加载远程配置文件可用于cs直接使用的插件​
Persistence​	Automatic-permission-maintenance​	CobaltStrike 上线自动权限维持插件​
Persistence​	cobalt-strike-persistence​	使用者通过cobalt strike生成Web Delivery类型的payload，然后加载此脚本可以到达自启动效果​
Persistence​	Cobalt_Strike_CNA​	使用多种WinAPI进行权限维持的CobaltStrike脚本，包含API设置系统服务，设置计划任务，管理用户等。​
Auxiliary​	generate-rotating-beacon​	1. Generate a beacon for a given listener; 2. Host the file at a specified location;3. Monitor the weblog for fetching of the specified location;​
Auxiliary​	ScareCrow-CobaltStrike​	A Cobalt Strike script for ScareCrow payload generation. Works with all Loaders.​
Auxiliary​	AggressorScripts​	CreateTicket; Seatbelt; SharpHound​
Auxiliary​	SharpeningCobaltStrike​	In realtime compiling of dotnet v35/v40 exe/dll binaries + obfuscation with ConfuserEx on your linux cobalt strike server.​
Auxiliary​	CS_Mail_Tip​	Cobalt Strike主机上线邮件提醒插件​
Auxiliary​	Cobaltstrike-atexec​	利用任务计划进行横向，需要与135端口、445端口进行通信​
Auxiliary​	Sharp-HackBrowserData​	C#的HackBrowserData工具，方便在cs中直接内存加载​
Auxiliary​	HackBrowserData​	HackBrowserData的反射模块​
Auxiliary​	cobalt_sync​	Standalone Cobalt Strike Operation Logging Aggressor script for Ghostwriter 2.0+​
Auxiliary​	samdump​	Cobalt Strike samdump​
Auxiliary​	SharpeningCobaltStrike​	In realtime compiling of dotnet v35/v40 exe/dll binaries + obfuscation with ConfuserEx on your linux cobalt strike server.​
Auxiliary​	SharpCompile​	SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime.​
Auxiliary​	Quickrundown​	Utilizing QRD will allow an operator to quickly characterize what processes are both known and unknown on a host through the use of colors and notes about the processes displayed.​
Auxiliary​	NetUser​	This tool achieves "net user" in Window API. I made this to be used with Cobalt Strike's execute-assembly，所以可以内存加载添加用户​
Auxiliary​	FileSearch​	C++枚举磁盘列表、遍历指定盘搜索特定类型文件包括反射DLL版本。​
Auxiliary​	Phant0m_cobaltstrike​	This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.​
Auxiliary​	NoPowerShell​	NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms.​
Auxiliary​	EventLogMaster​	RDP EventLog Master​
Auxiliary​	ANGRYPUPPY​	Bloodhound Attack Path Execution for Cobalt Strike​
Auxiliary​	CobaltStrike_Script_Wechat_Push​	上线微信提醒的插件,通过微信Server酱提醒​
​	​	​
​	​	​

​

 

[KAJIT]

