Awesome CobaltStrike

Contents

0x00 Introduction

  1. The first part is a collection of quality articles about CobaltStrike
  2. The third part collects resources for the newer BOF (Beacon Object File) feature
  3. This project exists so that the right Aggressor script or BOF can be found when it is needed
  4. If quality content is missing from this repo, pull requests are welcome

0x01 Articles & Videos

1. Basic Knowledge

  1. Cobalt_Strike_wiki
  2. Cobalt Strike Book
  3. CobaltStrike 4.0 Notes
  4. Collection of online articles about CobaltStrike
  5. Cobalt Strike External C2: how it works
  6. Fixing Cobalt Strike desktop control problems (and post-exploitation tools such as screenshots)
  7. Cobalt Strike & Metasploit integration
  9. Cobalt Strike MITRE TTPs
  10. Red Team Operations with Cobalt Strike (2019)
  11. Cobalt Strike: Overview
  12. CobaltStrike plugin development
  13. Cobalt Strike Chinese Wiki

2. Cracking and Customisation

  1. Modifying Cobalt Strike with IntelliJ IDEA
  2. Setting up a CobaltStrike secondary development environment
  3. Cobalt Strike custom OneLiner
  4. Building post-exploitation modules with reflective DLL injection (Lesson 1)
  5. Cobalt Strike Aggressor Script (Lesson 1)
  6. Cobalt Strike Aggressor Script (Lesson 2)
  7. Implementing Syscalls In The Cobaltstrike Artifact Kit
  8. Cobalt Strike 4.0 authentication and patching process
  9. Arming your CobaltStrike with ReflectiveDLLInjection
  10. Bypass cobaltstrike beacon config scan
  11. Tailoring Cobalt Strike on Target
  12. COFFLoader: Building Your Own In-Memory Loader, or How to Run BOFs
  13. Yet Another Cobalt Strike Stager: GUID Edition
  14. Cobalt Strike 4.3 cracking diary
  15. Cobalt Strike process creation and the corresponding Syslog log analysis
  16. Behind the Mask: Spoofing Call Stacks Dynamically with Timers

3. Useful Tricks

  1. Cobalt Strike Spear Phish
  2. Running CS on Windows -- teamserver.bat
  3. Remote NTLM relaying through CS -- related to CVE-2018-8581
  4. Cobalt Strike Covert VPN
  5. Setting up and using CS 3.14, with traffic analysis
  6. Generating AV-evading shellcode with CobaltStrike
  7. CS-notes -- a series of notes on CS usage tricks
  8. Post-exploitation of Linux hosts with Cobalt Strike
  9. Cobalt Strike Listener with Proxy
  10. Cobalt Strike Covert VPN
  11. CS 4.0 SMB Beacon
  12. Cobalt Strike browser pivoting
  13. Bypassing UAC in Cobalt Strike
  14. Exploring Cobalt Strike's ExternalC2 framework
  15. A deeper look at Cobalt Strike's ExternalC2 framework
  16. Investigating Cobalt Strike's external_C2 feature
  17. A tale of .NET assemblies, cobalt strike size constraints, and reflection
  18. AppDomain.AssemblyResolve
  19. Using a webshell to set up a proxy so internal hosts without internet access can check in
  20. Direct system calls in Cobalt Strike BOFs
  21. Using Direct Syscalls in Cobalt Strike's Artifact Kit
  22. Cobalt Strike Staging and Extracting Configuration Information
  23. Create a proxy DLL with artifact kit
  24. Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
  25. Lateral Movement with LiquidSnake
  26. CoffLoader from OtterHacker

4. Hiding CobaltStrike

  1. Modifying CobaltStrike certificates to evade traffic inspection
  2. CS with a legitimate certificate + PowerShell check-in
  3. Hiding the Cobalt Strike team server
  4. Red team infrastructure: hiding your C2 server
  5. Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite
  6. A deep dive into Cobalt Strike Malleable C2 profiles
  7. A Brave New World: Malleable C2
  8. How to Write Malleable C2 Profiles for Cobalt Strike
  9. Randomized Malleable C2 Profiles Made Easy
  10. On CobaltStrike Stagers being scanned
  11. Removing fingerprints from the Beacon Stager listener
  12. Detecting and hiding Cobalt Strike servers
  13. Bypassing Kaspersky memory scanning with CS: a case study
  14. Bypassing Kaspersky memory scanning with CS, part 2
  15. Cobalt Strike – Bypassing C2 Network Detections
  16. Hiding Cobalt Strike fingerprints
  17. Cobalt Strike anti-attribution: CDN
  18. Unleashing the Unseen: Harnessing the Power of Cobalt Strike Profiles for EDR Evasion

5. CobaltStrike Analysis

  1. Volatility Plugin for Detecting Cobalt Strike Beacon (blog | toolset)
  2. Reverse analysis of a backdoored Cobalt Strike installation
  3. Analysis of the cobaltstrike C2 protocol
  4. Small tool to decrypt a Cobalt Strike auth file
  5. Cobalt Strike's ExternalC2
  6. Detecting Cobalt Strike Default Modules via Named Pipe Analysis
  7. A brief analysis of CobaltStrike Beacon Staging Server scanning
  8. Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
  9. Analyzing Cobalt Strike for Fun and Profit
  10. Cobalt Strike Remote Threads detection
  11. The art and science of detecting Cobalt Strike
  12. A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers
  13. How to detect Cobalt Strike activities in memory forensics
  14. Detecting Cobalt Strike by Fingerprinting Imageload Events
  15. The Anatomy of an APT Attack and CobaltStrike Beacon's Encoded Configuration
  16. CobaltStrike - beacon.dll : Your No Ordinary MZ Header
  17. GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic
  18. Detecting Cobalt Strike beacons in NetFlow data
  19. Volatility Plugin for Detecting Cobalt Strike Beacon
  20. Easily Identify Malicious Servers on the Internet with JARM
  21. Cobalt Strike Beacon Analysis
  22. Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
  23. Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
  24. Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs
  25. Identifying Cobalt Strike team servers in the wild
  26. Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
  27. Operation Cobalt Kitty
  28. Detecting and Advancing In-Memory .NET Tradecraft
  29. Analysing Fileless Malware: Cobalt Strike Beacon
  30. IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
  31. Cobalt Group Returns To Kazakhstan
  32. Azure Sentinel Quick-Deploy with Cyb3rWard0g's Sentinel To-Go – Let's Catch Cobalt Strike!
  33. Cobalt Strike stagers used by FIN6
  34. Malleable C2 Profiles and You
  35. C2 Traffic patterns including Cobalt Strike
  36. Cobalt Strike DNS Direct Egress Not That Far Away
  37. Detecting Exposed Cobalt Strike DNS Redirectors
  38. Example of Cleartext Cobalt Strike Traffic
  39. Cobaltstrike-Beacons analyzed
  40. Detecting Cobalt Strike servers over DNS
  41. Detecting Cobalt Strike with memory signatures
  42. Obtaining the Host field in CobaltStrike communications
  43. Fighting back against CobaltStrike (1): passing off fakes as real
  44. Analysis of a minor vulnerability in a certain C2: is your CS safe?
  45. Cobalt Strike Beacon Analysis from a Live C2
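
Several of the analysis entries above (the encoded-configuration write-up, the staging/configuration extraction article, the memory-signature and Volatility detectors) rest on the same property of Beacon: its settings live in a TLV table that is XOR-encoded with a single byte (0x69 in 3.x builds, 0x2e in 4.x builds), so the encoded header of the first entry is a stable byte pattern that can be scanned for. The script below is an added example written for this page; it is not code from any of the listed projects. It builds a constructed sample blob with hypothetical values, finds the encoded table in it and decodes the settings an analyst checks first. The index-to-name map is deliberately partial, and the sample C2 hostname and watermark are made up.

```python
import struct

# Added example: locate and decode a Beacon configuration block.
# Beacon's settings are a TLV table XOR-encoded with one byte: 0x69 in 3.x
# builds, 0x2e in 4.x builds.  Each entry is
#   index (2 bytes, big-endian) | type (2 bytes) | length (2 bytes) | value
# where type 1 is a 2-byte short, 2 a 4-byte int and 3 raw bytes; an index of
# zero terminates the table.  Scanners look for the encoded first entry
# (index 1, type 1, length 2) and decode from there.
XOR_KEYS = (0x2E, 0x69)

# Indices an analyst checks first (index -> name); intentionally partial.
SETTING_NAMES = {
    1: "payload_type", 2: "port", 3: "sleep_ms", 4: "max_get_size",
    5: "jitter", 7: "public_key", 8: "c2_server", 9: "user_agent",
    10: "http_post_uri", 37: "watermark",
}


def _signature(key):
    """Encoded bytes of the entry header 'index=1 type=1 length=2'."""
    return bytes(b ^ key for b in b"\x00\x01\x00\x01\x00\x02")


def find_config(blob):
    """Return (offset, key) of the first candidate config block, or None."""
    for key in XOR_KEYS:
        off = blob.find(_signature(key))
        if off != -1:
            return off, key
    return None


def parse_config(encoded, key):
    """XOR-decode and walk the TLV table until the zero entry."""
    data = bytes(b ^ key for b in encoded)
    settings, pos = {}, 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        if idx == 0:
            break
        pos += 6
        value = data[pos:pos + length]
        pos += length
        if typ == 1 and length == 2:
            val = struct.unpack(">H", value)[0]
        elif typ == 2 and length == 4:
            val = struct.unpack(">I", value)[0]
        else:
            val = value.rstrip(b"\x00")  # strings are NUL-padded to a fixed size
        settings[SETTING_NAMES.get(idx, f"setting_{idx}")] = val
    return settings


def extract_beacon_config(blob):
    """Scan a dumped image or memory region and return its settings, or None."""
    hit = find_config(blob)
    if hit is None:
        return None
    off, key = hit
    return parse_config(blob[off:], key)


def _entry(idx, typ, value):
    return struct.pack(">HHH", idx, typ, len(value)) + value


def build_sample(key=0x2E):
    """Constructed test blob with hypothetical values; not a real payload."""
    plain = b"".join([
        _entry(1, 1, struct.pack(">H", 8)),        # 8 = HTTPS beacon
        _entry(2, 1, struct.pack(">H", 443)),
        _entry(3, 2, struct.pack(">I", 60000)),
        _entry(5, 1, struct.pack(">H", 20)),
        _entry(8, 3, b"cdn.example.invalid,/jquery-3.3.1.min.js".ljust(256, b"\x00")),
        _entry(9, 3, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)".ljust(128, b"\x00")),
        _entry(37, 2, struct.pack(">I", 0x12345678)),
    ]) + b"\x00" * 6
    return b"MZ\x90\x00" + b"\x00" * 40 + bytes(b ^ key for b in plain) + b"\xcc" * 8


if __name__ == "__main__":
    for name, val in extract_beacon_config(build_sample()).items():
        print(f"{name:14} {val!r}")
```

The same scan-then-decode logic applies to a process dump or a decoded stager payload; the only thing that changes between 3.x and 4.x samples is which key matches, which is why both are tried.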

6. CobaltStrike Video

  1. Malleable Memory Indicators with Cobalt Strike's Beacon Payload
  2. STAR Webcast: Spooky RYUKy: The Return of UNC1878
  3. Excel 4.0 Macros Analysis - Cobalt Strike Shellcode Injection
  4. Profiling And Detecting All Things SSL With JA3

0x02 C2 Profiles

Type | Name | Description
ALL | Malleable-C2-Profiles | Official Malleable C2 Profiles
ALL | Malleable-C2-Randomizer | This script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage
ALL | malleable-c2 | Cobalt Strike Malleable C2 Design and Reference Guide
ALL | Malleable-C2-Profiles | A collection of profiles used in Cobalt Strike and Empire's Malleable C2 Listener.
ALL | random_c2_profile | Random C2 Profile Generator
ALL | SourcePoint | SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion.
ALL | C2concealer | C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
ALL | MalleableC2-Profiles | A collection of Cobalt Strike Malleable C2 profiles; now includes a Windows Update profile.
ALL | MalleableC2-Profiles | Cobalt Strike - Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike.
ALL | pyMalleableC2 | A Python interpreter for Cobalt Strike Malleable C2 profiles that allows you to parse, modify and build them programmatically and validate syntax.
ALL | 1135-CobaltStrike-ToolKit | Cobalt Strike Malleable C2 profiles designed to resist traffic analysis.
ALL | service_cobaltstrike | CobaltStrike profile
ALL | CobaltNotion | A spin-off research project. Cobalt Strike x Notion collab 2022.
ALL | Burp2Malleable | This is a quick python utility I wrote to turn HTTP requests from Burp Suite into Cobalt Strike Malleable C2 profiles.
ALL | autoRebind | Automatically parse Malleable C2 profiles into CrossC2 rebinding library source code
ALL | goMalleable | Malleable C2 profile parser and assembler written in Go
ALL | Malleable-CS-Profiles | A list of Python tools to help create an OPSEC-safe Cobalt Strike profile.

0x03 BOF

Type | Name | Description
ALL | BOF_Collection | Various Cobalt Strike BOFs
ALL | cobaltstrike-bof-toolset | A collection of BOF tools used with Cobalt Strike, gathered from around the web.
ALL | Situational Awareness BOF | Its larger goal is providing a code example and workflow for others to begin making more BOF files. Blog
ALL | bof_helper | Beacon Object File (BOF) Creation Helper
ALL | BOF-DLL-Inject | BOF DLL Inject is a custom Beacon Object File that uses manual map DLL injection in order to migrate a DLL into a process, all from memory.
ALL | cobaltstrike_bofs | BOF that spawns a process of your choice under a specified parent and injects a provided shellcode file via QueueUserAPC().
ALL | BOF-RegSave | Beacon Object File (BOF) for CobaltStrike that will acquire the necessary privileges and dump the SAM, SYSTEM and SECURITY registry keys for offline parsing and hash extraction.
ALL | CobaltStrike BOF | DCOM Lateral Movement; WMI Lateral Movement - Win32_Process Create; WMI Lateral Movement - Event Subscription
ALL | BOFs | ETW Patching; API Function Utility; Syscalls Shellcode Injection
ALL | Remote Operations BOF | This repo serves as an addition to our previously released SA Repo. Our original stance was that we would not release our tooling that modified other systems, and we would only provide information gathering tooling in a ready to go format.
ALL | OperatorsKit | This repository contains a collection of tools that integrate with Cobalt Strike through Beacon Object Files (BOFs).
Dev | bof | This is a template project for building Cobalt Strike BOFs in Visual Studio.
Dev | Needle_Sift_BOF | strstr with user-supplied needle and filename as a BOF.
Dev | Quser-BOF | Beacon Object File implementation of quser using the Windows API
Dev | BOF.NET | A .NET Runtime for Cobalt Strike's Beacon Object Files.
Dev | beacon-object-file | The format, described by Mudge here, asks that the operator construct a COFF file using a mingw-w64 compiler or the MSVC compiler that holds a symbol name indicating its entrypoint, and underlying function calls.
Dev | InlineWhispers | Demonstrate the ability to easily use syscalls using inline assembly in BOFs.
Dev | WdToggle | A Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Credential Guard (if enabled).
Dev | Situational Awareness BOF | This Repo intends to serve two purposes. First it provides a nice set of basic situational awareness commands implemented in BOF. This allows you to perform some checks on a host before you begin executing commands that may be more invasive.
Dev | MiniDumpWriteDump | Custom implementation of DbgHelp's MiniDumpWriteDump function. Uses static syscalls to replace low-level functions like NtReadVirtualMemory.
Dev | COFF Loader | This is a quick and dirty COFF loader (AKA Beacon Object Files). Currently can run unmodified BOFs so it can be used for testing without a CS agent running it. The only exception is that the injection related beacon compatibility functions are just empty.
Dev | Self_Deletion_BOF | BOF implementation of the research by @jonasLyk and the drafted PoC from @LloydLabs
Dev | PE Import Enumerator BOF | This is a BOF to enumerate DLL files to be loaded by a given PE file. Depending on the number of arguments, this will allow an operator to either view a listing of anticipated imported DLL files, or to view the imported functions for an anticipated DLL.
Dev | Visual-Studio-BOF-template | A Visual Studio template used to create Cobalt Strike BOFs
Dev | BOF-Builder | C# .NET 5.0 project to build BOFs (Beacon Object Files) in bulk, based on them all being in a folder directory structure somewhere.
Dev | ELFLoader | This is an ELF object in-memory loader/runner. The goal is to create a single ELF loader that can be used to run follow-on capabilities across all x86_64 and x86 *nix operating systems.
Dev | Rust BOFs for Cobalt Strike | This took me like 4 days, but I got it working... Rust core + alloc for Cobalt Strike BOFs. This is very much a PoC, but I'd love to see others playing around with it and contributing.
Dev | CoffeeLdr | CoffeeLdr is a loader for so-called Beacon Object Files. This project can be used for testing Beacon Object Files without using the Cobalt Strike framework, or can be used to give custom implants a way to execute BOFs that were designed for Cobalt Strike.
Dev | HalosGate Processlist Cobalt Strike BOF | Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes.
Dev | PPLFaultDumpBOF | Takes the original PPLFault and the original included DumpShellcode and combines it all into a BOF targeting Cobalt Strike.
Dev | Winsocky | Winsock implementation for Cobalt Strike. Used to communicate with the victim using Winsock instead of the traditional ways.
Dev | bof-vs | A Beacon Object File (BOF) template for Visual Studio.
Auxiliary | Defender Exclusions BOF | A BOF to determine Windows Defender exclusions.
Auxiliary | ScreenShot-BOF | Screenshot BOF for Cobalt Strike. All in memory and no spawn/inject.
Auxiliary | BofRoast | Beacon Object File repo for roasting Active Directory.
Auxiliary | EnumCLR.c | Cobalt Strike BOF to identify processes with the CLR loaded, with a goal of identifying SpawnTo / injection candidates.
Auxiliary | PPEnum | Simple BOF to read the protection level of a process.
Auxiliary | secinject | Section Mapping Process Injection (secinject): Cobalt Strike BOF
Auxiliary | FindObjects-BOF | A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles.
Auxiliary | Inject-assembly | Inject-assembly - Execute .NET in an Existing Process. This tool is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.
Auxiliary | WhereAmiI | WhereAmiI - Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLLs.
Auxiliary | GetWebDAVStatus | Small project to determine if the Web Client service (WebDAV) is running on a remote system by checking for the presence of the DAV RPC SERVICE named pipe.
Auxiliary | ChromeKeyDump | BOF implementation of the Chlonium tool to dump the Chrome master key and download Cookie/Login Data files
Auxiliary | Sleeper | BOF to call the SetThreadExecutionState function to prevent the host from sleeping
Auxiliary | LSASS | Beacon Object File to dump LSASS memory by obtaining a snapshot handle. Does MiniDumpWriteDump/NtReadVirtualMemory on a snapshot of LSASS instead of the original LSASS itself, hence evades some AV/EDR.
Auxiliary | getsystem | Get SYSTEM by duplicating winlogon's token.
Auxiliary | Silent Lsass Dump | Silent LSASS Dump
Auxiliary | unhook-bof | This is a Beacon Object File to refresh DLLs and remove their hooks.
Auxiliary | Beacon Health Check Aggressor Script | This aggressor script uses a beacon's note field to indicate the health status of a beacon.
Auxiliary | Registry BOF | A beacon object file for use with Cobalt Strike v4.1+. Supports querying, adding, and deleting keys/values of local and remote registries.
Auxiliary | InlineExecute-Assembly | InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in-process .NET assembly execution as an alternative to Cobalt Strike's traditional fork and run execute-assembly module
Auxiliary | CredBandit | CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in-memory dump of a process and send that back through your already existing Beacon communication channel. The memory dump is done by using NTFS transactions, which allows us to write the dump to memory, and the MiniDumpWriteDump API has been replaced with an adaptation of ReactOS's implementation of MiniDumpWriteDump.
Auxiliary | Inject AMSI Bypass | Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
Auxiliary | Firewall_Enumerator_BOF | Cobalt Strike Beacon Object File (BOF) to enumerate Windows Firewall rules.
Auxiliary | Detect-Hooks | Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR
Auxiliary | unhook-bof | Remove API hooks from a Beacon process.
Auxiliary | whereami | Cobalt Strike "Where Am I?" Beacon Object File
Auxiliary | HOLLOW | EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, injects shellcode, hijacks the main thread with an APC, and executes the shellcode
Auxiliary | BOFs | send_shellcode_via_pipe; cat; wts_enum_remote_processes
Auxiliary | SCShell | SCShell is a fileless lateral movement tool that relies on ChangeServiceConfigA to run commands.
Auxiliary | WinRMDLL | A while ago I produced CSharpWinRM which was alright, but I wanted to look at the WinRM C++ API properly.
Auxiliary | LSASS Dumping With Foreign Handles | LSASS Dumping With Foreign Handles
Auxiliary | PPLDump BOF | This is a fully-fledged BOF to dump an arbitrary protected process (LSASS).
Auxiliary | PortBender | PortBender is a TCP port redirection utility that allows a red team operator to redirect inbound traffic destined for one TCP port (e.g., 445/TCP) to another TCP port (e.g., 8445/TCP).
Auxiliary | BOF2Shellcode | POC tool to convert a Cobalt Strike BOF into raw shellcode.
Auxiliary | DLL Hijack Search Order BOF | DLL Hijack Search Order Enumeration BOF
Auxiliary | InlineWhispers2 | Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via SysWhispers2
Auxiliary | NetUser | Adds users via the Windows API; usable when `net` cannot be used
Auxiliary | BOF-Nim | Writing BOFs in Nim
Auxiliary | Invoke-Bof | Load any Beacon Object File using PowerShell!
Auxiliary | Cobalt-Clip | Cobalt-clip is a clipboard add-on for Cobalt Strike. With it you can dump, edit and monitor the content of a clipboard.
Auxiliary | CoffLoader | Load and execute COFF files and Cobalt Strike BOFs in memory
Auxiliary | COFFLoader2 | Load and execute COFF files and Cobalt Strike BOFs in memory
Auxiliary | Process Protection Level Enumerator BOF | A syscall-only BOF file intended to grab process protection attributes, limited to a handful that Red Team operators and pentesters would commonly be interested in.
Auxiliary | Toggle_Token_Privileges_BOF | An (almost) syscall-only BOF file intended to either add or remove token privileges within the context of your current process.
Auxiliary | Cobalt Strike BOF - Inject ETW Bypass | Inject ETW Bypass into Remote Process via Syscalls (HellsGate/HalosGate)
Auxiliary | HandleKatz_BOF | PIC your Katz! Say hello to HandleKatz, our position independent LSASS dumper abusing cloned handles, direct system calls and a modified version of MiniDumpWriteDump()
Auxiliary | tgtdelegation | tgtdelegation is a Beacon Object File (BOF) to obtain a usable TGT via the "TGT delegation trick"
Auxiliary | nanodump | A Beacon Object File that creates a minidump of the LSASS process.
Auxiliary | xPipe Cobalt Strike BOF (x64) | Cobalt Strike Beacon Object File (BOF) to list active pipes and return their owner and Discretionary Access Control List (DACL) permissions.
Auxiliary | AddUser-Bof | Cobalt Strike BOF that adds an admin user
Auxiliary | ServiceMove-BOF | Lateral movement technique by abusing the Windows Perception Simulation Service to achieve DLL hijacking
Auxiliary | MemReader BoF | MemReader Beacon Object File will allow you to search and extract specific strings from a target process memory and return what is found to the beacon output.
Auxiliary | Readfile BoF | Not the prettiest code, short, sweet and to the point, and will allow you to read file contents to beacon output.
Auxiliary | ChromiumKeyDump | BOF implementation of the Chlonium tool to dump the Chrome/Edge master key and download Cookie/Login Data files
Auxiliary | LdapSignCheck | Beacon Object File to scan a Domain Controller to see if LdapEnforceChannelBinding or LdapServerIntegrity has been modified to mitigate against relaying attacks.
Auxiliary | DelegationBOF | This tool uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks.
Auxiliary | RunOF | A tool to run object files, mainly beacon object files (BOF), in .NET.
Auxiliary | KillDefender_BOF | Beacon Object File implementation of pwn1sher's KillDefender.
Auxiliary | TokenStripBOF | TokenStrip is a Beacon Object File implementation of pwn1sher's KillDefender project utilizing syscalls via InlineWhispers.
Auxiliary | BOF - RDPHijack | Cobalt Strike Beacon Object File (BOF) that uses the WinStationConnect API to perform local/remote RDP session hijacking.
Auxiliary | Koh | Koh is a C# and Beacon Object File (BOF) toolset that allows for the capture of user credential material via purposeful token/logon session leakage.
Auxiliary | RDPHijack | Cobalt Strike Beacon Object File (BOF) that uses the WinStationConnect API to perform local/remote RDP session hijacking.
Auxiliary | KDStab | BOF combination of KillDefender and Backstab.
Auxiliary | Token Vault BOF for Cobalt Strike | This Beacon Object File (BOF) creates in-memory storage for stolen/duplicated Windows access tokens.
Auxiliary | ASRenum | Identify ASR rules, actions, and exclusion locations.
Auxiliary | ThreadlessInject-BOF | BOF implementation of @EthicalChaos's ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023.
Auxiliary | Inline-Execute-PE | Execute unmanaged Windows executables in CobaltStrike Beacons. This enables operators to use many third party tools (Mimikatz, Dsquery, Sysinternals tools, etc.) without needing to drop them to disk, reformat them to position independent code using a tool like Donut, or create a new process to run them.
Auxiliary | BOFs | Subscribes to WNF notifications for a number of seconds; backdoors the SCManager SDDL.
Auxiliary | DomainPasswordSpray | Perform LDAP-based or Kerberos-based password spray using the Windows API LogonUserSSPI. Skips disabled accounts, locked accounts and accounts with a large BadPwdCount (if specified).
Auxiliary | BOF-CredUI | Credentials collection via CredUIPromptForWindowsCredentials
Auxiliary | Cookie-Graber-BOF | C or BOF file to extract the WebKit master key to decrypt user cookies. The C code can be used to compile an executable or a BOF for Cobalt Strike.
Auxiliary | ScreenshotBOF | An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.
Auxiliary | ScreenshotBOFPlus | Take a screenshot without injection for Cobalt Strike. I only made minor optimizations to the existing code, and made it support the ability to get a complete screenshot when global scaling is enabled on Windows.
Auxiliary | Elevate-System-Trusted-BOF | This BOF can be used to elevate the current beacon to SYSTEM and obtain the TrustedInstaller group privilege. The impersonation is done through the SetThreadToken API.
Auxiliary | Hidden Desktop BOF | Hidden Desktop (often referred to as HVNC) is a tool that allows operators to interact with a remote desktop session without the user knowing.
Auxiliary | DropSpawn | DropSpawn is a CobaltStrike BOF used to spawn additional Beacons via a relatively unknown method of DLL hijacking. Works x86-x86, x64-x64, and x86-x64/vice versa. Use as an alternative to process injection.
Auxiliary | Nanorobeus | COFF file (BOF) for managing Kerberos tickets.
Auxiliary | SelfDel | Delete a file regardless of whether the handle is in use, via SetFileInformationByHandle
Auxiliary | GetWeChatBOF | Test BOF for retrieving WeChat information; only supports the offsets of version 3.9.6.33
Auxiliary | ShadowRDP | This repository contains two applications. One is a beacon object file, which is used to retrieve the authentication string, also known as the invitation. The other is a graphical user interface program that can be run on the operator's system behind a SOCKS proxy to connect to the remote desktop session.
Auxiliary | SharpHound4Cobalt | The SharpHound data (test file, json, zip, cache file) will not be written to disk but only sent to Cobalt Strike downloads through the BOF.NET library.
Exploit | CVE-2020-0796-BOF | SMBGhost LPE
Exploit | ZeroLogon-BOF | ZeroLogon
Exploit | kernel-mii | Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551.
Exploit | PrivKit | PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
Exploit | CVE-2023-36874 | Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE.
Persistence | SPAWN | Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes the payload. Built to evade EDR/userland hooks by spawning the sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.
Persistence | PersistBOF | A tool to help automate common persistence mechanisms. Currently supports Print Monitor (SYSTEM), Time Provider (Network Service), Start folder shortcut hijacking (User), and Junction Folder (User).
BypassAV | ClipboardWindow-Inject | Beacon Object File (BOF) that injects beacon shellcode into a remote process, avoiding the usage of commonly monitored APIs.
BypassAV | SigFlip | SigFlip is a tool for patching Authenticode-signed PE files (exe, dll, sys, etc.) in a way that doesn't affect or break the existing Authenticode signature; in other words you can change the PE file checksum/hash by embedding data (i.e. shellcode) without breaking the file signature, integrity checks or PE file functionality.
BypassAV | BokuLoader | Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
BypassAV | AddDefenderExclusions | AddDefenderExclusions Beacon Object File Resources.
BypassAV | BOFMask | Demonstrates a technique to stealthily run BOFs without exposing Beacon to detection.
BypassUAC | Trusted Path UAC Bypass | Beacon object file implementation of the trusted path UAC bypass. The target executable will be called without involving "cmd.exe", by using a DCOM object.
BypassUAC | EventViewerUAC_BOF | This is a Beacon Object File implementation of the Event Viewer deserialization UAC bypass discovered by @orange_8361 and the POC put together by CsEnox.
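
Several entries in the table above (beacon-object-file, COFF Loader, CoffeeLdr, RunOF, BOF.NET) exist because a BOF is just a COFF object whose entry point receives an argument buffer prepared by an Aggressor script with bof_pack() and read back in C with BeaconDataParse and the BeaconData* helpers. The script below is an added example written for this page, not code from any of the listed projects: it reimplements both ends of that contract in Python so the layout can be inspected and round-tripped offline, which is exactly what the stand-alone loaders listed above have to replicate. The layout used (little-endian 4-byte total length, `i` 4-byte int, `s` 2-byte short, `z` length-prefixed NUL-terminated string, `Z` length-prefixed UTF-16LE string, `b` length-prefixed raw bytes) matches the public beacon.h and the public loaders; the ASCII encoding for `z` is an assumption, since Cobalt Strike uses the target's code page.

```python
import struct

# Added example: the argument contract between an Aggressor script and a BOF.
# bof_pack() in Aggressor serialises the arguments the BOF will read back with
# BeaconDataParse / BeaconDataInt / BeaconDataShort / BeaconDataExtract.  The
# layout, as also implemented by public stand-alone loaders, is little-endian:
# a 4-byte total length, then per format character
#   i  4-byte int                     s  2-byte short
#   z  4-byte length, bytes, NUL      Z  4-byte length, UTF-16LE bytes, 2 NULs
#   b  4-byte length, raw bytes
# Both sides are written here so the round trip can be checked offline.


def bof_pack(fmt, *args):
    """Python equivalent of Aggressor's bof_pack(fmt, args...)."""
    if len(fmt) != len(args):
        raise ValueError("format/argument count mismatch")
    body = bytearray()
    for code, arg in zip(fmt, args):
        if code == "i":
            body += struct.pack("<i", arg)
        elif code == "s":
            body += struct.pack("<h", arg)
        elif code == "z":
            data = arg.encode("ascii") + b"\x00"  # assumption: ASCII; CS uses the target code page
            body += struct.pack("<I", len(data)) + data
        elif code == "Z":
            data = arg.encode("utf-16-le") + b"\x00\x00"
            body += struct.pack("<I", len(data)) + data
        elif code == "b":
            body += struct.pack("<I", len(arg)) + bytes(arg)
        else:
            raise ValueError(f"unknown format character {code!r}")
    return struct.pack("<I", len(body)) + bytes(body)


class BeaconData:
    """Mirror of the datap struct and the BeaconData* helpers a BOF uses in C."""

    def __init__(self, buf):
        total = struct.unpack_from("<I", buf, 0)[0]
        if total > len(buf) - 4:
            raise ValueError("declared length exceeds buffer")
        self._buf = buf[4:4 + total]
        self._pos = 0

    def length(self):
        """Bytes not yet consumed (BeaconDataLength)."""
        return len(self._buf) - self._pos

    def _take(self, n):
        if self._pos + n > len(self._buf):
            raise ValueError("argument buffer underrun")
        chunk = self._buf[self._pos:self._pos + n]
        self._pos += n
        return chunk

    def int(self):
        return struct.unpack("<i", self._take(4))[0]

    def short(self):
        return struct.unpack("<h", self._take(2))[0]

    def extract(self):
        size = struct.unpack("<I", self._take(4))[0]
        return self._take(size)


def unpack_args(fmt, buf):
    """The BOF side: read the buffer back according to fmt."""
    parser = BeaconData(buf)
    out = []
    for code in fmt:
        if code == "i":
            out.append(parser.int())
        elif code == "s":
            out.append(parser.short())
        elif code == "z":
            out.append(parser.extract()[:-1].decode("ascii"))
        elif code == "Z":
            out.append(parser.extract()[:-2].decode("utf-16-le"))
        elif code == "b":
            out.append(parser.extract())
        else:
            raise ValueError(f"unknown format character {code!r}")
    if parser.length() != 0:
        raise ValueError("trailing bytes: format does not match buffer")
    return out


if __name__ == "__main__":
    packed = bof_pack("izsb", 4242, r"C:\Windows\Temp\a.txt", 7, b"\x90\x90")
    print(packed.hex())
    print(unpack_args("izsb", packed))
```

The trailing-bytes check in unpack_args is the part worth copying into a loader or test harness: a BOF whose C code reads its arguments in a different order or with different types than the CNA packed them will usually still "work" on the C side by reading garbage, and checking that the buffer is fully consumed is the cheapest way to catch that mismatch before running on a target.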

0x04 Aggressor Script

Type | Name | Description
BypassAV | BypassAV | Quickly generate AV-evading executables
BypassAV | BypassAV | Essentially uses the ps2exe.ps1 script to compile to an exe; wrapped as a CNA script to avoid working on the command line, so AV-evading executables of only 50 KB can be generated quickly. Currently supports exe and ps1 formats.
BypassAV | scrun | BypassAV shellcode loader (Cobaltstrike/Metasploit). Usage
BypassAV | ShellCode_Loader | AV-evading shellcode loader for Msf & CobaltStrike
BypassAV | beacon-c2-go | beacon-c2-go (Cobaltstrike/Metasploit)
BypassAV | C--Shellcode | Python shellcode loader (Cobaltstrike & Metasploit). Usage
BypassAV | Doge-Loader | Cobalt Strike shellcode loader in Go
BypassAV | CS-Loader | CS AV evasion, including Python and C versions
BypassAV | CSSG | Cobalt Strike Shellcode Generator. Generates beacon stageless shellcode with exposed exit method, additional formatting, encryption, encoding, compression, multiline output, etc.
BypassAV | Alaris | Alaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTPs that help protect the malware and its execution flow.
BypassAV | CarbonMonoxide | EDR Evasion - Combination of SwampThing - TikiTorch
BypassAV | bypassAV-1 | Condition-triggered RAT, VT 6/70; evades domestic Chinese AV as well as mainstream AV such as Defender and Kaspersky.
BypassAV | ScareCrow | ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls).
BypassAV | Dent | A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
BypassAV | PEzor | Open-Source PE Packer.
BypassAV | FuckThatPacker | A simple Python packer to easily bypass Windows Defender
BypassAV | goShellCodeByPassVT | Full VT evasion by compiling Go with the -race flag
BypassAV | HouQing | Advanced AV Evasion Tool For Red Team Ops
BypassAV | DesertFox | AV-evading loader in Go for CobaltStrike and Metasploit shellcode; currently evades host security software such as Huorong, Avast, Tencent PC Manager and the 360 suite.
BypassAV | DInjector | This repository is an accumulation of code snippets for various shellcode injection techniques using the fantastic D/Invoke API
BypassAV | GoBypass | Go AV-evading payload generator (Windows only)
BypassAV | Bypass-script | Generate AV-evading payloads with GoBypass
BypassAV | CobaltWhispers | CobaltWhispers is an aggressor script that utilizes a collection of Beacon Object Files for Cobalt Strike to perform process injection, persistence and more, leveraging direct syscalls to bypass EDR/AV.
BypassAV | AceLdr | Cobalt Strike UDRL for memory scanner evasion.
BypassAV | SharpTerminator | Terminate AV/EDR processes using a kernel driver
BypassUAC | UAC-SilentClean | This project implements a DLL planting technique to bypass UAC Always Notify and execute code in a high integrity process.
BypassUAC | csload.net | A CobaltStrike shellcode loader; can bypass most AV
Dev | cs-rdll-example | This is an example code pattern for using named pipes for IPC with ReflectiveDlls in Cobalt Strike.
Dev | Titan | Titan: A generic user-defined reflective DLL for Cobalt Strike.
Dev | GECC | Go External C2 Client implementation for Cobalt Strike.
Dev | CobaltStrike beacon in rust | CobaltStrike beacon in Rust.
Recon | red-team-scripts | Perform some rudimentary Windows host enumeration with Beacon built-in commands
Recon | Registry-Recon | Cobalt Strike Aggressor Script that performs System/AV/EDR recon.
Recon | aggressor-powerview | All functions listed in the PowerView about page are included in this with all arguments for each function. PowerView
Recon | PowerView3-Aggressor | PowerView Aggressor Script for CobaltStrike. PowerView
Recon | AggressorScripts | Sharphound-Aggressor - A user menu for the SharpHound ingestor
Recon | ServerScan | High-concurrency network scanning and service detection tool for internal lateral information gathering.
Recon | TailorScan | Port scanning + NIC detection + MS17-010 detection
Recon | AggressiveProxy | LetMeOutSharp will try to enumerate all available proxy configurations and try to communicate with the Cobalt Strike server over HTTP(S) using the identified proxy configurations.
Recon | Spray-AD | A Cobalt Strike tool to audit Active Directory user accounts for weak, well known or easily guessable passwords.
Recon | Ladon | Ladon is a multithreaded, plugin-based comprehensive scanner for large-network penetration, including port scanning, service identification, network asset discovery, password brute forcing, high-risk vulnerability detection and one-click GetShell; supports batch A/B/C-class and cross-segment scanning as well as URL, host and domain list scanning.
Recon | Ladon for Cobalt Strike | Ladon for Cobalt Strike (Ladon suite)
Recon | Recon-AD | Recon-AD, an AD recon tool based on ADSI and reflective DLLs
Exploit | XSS-Fishing2-CS | Automatically stops the JavaScript phishing once the victim has checked in to CS
Exploit | XSS-Phishing | XSS phishing; CNA plugin working with a PHP backend to collect results
Exploit | custom_payload_generator | CobaltStrike 3.0+ --> creates various payloads for Cobalt Strike's Beacon. Current payload formats
Exploit | CrossC2 | CrossC2 framework - generator for CobaltStrike's cross-platform beacon
Exploit | CrossC2 Kit | CrossC2Kit provides some interfaces for users to call to manipulate the CrossC2 Beacon session, thereby extending the functionality of Cobalt Strike.
Exploit | Cobaltstrike-MS17-010 | MS17-010 exploit tool and scanner.
Exploit | AES-PowerShellCode | Standalone version of my AES PowerShell payload for Cobalt Strike.
Exploit | SweetPotato_CS | CobaltStrike 4.x --> SweetPotato
Exploit | ElevateKit | Privilege escalation exploits
Exploit | CVE-2018-4878 | CVE-2018-4878
Exploit | Aggressor-Scripts | The only currently public script is UACBypass, whose readme can be found inside its associated folder.
Exploit | CVE_2020_0796_CNA | Local privilege escalation exploit implemented with ReflectiveDLLInjection
Exploit | DDEAutoCS | Set up our stage(d) Web Delivery attack
Exploit | geacon | Implementation of CobaltStrike's Beacon in Go (can be used on Linux)
Exploit | geacon_pro | geacon_pro is an anti-virus bypassing CobaltStrike Beacon written in Go, based on the geacon project.
Exploit | geacon_plus | CobaltStrike stageless HTTP(S) beacon implemented in Go, substantially extended from the geacon project
Exploit | SpoolSystem | SpoolSystem is a CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges.
Exploit | CVE-2021-1675_RDL_LPE | CS reflective-loading plugin for the PrintNightmare LPE vulnerability. Works out of the box, loads in memory and obfuscates the loaded driver name to bypass Defender/EDR
Exploit | KRBTGS | KRBTGS is a post-exploitation option for Cobalt Strike to retrieve a working TGT for the current user that Beacon is running as, or impersonating. The attack does not require the user's password, and only assumes that the user you are running as is within a domain-joined environment. It attempts to guess the encryption type by choosing from the strongest to the least strong. The resulting .ccache can be converted into KIRBI format to be imported into other Beacons, or passed to other toolsets such as Impacket's example scripts to perform your post-exploitation endeavours.
Exploit | PrintSpoofer-ReflectiveDLL | Reflective DLL implementation of PrintSpoofer for use with Cobalt Strike
Persistence | persistence-aggressor-script | persistence-aggressor-script
Persistence | Peinject_dll | Drops WinExec in favour of ShellExecute so the program flow no longer stalls, making execution truly unnoticeable.
Persistence | TikiTorch | TikiTorch follows the same concept (CACTUSTORCH) but has multiple types of process injection available, which can be specified by the user at compile time.
Persistence | CACTUSTORCH | A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
Persistence | UploadAndRunFrp | Upload and run frpc
Persistence | persistence-aggressor-script | Persistence Aggressor Script
Persistence | AggressiveGadgetToJScript | Automate the generation of payloads using the GadgetToJScript technique.
Persistence | FrpProPlugin | Modified frp 0.33 that evades traffic detection and AV and supports loading a remote config file; plugin usable directly from CS
Persistence | Automatic-permission-maintenance | Plugin that automatically establishes persistence when a Beacon checks in to CobaltStrike
Persistence | cobalt-strike-persistence | Generate a Web Delivery payload in Cobalt Strike, then load this script to achieve autostart persistence
Persistence | Cobalt_Strike_CNA | CobaltStrike script that uses various Win32 APIs for persistence, including creating system services, setting scheduled tasks and managing users.
Persistence | CustomKeyboardLayoutPersistence | Achieve execution using a custom keyboard layout, tested in Windows 11 Home version 21H2
Persistence | SharpEventPersist | Persistence by writing/reading shellcode from the Event Log.
Auxiliary | SharpZippo | List/read contents of Zip files (in memory and without extraction) using CobaltStrike's Execute-Assembly
Auxiliary | SharpExcelibur | Read Excel spreadsheets (XLS/XLSX) using Cobalt Strike's Execute-Assembly
Auxiliary | SharpSword | Read the contents of DOCX files using Cobalt Strike's Execute-Assembly
Auxiliary | SharpCat | C# alternative to the Linux "cat" command... Prints file contents to console. For use with Cobalt Strike's Execute-Assembly
Auxiliary | TabRenamer CNA | This will allow programmatic renaming of tabs as you see fit, with toggles of your history as you see fit.
Auxiliary | Liquid Snake | LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript
AuxiliaryTaskShellTaskShell 计划任务相关自动化操作
Auxiliarygenerate-rotating-beacon1. Generate a beacon for a given listener; 2. Host the file at a specified location;3. Monitor the weblog for fetching of the specified location;
AuxiliaryScareCrow-CobaltStrikeA Cobalt Strike script for ScareCrow payload generation. Works with all Loaders.
AuxiliaryAggressorScriptsCreateTicket; Seatbelt; SharpHound
AuxiliarySharpeningCobaltStrikeIn realtime compiling of dotnet v35/v40 exe/dll binaries + obfuscation with ConfuserEx on your linux cobalt strike server.
AuxiliaryCS_Mail_TipCobalt Strike主机上线邮件提醒插件
AuxiliaryCobalt_Strike_BotCobaltStrike上线通知,飞书群聊机器人、server酱通知
AuxiliaryCobaltstrike-atexec利用任务计划进行横向,需要与135端口、445端口进行通信
AuxiliarySharp-HackBrowserDataC#的HackBrowserData工具,方便在cs中直接内存加载
AuxiliaryHackBrowserDataHackBrowserData的反射模块
Auxiliarycobalt_syncStandalone Cobalt Strike Operation Logging Aggressor script for Ghostwriter 2.0+
AuxiliarysamdumpCobalt Strike samdump
AuxiliaryCallBackDump能过卡巴、核晶、defender等杀软的dump lsass进程工具
Auxiliary | SharpCompile | SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in real time.
Auxiliary | Quickrundown | Utilizing QRD will allow an operator to quickly characterize which processes are known and unknown on a host through the use of colors and notes about the processes displayed.
Auxiliary | NetUser | This tool achieves "net user" through the Windows API. I made this to be used with Cobalt Strike's execute-assembly, so users can be added by loading it in memory
Auxiliary | FileSearch | C++ tool that enumerates the disk list and walks a specified drive searching for files of specific types; includes a reflective DLL version.
Auxiliary | Phant0m_cobaltstrike | This script walks the thread stacks of the Event Log Service process (a specific svchost.exe), identifies the Event Log threads and kills them. The system will then be unable to collect logs, while at the same time the Event Log Service will appear to be running.
Auxiliary | NoPowerShell | NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms.
Auxiliary | EventLogMaster | RDP EventLog Master
Auxiliary | ANGRYPUPPY | Bloodhound Attack Path Execution for Cobalt Strike
Auxiliary | CobaltStrike_Script_Wechat_Push | Plugin for WeChat check-in alerts, sent via ServerChan
Auxiliary | CS-Aggressor-Scripts | slack and webhooks reminder
Auxiliary | Aggressor-Scripts | surveying of powershell on targets (checks PowerShell-related information on the corresponding target)
Auxiliary | cs-magik | Implements an events channel and job queue using Redis for Cobalt Strike.
Auxiliary | GetClipboard | Cobalt Strike Reflective DLL that gets the clipboard content. The code basically comes from ReflectiveDLLInjection
Auxiliary | AggressorScripts | Marks AV processes in red when viewing the process list
Auxiliary | Beaconator | Beaconator is an aggressor script for Cobalt Strike used to generate raw stageless shellcode and pack the generated shellcode using PEzor.
Auxiliary | Raven | CobaltStrike External C2 for Websockets
Auxiliary | CobaltStrikeParser | Python parser for CobaltStrike Beacon's configuration
Auxiliary | fakelogonscreen | FakeLogonScreen is a utility to fake the Windows logon screen in order to obtain the user's password.
Auxiliary | SyncDog | Makes BloodHound sync with CobaltStrike.
Auxiliary | 360SafeBrowsergetpass | CobaltStrike script that helps grab 360 Safe Browser passwords with one click, by downloading the browser database and recording the key so the browser passwords can be decrypted offline.
Auxiliary | SharpDecryptPwd | Parses saved passwords for several programs on Windows systems, including Navicat, TeamViewer, FileZilla, WinSCP and the Xmanager product family (Xshell, Xftp).
Auxiliary | List-GitHubAssembly | Fetch a list of available artifacts from the configured GitHub repo.
Auxiliary | ExecuteAssembly | ExecuteAssembly is an alternative to CS execute-assembly, built with C/C++, and it can be used to load/inject .NET assemblies by: reusing the host (spawnto) process's loaded CLR modules/AppDomainManager, stomping loader/.NET assembly PE DOS headers, unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs via the superfasthash hashing algorithm.
Auxiliary | aggrokatz | aggrokatz is an Aggressor plugin extension for CobaltStrike which enables pypykatz to interface with the beacons remotely.
Auxiliary | Zipper | This CobaltStrike tool allows Red teams to compress files and folders from local and UNC paths. This could be useful in situations where large files or folders need to be exfiltrated. After compressing a file or folder, a randomly named zipfile is created within the user temp folder.
Auxiliary | CS-ServerChan | Script mounted on the CobaltStrike server / client that sends check-in host information to WeChat via ServerChan
Auxiliary | CS-PushPlus | Check-in host alerts via PushPlus, which is free and supports WeChat template message push
Auxiliary | HelpColor | Aggressor script that lists available Cobalt Strike beacon commands and colors them based on their type
Auxiliary | CobaltStrike Helpmsg CNA | This cna contains error messages for Win32 error codes, HRESULT definitions, and NTSTATUS definitions. This cna can be helpful for those operating out of Linux/Mac clients without access to the net.exe program, or as a quick way to look up hresult/ntstatus codes without having to do a Google search.
Auxiliary | YouMayPasser | Stable PeSieve Bypass and Stable Moneta Bypass.
Auxiliary | Sync Downloads | This is meant as a fine-tuned control mechanism for syncing files from the Cobalt Strike Downloads entries in the data model
Auxiliary | Headless Strike | Aggressor script that turns the headless aggressor client into a (mostly) functional Cobalt Strike client.
Auxiliary | Headless Strike | Internal network penetration \ red team tools \ C# in-memory loading \ cobaltstrike
Auxiliary | Cohab_Processes | A small Aggressor script to help Red Teams identify foreign processes on a host machine
Auxiliary | EnumStrike | Cobalt Strike Aggressor script to automate host and domain enumeration.
Synthesis | AM0N-Eye | AM0N-Eye is a compilation of a group of the most important scripts that were written specifically for Cobalt Strike, and the remaining files, such as those for modifying colors and images.
Synthesis | aggressor_snippets | A collection of random small Aggressor snippets that don't warrant their own repo
Synthesis | Erebus | CobaltStrike 4.x --> Erebus CobaltStrike post-exploitation plugin
Synthesis | CSplugins | Collection of CobaltStrike post-exploitation plugins
Synthesis | Cobalt-Strike-Aggressor-Scripts | Collection of CobaltStrike post-exploitation plugins. Usage
Synthesis | AggressorScripts | Aggressor scripts for use with Cobalt Strike 3.0+
Synthesis | RedTeamTools | RedTeamTools for use with Cobalt Strike
Synthesis | cobalt-arsenal | Aggressor Scripts for Cobalt Strike 4.0+
Synthesis | MoveKit | The aggressor script handles payload creation by reading the template files for a specific execution type. intro
Synthesis | StayKit | The aggressor script handles payload creation by reading the template files for a specific execution type. intro
Synthesis | AggressorScripts | AggressorScripts
Synthesis | AggressorScripts | Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources
Synthesis | AggressorScripts | AggressorScripts
Synthesis | Aggressor-VYSEC | Contains a bunch of CobaltStrike Aggressor Scripts
Synthesis | AggressorAssessor | AggressorAssessor
Synthesis | aggressor-scripts | Collection of Cobalt Strike Aggressor Scripts
Synthesis | 梼杌 | Red team automation framework based on the Cobalt Strike platform
Synthesis | Aggressor-scripts | This is just a random collection of Aggressor Scripts I've written for Cobalt Strike 3.x. (one of them is a quite handy debug script)
Synthesis | Aggressor-Script | Collection of Aggressor Scripts for Cobalt Strike (mainly privilege escalation and persistence scripts)
Synthesis | Aggressor-Script | Aggressor Script, Kit, Malleable C2 Profiles, External C2 and so on
Synthesis | aggressor_scripts_collection | Collection of various aggressor scripts for Cobalt Strike from awesome people. Will be sure to update this repo with credit to each person.
Synthesis | CobaltStrike-ToolKit | googlesearch.profile and script related to AD.
Synthesis | Arsenal | Cobalt Strike 3.13 Arsenal Kit
Synthesis | cobalt-arsenal | My collection of battle-tested Aggressor Scripts for Cobalt Strike 4.0+
Synthesis | aggressor_scripts | A collection of useful scripts for Cobalt Strike. (powershell.cna; bot.cna; dcom_lateral_movement.cna; ElevateKit)
Synthesis | aggressor | creating tunnels with netsh; changed default to bit.ly redirect to mcdonalds; using powershell to kill parent process;
Synthesis | CobaltStrikeCNA | A collection of scripts - from various sources - see script for more info.
Synthesis | AggressorScripts | Highlights selected processes from the ps command in beacon; loads various aliases into beacon; sets a few defaults for scripts to be used later.
Synthesis | AggressorAssessor | A full helper script suite covering everything from C2 generation to lateral movement
Synthesis | AggressorCollection | Collection of awesome Cobalt Strike Aggressor Scripts. All credit due to the authors
Synthesis | Cobaltstrike-Aggressor-Scripts-Collection | The collection of tested cobaltstrike aggressor scripts.
Synthesis | aggressorScripts | CobaltStrike AggressorScripts for the lazy
Synthesis | Aggressor_Scripts | A compilation of Aggressor/Sleep scripts for operational purposes that I've made.
Synthesis | cobalt_strike_extension_kit | Integrates various internal network tools including SharpHound, SharpRDP and SharpWMI, using Aggressor scripts to build the workflow
Synthesis | cobaltstrike | Plugin collection with domain admin locating, domain information gathering, persistence, internal network scanning, database hash dumping, Everything-based internal file search and other features
Synthesis | 365CobaltStrike | Plugin collection compatible with CobaltStrike 4.0
Synthesis | Cobalt-Strike | Covers lateral movement, credential dumping, privilege escalation, persistence and so on; organises the things commonly used in internal network penetration as far as possible, for convenience
Synthesis | CSPlugins | A project that collects third-party Cobaltstrike plugins, continuously updated.
Synthesis | CobaltStrike-xor | third-party --> vnc_x86_dll and vnc_x64_dll
Synthesis | Z1-AggressorScripts | Collection of internal network penetration plugins for Cobalt Strike 3.x & 4.x
Synthesis | csplugin | Imports the PowerView script, plus commonly used functions
Synthesis | CSplugins | Comprehensive plugin system covering the working directory, information gathering, credential access, persistence, privilege escalation, user management, RDP, firewall, domain penetration, PowerShell, intranet tunnelling, intranet probing, remote file download and trace cleanup
Synthesis | LSTAR | With the aim of simplifying the CS right-click menu and making integration easier, stitches together (and shamelessly copies from) the projects in the References, adding VM/AV detection, host credential dumping, a Cxk time-limited AV-evading Mimikatz, Adduser and other features
Synthesis | SharpUtils | A collection of C# utilities intended to be used with Cobalt Strike's execute-assembly.
Synthesis | SharpToolsAggressor | Common C# programs used in internal network penetration bundled into a CS script, loaded directly in memory. Continuously updated~
Synthesis | C.Ex | CobaltStrike Plugin to start and utilize Cobalt Strike (locally or remotely) from within Sifter
Synthesis | OLa | A CS post-exploitation module plugin, so that one plugin is enough for everyone; it brings together everyone's strengths

0x05 Related Tools

Type | Name | Description
AntiCobaltStrike | cobaltstrike_brute | Cobalt Strike Team Server Password Brute Forcer
AntiCobaltStrike | Dissecting Cobalt Strike using Python | dissect.cobaltstrike is a Python library for dissecting and parsing Cobalt Strike related data such as beacon payloads and Malleable C2 Profiles.
AntiCobaltStrike | CobaltSpam | Cobalt Strike Team Server Password Brute Forcer
AntiCobaltStrike | CobaltStrikeDos | CVE-2021-36798 Exp: Cobalt Strike < 4.4 DoS
AntiCobaltStrike | CS_mock | Simulates a cobalt strike beacon check-in packet
AntiCobaltStrike | CS_fakesubmit | A script that can fake a check-in to Cobaltstrike
AntiCobaltStrike | CobaltStrikeScan | Scan files or process memory for Cobalt Strike beacons and parse their configuration.
AntiCobaltStrike | grab_beacon_config | Simple PoC script to scan and acquire CobaltStrike Beacon configurations.
AntiCobaltStrike | C2-JARM | Identifies different C2s, for example CobaltStrike, by the JARM hash produced by their SSL implementation
AntiCobaltStrike | JARM | JARM fingerprints scanner
AntiCobaltStrike | DetectCobaltStomp | A quick (and perhaps dirty!) PoC tool to detect Module Stomping as implemented by Cobalt Strike with moderate to high confidence
AntiCobaltStrike | cobaltstrike | Code and yara rules to detect and analyze Cobalt Strike
AntiCobaltStrike | CS_Decrypt | Decryption code that can help you understand how CS beacon communication works, but note that the key lives on the local teamserver
AntiCobaltStrike | CS Scripts | parse_beacon_keys.py, a parser for the .cobaltstrike.beacon_keys file
AntiCobaltStrike | PyBeacon | A collection of scripts for dealing with Cobalt Strike beacons in Python. Resources
AntiCobaltStrike | cobaltstrikescan | Detecting CobaltStrike for Volatility
AntiCobaltStrike | CobaltStrikeForensic | Toolset for researching malware and Cobalt Strike beacons
AntiCobaltStrike | DuckMemoryScan | A simple tool to find backdoors including but not limited to IIS hijacking, fileless Trojans and AV-bypassing shellcode.
AntiCobaltStrike | CobaltSplunk Splunk Application | CobaltSplunk is a Splunk Application that knows how to 1) ingest Cobalt Strike related logs and parse them properly, 2) display useful operational dashboards, 3) display relevant reports.
AntiCobaltStrike | BeaconHunter | Behavior based monitoring and hunting tool built in C#, leveraging ETW tracing. Blue teamers can use this tool to detect and respond to potential Cobalt Strike beacons. Red teamers can use this tool to research ETW bypasses and discover new processes that behave like beacons.
AntiCobaltStrike | CobaltStrikeDetected | Detects most CobaltStrike shellcode in 40 lines of code
AntiCobaltStrike | BeaconEye | Hunts out CobaltStrike beacons and logs operator command output
AntiCobaltStrike | Beacon_re | cobalt strike beacon code restoration
AntiCobaltStrike | Beacon.dll | cobalt strike beacon implementation
AntiCobaltStrike | SharpBeacon | cobalt strike beacon C# implementation
AntiCobaltStrike | EvilEye | EvilEye is a BeaconEye implementation in Golang.
AntiCobaltStrike | Hunt-Sleeping-Beacons | The idea of this project is to identify beacons which are unpacked at runtime or running in the context of another process (= in-memory malware).
AntiCobaltStrike | CSRouge | A malicious CS server, urldns only
AntiCobaltStrike | Cobalt Strike Discovery | Finds Cobalt Strike fingerprints on targets via traffic telemetry
Anti-AntiCobaltStrike | bypass-beacon-config-scan | Bypass cobaltstrike beacon config scan for 4.1
Anti-AntiCobaltStrike | bypass-beacon-config-scan | A mash-up of CSAgent and GoogleAuth: a cracked cobalt strike 4.4 plus an OTP one-time-password agent
BypassAV | Cooolis-ms | Cooolis-ms is a code execution tool that includes a Metasploit Payload Loader, a Cobalt Strike External C2 Loader and Reflective DLL injection. Its purpose is to evade static detection of the signature-bearing code we are about to execute, helping red team members switch more conveniently and quickly from a web container environment to a C2 environment to continue their work.
BypassAV | UrbanBishopLocal | A port of FuzzySecurity's UrbanBishop project for inline shellcode execution.
BypassAV | ShellcodeLoader | Universal AV-evading shellcode loader for Windows
BypassAV | ZheTian | AV-evading shellcode loading framework
BypassAV | EXOCET | AV-evading, undetectable, payload delivery tool
BypassAV | SecondaryDevCobaltStrike | CobaltStrike after secondary development; can bypass Kaspersky, Norton, McAfee, etc.
BypassAV | Bypass_Go | Modelled on CS's Bypass plugin, reworked with the split-file AV evasion idea
BypassAV | CrossNet-Beta | In red team operations, the phishing executable file is generated by using white utilization, to bypass AV and automatically judge the network environment. Can bypass 360 and Huorong
BypassAV | EVA | FUD shellcode Injector
BypassAV | BypassAV | Packages and generates backdoors with golang, with some AV evasion capability
BypassAV | NimShellCodeLoader | AV-evading shellcode loader for Windows written in Nim
BypassAV | beacon_hook_bypass_memscan | CS bypass for Kaspersky memory scanning: https://xz.aliyun.com/t/9399
BypassAV | ZheTian | ZheTian, a powerful tool for remotely loading and executing ShellCode
BypassAV | bypassAV | Bare-bones AV evasion; the rough idea is to XOR the shellcode and decode it in the main program. The key is stripping some symbol information
BypassAV | JsLoader | AV-evading shellcode that also bypasses antivirus to add autostart
BypassAV | ShellcodeLoader | Encrypts the shellcode with RSA and dynamically compiles an exe; comes with several anti-sandbox techniques.
BypassAV | Alt-Beacon-Payload | Beacon payload using the AV bypass method from https://github.com/fullmetalcache/CsharpMMNiceness and shellcode generated from https://github.com/RCStep/CSSG. (a one-click CNA configuration script could be added for it)
BypassAV | SigFlip | SigFlip is a tool for patching signed PE files (exe, dll, sys, etc.) without affecting or breaking the existing signature; in other words, you can change a PE file's checksum/hash by embedding data (i.e. shellcode) without breaking the file signature, integrity checks or PE functionality.
BypassAV | SigFlip | SigFlip is a tool for patching signed PE files (exe, dll, sys, etc.) without affecting or breaking the existing signature; in other words, you can change a PE file's checksum/hash by embedding data (i.e. shellcode) without breaking the file signature, integrity checks or PE functionality. This is its Golang implementation
BypassAV | Shellcode Fluctuation PoC | A PoC of a memory evasion technique that repeatedly encrypts and decrypts the shellcode contents and then flips it between RW (or NoAccess) and RX memory protection. While our shellcode resides in RW or NoAccess memory pages, scanners like Moneta or pe-sieve cannot track it and dump it for further analysis.
BypassAV | cool | AV evasion platform written with the Golang Gin framework, with built-in split-file, bundling and other BypassAV methods.
BypassAV | ThreadStackSpoofer | Thread Stack Spoofing - PoC for an advanced in-memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and
BypassAV | SleepyCrypt | A shellcode function to encrypt a running process image in memory when sleeping.
BypassAV | GobypassAV | AV-evading shellcode loader implemented in Go; bypasses Huorong, 360, 360 Core Crystal, Defender and other mainstream AV.
BypassAV | AtomLdr | A DLL loader with evasive features.
Analysis | Beacon | Open Source Cobalt Strike Beacon. Unreleased, in research stages
Analysis | Linco2 | Simulates the communication between Cobalt Strike's Beacon and C2, implementing an HTTP-based Linux C2 whose client can issue Beacon tasks via curl.
Analysis | beacon-object-files | This repository contains miscellaneous examples of Cobalt Strike Beacon object file extensions.
Auxiliary | C2ReverseProxy | When you encounter a non-networked environment during penetration, you can use this tool to establish a reverse proxy channel so that the beacons generated by CobaltStrike can bounce back to the CobaltStrike server.
Auxiliary | Cobalt strike custom 404 page | You can find the CS service through 404 pages.
Auxiliary | StageStrike | A custom Cobalt Strike stager written in C.. is how the project started.
Auxiliary | CS_SSLGen | sslgen will install a Let's Encrypt certificate and create a Cobalt Strike keystore from it.
Auxiliary | CobaltPatch | Cobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers
Auxiliary | pycobalt | Cobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers.
Auxiliary | redshell | An interactive command prompt that executes commands through proxychains and automatically logs them on a Cobalt Strike team server.
Auxiliary | CobaltStrikeToGhostWriter | Log converter from CS logs to a CSV in Ghostwriter's operation log format.
Auxiliary | Ansible-Cobalt-Strike | An Ansible role to install cobalt-strike on Debian-based systems; let's be honest, it's for Kali.
Auxiliary | cobaltstrike_runtimeconfig | A POC showing how to modify the Cobalt Strike beacon at runtime
Auxiliary | pystinger | Pystinger implements a SOCKS4 proxy and port mapping through a webshell. It can be used directly by Cobalt Strike for session check-in.
Auxiliary | ansible-role-cobalt-strike | An Ansible role for installing Cobalt Strike.
Auxiliary | CrossNet | In red team operations, the phishing executable file is generated by using white utilization, evading AV and automatically judging the network environment.
Auxiliary | CrossC2-C2Profile | API implementation of the CrossC2 communication protocol, compatible with C2Profile
Auxiliary | BypassAddUser | Bypass AV to add users
Auxiliary | Docker-CobaltStrike | The tool covers almost all the technical links needed in the APT attack chain. Uses cloud functions to avoid traceability; using a Docker container is fast and convenient; uses the Python script I wrote to avoid privacy disclosure and malicious attacks
Auxiliary | TeamServer.prop | TeamServer.prop is an optional properties file used by the Cobalt Strike teamserver to customize the settings used to validate screenshot and keylog callback data, which allows you to tweak the fix for the "HotCobalt" vulnerability. This repository contains an example file that contains the default settings.
Auxiliary | Cobalt_Strike_Ansible | Cobalt Strike Ansible Deployment Guide (automated deployment and management)
Auxiliary | Ansible Role: Cobalt Strike | Ansible Role: Cobalt Strike (automated deployment and management)
Auxiliary | csOnvps | Automatically runs the cobaltstrike 4.4 teamserver; a script for quickly starting a temporary Teamserver.
Auxiliary | Cobalt Strike Sleep Python Bridge | This project is a 'bridge' between the Sleep and Python languages. It allows control of a Cobalt Strike teamserver through Python without the need for the standard GUI client.
Auxiliary | c2_reporter | Ingests logs/dbs from Cobalt and Empire and outputs an Excel report with activity, sessions, and credentials
Auxiliary | Cobalt Strike Beacon Dataset | Open Dataset of Cobalt Strike Beacon metadata (2018-2022)
Auxiliary | Dumpert | Dumpert, an LSASS memory dumper using direct system calls and API unhooking
Auxiliary | DuplicateDump | Dumping LSASS with a duplicated handle from a custom LSA plugin
Auxiliary | BOFHound | Generate BloodHound compatible JSON from logs written by the ldapsearch BOF and pyldapsearch
Auxiliary | PersistAssist | PersistAssist is a fully modular persistence framework written in C#. All persistence techniques contain a cleanup method which serves to remove the persistence aside from the persistence code.
Auxiliary | ElusiveMice | Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind
Phishing | GoFileBinder | A builder 🔨 for binding an evil program 😈 and a normal document 🐣
Synthesis | geacon | Using Go to implement CobaltStrike's Beacon
Synthesis | geacon | geacon: a simply adapted profile configuration file that can be taken and modified directly, used to bring Linux hosts online in CS.
Synthesis | redi | Automated script for setting up CobaltStrike redirectors (nginx reverse proxy, letsencrypt)
Synthesis | cs2modrewrite | Automatically Generate Rulesets for Apache mod_rewrite or Nginx for Intelligent HTTP C2 Redirection
Synthesis | cs2webconfig | Automatically Generate Rulesets for IIS for Intelligent HTTP/S C2 Redirection
Synthesis | RedGuard | RedGuard is a C2 front flow control tool that can evade checks by Blue Teams, AVs and EDRs.
Synthesis | WebGuard | WebGuard is a Go package for HTTP request filtering that combines 风起's RedGuard and mgeeky's RedWarden, intended to help C2 HTTP listeners written in Go with traffic filtering and rule matching
Synthesis | RedWarden | Flexible CobaltStrike Malleable Redirector
Synthesis | RedCaddy | C2 redirector based on caddy
Synthesis | Oratu | An out-of-the-box reverse proxy server for hiding C2, intended to spare you the tedious process of configuring Nginx.
Synthesis | Oss-stinger | Uses OSS for HTTP forwarding / cobalt strike check-in
Synthesis | Apache Mod_Rewrite Terraform Automation | Bash scripts that take variables from the user and then call terraform scripts to automate standing up apache2 with mod_rewrite in front of C2 servers. Right now, this repo supports standing up redirectors in Linode or Digital Ocean, and I have different scripts for standing up http redirectors versus https redirectors. Since the mod_rewrite redirector setup scripts use a user agent value and optionally a bearer token, these redirectors are not C2 dependent and can work for any C2 that uses http or https.
Synthesis | Red-EC2 | Deploy RedTeam Specific EC2 via ansible.
Synthesis | Rapid Attack Infrastructure | Red Team Infrastructure... Quick... Fast... Simplified.
Synthesis | RedCommander | Creates two Cobalt Strike C2 servers (DNS and HTTPS), with redirectors, and RedELK in Amazon AWS. Minimal setup required! Companion Blog here
Synthesis | CobaltPatch | Cobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers
Synthesis | CPLResourceRunner | Run shellcode (Cobalt Strike) from a resource
Synthesis | csdroid | cobaltstrike mobile client / cobaltstrike android
Dev | vscode-language-aggressor | This is a Visual Studio Code (VSC) extension that aims to provide: an implementation of the Sleep and Cobalt Strike (CS) Aggressor grammar; and the definitions of Cobalt Strike function prototypes
Dev | PayloadAutomation | Payload Automation is a collection of Python classes for automating payload development, testing, opsec checking, and deployment with Cobalt Strike.
Dev | CrackSleeve | cs 4.0 / cs 4.1 beacon encryption and decryption
Dev | beacon | Former attempt at creating an independent Cobalt Strike Beacon
Dev | ExternalC2.NET | .NET Standard 2.0 libraries which implement Cobalt Strike's External C2 specification (revision 0.1).
Dev | GPUSleep | GPUSleep moves the beacon image to GPU memory before the beacon sleeps, and moves it back to main memory after sleeping.
Dev | CallStackMasker | A PoC implementation for dynamically masking call stacks with timers.
Crack | CSAgent | Universal CobaltStrike 4.x cracking and Chinese-localisation loader that dynamically modifies the jar with javaagent + javassist; it can load the original cobaltstrike.jar directly and in theory supports every 4.x version to date

0x06 Related Resources

Type | Name | Description
DATA | SilasCutler JARM Scan CobaltStrike Beacon Config.json | SilasCutler JARM Scan CobaltStrike Beacon Config
DATA | Cobalt Strike hashes | This page shows some basic information on the Yara rule CobaltStrike, including corresponding malware samples.
DATA | List of Cobalt Strike servers | List of Cobalt Strike servers
DATA | CobaltStrike samples pass=infected | CobaltStrike samples
DATA | List of spawns from exposed Cobalt Strike C2 | List of spawns from exposed Cobalt Strike C2
DATA | C2IntelFeeds | Automatically created C2 Feeds based off Censys
YARA | apt_cobaltstrike | Cobalt Strike Yara
YARA | apt_cobaltstrike_evasive | Cobalt Strike Yara
YARA | rules | Cobalt Strike Yara
Rules | suricata-rules | Suricata IDS rules used to detect red team penetration/malicious behavior; supports testing CobaltStrike/MSF/Empire/DNS tunnels/Weevely scorpion/mining/rebound/kitchen/ice shell/ICMP tunnel, etc.