{"id":13840681,"url":"https://github.com/EncodeGroup/AggressiveGadgetToJScript","last_synced_at":"2025-07-11T09:32:48.211Z","repository":{"id":44827048,"uuid":"299874433","full_name":"EncodeGroup/AggressiveGadgetToJScript","owner":"EncodeGroup","description":"A Cobalt Strike Aggressor script to generate GadgetToJScript payloads","archived":false,"fork":false,"pushed_at":"2020-09-30T09:47:55.000Z","size":25,"stargazers_count":97,"open_issues_count":0,"forks_count":18,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-08-05T17:25:31.373Z","etag":null,"topics":["aggressor","aggressor-script","cobaltstrike","gadgettojscript-payloads","redteam"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/EncodeGroup.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-09-30T09:43:53.000Z","updated_at":"2024-05-27T11:51:29.000Z","dependencies_parsed_at":"2022-07-14T19:30:44.068Z","dependency_job_id":null,"html_url":"https://github.com/EncodeGroup/AggressiveGadgetToJScript","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FAggressiveGadgetToJScript","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FAggressiveGadgetToJScript/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FAggressiveGadgetToJScript/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FAggressiveGadgetToJScript/manifests","owner_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/EncodeGroup","download_url":"https://codeload.github.com/EncodeGroup/AggressiveGadgetToJScript/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712624,"owners_count":17512440,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aggressor","aggressor-script","cobaltstrike","gadgettojscript-payloads","redteam"],"created_at":"2024-08-04T17:00:51.972Z","updated_at":"2024-11-21T10:30:36.992Z","avatar_url":"https://github.com/EncodeGroup.png","language":"C#","funding_links":[],"categories":["C# (212)","C# #"],"sub_categories":[],"readme":"## AggressiveGadgetToJScript\nWe created this aggressor script in order to automate the generation of payloads using the GadgetToJScript technique.\n\nFor the purposes of this release, we used a common injector that implements the QueueUserAPC injection method and injects to notepad.exe.\n\nFeel free to use your own templates.\n\nAdditionally, the shellcode generated is compressed before being used in the injector template.\n\n---\n\n### Usage\n* Install mono framework: `apt install mono-complete`.\n* Set the path variables inside `GadgetToJScript.cna`:\n\t* `$toolpath` is the absolute path of the installation directory.\n\t* `$outpath` is the directory used to output all generated artifacts.\n\t* `$python3` is the absolute path of python3 binary.\n\t* `$gzip` is the absolute path of gzip binary.\n\t* `$mcs` is the absolute path of mcs binary.\n* Load cna into CobaltStrike.\n* A new menu `CustomPayloads` will appear. 
Generate the payload by choosing the listener, staged / stageless, and architecture. The payload will be stored in your defined `$outpath`.\n* Due to `ConfigurationManager.AppSettings` being read-only in Mono (https://github.com/mono/mono/issues/11751), we have to copy the generated EXE file to a Windows box and execute it.\n* The final GadgetToJScript payload (.js) will be generated. Currently using the reg-free template from GadgetToJScript.\n\n### Configuration:\n```\n$toolpath = \"/opt/cobaltstrike/custom/AggressiveGadgetToJScript\";\n$outpath = \"/tmp/payloads\";\n$python3 = \"/usr/bin/python3\";\n$gzip = \"/usr/bin/gzip\";\n$mcs = \"/usr/bin/mcs\";\n```\n---\n\n### Caveats\n* Payload generated (.js) gets flagged by AV. Consider obfuscating `/Templates/GadgetToJScript.js`. As a PoC we opted to use a powerful royal-like technique directly stolen from Caesar!\n* Shellcode can also be encrypted by placing an encrypt function in Helper.py and a decrypt function in `/Templates/Injector.cs`.\n* Injection method can be replaced in `/Templates/Injector.cs`. Just make sure to place it in the constructor of the class.\n\n---\n\n### Authors\n\n* [@eksperience](https://github.com/eksperience)\n\n* [@leftp](https://github.com/leftp)\n\n---\n\n### Credits\n\nThis tool is based on:\n\n* Original code of GadgetToJScript from @med0x2e - https://github.com/med0x2e/GadgetToJScript\n\n* Sample Injector used from @pwndizzle - https://github.com/pwndizzle/c-sharp-memory-injection/blob/master/apc-injection-new-process.cs\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEncodeGroup%2FAggressiveGadgetToJScript","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FEncodeGroup%2FAggressiveGadgetToJScript","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEncodeGroup%2FAggressiveGadgetToJScript/lists"}