Auxiliary​	CobaltStrike_Script_Wechat_Push​	上线微信提醒的插件,通过微信Server酱提醒​
Auxiliary​	CS-Aggressor-Scripts​	slack and webhooks reminder​
Auxiliary​	Aggressor-Scripts​	surveying of powershell on targets (在对应的目标上检测powershell的相关信息)​
Auxiliary​	cs-magik​	Implements an events channel and job queue using Redis for Cobalt Strike.​
Auxiliary​	AggressorScripts​	查看进程的时候讲av进程标注为红色​
Auxiliary​	Beaconator​	Beaconator is an aggressor script for Cobalt Strike used to generate a raw stageless shellcode and packing the generated shellcode using PEzor.​
Auxiliary​	Raven​	CobaltStrike External C2 for Websockets​
Auxiliary​	CobaltStrikeParser​	Python parser for CobaltStrike Beacon's configuration​
Auxiliary​	fakelogonscreen​	FakeLogonScreen is a utility to fake the Windows logon screen in order to obtain the user's password.​
Auxiliary​	SyncDog​	Make bloodhound sync with cobaltstrike.​
Auxiliary​	360SafeBrowsergetpass​	一键辅助抓取360安全浏览器密码的CobaltStrike脚本，通过下载浏览器数据库、记录密钥来离线解密浏览器密码。​
Auxiliary​	SharpDecryptPwd​	对密码已保存在 Windwos 系统上的部分程序进行解析,包括：Navicat,TeamViewer,FileZilla,WinSCP,Xmangager系列产品（Xshell,Xftp)。​
Auxiliary​	List-GitHubAssembly​	Fetch a list of avaialble artifacts from the configured GitHub repo.​
Auxiliary​	ExecuteAssembly​	ExecuteAssembly is an alternative of CS execute-assembly, built with C/C++ and it can be used to Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR Modules/AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs via superfasthash hashing algorithm.​
Auxiliary​	aggrokatz​	aggrokatz is an Aggressor plugin extension for CobaltStrike which enables pypykatz to interface with the beacons remotely.​
Auxiliary​	Zipper​	This CobaltStrike tool allows Red teams to compress files and folders from local and UNC paths. This could be useful in situations where large files or folders need to be exfiltrated. After compressing a file or folder a random named zipfile is created within the user temp folder.​
Auxiliary​	CobaltStrike Helpmsg CNA​	This cna contains error messages for Win32 error codes, HRESULT defintions, and NTSTATUS definitions. This cna can be helpful for those operating out of linux/mac clients without access to the net.exe program, or as a quick way to looking hresult/ntstatus codes without having to do a google search.​
Synthesis​	Erebus​	CobaltStrike4.x --> Erebus CobaltStrike后渗透测试插件​
Synthesis​	CSplugins​	CobaltStrike后渗透测试插件集合​
Synthesis​	Cobalt-Strike-Aggressor-Scripts​	CobaltStrike后渗透测试插件集合 Usage​
Synthesis​	AggressorScripts​	Aggressor scripts for use with Cobalt Strike 3.0+​
Synthesis​	RedTeamTools​	RedTeamTools for use with Cobalt Strike​
Synthesis​	cobalt-arsenal​	Aggressor Scripts for Cobalt Strike 4.0+​
Synthesis​	MoveKit​	The aggressor script handles payload creation by reading the template files for a specific execution type. intro​
Synthesis​	StayKit​	The aggressor script handles payload creation by reading the template files for a specific execution type. intro​
Synthesis​	AggressorScripts​	AggressorScripts​
Synthesis​	AggressorScripts​	Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources​
