Skip to content

nickvourd/CS-Aggressor-Kit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CS-Aggressor-Kit

Homemade Aggressor scripts kit for Cobalt Strike



GitHub License GitHub Repo stars GitHub forks GitHub watchers

Table of Contents

Summary

The following table illustrates all the CNA files included in this project:

Section Name Description
Alert slack-alerts_linux.cna Slack CNA file for Linux CS client
Alert slack-alerts_windows.cna Slack CNA file for Windows CS client
Alert discord-alerts_linux.cna Discord CNA file for Linux CS Client
Alert teams-alerts_linux.cna Teams CNA file for Linux CS Client
Alert mattermost-alerts_linux.cna Mattermost CNA file for Linux CS Client
Alert mattermost-alerts_windows.cna Mattermost CNA file for Windows CS Client
Auto auto-sleep-on-start.cna This CNA file automatically sets the sleep time to a specific value when a new user joins the teamserver. It requires a client to remain open at all times, ensuring the sleep time is configured even if the Cobalt Strike client is closed or you forget to set it while away
Auto auto-sleep-on-exit.cna This CNA file automatically sets the sleep time to a specific value when all users, except one, disconnect from the teamserver. A client must remain open at all times
Auto auto-sleep-interactive-for-testing.cna This CNA file automatically set beacon sleep to 0 on initial connection
Misc Beacon-Name-Tab.cna This CNA file modifies the Beacon tab name format from the default to username@hostname (pid)
Misc Beacon-Name-Tab-Colors.cna This CNA file modifies the Beacon tab name format from the default to username@hostname (pid), for admin's beacon the color is red, for user's beacon the color is green
Misc CS-All-Tabs-Bold.cna This CNA file makes all CS client tabs bold
Misc CWD-Beacon-Bar.cna This CNA file enhances Beacon console status bar to display the Beacon's last known working directory path. Additionally, improves the 'cd' command to support restoring the previous directory path seamlessly (Usage: cd -)
SA File-Color.cna This CNA file outputs files in a colorful format for file hunting
SA PS-Color.cna This CNA file outputs proccess in a colorful format for process hunting
Utils Sonata.cna This CNA file is a port of the Sonata tool. Sonata is a file hash calculator that supports MD5, SHA1, SHA256, and SHA512 algorithms. The CNA port enhances functionality by supporting string hash calculations as well
Utils locate.cna This CNA functions like the locate Linux command. Additionally, it performs case-insensitive keyword searches. This CNA requires a Linux CS client

Alert

These CNA files will notify you via the Slack/Discord/Teams/Mattermost applications when:

  • A new client connects to the team server.
  • A CS client disconnects from the team server.
  • A new incoming beacon.
  • A new web hit occurs.
  • A CS client posts something in the event log.
  • New site hosts.
  • New credentials come in from keylogging.
  • A new screenshot is taken from Cobalt Strike.

ℹ️ Some CNA files are compatible with both Windows and Linux operating systems.

The following table illustrates the CNA files included in the Alert section:

Name OS App Description
slack-alerts_linux.cna Linux Slack Slack CNA file for Linux CS client
slack-alerts_windows.cna Windows Slack Slack CNA file for Windows CS client
discord-alerts_linux.cna Linux Discord Discord CNA file for Linux CS Client
teams-alerts_linux.cna Linux Teams Teams CNA file for Linux CS Client
mattermost-alerts_linux.cna Linux Mattermost Mattermost CNA file for Linux CS Client
mattermost-alerts_windows.cna Windows Mattermost Mattermost CNA file for Windows CS Client

Setup Slack and Webhooks

ℹ️ To set up a Slack server and webhook, you can follow these guides provided on the Slack website.

Setup Discord and Webhooks

ℹ️ To set up a Discord server and webhook, you can follow these guides provided on the Discord website.

Setup Teams Webhooks

ℹ️ To set up a Microsoft Teams webhook, you can follow these guides provided on Microsoft website.

Setup Mattermost Webhooks

ℹ️ To set up a Mattermost webhook, you can follow these guides provided on Mattermost website.

Alert CNA Output Examples

New incoming Beacon notification example (Slack):

New-Beacon-Example

New Web hit notification example (Discord):

Web-Hit-Example

New CS client connects to the teamserver notification example (Slack):

New-CS-Client-Connect-Example

CS Client disconnects from the teamserver notification example (Discord):

CS-Client-Disconnect

CS Client hosts a file or clones a website notification example (Slack):

Host-File-Clone-Site

CS client posts something in the event log (Discord):

New-message-CS

New credentials come in from keylogging (Discord):

New-credentials-come-in

New screenshot is taken from Cobalt Strike (Slack):

New-Screesnhot-taken

Auto

These CNA files automatically configure certain actions in Cobalt Strike.

