zer0yu/Awesome-CobaltStrike: cobaltstrike的相关资源汇总 / List of Awesome CobaltStrike Resources
2020-12-28 11:54:42 Author: github.com(查看原文) 阅读量:427 收藏

目录

0x00 前言

  1. 第一部分是关于CobaltStrike优质文章的集合
  2. 第三部分是关于新特性BOF资源的整合
  3. 解决要用的时候找不到合适aggressor script或者BOF的问题
  4. 如果有本repo没有涉及的优质内容,欢迎大家提交pr

0x01 相关文章合集

1. 基础知识参考

  1. Cobalt_Strike_wiki
  2. Cobalt Strike Book
  3. CobaltStrike4.0笔记
  4. CobaltStrike相关网络文章集合
  5. Cobalt Strike 外部 C2【一、原理篇】
  6. Cobalt Strike 桌面控制问题的解决(以及屏幕截图等后渗透工具)
  7. Cobalt Strike & MetaSploit 联动
  8. Cobalt-Strike-CheatSheet

2. 破解以及定制参考

  1. IntelliJ-IDEA修改cobaltstrike
  2. CobaltStrike二次开发环境准备
  3. Cobal Strike 自定义OneLiner
  4. 通过反射DLL注入来构建后渗透模块(第一课)
  5. Cobalt Strike Aggressor Script (第一课)
  6. Cobalt Strike Aggressor Script (第二课)
  7. Implementing Syscalls In The Cobaltstrike Artifact Kit
  8. Cobalt Strike 4.0 认证及修补过程
  9. 使用ReflectiveDLLInjection武装你的CobaltStrike
  10. Bypass cobaltstrike beacon config scan

3. 使用技巧参考

  1. Cobalt Strike Spear Phish
  2. run CS in win -- teamserver.bat
  3. Remote NTLM relaying through CS -- related to CVE_2018_8581
  4. Cobalt Strike Convet VPN
  5. 渗透神器CS3.14搭建使用及流量分析
  6. CobaltStrike生成免杀shellcode
  7. CS-notes--一系列CS的使用技巧笔记
  8. 使用 Cobalt Strike 对 Linux 主机进行后渗透
  9. Cobalt Strike Listener with Proxy
  10. Cobalt Strike Convet VPN
  11. CS 4.0 SMB Beacon
  12. Cobalt Strike 浏览器跳板攻击
  13. Cobalt Strike 中 Bypass UAC
  14. 一起探索Cobalt Strike的ExternalC2框架
  15. 深入探索Cobalt Strike的ExternalC2框架
  16. Cobalt Strike的特殊功能(external_C2)探究

4. CobaltStrike隐匿参考

  1. CobaltStrike证书修改躲避流量审查
  2. CS 合法证书 + Powershell 上线
  3. Cobalt Strike 团队服务器隐匿
  4. 红队基础建设:隐藏你的C2 server
  5. Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite
  6. 深入研究cobalt strike malleable C2配置文件
  7. A Brave New World: Malleable C2
  8. How to Write Malleable C2 Profiles for Cobalt Strike
  9. Randomized Malleable C2 Profiles Made Easy
  10. 关于CobaltStrike的Stager被扫问题
  11. Beacon Stager listener 去特征

5. CobaltStrike分析参考

  1. Volatility Plugin for Detecting Cobalt Strike Beacon. blog|Toolset
  2. 逆向分析Cobalt Strike安装后门
  3. 分析cobaltstrike c2 协议
  4. Small tool to decrypt a Cobalt Strike auth file
  5. Cobalt Strike 的 ExternalC2
  6. Detecting Cobalt Strike Default Modules via Named Pipe Analysis
  7. 浅析CobaltStrike Beacon Staging Server扫描
  8. Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
  9. Analyzing Cobalt Strike for Fun and Profit

0x02 C2 Profiles

Type Name Description Popularity Language
ALL Malleable-C2-Profiles Official Malleable C2 Profiles
ALL Malleable-C2-Randomizer This script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage
ALL malleable-c2 Cobalt Strike Malleable C2 Design and Reference Guide
ALL C2concealer C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
ALL MalleableC2-Profiles A collection of Cobalt Strike Malleable C2 profiles. now have Windows Updates Profile