Synthesis​	AggressorScripts​	AggressorScripts​
Synthesis​	Aggressor-VYSEC​	Contains a bunch of CobaltStrike Aggressor Scripts​
Synthesis​	AggressorAssessor​	AggressorAssessor​
Synthesis​	AggressorAssessor​	AggressorAssessor​
Synthesis​	aggressor-scripts​	Collection of Cobalt Strike Aggressor Scripts​
Synthesis​	梼杌​	基于cobalt strike平台的红队自动化框架​
Synthesis​	Aggressor-scripts​	This is just a random collection of Aggressor Scripts I've written for Cobalt Strike 3.x. (其中有一个debug脚本比较好用)​
Synthesis​	Aggressor-Script​	Collection of Aggressor Scripts for Cobalt Strike(主要包含了提权和权限维持脚本)​
Synthesis​	Aggressor-Script​	Aggressor Script, Kit, Malleable C2 Profiles, External C2 and so on​
Synthesis​	aggressor_scripts_collection​	Collection of various aggressor scripts for Cobalt Strike from awesome people. Will be sure to update this repo with credit to each person.​
Synthesis​	CobaltStrike-ToolKit​	googlesearch.profile and script related to AD.​
Synthesis​	Arsenal​	Cobalt Strike 3.13 Arsenal Kit​
Synthesis​	cobalt-arsenal​	My collection of battle-tested Aggressor Scripts for Cobalt Strike 4.0+​
Synthesis​	aggressor_scripts​	A collection of useful scripts for Cobalt Strike.(powershell.cna;bot.cna;dcom_lateral_movement.cna;ElevateKit)​
Synthesis​	aggressor​	creating tunnels with netsh; changed default to bit.ly redirect to mcdonalds;using powershell to kill parent process;​
Synthesis​	CobaltStrikeCNA​	A collection of scripts - from various sources - see script for more info.​
Synthesis​	AggressorScripts​	Highlights selected processes from the ps command in beacon;Loads various aliases into beacon;sets a few defaults for scripts to be used later..​
Synthesis​	AggressorAssessor​	从C2生成到横向移动的全辅助脚本套件​
Synthesis​	AggressorCollection​	Collection of awesome Cobalt Strike Aggressor Scripts. All credit due to the authors​
Synthesis​	Cobaltstrike-Aggressor-Scripts-Collection​	The collection of tested cobaltstrike aggressor scripts.​
Synthesis​	aggressorScripts​	CobaltStrike AggressorScripts for the lazy​
Synthesis​	cobalt_strike_extension_kit​	集成了SharpHound,SharpRDP,SharpWMI等在内的各种内网工具，使用AggressorScripts构建workflow​
Synthesis​	cobaltstrike​	具备域管理员定位、域信息收集、权限维持、内网扫描、数据库hash dump、Everything内网搜索文件等功能的插件集合​
Synthesis​	365CobaltStrike​	兼容CobaltStrike4.0的插件集合​
Synthesis​	Cobalt-Strike​	内容有横向移动、密码抓取、权限提升、权限维持等,尽可能将内网渗透中常用到的东西整理一下,方便使用​
Synthesis​	CSPlugins​	一个对Cobaltstrike第三方插件进行收集的项目，持续更新。​
Synthesis​	CobaltStrike-xor​	third-party --> vnc_x86_dll and vnc_x64_dll​
Synthesis​	Z1-AggressorScripts​	适用于Cobalt Strike 3.x & 4.x 的内网渗透插件集合​
Synthesis​	csplugin​	导入PowerView脚本，和常见的功能使用​
Synthesis​	CSplugins​	涉及工作目录、信息收集、凭据获取、权限维持、权限提升、用户相关、RDP相关、防火墙相关、域渗透、powershell相关、内网穿透、内网探测、远程文件下载、痕迹清除的综合型插件系统​
Synthesis​	SharpUtils​	A collection of C# utilities intended to be used with Cobalt Strike's execute-assembly.​
Synthesis​	SharpToolsAggressor​	内网渗透中常用的c#程序整合成cs脚本，直接内存加载。持续更新~​
Synthesis​	C.Ex​	CobaltStrike Plugin to start and utilize Cobalt Strike (locally or remotely) from within Sifter​

