https://github.com/nickvourd/cs-aggressor-kit
Homemade Aggressor scripts kit for Cobalt Strike
https://github.com/nickvourd/cs-aggressor-kit
aggressor-scripts c2 c2-framework cna cobalt-strike command-and-control configuration configuration-files java kit redteam redteam-tools redteaming weaponized
Last synced: 4 months ago
JSON representation
Homemade Aggressor scripts kit for Cobalt Strike
- Host: GitHub
- URL: https://github.com/nickvourd/cs-aggressor-kit
- Owner: nickvourd
- License: mit
- Created: 2024-03-10T09:54:45.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-01-30T05:38:56.000Z (5 months ago)
- Last Synced: 2025-02-25T12:12:47.960Z (4 months ago)
- Topics: aggressor-scripts, c2, c2-framework, cna, cobalt-strike, command-and-control, configuration, configuration-files, java, kit, redteam, redteam-tools, redteaming, weaponized
- Homepage:
- Size: 2.77 MB
- Stars: 42
- Watchers: 2
- Forks: 7
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# CS-Aggressor-Kit
Homemade Aggressor scripts kit for Cobalt Strike
## Table of Contents
- [CS-Aggressor-Kit](#cs-aggressor-kit)
- [Table of Contents](#table-of-contents)
- [Summary](#summary)
- [Alert](#alert)
- [Setup Slack and Webhooks](#setup-slack-and-webhooks)
- [Setup Discord and Webhooks](#setup-discord-and-webhooks)
- [Setup Teams Webhooks](#setup-teams-webhooks)
- [Setup Mattermost Webhooks](#setup-mattermost-webhooks)
- [Alert CNA Output Examples](#alert-cna-output-examples)
- [New incoming Beacon notification example (Slack)](#new-incoming-beacon-notification-example-slack)
- [New Web hit notification example (Discord)](#new-web-hit-notification-example-discord)
- [New CS client connects to the teamserver notification example (Slack)](#new-cs-client-connects-to-the-teamserver-notification-example-slack)
- [CS Client disconnects from the teamserver notification example (Discord)](#cs-client-disconnects-from-the-teamserver-notification-example-discord)
- [CS Client hosts a file or clones a website notification example (Slack)](#cs-client-hosts-a-file-or-clones-a-website-notification-example-slack)
- [CS client posts something in the event log (Discord)](#cs-client-posts-something-in-the-event-log-discord)
- [New credentials come in from keylogging (Discord)](#new-credentials-come-in-from-keylogging-discord)
- [New screenshot is taken from Cobalt Strike (Slack)](#new-screenshot-is-taken-from-cobalt-strike-slack)
- [Auto](#auto)
- [How Auto Sleep Works](#how-auto-sleep-works)
- [Auto Sleep Interactive For Testing](#auto-sleep-interactive-for-testing)
- [Auto Sleep After Initial Access](#auto-sleep-after-initial-access)
- [Misc](#misc)
- [Beacon Name Tab Example](#beacon-name-tab-example)
- [Beacon Name Tab Colors Example](#beacon-name-tab-colors-example)
- [CS All Tabs Bold Example](#cs-all-tabs-bold-example)
- [CWD Beacon Bar Example](#cwd-beacon-bar-example)
- [SA](#sa)
- [File Color Example](#file-color-example)
- [Process Color Example](#process-color-example)
- [Utils](#utils)
- [Sonata Examples](#sonata-examples)
- [Sonata File](#sonata-file)
- [Sonata String](#sonata-string)
- [Locate Example](#locate-example)
## Summary
The following table illustrates all the CNA files included in this project:
| Section | Name | Description |
|:-----------:|:-----------:|:-----------:|
| Alert |[slack-alerts_linux.cna](/Alert/Slack/slack-alerts_linux.cna)| Slack CNA file for Linux CS client |
| Alert |[slack-alerts_windows.cna](/Alert/Slack/slack-alerts_windows.cna)| Slack CNA file for Windows CS client |
