Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/EncodeGroup/AggressiveGadgetToJScript
A Cobalt Strike Aggressor script to generate GadgetToJScript payloads
https://github.com/EncodeGroup/AggressiveGadgetToJScript
aggressor aggressor-script cobaltstrike gadgettojscript-payloads redteam
Last synced: 3 months ago
JSON representation
A Cobalt Strike Aggressor script to generate GadgetToJScript payloads
- Host: GitHub
- URL: https://github.com/EncodeGroup/AggressiveGadgetToJScript
- Owner: EncodeGroup
- License: gpl-3.0
- Created: 2020-09-30T09:43:53.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2020-09-30T09:47:55.000Z (about 4 years ago)
- Last Synced: 2024-05-02T18:08:28.564Z (6 months ago)
- Topics: aggressor, aggressor-script, cobaltstrike, gadgettojscript-payloads, redteam
- Language: C#
- Homepage:
- Size: 24.4 KB
- Stars: 95
- Watchers: 6
- Forks: 17
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - EncodeGroup/AggressiveGadgetToJScript - A Cobalt Strike Aggressor script to generate GadgetToJScript payloads (C# #)
README
## AggressiveGadgetToJScript
We created this aggressor script in order to automate the generation of payloads using the GadgetToJScript technique.
For the purposes of this release, we used a common injector that implements the QueueUserAPC injection method and injects to notepad.exe.
Feel free to use your own templates.
Additionally, the shellcode generated is compressed before being used in the injector template.
---
### Usage
* Install mono framework: `apt install mono-complete`.
* Set the path variables inside `GadgetToJScript.cna`:
* `$toolpath` is the absolute path of the installation directory.
* `$outpath` is the directory used to output all generated artifacts.
* `$python3` is the absolute path of python3 binary.
* `$gzip` is the absolute path of gzip binary.
* `$mcs` is the absolute path of mcs binary.
* Load cna into CobaltStrike.
* A new menu `CustomPayloads` will appear. Generate the payload choosing listener, staged / stageless, architecture. Payload will be stored in your defined `$outpath`.
* Due to `ConfigurationManager.AppSettings` being readonly in Mono (https://github.com/mono/mono/issues/11751), we have to copy the generated EXE file into a windows box and execute it.
* The final GadgetToJscript payload (.js) will be generated. Currently using the reg-free template from GadgetToJscript.
### Configuration:
```
$toolpath = "/opt/cobaltstrike/custom/AggressiveGadgetToJScript";
$outpath = "/tmp/payloads";
$python3 = "/usr/bin/python3";
$gzip = "/usr/bin/gzip";
$mcs = "/usr/bin/mcs";
```
---
### Caveats
* Payload generated (.js) gets flagged by AV. Consider obfuscating `/Templates/GadgetToJScript.js`. As a PoC we opted using a powerful royal-like technique directly stolen from Caesar!
* Shellcode can also be encrypted by placing an encrypt function in Helper.py and a decrypt function in `/Templates/Injector.cs`
* Injection method can be replaced in `/Templates/Injector.cs`. Just make sure to place it in the constructor of the class.
---
### Authors
* [@eksperience](https://github.com/eksperience)
* [@leftp](https://github.com/leftp)
---
### Credits
This tool is based on:
* Original code of GadgetToJScript from @med0x2e - https://github.com/med0x2e/GadgetToJScript
* Sample Injector used from @pwndizzle - https://github.com/pwndizzle/c-sharp-memory-injection/blob/master/apc-injection-new-process.cs