0x03 BOF

Type Name Description Popularity Language
ALL BOF_Collection Various Cobalt Strike BOFs
ALL Situational Awareness BOF Its larger goal is providing a code example and workflow for others to begin making more BOF files. Blog
ALL bof_helper Beacon Object File (BOF) Creation Helper
ALL BOF-DLL-Inject BOF DLL Inject is a custom Beacon Object File that uses manual map DLL injection in order to migrate a dll into a process all from memory.
ALL cobaltstrike_bofs BOF spawns a process of your choice under a specified parent, and injects a provided shellcode file via QueueUserAPC().
ALL BOF-RegSave Beacon Object File(BOF) for CobaltStrike that will acquire the necessary privileges and dump SAM - SYSTEM - SECURITY registry keys for offline parsing and hash extraction.
ALL CobaltStrike BOF DCOM Lateral Movement; WMI Lateral Movement - Win32_Process Create; WMI Lateral Movement - Event Subscription
Dev bof This is a template project for building Cobalt Strike BOFs in Visual Studio.
Dev BOF.NET A .NET Runtime for Cobalt Strike's Beacon Object Files.
Dev beacon-object-file The format, described by Mudge here, asks that the operator construct an COFF file using a mingw-w64 compiler or the msvc compiler that holds an symbol name indicating its entrypoint, and underlying function calls.
Exploit CVE-2020-0796-BOF SMBGhost LPE
Exploit ZeroLogon-BOF ZeroLogon