The following table illustrates the CNA files included in the Auto section:

Name Description
auto-sleep-on-start.cna This CNA file automatically sets the sleep time to a specific value when a new user joins the teamserver. It requires a client to remain open at all times
auto-sleep-on-exit.cna This CNA file automatically sets the sleep time to a specific value when all users, except one, disconnect from the teamserver. A client must remain open at all times
auto-sleep-interactive-for-testing.cna This CNA file automatically set beacon sleep to 0 on initial connection

How Auto Sleep Works

ℹ️ The two auto-sleep CNA files can be used individually or together, depending on your preferences.

Diagram 1: The two Cobalt Srike clients are connected to the Team server.

Diagram-1

Diagram 2: At the end of the day's engagement tasks, the operators decide to stop the engagement. One operator, using a Cobalt Strike client without the CNA file, disconnects from the teamserver, while the other operator ensures his/her Cobalt Strike client with the CNA file (auto-sleep-on-exit.cna) remains open.

Diagram-2

Diagram 3: The Cobalt Strike client with the CNA file will detect the user disconnection event and automatically adjust the sleep time to the predefined value specified in the CNA file.

Diagram-3

Diagram 4: The next day, when the operator (with the Cobalt Strike client without the CNA file) connects to the Team Server, the always-open client with the loaded CNA file (auto-sleep-on-start.cna) will detect the new user connection. It will then automatically set the sleep time to the predefined value specified in the CNA file.

Diagram-4

Auto Sleep Interactive For Testing

This CNA file automatically sets the beacon sleep interval to 0 upon initial connection, which is useful for testing purposes.

Auto-Sleep-Interactive-Example

Misc

These CNA files will configure the output format for various default functionalities of Cobalt Strike.

The following table illustrates the CNA files included in the Misc section:

Name Description
Beacon-Name-Tab.cna This CNA file modifies the Beacon tab name format from the default to username@hostname (pid)
Beacon-Name-Tab-Colors.cna This CNA file modifies the Beacon tab name format from the default to username@hostname (pid), for admin's beacon the color is red, for user's beacon the color is green
CS-All-Tabs-Bold.cna This CNA file makes all CS client tabs bold
CWD-Beacon-Bar.cna This CNA file enhances Beacon console status bar to display the Beacon's last known working directory path. Additionally, improves the 'cd' command to support restoring the previous directory path seamlessly (Usage: cd -)

Beacon Name Tab Example

This CNA file modifies the Beacon tab name format from the default to username@hostname (pid).

Beacon-Tab-Name-Example

Beacon Name Tab Colors Example

This CNA file modifies the Beacon tab name format from the default to username@hostname (pid). For an Administrator's Beacon, the tab color is set to red, while for a standard user's Beacon, the tab color is set to green.

Beacon-Tab-Name-Colors-Example

CS All Tabs Bold Example

This CNA file makes all Cobalt Strike client tabs bold.

CS-All-Tabs-Bold-Example

CWD Beacon Bar Example

This CNA file enhances Beacon console status bar to display the Beacon's last known working directory path.

CWD-Beacon-Bar-Example

Additionally, improves the 'cd' command to support restoring the previous directory path seamlessly (Usage: cd -).

CWD-Beacon-Bar-Example-2

Finally, when you have an Administrator's Beacon, the hostname of the target machine changes from the CNA's default green (used for standard users) to red.

CWD-Beacon-Bar-Example-Admin

SA

These CNA files are used for Situational Awareness.

The following table illustrates the CNA files included in the SA section:

Name Description
File-Color.cna This CNA file outputs files in a colorful format for file hunting
PS-Color.cna This CNA file outputs proccess in a colorful format for process hunting

File Color Example

This CNA file outputs files in a colorful format for file hunting.

  • [*] Executable files listed in GREEN
  • [*] System-Related files listed in PURPLE
  • [*] Database files listed in YELLOW
  • [*] Office related files listed in RED
  • [*] Source Code files listed in CYAN
  • [*] Media files listed in ORANGE
  • [*] Directories listed in BLUE

File-Color-Example

Process Color Example

This CNA file outputs proccess in a colorful format for process hunting.

  • [*] This Beacon PID: YELLOW (<beacon_pid>)
  • [*] Windows Processes: GREEN
  • [*] Security Products: RED

Process-Color-Example

Utils

These CNA files are used for general micro tasks during operations.

The following table illustrates the CNA files included in the Utils section:

Name Description
Sonata.cna This CNA file is a port of the Sonata tool. Sonata is a file hash calculator that supports MD5, SHA1, SHA256, and SHA512 algorithms. The CNA port enhances functionality by supporting string hash calculations as well
locate.cna This CNA functions like the locate Linux command. Additionally, it performs case-insensitive keyword searches. This CNA requires a Linux CS client

Sonata Examples

Hash calculator for local files and strings.

Usage: Sonata -f/--file <local_filepath> OR Sonata -s/--string <string>

Sonata File

Sonata-Example-1

Sonata String

Sonata-Example-2

Locate Example

This CNA functions like the locate Linux command. Additionally, it performs case-insensitive keyword searches. This CNA requires a Linux CS client

locate-example