These are the events fired by Aggressor Script.
This event fires whenever any Aggressor Script event fires.
$1 - the original event name
... - the arguments to the event

    # event spy script
    on * {
        println("[ $+ $1 $+ ]: " . subarray(@_, 1));
    }

Fired when a Beacon checkin acknowledgement is posted to a Beacon's console.
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred

Fired when an error is posted to a Beacon's console.
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred

Fired when an indicator of compromise notice is posted to a Beacon's console.
$1 - the ID of the beacon
$2 - the user responsible for the input
$3 - the text of the message
$4 - when this message occurred

Fired when a Beacon calls home for the first time.
$1 - the ID of the beacon that called home.

    on beacon_initial {
        # list network connections
        bshell($1, "netstat -na | findstr \"ESTABLISHED\"");

        # list shares
        bshell($1, "net use");

        # list groups
        bshell($1, "whoami /groups");
    }

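A defender's view of the beacon_initial example above, as an added Python example that is not part of the original page or of Cobalt Strike: a script like this queues the same three commands for every new session, so process-creation logs can show all of them under one parent process within a short window. The record layout (timestamp, host, parent PID, command line), the 30-second window and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three commands queued by the page's beacon_initial example.
RECON_PATTERNS = {
    "netstat": re.compile(r"\bnetstat(\.exe)?\s+-na\b", re.I),
    "net_use": re.compile(r"\bnet1?(\.exe)?\s+use\b", re.I),
    "whoami_groups": re.compile(r"\bwhoami(\.exe)?\s+/groups\b", re.I),
}

# Constructed process-creation records: (timestamp, host, parent PID, command line).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "WS01", 4120, 'cmd.exe /C netstat -na | findstr "ESTABLISHED"'),
    ("2024-05-01T10:00:02", "WS01", 4120, "cmd.exe /C net use"),
    ("2024-05-01T10:00:02", "WS01", 4120, "cmd.exe /C whoami /groups"),
    ("2024-05-01T09:15:00", "WS02", 880, "whoami /groups"),          # lone admin check
    ("2024-05-01T08:00:00", "WS03", 3000, "netstat -na"),            # same commands,
    ("2024-05-01T11:30:00", "WS03", 3000, r"net use Z: \\fs01\share"),  # spread over
    ("2024-05-01T14:00:00", "WS03", 3000, "whoami /groups"),         # a working day
]

def classify(cmd):
    """Return the name of the recon pattern a command line matches, or None."""
    for name, rx in RECON_PATTERNS.items():
        if rx.search(cmd):
            return name
    return None

def find_recon_bursts(events, window=timedelta(seconds=30)):
    """Return sorted (host, ppid) pairs whose children ran all three commands within window."""
    by_parent = defaultdict(list)
    for ts, host, ppid, cmd in events:
        kind = classify(cmd)
        if kind:
            by_parent[(host, ppid)].append((datetime.fromisoformat(ts), kind))
    hits = []
    for key, seen in by_parent.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # Distinct recon commands observed from this start time to the window's end.
            kinds = {k for t, k in seen[i:] if t - start <= window}
            if kinds == set(RECON_PATTERNS):
                hits.append(key)
                break
    return sorted(hits)

if __name__ == "__main__":
    print(find_recon_bursts(SAMPLE_EVENTS))
```

Only the burst on WS01 is reported; the same three commands spread across hours on WS03 fall outside the window.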
Fired when a DNS Beacon calls home for the first time. At this point, no metadata has been exchanged.
$1 - the ID of the beacon that called home.

    on beacon_initial_empty {
        binput($1, "[Acting on new DNS Beacon]");

        # change the data channel to DNS TXT
        bmode($1, "dns-txt");

        # request the Beacon checkin and send its metadata
        bcheckin($1);
    }

Fired when an input message is posted to a Beacon's console.
$1 - the ID of the beacon
$2 - the user responsible for the input
$3 - the text of the message
$4 - when this message occurred

Fired when a mode change acknowledgement is posted to a Beacon's console.
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred

Fired when output is posted to a Beacon's console.
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred

Fired when (alternate) output is posted to a Beacon's console. What makes for alternate output? It's just different presentation from normal output.
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred

Fired when jobs output is sent to a Beacon's console.
$1 - the ID of the beacon
$2 - the text of the jobs output
$3 - when this message occurred

Fired when ls output is sent to a Beacon's console.
$1 - the ID of the beacon
$2 - the text of the ls output
$3 - when this message occurred

Fired when ps output is sent to a Beacon's console.
$1 - the ID of the beacon
$2 - the text of the ps output
$3 - when this message occurred

Fired when a task acknowledgement is posted to a Beacon's console.
$1 - the ID of the beacon
$2 - the text of the message
$3 - when this message occurred

Fired when the team server sends over fresh information on all of our Beacons. This occurs about once each second.
$1 - an array of dictionary objects with metadata for each Beacon.

Fired when this Cobalt Strike becomes disconnected from the team server.

Fired when a user performs an action in the event log. This is similar to an action on IRC (the /me command).
$1 - who the message is from
$2 - the contents of the message
$3 - the time the message was posted

Fired when an initial beacon message is posted to the event log.
$1 - the contents of the message
$2 - the time the message was posted

Fired when a user connects to the team server.
$1 - who joined the team server
$2 - the time the message was posted

Fired when a new site message is posted to the event log.
$1 - who set up the new site
$2 - the contents of the new site message
$3 - the time the message was posted

Fired when a message from the team server is posted to the event log.
$1 - the contents of the message
$2 - the time the message was posted

Fired when the current Cobalt Strike client tries to interact with a user who is not connected to the team server.
$1 - who is not present
$2 - the time the message was posted

Fired when a private message is posted to the event log.
$1 - who the message is from
$2 - who the message is directed to
$3 - the contents of the message
$4 - the time the message was posted

Fired when a public message is posted to the event log.
$1 - who the message is from
$2 - the contents of the message
$3 - the time the message was posted

Fired when someone disconnects from the team server.
$1 - who left the team server
$2 - the time the message was posted

Fired every ten minutes
Fired every ten seconds
Fired every fifteen minutes
Fired every fifteen seconds
Fired every minute
Fired every second
Fired every twenty minutes
Fired every thirty minutes
Fired every thirty seconds
Fired every five minutes
Fired every five seconds
Fired every sixty minutes

Fired when there are new results reported to the web server via the cloned site keystroke logger.
$1 - external address of visitor
$2 - reserved
$3 - the logged keystrokes
$4 - the phishing token for these recorded keystrokes.

Fired when there are new results reported to the System Profiler.
$1 - external address of visitor
$2 - de-cloaked internal address of visitor (or "unknown")
$3 - visitor's User-Agent
$4 - a dictionary containing the applications.
$5 - the phishing token of the visitor (use &tokenToEmail to resolve to an email address)

Fired when this Cobalt Strike client is connected to the team server and ready to act.

Fired when a phishing campaign completes.
$1 - the campaign ID

Fired after a phish is sent to an email address.
$1 - the campaign ID
$2 - the email we're sending a phish to
$3 - the status of the phish (e.g., SUCCESS)
$4 - the message from the mail server

Fired before a phish is sent to an email address.
$1 - the campaign ID
$2 - the email we're sending a phish to

Fired when a new phishing campaign kicks off.
$1 - the campaign ID
$2 - number of targets
$3 - local path to attachment
$4 - the bounce to address
$5 - the mail server string
$6 - the subject of the phishing email
$7 - the local path to the phishing template
$8 - the URL to embed into the phish

Fired when an SSH client checkin acknowledgement is posted to an SSH console.
$1 - the ID of the session
$2 - the text of the message
$3 - when this message occurred

Fired when an error is posted to an SSH console.
$1 - the ID of the session
$2 - the text of the message
$3 - when this message occurred

Fired when an indicator of compromise notice is posted to an SSH console.
$1 - the ID of the session
$2 - the user responsible for the input
$3 - the text of the message
$4 - when this message occurred

Fired when an SSH session is seen for the first time.
$1 - the ID of the session

    on ssh_initial {
        if (-isadmin $1) {
            bshell($1, "cat /etc/shadow");
        }
    }

Fired when an input message is posted to an SSH console.
$1 - the ID of the session
$2 - the user responsible for the input
$3 - the text of the message
$4 - when this message occurred

Fired when output is posted to an SSH console.
$1 - the ID of the session
$2 - the text of the message
$3 - when this message occurred

Fired when (alternate) output is posted to an SSH console. What makes for alternate output? It's just different presentation from normal output.
$1 - the ID of the session
$2 - the text of the message
$3 - when this message occurred

Fired when a task acknowledgement is posted to an SSH console.
$1 - the ID of the session
$2 - the text of the message
$3 - when this message occurred

Fired when there's a new hit on Cobalt Strike's web server.
$1 - the method (e.g., GET, POST)
$2 - the requested URI
$3 - the visitor's address
$4 - the visitor's User-Agent string
$5 - the web server's response to the hit (e.g., 200)
$6 - the size of the web server's response
$7 - a description of the handler that processed this hit.
$8 - a dictionary containing the parameters sent to the web server
$9 - the time when the hit took place.