0x04 Aggressor Script

Type Name Description Popularity Language
BypassAV BypassAV 用于快速生成免杀的可执行文件
BypassAV scrun BypassAV ShellCode Loader (Cobaltstrike/Metasploit) Useage
BypassAV beacon-c2-go beacon-c2-go (Cobaltstrike/Metasploit)
BypassAV C--Shellcode python ShellCode Loader (Cobaltstrike&Metasploit) Useage
BypassAV Doge-Loader Cobalt Strike Shellcode Loader by Golang
BypassAV CS-Loader CS免杀,包括python版和C版本的
BypassUAC UAC-SilentClean This project implements a DLL planting technique to bypass UAC Always Notify and execute code in a high integrity process.
Recon red-team-scripts perform some rudimentary Windows host enumeration with Beacon built-in commands
Recon aggressor-powerview All functions listed in the PowerView about page are included in this with all arguments for each function. PowerView
Recon PowerView3-Aggressor PowerView Aggressor Script for CobaltStrike PowerView
Recon AggressorScripts Sharphound-Aggressor- A user menu for the SharpHound ingestor
Recon ServerScan 内网横向信息收集的高并发网络扫描、服务探测工具。
Recon AggressiveProxy LetMeOutSharp will try to enumerate all available proxy configurations and try to communicate with the Cobalt Strike server over HTTP(s) using the identified proxy configurations.
Exploit XSS-Fishing2-CS 鱼儿在cs上线后自动收杆 / Automatically stop fishing in javascript after the fish is hooked
Exploit XSS-Phishing xss钓鱼,cna插件配合php后端收杆
Exploit custom_payload_generator CobaltStrike3.0+ --> creates various payloads for Cobalt Strike's Beacon. Current payload formats
Exploit CrossC2 CrossC2 framework - Generator CobaltStrike's cross-platform beacon
Exploit GECC Go External C2 Client implementation for cobalt strike.
Exploit Cobaltstrike-MS17-010 ms17-010 exploit tool and scanner.
Exploit AES-PowerShellCode Standalone version of my AES Powershell payload for Cobalt Strike.
Exploit SweetPotato_CS CobaltStrike4.x --> SweetPotato
Exploit ElevateKit privilege escalation exploits
Exploit CVE-2018-4878 CVE-2018-4878
Exploit Aggressor-Scripts The only current public is UACBypass, whose readme can be found inside its associated folder.
Exploit CVE_2020_0796_CNA 基于ReflectiveDLLInjection实现的本地提权漏洞
Exploit DDEAutoCS setup our stage(d) Web Delivery attack
Exploit geacon Implement CobaltStrike's Beacon in Go (can be used in Linux)
Persistence persistence-aggressor-script persistence-aggressor-script
Persistence Peinject_dll 弃用winexec函数,使用shellexecute函数,程序流不在卡顿,达到真正的无感。
Persistence TikiTorch TikiTorch follows the same concept(CACTUSTORCH) but has multiple types of process injection available, which can be specified by the user at compile time.
Persistence CACTUSTORCH A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
Persistence UploadAndRunFrp 上传frpc并且运行frpc
Persistence persistence-aggressor-script Persistence Aggressor Script
Persistence AggressiveGadgetToJScript Automate the generation of payloads using the GadgetToJScript technique.
Auxiliary Cobaltstrike-atexec 利用任务计划进行横向,需要与135端口、445端口进行通信
Auxiliary Sharp-HackBrowserData C#的HackBrowserData工具,方便在cs中直接内存加载
Auxiliary SharpeningCobaltStrike In realtime compiling of dotnet v35/v40 exe/dll binaries + obfuscation with ConfuserEx on your linux cobalt strike server.
Auxiliary SharpCompile SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime.
Auxiliary Quickrundown Utilizing QRD will allow an operator to quickly characterize what processes are both known and unknown on a host through the use of colors and notes about the processes displayed.
Auxiliary Phant0m_cobaltstrike This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
Auxiliary NoPowerShell NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms.
Auxiliary EventLogMaster RDP EventLog Master
Auxiliary ANGRYPUPPY Bloodhound Attack Path Execution for Cobalt Strike
Auxiliary CobaltStrike_Script_Wechat_Push 上线微信提醒的插件,通过微信Server酱提醒
Auxiliary CS-Aggressor-Scripts slack and webhooks reminder
Auxiliary Aggressor-Scripts surveying of powershell on targets (在对应的目标上检测powershell的相关信息)
Auxiliary cs-magik Implements an events channel and job queue using Redis for Cobalt Strike.
Auxiliary AggressorScripts 查看进程的时候讲av进程标注为红色
Auxiliary Raven CobaltStrike External C2 for Websockets
Auxiliary CobaltStrikeParser Python parser for CobaltStrike Beacon's configuration
Auxiliary fakelogonscreen FakeLogonScreen is a utility to fake the Windows logon screen in order to obtain the user's password.
Auxiliary SyncDog Make bloodhound sync with cobaltstrike.
Auxiliary 360SafeBrowsergetpass 一键辅助抓取360安全浏览器密码的CobaltStrike脚本,通过下载浏览器数据库、记录密钥来离线解密浏览器密码。
Auxiliary SharpDecryptPwd 对密码已保存在 Windwos 系统上的部分程序进行解析,包括:Navicat,TeamViewer,FileZilla,WinSCP,Xmangager系列产品(Xshell,Xftp)。
Synthesis Erebus CobaltStrike4.x --> Erebus CobaltStrike后渗透测试插件
Synthesis Cobalt-Strike-Aggressor-Scripts CobaltStrike后渗透测试插件集合 Usage
Synthesis AggressorScripts Aggressor scripts for use with Cobalt Strike 3.0+
Synthesis RedTeamTools RedTeamTools for use with Cobalt Strike
Synthesis cobalt-arsenal Aggressor Scripts for Cobalt Strike 4.0+
Synthesis MoveKit The aggressor script handles payload creation by reading the template files for a specific execution type. intro
Synthesis StayKit The aggressor script handles payload creation by reading the template files for a specific execution type. intro
Synthesis AggressorScripts AggressorScripts
Synthesis AggressorScripts Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources
Synthesis AggressorScripts AggressorScripts
Synthesis Aggressor-VYSEC Contains a bunch of CobaltStrike Aggressor Scripts
Synthesis AggressorAssessor AggressorAssessor
Synthesis AggressorAssessor AggressorAssessor
Synthesis aggressor-scripts Collection of Cobalt Strike Aggressor Scripts
Synthesis Aggressor-scripts This is just a random collection of Aggressor Scripts I've written for Cobalt Strike 3.x. (其中有一个debug脚本比较好用)
Synthesis Aggressor-Script Collection of Aggressor Scripts for Cobalt Strike(主要包含了提权和权限维持脚本)
Synthesis Aggressor-Script Aggressor Script, Kit, Malleable C2 Profiles, External C2 and so on
Synthesis aggressor_scripts_collection Collection of various aggressor scripts for Cobalt Strike from awesome people. Will be sure to update this repo with credit to each person.
Synthesis CobaltStrike-ToolKit googlesearch.profile and script related to AD.
Synthesis Arsenal Cobalt Strike 3.13 Arsenal Kit
Synthesis cobalt-arsenal My collection of battle-tested Aggressor Scripts for Cobalt Strike 4.0+
Synthesis aggressor_scripts code execution via DCOM;the privilege escalation techniques included in ElevateKit;etc.
Synthesis aggressor_scripts code execution via DCOM;the privilege escalation techniques included in ElevateKit;etc.
Synthesis aggressor creating tunnels with netsh; changed default to bit.ly redirect to mcdonalds;using powershell to kill parent process;
Synthesis CobaltStrikeCNA A collection of scripts - from various sources - see script for more info.
Synthesis AggressorScripts Highlights selected processes from the ps command in beacon;Loads various aliases into beacon;sets a few defaults for scripts to be used later..
Synthesis AggressorAssessor 从C2生成到横向移动的全辅助脚本套件
Synthesis AggressorCollection Collection of awesome Cobalt Strike Aggressor Scripts. All credit due to the authors
Synthesis Cobaltstrike-Aggressor-Scripts-Collection The collection of tested cobaltstrike aggressor scripts.
Synthesis aggressorScripts CobaltStrike AggressorScripts for the lazy
Synthesis cobalt_strike_extension_kit 集成了SharpHound,SharpRDP,SharpWMI等在内的各种内网工具,使用AggressorScripts构建workflow
Synthesis cobaltstrike 具备域管理员定位、域信息收集、权限维持、内网扫描、数据库hash dump、Everything内网搜索文件等功能的插件集合
Synthesis 365CobaltStrike 兼容CobaltStrike4.0的插件集合
Synthesis CobaltStrike-xor third-party --> vnc_x86_dll and vnc_x64_dll

