A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect. Features Easy to Use Import a single CNA script before generating shellcode. Dynamic Memory Encryption Creates a new heap for any allocations from Beacon and encrypts entries before sleep. Code Obfuscation and Encryption Changes the memory containingRead More
Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server. To enumerate sessions locally/remotely, you could useRead More
A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities. Why write this? In my experience I found socks4/socks4a proxies quite slow in comparison to its socks5 counterparts and a lack of implementation of socks5 in most C2 frameworks. There is a C# wrapper around the goRead More
C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike. Installation chmod u+x install.sh./install.sh Building Docker image docker build -t C2concealer . Running with Docker docker container run -it -v <cobalt_strike_location>:/usr/share/cobaltstrike/ C2concealer –hostname google.com –variant 3 Example Usage Usage: $ C2concealer –hostname google.com –variant 3Flags: (optional) –hostname TheRead More
LDAPFragger is a Command and Control tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes. For background information, read the release blog: http://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes Dependencies and installation Compiled with .NET 4.0, but may work with older and newer .NET frameworks as well Usage Active Directory domain –ldaps: Use LDAPS insteadRead More
Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus Setup Create an Azure Service Bus Create a Shared access policy (Connection string) that can only Send and Listen Edit the static connectionString variable in Beacon C# projects to match the “Primary Connection String” value for the Shared access policy created inRead More
StayKit is an extension for Cobalt Strike persistence by leveraging the execute_assembly function with the SharpStay .NET assembly. The aggressor script handles payload creation by reading the template files for a specific execution type. IMPORTANT: To use the script a user will only need to load the StayKit.cna aggressor script. Additionally, the SharpStay assembly willRead More
Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon. Author: Jess Hires Description As a red-team practitioner, we are often using tools that attempt to fingerprint details about a compromised system, preferably in the most stealthy way possible. Some of our usual tooling for this started getting flagged by EDR products, due to the use ofRead More
A tool to hunt/mine for Cobalt Strike beacons and “reduce” their beacon configuration for later indexing. Hunts can either be expansive and internet wide using services like SecurityTrails, Shodan, or ZoomEye or a list of IP’s. Getting started Install melting-cobalt Configure your tokens to begin the hunt Mine Beacons to begin reducing them Review resultsRead More
A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles. What is this repository for? Use direct systems calls within Beacon Object files to enumerate processes for specific loaded modules (e.g. winhttp.dll, amsi.dll or clr.dll). Use direct systems calls within Beacon Object filesRead More
