C2concealer – Command Line Tool That Generates Randomized C2 Malleable Profiles For Use In Cobalt Strike

C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
Installation
chmod u+x install.sh
./install.sh
Building Docker image
docker build -t C2concealer .
(Docker rejects uppercase repository names, so tag the image c2concealer when you build it and use that name in the run command below.)
Running with Docker
docker container run -it -v <cobalt_strike_location>:/usr/share/cobaltstrike/ C2concealer --hostname google.com --variant 3
Example Usage
Usage: $ C2concealer --hostname google.com --variant 3
Flags: (optional) --hostname The Read More

LDAPFragger – Command And Control Tool That Enables Attackers To Route Cobalt Strike Beacon Data Over LDAP

LDAPFragger is a Command and Control tool that enables attackers to route Cobalt Strike beacon data over LDAP using user attributes. For background information, read the release blog: http://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes
Dependencies and installation
Compiled with .NET 4.0, but may work with older and newer .NET frameworks as well.
Usage
Active Directory domain
--ldaps: Use LDAPS instead Read More
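The channel idea in the entry above, as an added illustration that is not LDAPFragger's own code: beacon data is cut into fragments, each written as a value of a directory attribute, and the other side polls the attribute and rebuilds the message. A dict stands in for the LDAP directory, and the attribute name, the 64-byte chunk size and the "session:seq:total:base64" framing are assumptions made for this example, not the tool's format.

```python
import base64
import random

# Assumed framing for this illustration: each attribute value carries
# "<session>:<seq>:<total>:<base64 chunk>". The attribute name and chunk size
# are choices made here, not LDAPFragger's.
ATTRIBUTE = "fragChannel"
CHUNK_SIZE = 64


def fragment(session_id, payload, chunk_size=CHUNK_SIZE):
    """Split a payload into sequenced, base64-encoded fragments."""
    parts = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)] or [b""]
    total = len(parts)
    return [f"{session_id}:{seq}:{total}:{base64.b64encode(p).decode()}"
            for seq, p in enumerate(parts)]


def reassemble(fragments):
    """Rebuild the payload from fragments that may arrive in any order.

    Refuses to mix sessions and refuses to return a partial message, which is
    the check a receiver polling an attribute must make before acting on data.
    """
    by_seq, session, total = {}, None, None
    for frag in fragments:
        sid, seq, tot, data = frag.split(":", 3)   # base64 never contains ':'
        sid, seq, tot = int(sid), int(seq), int(tot)
        if session is None:
            session, total = sid, tot
        elif (sid, tot) != (session, total):
            raise ValueError("fragment belongs to a different session")
        by_seq[seq] = base64.b64decode(data)
    if session is None or set(by_seq) != set(range(total)):
        raise ValueError("incomplete message")
    return b"".join(by_seq[i] for i in range(total))


# A dict stands in for the directory: DN -> attribute name -> list of values.
def write_fragments(directory, dn, session_id, payload):
    """Sender side: append all fragments to the object's attribute."""
    frags = fragment(session_id, payload)
    random.shuffle(frags)                        # simulate out-of-order writes
    directory.setdefault(dn, {}).setdefault(ATTRIBUTE, []).extend(frags)
    return len(frags)


def read_message(directory, dn):
    """Receiver side: drain the attribute and rebuild the message."""
    values = directory[dn].pop(ATTRIBUTE, [])
    return reassemble(values)


if __name__ == "__main__":
    directory = {}                               # constructed stand-in directory
    dn = "CN=svc-sync,OU=Service,DC=corp,DC=example"
    msg = b"beacon-task:" + bytes(range(256))    # constructed sample payload
    n = write_fragments(directory, dn, 7, msg)
    assert read_message(directory, dn) == msg
    print(f"{n} fragments round-tripped through {ATTRIBUTE}")
```

For a defender the interesting part is the shape this leaves behind: many short, high-entropy writes to one attribute of one object, which is exactly what directory change auditing can be tuned to surface.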

CobaltBus – Cobalt Strike External C2 Integration With Azure Servicebus, C2 Traffic Via Azure Servicebus

Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus.
Setup
Create an Azure Service Bus.
Create a Shared access policy (Connection string) that can only Send and Listen.
Edit the static connectionString variable in the Beacon C# projects to match the "Primary Connection String" value for the Shared access policy created in Read More
(The connection string is compiled into the beacon, so treat it as a secret that anyone who recovers the implant can read; the Send/Listen-only policy limits what they can do with it.)

StayKit – Cobalt Strike Kit For Persistence

StayKit is an extension for Cobalt Strike persistence by leveraging the execute_assembly function with the SharpStay .NET assembly. The aggressor script handles payload creation by reading the template files for a specific execution type. IMPORTANT: To use the script a user will only need to load the StayKit.cna aggressor script. Additionally, the SharpStay assembly will Read More

Registry-Recon – Cobalt Strike Aggressor Script That Performs System/AV/EDR Recon

Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon.
Author: Jess Hires
Description
As red-team practitioners, we often use tools that attempt to fingerprint details about a compromised system, preferably in the most stealthy way possible. Some of our usual tooling for this started getting flagged by EDR products, due to the use of Read More

Melting-Cobalt – A Cobalt Strike Scanner That Retrieves Detected Team Server Beacons Into A JSON Object

A tool to hunt/mine for Cobalt Strike beacons and "reduce" their beacon configuration for later indexing. Hunts can either be expansive and internet-wide, using services like SecurityTrails, Shodan, or ZoomEye, or run against a list of IPs.
Getting started
Install melting-cobalt
Configure your tokens to begin the hunt
Mine beacons to begin reducing them
Review results Read More
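What "reducing" a beacon configuration involves, as an added example that is not Melting-Cobalt's own code: the config embedded in a beacon is a sequence of TLV settings (2-byte index, 2-byte type, 2-byte length, value) obfuscated with a single-byte XOR key, and the first setting decodes to the fixed prefix 00 01 00 01 00 02. The parser below locates that prefix, walks the entries, and collapses them to the few fields worth indexing plus a stable fingerprint. The setting-index names are the commonly documented subset; the sample blob, the host cdn.example.com, the URI and the user-agent are constructed test data.

```python
import hashlib
import struct

# Single-byte XOR keys seen on beacon configs (0x2e on 4.x, 0x69 on 3.x) and the
# decoded prefix of the first setting: index 1 (BeaconType), type 1 (short), length 2.
XOR_KEYS = (0x2E, 0x69)
MARKER = b"\x00\x01\x00\x01\x00\x02"

# Subset of the setting indices used in beacon configs.
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
                 5: "Jitter", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
                 14: "SpawnTo", 15: "PipeName"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def parse_config(blob):
    """Find and decode the TLV-encoded beacon config inside an XOR-obfuscated blob."""
    for key in XOR_KEYS:
        data = bytes(b ^ key for b in blob)
        pos = data.find(MARKER)
        if pos != -1:
            break
    else:
        raise ValueError("no beacon config marker under any known key")
    settings = {}
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        if idx == 0:                       # terminator entry
            break
        raw = data[pos + 6:pos + 6 + length]
        if typ == 1:
            value = struct.unpack(">H", raw)[0]
        elif typ == 2:
            value = struct.unpack(">I", raw)[0]
        else:                              # type 3: fixed-size, NUL-padded data
            value = raw.rstrip(b"\x00")
        settings[SETTING_NAMES.get(idx, f"Setting{idx}")] = value
        pos += 6 + length
    return settings


def reduce_config(settings):
    """Collapse a parsed config to the fields worth indexing, plus a fingerprint."""
    c2 = settings.get("C2Server", b"").decode("latin-1")
    host, _, get_uri = c2.partition(",")      # C2Server is "host,uri"
    reduced = {
        "beacon_type": BEACON_TYPES.get(settings.get("BeaconType"), "unknown"),
        "port": settings.get("Port"),
        "sleep_ms": settings.get("SleepTime"),
        "jitter_pct": settings.get("Jitter"),
        "c2_host": host,
        "c2_get_uri": get_uri,
        "user_agent": settings.get("UserAgent", b"").decode("latin-1"),
    }
    # Same profile on two servers gives the same fingerprint, which is what
    # makes later indexing and clustering of hunt results possible.
    reduced["fingerprint"] = hashlib.sha256(
        repr(sorted(reduced.items())).encode()).hexdigest()[:16]
    return reduced


def _setting(idx, typ, value, padded_len=None):
    """Encode one TLV entry (helper for constructing sample data)."""
    if typ == 1:
        raw = struct.pack(">H", value)
    elif typ == 2:
        raw = struct.pack(">I", value)
    else:
        raw = value.ljust(padded_len, b"\x00")
    return struct.pack(">HHH", idx, typ, len(raw)) + raw


def build_sample(key=0x2E):
    """Constructed stand-in for a beacon's config region; all values are illustrative."""
    cfg = (_setting(1, 1, 8) + _setting(2, 1, 443) + _setting(3, 2, 60000)
           + _setting(5, 1, 20)
           + _setting(8, 3, b"cdn.example.com,/jquery-3.3.1.min.js", 256)
           + _setting(9, 3, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)", 128)
           + struct.pack(">HHH", 0, 0, 0))
    return bytes(b ^ key for b in b"PADDING" + cfg + b"TRAIL")


if __name__ == "__main__":
    import json
    print(json.dumps(reduce_config(parse_config(build_sample())), indent=2))
```

Real beacons carry more settings than the subset named here, and newer versions add entries this parser will simply label Setting<n>; the point is the TLV walk and the reduction, not a complete field table.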

FindObjects-BOF – A Cobalt Strike Beacon Object File (BOF) Project Which Uses Direct System Calls To Enumerate Processes For Specific Loaded Modules Or Process Handles

A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles.
What is this repository for?
Use direct system calls within Beacon Object Files to enumerate processes for specific loaded modules (e.g. winhttp.dll, amsi.dll or clr.dll).
Use direct system calls within Beacon Object Files Read More

Aggrokatz – An Aggressor Plugin Extension For Cobalt Strike Which Enables Pypykatz To Interface With The Beacons Remotely

aggrokatz is an Aggressor plugin extension for Cobalt Strike which enables pypykatz to interface with the beacons remotely. The current version of aggrokatz allows pypykatz to parse LSASS dump files and Registry hive files to extract credentials and other secrets stored there, without downloading the file and without uploading any suspicious code to the beacon (Cobalt Strike Read More

MoveKit – Cobalt Strike Kit For Lateral Movement

MoveKit is an extension of the built-in Cobalt Strike lateral movement, leveraging the execute_assembly function with the SharpMove and SharpRDP .NET assemblies. The aggressor script handles payload creation by reading the template files for a specific execution type. IMPORTANT: To use the script a user will only need to load the MoveKit.cna aggressor script Read More

AzureC2Relay – An Azure Function That Validates And Relays Cobalt Strike Beacon Traffic By Verifying The Incoming Requests Based On A Cobalt Strike Malleable C2 Profile

AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying incoming requests against a Cobalt Strike Malleable C2 profile. Any incoming request that does not match the profile's user-agent, URI paths, headers, and query parameters is redirected to a configurable decoy website. The validated C2 traffic is Read More
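The validation step described above, as an added example written in Python rather than the project's own C# Azure Function code: the relay keeps the elements a malleable profile fixes (user-agent, per-verb URI, headers, query parameter names), checks each incoming request against them, and sends anything that fails to the decoy. The profile values, the team server and decoy URLs, and the three sample requests are all constructed for this illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Illustrative rules in the shape a malleable profile provides: user-agent,
# per-verb URI, client headers and query parameters. Values are made up.
PROFILE = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "GET": {"uri": "/api/v2/status",
            "headers": {"Host": "cdn.example.com", "Accept": "*/*"},
            "params": {"sid"}},
    "POST": {"uri": "/api/v2/submit",
             "headers": {"Host": "cdn.example.com",
                         "Content-Type": "application/octet-stream"},
             "params": {"id"}},
}
TEAMSERVER = "https://teamserver.internal.example"   # assumed upstream
DECOY = "https://www.example.com/"                   # assumed decoy site


def parse_request(raw):
    """Minimal parser for a raw HTTP/1.1 request string."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": parse_qs(parts.query),
            "headers": headers, "body": body}


def validate(req):
    """Every profile element must match; the first mismatch is reported."""
    rules = PROFILE.get(req["method"])
    if rules is None:
        return False, "method not in profile"
    if req["headers"].get("user-agent") != PROFILE["user_agent"]:
        return False, "user-agent mismatch"
    if req["path"] != rules["uri"]:
        return False, "uri mismatch"
    for name, expected in rules["headers"].items():
        if req["headers"].get(name.lower()) != expected:
            return False, f"header {name} mismatch"
    missing = rules["params"] - set(req["query"])
    if missing:
        return False, f"missing query params: {sorted(missing)}"
    return True, "ok"


def route(raw):
    """Return (destination, reason): team server for valid traffic, decoy otherwise."""
    ok, reason = validate(parse_request(raw))
    return (TEAMSERVER if ok else DECOY), reason


# Constructed sample requests: a conforming beacon check-in, a scanner with the
# wrong user-agent, and a probe that knows the user-agent but not the query.
BEACON_GET = ("GET /api/v2/status?sid=8f3c HTTP/1.1\r\n"
              "Host: cdn.example.com\r\n"
              "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
              "Accept: */*\r\n\r\n")
SCANNER_GET = BEACON_GET.replace(PROFILE["user_agent"], "curl/8.0.1")
PROBE_GET = BEACON_GET.replace("/api/v2/status?sid=8f3c", "/api/v2/status")

if __name__ == "__main__":
    for name, raw in (("beacon", BEACON_GET), ("scanner", SCANNER_GET), ("probe", PROBE_GET)):
        print(name, "->", route(raw))
```

Because the decision is all-or-nothing on the full set of profile elements, a scanner that guesses the URI still lands on the decoy unless it also reproduces the user-agent, the headers and the query shape the profile dictates.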
