Gettin’ Down with Aggressor Script
July 6, 2016
Aggressor Script is the scripting engine in Cobalt Strike 3.0 and later. As much as possible, I tried to make Cobalt Strike’s scripting feel like the scripting you would find in a modern IRC client. In this post, I’d like to take you through some resources and third-party examples to help you become familiar with Aggressor Script.
The Official Stuff
If you’d like to learn Aggressor Script, I recommend that you spend quality time with the documentation. These files are kept up to date with each release and are the authoritative reference on the language.
The documentation also includes copies of default.cna and default.rpt. The default.cna script defines Cobalt Strike’s menu structure and default presentation of events. The default.rpt script is the source code to Cobalt Strike’s built-in reports. You may not have known this, but you can script custom reports for Cobalt Strike to generate.
Aggressor Script is based on my open source Sleep scripting language. If you’d like to learn Sleep, I recommend you dig into its documentation. The manual is available as HTML, PDF, and even as a book.
Other Sleep Scripts
Sleep is quite capable of calling Java APIs and you can do (almost) anything in Sleep that you could do in Java. If you’d like to see what it looks like to push the limits of this, take a look at Armitage’s source code or look at the various scripts available for my scriptable IRC client, jIRCii.
Beacon to Empire
bluescreenjeff has several scripts available on his Aggressor Scripts Github repository. Beacon to Empire uses PowerShell Empire’s REST API to find listeners and present them in a nice dialog for session passing. There’s also a script that adds a few popup menus for PowerUp and PowerView.
Cobalt Strike Toolkit
The Cobalt Strike Toolkit by Alexander Rymdeko-Harvey and Brian R is a combination of Aggressor Script and PowerShell scripts to identify if a Beacon is a domain admin and to automatically elevate if you’re not a local admin. The scripts demonstrate how to do a few other things to check privileges too.
A quick search of Github turned up a few scripts that change how Cobalt Strike presents its information. For example, beacon_tweaks.cna changes the command prompt in Beacon’s log to include more information. I also found beacon-highlight-ps.cna, which overrides Beacon’s default output for the ps command and highlights certain processes in an alternate color. These scripts demonstrate a key feature of Aggressor Script: you can redefine the output of almost everything in Cobalt Strike. Want timestamps next to every line? Go ahead and add them. Don’t like my color scheme? Change it. The default.cna script defines the default presentation of most output. Just copy code from this file, put it in a new file, and edit away.
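Here is an added example of the copy-and-edit approach described above. It is not code from this post, from default.cna, or from the third-party scripts mentioned; it is an illustration of overriding two presentation hooks (BEACON_OUTPUT and BEACON_OUTPUT_PS) to add timestamps and to highlight selected processes. The process names and the color codes chosen for them are this example's own assumptions, and the tab-separated layout assumed for the raw ps listing is the one default.cna parses.

```sleep
# Added example: presentation tweaks for Beacon output.
# Load through Cobalt Strike -> Scripts -> Load, or pass to agscript.
# Not part of the original post or of any script it links to.

# Processes worth calling out in `ps` output. Both the names and the
# \cN color codes are assumptions for this example; pick your own.
%highlight = %(
    "lsass.exe"    => "\c4",
    "mcshield.exe" => "\c4",
    "explorer.exe" => "\c9",
);

# Generic Beacon output. Arguments: $1 = beacon id, $2 = text, $3 = time.
# Same shape as the default.cna definition, with a timestamp prepended.
set BEACON_OUTPUT {
    return "\c7[+]\o " . tstamp($3) . " received output:\n" . $2;
}

# Output of the ps command. $2 is Beacon's raw listing: one process per line,
# tab-separated fields name, ppid, pid, arch, user, session (assumed layout).
set BEACON_OUTPUT_PS {
    local('$out $entry $name $ppid $pid $arch $user $session $color');

    $out  = "\c7[+]\o " . tstamp($3) . " received output:\n\n";
    $out .= " PID   PPID  Name                         Arch  Session     User\n";
    $out .= " ---   ----  ----                         ----  -------     -----\n";

    foreach $entry (split("\n", $2)) {
        ($name, $ppid, $pid, $arch, $user, $session) = split("\t", $entry);

        # color the whole row when the process name is one we care about,
        # otherwise leave the row in the console's default color.
        $color = iff(lc($name) in %highlight, %highlight[lc($name)], "");

        # $[N]var left-aligns var in a field N characters wide; \o resets color.
        $out .= $color . " $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user $+ \o\n";
    }

    return $out;
}
```

The override replaces the whole renderer, so anything default.cna did for that hook (here, the column layout) has to be carried over; that is why the example starts from the default.cna shape rather than from scratch.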
Most of the scripts in this post show how to extend the Cobalt Strike client or add new commands to Beacon. The Kickass Bot by Ari Davies is an example of a bot, best run with Cobalt Strike’s headless agscript client. This bot performs a quick survey of any newly compromised systems and presents information to the event log.
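As an added example of the bot pattern described above (this is illustrative code, not the Kickass Bot and not code from this post), the script below reacts to the beacon_initial event, posts a line to the event log, tags the session with a note, and queues a short survey. The specific survey commands and the note text are this example's own choices; the Aggressor functions used (elog, beacon_info, bnote, bgetuid, bps, bshell, alias) are standard ones.

```sleep
# Added example: a survey bot for Cobalt Strike's headless client.
# Run with: ./agscript [host] [port] [user] [password] survey.cna
# Not part of the original post or of the Kickass Bot it mentions.

# Queue a short survey against one Beacon. $1 is the Beacon ID.
# The commands chosen here are an assumption for the example.
sub survey {
    local('$bid');
    $bid = $1;

    bnote($bid, "surveyed");            # label the session in the Beacon table
    bgetuid($bid);                      # who are we running as?
    bps($bid);                          # what else is on the box?
    bshell($bid, "whoami /groups");     # group memberships of the current token
}

# Fires once when the client (or agscript) connects to the team server.
on ready {
    elog("survey bot connected and waiting for new Beacons");
}

# Fires the first time a Beacon checks in. $1 is the Beacon ID.
on beacon_initial {
    local('$who $where');
    $who   = beacon_info($1, "user");
    $where = beacon_info($1, "computer") . " (" . beacon_info($1, "internal") . ")";

    elog("new Beacon: $who on $where $+ , starting survey");
    survey($1);
}

# Also expose the same survey as a Beacon command, so an operator can
# type `survey` in any Beacon console to re-run it by hand.
alias survey {
    survey($1);
}
```

Because each queued task is a normal Beacon task, its output shows up in that Beacon's console and log exactly as if an operator had typed it; the bot only decides when to ask.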
My Github Gists
From time to time, folks will ask me for an example of how to do something in Aggressor Script. I publish my answers to these questions as Github gists. Right now, I have examples to identify PIDs for a process name, IRC integration, and harvesting environment variables. You may find these helpful when writing your own scripts.
My Persistence Kit
I use Aggressor Script quite a bit in my red work. Earlier this year, I published a blog post with the scripts I used at North East CCDC. These scripts include how I do persistence, auto-labeling beacons, and a few aliases to make routine tasks easier.
Persistence Aggressor Script
The Persistence Aggressor Script by Tyler Rosonke adds a persistence command to Beacon with options to persist in the registry, with schtasks, and via WMI. Tyler also has a good blog post on this topic.
Jonathan Echavarria has several Aggressor Script examples on Github. These scripts include integration with PushOver.net (notifications sent to your phone/watch), in-progress Inveigh integration, and more.
The scripts presented in this post are very much in the spirit of what Aggressor Script was built for: to help you make Cobalt Strike your own. I hope you enjoy these resources. Special thanks to all of you who put your scripts on Github. This is greatly appreciated by me and other users of Cobalt Strike!