0x05 Related Tools

Type Name Description Popularity Language
AntiCobaltStrike cobaltstrike_brute Cobalt Strike Team Server Password Brute Forcer
AntiCobaltStrike CobaltStrikeScan Scan files or process memory for Cobalt Strike beacons and parse their configuration.
AntiCobaltStrike grab_beacon_config Simple PoC script to scan and acquire CobaltStrike Beacon configurations.
AntiCobaltStrike CS_Decrypt 解密可以帮助你理解cs beacon通信原理,但注意密钥是在本地teamserver中
AntiCobaltStrike C2-JARM 通过ssl实现所产生的JARM hash来识别不同的c2,例如CobaltStrike
AntiCobaltStrike DetectCobaltStomp A quick(and perhaps dirty!) PoC tool to detect Module Stomping as implemented by Cobalt Strike with moderate to high confidence
AntiCobaltStrike cobaltstrike Analyzing Cobalt Strike for Fun and Profit
SourceCode CobaltStrike CobaltStrike's source code,tested some code and function.
Auxiliary pycobalt PyCobalt is a Python API for Cobalt Strike.
Auxiliary redshell An interactive command prompt that executes commands through proxychains and automatically logs them on a Cobalt Strike team server.
Auxiliary CobaltStrikeToGhostWriter Log converter from CS logs to a CSV in Ghostwriter's operation log format.
Auxiliary Ansible-Cobalt-Strike An Ansible role to install cobalt-strike on debian based architectures, let's be honest it's for kali.
AVBypass UrbanBishopLocal A port of FuzzySecurity's UrbanBishop project for inline shellcode execution.
Synthesis redi Automated script for setting up CobaltStrike redirectors (nginx reverse proxy, letsencrypt)
Synthesis cs2modrewrite Automatically Generate Rulesets for Apache mod_rewrite or Nginx for Intelligent HTTP C2 Redirection
Synthesis Red-EC2 Deploy RedTeam Specific EC2 via ansible.
Synthesis RedCommander Creates two Cobalt Strike C2 servers (DNS and HTTPS), with redirectors, and RedELK in Amazon AWS. Minimal setup required! Companion Blog here
Synthesis CobaltPatch Cobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers
Synthesis CPLResourceRunner Run shellcode(Cobalt Strike) from resource

文章来源: https://github.com/zer0yu/Awesome-CobaltStrike
如有侵权请联系:admin#unsafe.sh