 

[KAJIT]

0x05 Related Tools​

Type​	Name​	Description​
AntiCobaltStrike​	cobaltstrike_brute​	Cobalt Strike Team Server Password Brute Forcer​
AntiCobaltStrike​	CobaltStrikeScan​	Scan files or process memory for Cobalt Strike beacons and parse their configuration.​
AntiCobaltStrike​	grab_beacon_config​	Simple PoC script to scan and acquire CobaltStrike Beacon configurations.​
AntiCobaltStrike​	C2-JARM​	通过ssl实现所产生的JARM hash来识别不同的c2，例如CobaltStrike​
AntiCobaltStrike​	JARM​	JARM fingerprints scanner​
AntiCobaltStrike​	DetectCobaltStomp​	A quick(and perhaps dirty!) PoC tool to detect Module Stomping as implemented by Cobalt Strike with moderate to high confidence​
AntiCobaltStrike​	cobaltstrike​	Code and yara rules to detect and analyze Cobalt Strike​
AntiCobaltStrike​	CS_Decrypt​	解密可以帮助你理解cs beacon通信原理，但注意密钥是在本地teamserver中​
AntiCobaltStrike​	CS Scripts​	parse_beacon_keys.py 对 .cobaltstrike.beacon_keys 文件的解析工具​
AntiCobaltStrike​	PyBeacon​	A collection of scripts for dealing with Cobalt Strike beacons in Python Resources​
AntiCobaltStrike​	cobaltstrikescan​	Detecting CobaltStrike for Volatility​
AntiCobaltStrike​	CobaltStrikeForensic​	Toolset for research malware and Cobalt Strike beacons​
AntiCobaltStrike​	DuckMemoryScan​	A simple tool to find backdoors including but not limited to iis hijacking, fileless Trojan, bypass AV shellcode.​
AntiCobaltStrike​	CobaltSplunk Splunk Application​	CobaltSplunk is a Splunk Application that knows how to 1) ingest Cobalt Strike related logs and parse them properly, 2) display useful operational dashboards, 3) display relevant reports.​
AntiCobaltStrike​	BeaconHunter​	Behavior based monitoring and hunting tool built in C# tool leveraging ETW tracing. Blue teamers can use this tool to detect and respond to potential Cobalt Strike beacons. Red teamers can use this tool to research ETW bypasses and discover new processes that behave like beacons.​
AntiCobaltStrike​	CobaltStrikeDetected​	40行代码检测到大部分CobaltStrike的shellcode​
Anti-AntiCobaltStrike​	bypass-beacon-config-scan​	Bypass cobaltstrike beacon config scan for 4.1​
BypassAV​	Cooolis-ms​	Cooolis-ms是一个包含了Metasploit Payload Loader、Cobalt Strike External C2 Loader、Reflective DLL injection的代码执行工具，它的定位在于能够在静态查杀上规避一些我们将要执行且含有特征的代码，帮助红队人员更方便快捷的从Web容器环境切换到C2环境进一步进行工作。​
BypassAV​	UrbanBishopLocal​	A port of FuzzySecurity's UrbanBishop project for inline shellcode execution.​
BypassAV​	SecondaryDevCobaltStrike​	CobaltStrike after second development, can bypass Kaspersky, Norton, McAfee, etc.​
BypassAV​	CrossNet-Beta​	In the red team operation, the phishing executable file is generated by using the white utilization, to bypass AV and automatically judging the network environment. can bypass 360 and huorong​
BypassAV​	EVA​	FUD shellcode Injector​
BypassAV​	BypassAV​	用golang来打包生成后门，具备一定的免杀能力​
Analysis​	Beacon​	Open Source Cobalt Strike Beacon. Unreleased, in research stages​
Analysis​	Linco2​	模拟Cobalt Strike的Beacon与C2通信过程，实现了基于HTTP协议的Linux C2，客户端可以通过curl就能下发Beacon任务。​
Analysis​	beacon-object-files​	This repository contains miscellaneous examples of Cobalt Strike Beacon object file extensions.​
Auxiliary​	C2ReverseProxy​	When you encounter a non-networked environment during penetration, you can use this tool to establish a reverse proxy channel so that the beacons generated by CobaltStrike can bounce back to the CobaltStrike server.​
Auxiliary​	Cobalt strike custom 404 page​	You can find the CS service through 404 pages.​
Auxiliary​	StageStrike​	A custom Cobalt Strike stager written in C.. is how the project started.​
Auxiliary​	CS_SSLGen​	sslgen will install a letsencrypt certificate and create a Cobalt Strike keystore from it.​
Auxiliary​	CobaltPatch​	Cobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers​
Auxiliary​	pycobalt​	Cobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers.​
Auxiliary​	redshell​	An interactive command prompt that executes commands through proxychains and automatically logs them on a Cobalt Strike team server.​
Auxiliary​	CobaltStrikeToGhostWriter​	Log converter from CS logs to a CSV in Ghostwriter's operation log format.​
Auxiliary​	Ansible-Cobalt-Strike​	An Ansible role to install cobalt-strike on debian based architectures, let's be honest it's for kali.​
Auxiliary​	cobaltstrike_runtimeconfig​	A POC showing how to modify Cobalt Strike beacon at runtime​
Auxiliary​	pystinger​	Pystinger implements SOCK4 proxy and port mapping through webshell. It can be directly used by cobalt strike for session online.​
Auxiliary​	ansible-role-cobalt-strike​	An Ansible role for installing Cobalt Strike.​
Auxiliary​	CrossNet​	In the red team operation, the phishing executable file is generated by using the white utilization, avoiding killing and automatically judging the network environment.​
Auxiliary​	BypassAddUser​	Bypass AV to add users​
Synthesis​	redi​	Automated script for setting up CobaltStrike redirectors (nginx reverse proxy, letsencrypt)​
Synthesis​	cs2modrewrite​	Automatically Generate Rulesets for Apache mod_rewrite or Nginx for Intelligent HTTP C2 Redirection​
Synthesis​	RedWarden​	Flexible CobaltStrike Malleable Redirector​
Synthesis​	Apache Mod_Rewrite Terrafrom Automation​	Bash scripts that take variables from the user and then call terraform scripts to automate standing up apache2 with mod_rewrite in front of C2 servers. Right now, this repo supports standing up redirectors in Linode or Digital Ocean, and I have different scripts for standing up http redirectors versus https redirectors. Since the mod_rewrite redirector setup scripts use a user agent value and optionally a bearer token, these redirectors are not C2 dependent and can work for any C2 that uses http or https.​
Synthesis​	Red-EC2​	Deploy RedTeam Specific EC2 via ansible.​
Synthesis​	Rapid Attack Infrastructure​	Red Team Infrastructure... Quick... Fast... Simplified.​
Synthesis​	RedCommander​	Creates two Cobalt Strike C2 servers (DNS and HTTPS), with redirectors, and RedELK in Amazon AWS. Minimal setup required! Companion Blog here​
Synthesis​	CobaltPatch​	Cobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers​
Synthesis​	CPLResourceRunner​	Run shellcode(Cobalt Strike) from resource​
Dev​	vscode-language-aggressor​	This is a Visual Studio Code (VSC) extension that aims to provide: An implement of the Sleep and Cobalt Strike (CS) Aggressor grammar; and The definition of Cobalt Strike functions' prototype​
Dev​	PayloadAutomation​	Payload Automation is a collection of Python classes for automating payload development, testing, opsec checking, and deployment with Cobalt Strike.​
Crack​	CSAgent​	CobaltStrike 4.x通用白嫖及汉化加载器，采用javaagent+javassist的方式动态修改jar包，可直接加载原版cobaltstrike.jar，理论上支持到目前为止的所有4.x版本​