| Alert |[discord-alerts_linux.cna](/Alert/Discord/discord-alerts_linux.cna)| Discord CNA file for Linux CS Client |
| Alert |[teams-alerts_linux.cna](/Alert/Teams/teams-alerts_linux.cna)| Teams CNA file for Linux CS Client |
| Alert |[mattermost-alerts_linux.cna](/Alert/Mattermost/mattermost-alerts_linux.cna)| Mattermost CNA file for Linux CS Client |
| Alert |[mattermost-alerts_windows.cna](/Alert/Mattermost/mattermost-alerts_windows.cna)| Mattermost CNA file for Windows CS Client |
| Auto | [auto-sleep-on-start.cna](/Auto/auto-sleep-on-start.cna) | This CNA file automatically sets the sleep time to a specific value when a new user joins the teamserver. It requires a client to remain open at all times, ensuring the sleep time is configured even if the Cobalt Strike client is closed or you forget to set it while away |
| Auto | [auto-sleep-on-exit.cna](/Auto/auto-sleep-on-exit.cna) | This CNA file automatically sets the sleep time to a specific value when all users, except one, disconnect from the teamserver. A client must remain open at all times |
| Auto | [auto-sleep-after-initial-access.cna](/Auto/auto-sleep-after-initial-access.cna) | This CNA file automatically configures the beacon's sleep interval upon initial acccess |
| Auto | [auto-sleep-interactive-for-testing.cna](/Auto/auto-sleep-interactive-for-testing.cna) | This CNA file automatically set beacon sleep to 0 on initial connection |
| Misc | [Beacon-Name-Tab.cna](/Misc/Beacon-Name-Tab.cna) | This CNA file modifies the Beacon tab name format from the default to `username`@`hostname` (`pid`) |
| Misc | [Beacon-Name-Tab-Colors.cna](/Misc/Beacon-Name-Tab-Colors.cna) | This CNA file modifies the Beacon tab name format from the default to `username`@`hostname` (`pid`), for admin's beacon the color is red, for user's beacon the color is green |
| Misc | [CS-All-Tabs-Bold.cna](/Misc/CS-All-Tabs-Bold.cna) | This CNA file makes all CS client tabs bold |
| Misc | [CWD-Beacon-Bar.cna](/Misc/CWD-Beacon-Bar.cna) | This CNA file enhances Beacon console status bar to display the Beacon's last known working directory path. Additionally, improves the 'cd' command to support restoring the previous directory path seamlessly (Usage: `cd -`) |
| SA | [File-Color.cna](/SA/File-Color.cna) | This CNA file outputs files in a colorful format for file hunting |
| SA | [PS-Color.cna](/SA/PS-Color.cna) | This CNA file outputs proccess in a colorful format for process hunting |
| Utils | [Sonata.cna](/Utils/Sonata.cna) | This CNA file is a port of the [Sonata](https://github.com/nickvourd/Sonata) tool. Sonata is a file hash calculator that supports MD5, SHA1, SHA256, and SHA512 algorithms. The CNA port enhances functionality by supporting string hash calculations as well |
| Utils | [locate.cna](/Utils/locate.cna) | This CNA functions like the `locate` Linux command. Additionally, it performs case-insensitive keyword searches. This CNA requires a Linux CS client |
## Alert
These CNA files will notify you via the `Slack`/`Discord`/`Teams`/`Mattermost` applications when:
- A new client connects to the team server.
- A CS client disconnects from the team server.
- A new incoming beacon.
- A new web hit occurs.
- A CS client posts something in the event log.
- New site hosts.
- New credentials come in from keylogging.
- A new screenshot is taken from Cobalt Strike.
:information_source: Some CNA files are compatible with both Windows and Linux operating systems.
