AceLdr – Cobalt Strike UDRL For Memory Scanner Evasion

A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.  Features Easy to Use Import a single CNA script before generating shellcode. Dynamic Memory Encryption Creates a new heap for any allocations from Beacon and encrypts entries before sleep. Code Obfuscation and Encryption Changes the memory containingRead More

RDPHijack-BOF – Cobalt Strike Beacon Object File (BOF) That Uses WinStationConnect API To Perform Local/Remote RDP Session Hijacking

Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server. To enumerate sessions locally/remotely, you could useRead More

Chisel-Strike – A .NET XOR Encrypted Cobalt Strike Aggressor Implementation For Chisel To Utilize Faster Proxy And Advanced Socks5 Capabilities

A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities. Why write this? In my experience I found socks4/socks4a proxies quite slow in comparison to its socks5 counterparts and a lack of implementation of socks5 in most C2 frameworks. There is a C# wrapper around the goRead More

C2concealer – Command Line Tool That Generates Randomized C2 Malleable Profiles For Use In Cobalt Strike

C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike. Installation chmod u+x Building Docker image docker build -t C2concealer . Running with Docker docker container run -it -v <cobalt_strike_location>:/usr/share/cobaltstrike/ C2concealer –hostname –variant 3 Example Usage Usage: $ C2concealer –hostname –variant 3Flags: (optional) –hostname TheRead More

LDAPFragger – Command And Control Tool That Enables Attackers To Route Cobalt Strike Beacon Data Over LDAP

LDAPFragger is a Command and Control tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes. For background information, read the release blog: Dependencies and installation Compiled with .NET 4.0, but may work with older and newer .NET frameworks as well Usage Active Directory domain –ldaps: Use LDAPS insteadRead More

CobaltBus – Cobalt Strike External C2 Integration With Azure Servicebus, C2 Traffic Via Azure Servicebus

Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus Setup Create an Azure Service Bus Create a Shared access policy (Connection string) that can only Send and Listen Edit the static connectionString variable in Beacon C# projects to match the “Primary Connection String” value for the Shared access policy created inRead More

StayKit – Cobalt Strike Kit For Persistence

StayKit is an extension for Cobalt Strike persistence by leveraging the execute_assembly function with the SharpStay .NET assembly. The aggressor script handles payload creation by reading the template files for a specific execution type. IMPORTANT: To use the script a user will only need to load the StayKit.cna aggressor script. Additionally, the SharpStay assembly willRead More

Registry-Recon – Cobalt Strike Aggressor Script That Performs System/AV/EDR Recon

Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon. Author: Jess Hires Description As a red-team practitioner, we are often using tools that attempt to fingerprint details about a compromised system, preferably in the most stealthy way possible. Some of our usual tooling for this started getting flagged by EDR products, due to the use ofRead More

Melting-Cobalt – A Cobalt Strike Scanner That Retrieves Detected Team Server Beacons Into A JSON Object

A tool to hunt/mine for Cobalt Strike beacons and “reduce” their beacon configuration for later indexing. Hunts can either be expansive and internet wide using services like SecurityTrails, Shodan, or ZoomEye or a list of IP’s. Getting started Install melting-cobalt Configure your tokens to begin the hunt Mine Beacons to begin reducing them Review resultsRead More

FindObjects-BOF – A Cobalt Strike Beacon Object File (BOF) Project Which Uses Direct System Calls To Enumerate Processes For Specific Loaded Modules Or Process Handles

A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles. What is this repository for? Use direct systems calls within Beacon Object files to enumerate processes for specific loaded modules (e.g. winhttp.dll, amsi.dll or clr.dll). Use direct systems calls within Beacon Object filesRead More