0x06 Related Resources​

Type​	Name​	Description​
DATA​	SilasCutler JARM Scan CobaltStrike Beacon Config.json​	SilasCutler JARM Scan CobaltStrike Beacon Config​
DATA​	Cobalt Strike hashes​	This page shows some basic information the Yara rule CobaltStrike including corresponding malware samples.​
DATA​	List of Cobalt Strike servers​	List of Cobalt Strike servers​
DATA​	CobaltStrike samples pass=infected​	CobaltStrike samples​
DATA​	List of spawns from exposed Cobalt Strike C2​	List of spawns from exposed Cobalt Strike C2​
DATA​	C2IntelFeeds​	Automatically created C2 Feeds based of Censys​
YARA​	apt_cobaltstrike​	Cobalt Strike Yara​
YARA​	apt_cobaltstrike_evasive​	Cobalt Strike Yara​
YARA​	rules​	Cobalt Strike Yara​
Rules​	suricata-rules​	Suricata IDS rules used to detect the red team penetration/malicious behavior, support testing CobaltStrike/MSF/Empire/DNS tunnels/Weevely scorpion/mining/rebound/kitchen/ice shell/ICMP tunnel, etc​

 

[DreamLords]

можно ж было просто линкануть на гитхаб

 

[Snam]

ORCA666 нормальный типок "был" (

4ego bil ??

 

[KAJIT]

ORCA666 нормальный типок "был" (

RIP. Общались. Хорошоий парняга и хороший спец был

...и с юмор у него все было как надо)

можно ж было просто линкануть на гитхаб

бро если б ты парсил гит видел бы с какой скоростью боты гита трут выложеные эксплоиты. Иногда репо не живет и 5секунд.
да - это не эксплоиты, но решил так сохранить

 

[r1z]

RIP. We talked. Good guy and good specialist was
Посмотреть вложение 27750
... and with humor everything was as it should be)


Bro, if you parsed the git, you would see at what speed the bots of the gita rub the laid out exploits. Sometimes the repo doesn't live even 5 seconds.
yes - these are not exploits, but I decided to keep it this way

LOL

 

[blacrabbit]

List of Awesome CobaltStrike Resources - Penetration Testing Tools, ML and Linux Tutorials

Awesome CobaltStrike 0x00 Introduction The first part is a collection of quality articles about CobaltStrike The third part is about the integration of the

reconshell.com

 

[zverovod]

https://zer0daylab.com/conti_gang/5.Cobalt%20Strike.rar

тут сам кобальт если кому нужно

 

[TheWinnieThePooh1337]

Damn bruh, this is some good stuff