The following table illustrates the CNA files included in the Alert section:
| Name | OS | App | Description |
|:-----------:|:-----------:|:-----------:|:-----------:|
|[slack-alerts_linux.cna](/Alert/Slack/slack-alerts_linux.cna)| Linux | Slack | Slack CNA file for Linux CS client |
|[slack-alerts_windows.cna](/Alert/Slack/slack-alerts_windows.cna)| Windows | Slack | Slack CNA file for Windows CS client |
|[discord-alerts_linux.cna](/Alert/Discord/discord-alerts_linux.cna)| Linux | Discord | Discord CNA file for Linux CS Client |
|[teams-alerts_linux.cna](/Alert/Teams/teams-alerts_linux.cna)| Linux | Teams | Teams CNA file for Linux CS Client |
|[mattermost-alerts_linux.cna](/Alert/Mattermost/mattermost-alerts_linux.cna)| Linux | Mattermost | Mattermost CNA file for Linux CS Client |
|[mattermost-alerts_windows.cna](/Alert/Mattermost/mattermost-alerts_windows.cna)| Windows | Mattermost | Mattermost CNA file for Windows CS Client |
### Setup Slack and Webhooks
:information_source: To set up a Slack server and webhook, you can follow these guides provided on the [Slack website](https://api.slack.com/incoming-webhooks).
### Setup Discord and Webhooks
:information_source: To set up a Discord server and webhook, you can follow these guides provided on the [Discord website](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks).
### Setup Teams Webhooks
:information_source: To set up a Microsoft Teams webhook, you can follow these guides provided on [Microsoft website](https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook?tabs=newteams%2Cdotnet).
### Setup Mattermost Webhooks
:information_source: To set up a Mattermost webhook, you can follow these guides provided on [Mattermost website](https://developers.mattermost.com/integrate/webhooks/incoming/).
### Alert CNA Output Examples
#### New incoming Beacon notification example (Slack):
#### New Web hit notification example (Discord):
#### New CS client connects to the teamserver notification example (Slack):
#### CS Client disconnects from the teamserver notification example (Discord):
#### CS Client hosts a file or clones a website notification example (Slack):
#### CS client posts something in the event log (Discord):
#### New credentials come in from keylogging (Discord):
#### New screenshot is taken from Cobalt Strike (Slack):
## Auto
These CNA files automatically configure certain actions in Cobalt Strike.
The following table illustrates the CNA files included in the Auto section:
| Name | Description |
|:-----------:|:-----------:|
| [auto-sleep-on-start.cna](/Auto/auto-sleep-on-start.cna) | This CNA file automatically sets the sleep time to a specific value when a new user joins the teamserver. It requires a client to remain open at all times |
| [auto-sleep-on-exit.cna](/Auto/auto-sleep-on-exit.cna) | This CNA file automatically sets the sleep time to a specific value when all users, except one, disconnect from the teamserver. A client must remain open at all times |
| [auto-sleep-interactive-for-testing.cna](/Auto/auto-sleep-interactive-for-testing.cna) | This CNA file automatically set beacon sleep to 0 on initial connection |
| [auto-sleep-after-initial-access.cna](/Auto/auto-sleep-after-initial-access.cna) | This CNA file automatically configures the beacon's sleep interval upon initial acccess |
### How Auto Sleep Works
:information_source: The two auto-sleep CNA files can be used individually or together, depending on your preferences.
**Diagram 1**: The two Cobalt Srike clients are connected to the Team server.
**Diagram 2**: At the end of the day's engagement tasks, the operators decide to stop the engagement. One operator, using a Cobalt Strike client without the CNA file, disconnects from the teamserver, while the other operator ensures his/her Cobalt Strike client with the CNA file ([auto-sleep-on-exit.cna](/Auto/auto-sleep-on-exit.cna)) remains open.
**Diagram 3**: The Cobalt Strike client with the CNA file will detect the user disconnection event and automatically adjust the sleep time to the predefined value specified in the CNA file.
**Diagram 4**: The next day, when the operator (with the Cobalt Strike client without the CNA file) connects to the Team Server, the always-open client with the loaded CNA file ([auto-sleep-on-start.cna](/Auto/auto-sleep-on-start.cna)) will detect the new user connection. It will then automatically set the sleep time to the predefined value specified in the CNA file.
### Auto Sleep Interactive For Testing
This CNA file automatically sets the beacon sleep interval to 0 upon initial connection, which is useful for testing purposes.
