Scripted Web Delivery

The Attacks -> Web Drive-by -> Scripted Web Delivery feature generates an artifact that starts Beacon, hosts it on Cobalt Strike's web server, and presents a one-liner to download and run the artifact. The options are: bitsadmin, powershell, python, and regsvr32.

The bitsadmin option hosts an executable and uses bitsadmin to download it. The bitsadmin method runs the executable via cmd.exe.

The powershell option hosts a PowerShell script and uses powershell.exe to download the script and evaluate it.

The python option hosts a Python script and uses python.exe to download the script and run it.

The regsvr32 option generates a COM Scriptlet file and uses regsvr32.exe to download and run the scriptlet’s contents. The COM Scriptlet gets Beacon into memory with a malicious VBA macro. The COM Scriptlet option requires Microsoft Office on the target.

Each of these options is a different way to run a Cobalt Strike listener.
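A defender-side view of the four options above, as an added example that is not part of the Cobalt Strike documentation: every option has bitsadmin, powershell, python or regsvr32 fetch content from a web server, so process-creation events where one of those binaries is started with a remote URL on its command line are worth reviewing. The event field names (Computer, Image, CommandLine, modelled on Sysmon process-creation events), the function names and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# The four binaries the section names as download-and-run hosts.
DELIVERY_BINARIES = {"bitsadmin.exe", "powershell.exe", "python.exe", "regsvr32.exe"}
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)

def image_name(path):
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip().strip('"')).lower()

def find_web_delivery(events):
    """Return a finding for each process start that hands one of the binaries a URL."""
    findings = []
    for ev in events:
        binary = image_name(ev.get("Image", ""))
        if binary not in DELIVERY_BINARIES:
            continue
        urls = URL_RE.findall(ev.get("CommandLine", ""))
        if urls:
            findings.append({"host": ev.get("Computer"), "binary": binary, "urls": urls})
    return findings

# Constructed events; bracketed text stands in for the real arguments.
ROWS = [
    ("WS01", r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe [options] http://198.51.100.7/a [local path]"),
    ("WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe [options] [download and evaluate 'http://198.51.100.7/b']"),
    ("WS03", r"C:\Python\python.exe", "python.exe [options] https://delivery.example/c"),
    ("WS04", r'"C:\Windows\System32\REGSVR32.EXE"', "regsvr32.exe [options] http://198.51.100.7/d [handler]"),
    ("WS05", r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe C:\App\local.dll"),
    ("WS06", r"C:\Program Files\Browser\browser.exe", "browser.exe https://intranet.example/"),
]
SAMPLE_EVENTS = [dict(zip(("Computer", "Image", "CommandLine"), row)) for row in ROWS]

if __name__ == "__main__":
    for finding in find_web_delivery(SAMPLE_EVENTS):
        print(finding)
```

The check matches only URLs that are visible in the recorded command line, so pair it with network telemetry for outbound connections made by these four binaries.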