### Auto Sleep After Initial Access
This CNA file automatically configures the beacon's sleep interval upon initial acccess.
## Misc
These CNA files will configure the output format for various default functionalities of Cobalt Strike.
The following table illustrates the CNA files included in the Misc section:
| Name | Description |
|:-----------:|:-----------:|
| [Beacon-Name-Tab.cna](/Misc/Beacon-Name-Tab.cna) | This CNA file modifies the Beacon tab name format from the default to `username`@`hostname` (`pid`) |
| [Beacon-Name-Tab-Colors.cna](/Misc/Beacon-Name-Tab-Colors.cna) | This CNA file modifies the Beacon tab name format from the default to `username`@`hostname` (`pid`), for admin's beacon the color is red, for user's beacon the color is green |
| [CS-All-Tabs-Bold.cna](/Misc/CS-All-Tabs-Bold.cna) | This CNA file makes all CS client tabs bold |
| [CWD-Beacon-Bar.cna](/Misc/CWD-Beacon-Bar.cna) | This CNA file enhances Beacon console status bar to display the Beacon's last known working directory path. Additionally, improves the 'cd' command to support restoring the previous directory path seamlessly (Usage: `cd -`) |
### Beacon Name Tab Example
This CNA file modifies the Beacon tab name format from the default to `username`@`hostname` (`pid`).
### Beacon Name Tab Colors Example
This CNA file modifies the Beacon tab name format from the default to `username`@`hostname` (`pid`). For an Administrator's Beacon, the tab color is set to red, while for a standard user's Beacon, the tab color is set to green.
### CS All Tabs Bold Example
This CNA file makes all Cobalt Strike client tabs bold.
### CWD Beacon Bar Example
This CNA file enhances Beacon console status bar to display the Beacon's last known working directory path.
Additionally, improves the 'cd' command to support restoring the previous directory path seamlessly (Usage: `cd -`).
Finally, when you have an Administrator's Beacon, the hostname of the target machine changes from the CNA's default green (used for standard users) to red.
## SA
These CNA files are used for Situational Awareness.
The following table illustrates the CNA files included in the SA section:
| Name | Description |
|:-----------:|:-----------:|
| [File-Color.cna](/SA/File-Color.cna) | This CNA file outputs files in a colorful format for file hunting |
| [PS-Color.cna](/SA/PS-Color.cna) | This CNA file outputs proccess in a colorful format for process hunting |
## File Color Example
This CNA file outputs files in a colorful format for file hunting.
- [*] Executable files listed in GREEN
- [*] System-Related files listed in PURPLE
- [*] Database files listed in YELLOW
- [*] Office related files listed in RED
- [*] Source Code files listed in CYAN
- [*] Media files listed in ORANGE
- [*] Directories listed in BLUE
## Process Color Example
This CNA file outputs proccess in a colorful format for process hunting.
- [*] This Beacon PID: YELLOW ()
- [*] Windows Processes: GREEN
- [*] Security Products: RED
## Utils
These CNA files are used for general micro tasks during operations.
The following table illustrates the CNA files included in the Utils section:
| Name | Description |
|:-----------:|:-----------:|
| [Sonata.cna](/Utils/Sonata.cna) | This CNA file is a port of the [Sonata](https://github.com/nickvourd/Sonata) tool. Sonata is a file hash calculator that supports MD5, SHA1, SHA256, and SHA512 algorithms. The CNA port enhances functionality by supporting string hash calculations as well |
| [locate.cna](/Utils/locate.cna) | This CNA functions like the `locate` Linux command. Additionally, it performs case-insensitive keyword searches. This CNA requires a Linux CS client |
### Sonata Examples
Hash calculator for local files and strings.
Usage: `Sonata -f/--file OR Sonata -s/--string `
#### Sonata File
#### Sonata String
### Locate Example
This CNA functions like the `locate` Linux command. Additionally, it performs case-insensitive keyword searches. This CNA requires a Linux CS client.
ℹ️ When you insert a new file on the host disk, it is recommended to run the `updatedb` command to update the file database and sync the system with the newly added files.
