Homemade Aggressor scripts kit for Cobalt Strike
The following table illustrates all the CNA files included in this project:
| Section | Name | Description |
|---|---|---|
| Alert | slack-alerts_linux.cna | Slack CNA file for Linux CS client |
| Alert | slack-alerts_windows.cna | Slack CNA file for Windows CS client |
| Alert | discord-alerts_linux.cna | Discord CNA file for Linux CS Client |
| Alert | teams-alerts_linux.cna | Teams CNA file for Linux CS Client |
| Alert | mattermost-alerts_linux.cna | Mattermost CNA file for Linux CS Client |
| Alert | mattermost-alerts_windows.cna | Mattermost CNA file for Windows CS Client |
| Auto | auto-sleep-on-start.cna | This CNA file automatically sets the sleep time to a specific value when a new user joins the teamserver. It requires a client to remain open at all times, ensuring the sleep time is configured even if the Cobalt Strike client is closed or you forget to set it while away |
| Auto | auto-sleep-on-exit.cna | This CNA file automatically sets the sleep time to a specific value when all users, except one, disconnect from the teamserver. A client must remain open at all times |
| Auto | auto-sleep-interactive-for-testing.cna | This CNA file automatically set beacon sleep to 0 on initial connection |
| Misc | Beacon-Name-Tab.cna | This CNA file modifies the Beacon tab name format from the default to username@hostname (pid) |
| Misc | Beacon-Name-Tab-Colors.cna | This CNA file modifies the Beacon tab name format from the default to username@hostname (pid), for admin's beacon the color is red, for user's beacon the color is green |
| Misc | CS-All-Tabs-Bold.cna | This CNA file makes all CS client tabs bold |
| Misc | CWD-Beacon-Bar.cna | This CNA file enhances Beacon console status bar to display the Beacon's last known working directory path. Additionally, improves the 'cd' command to support restoring the previous directory path seamlessly (Usage: cd -) |
| Utils | Sonata.cna | This CNA file is a port of the Sonata tool. Sonata is a file hash calculator that supports MD5, SHA1, SHA256, and SHA512 algorithms. The CNA port enhances functionality by supporting string hash calculations as well |
| Utils | locate.cna | This CNA functions like the locate Linux command. Additionally, it performs case-insensitive keyword searches. This CNA requires a Linux CS client |
These CNA files will notify you via the Slack/Discord/Teams/Mattermost applications when:
- A new client connects to the team server.
- A CS client disconnects from the team server.
- A new incoming beacon.
- A new web hit occurs.
- A CS client posts something in the event log.
- New site hosts.
- New credentials come in from keylogging.
- A new screenshot is taken from Cobalt Strike.
ℹ️ Some CNA files are compatible with both Windows and Linux operating systems.
The following table illustrates the CNA files included in the Alert section:
| Name | OS | App | Description |
|---|---|---|---|
| slack-alerts_linux.cna | Linux | Slack | Slack CNA file for Linux CS client |
| slack-alerts_windows.cna | Windows | Slack | Slack CNA file for Windows CS client |
| discord-alerts_linux.cna | Linux | Discord | Discord CNA file for Linux CS Client |
| teams-alerts_linux.cna | Linux | Teams | Teams CNA file for Linux CS Client |
| mattermost-alerts_linux.cna | Linux | Mattermost | Mattermost CNA file for Linux CS Client |
| mattermost-alerts_windows.cna | Windows | Mattermost | Mattermost CNA file for Windows CS Client |
ℹ️ To set up a Slack server and webhook, you can follow these guides provided on the Slack website.
ℹ️ To set up a Discord server and webhook, you can follow these guides provided on the Discord website.
ℹ️ To set up a Microsoft Teams webhook, you can follow these guides provided on Microsoft website.
ℹ️ To set up a Mattermost webhook, you can follow these guides provided on Mattermost website.
These CNA files automatically configure certain actions in Cobalt Strike.
The following table illustrates the CNA files included in the Auto section:
| Name | Description |
|---|---|
| auto-sleep-on-start.cna | This CNA file automatically sets the sleep time to a specific value when a new user joins the teamserver. It requires a client to remain open at all times |
| auto-sleep-on-exit.cna | This CNA file automatically sets the sleep time to a specific value when all users, except one, disconnect from the teamserver. A client must remain open at all times |
| auto-sleep-interactive-for-testing.cna | This CNA file automatically set beacon sleep to 0 on initial connection |
ℹ️ The two auto-sleep CNA files can be used individually or together, depending on your preferences.
Diagram 1: The two Cobalt Srike clients are connected to the Team server.
Diagram 2: At the end of the day's engagement tasks, the operators decide to stop the engagement. One operator, using a Cobalt Strike client without the CNA file, disconnects from the teamserver, while the other operator ensures his/her Cobalt Strike client with the CNA file (auto-sleep-on-exit.cna) remains open.
Diagram 3: The Cobalt Strike client with the CNA file will detect the user disconnection event and automatically adjust the sleep time to the predefined value specified in the CNA file.
Diagram 4: The next day, when the operator (with the Cobalt Strike client without the CNA file) connects to the Team Server, the always-open client with the loaded CNA file (auto-sleep-on-start.cna) will detect the new user connection. It will then automatically set the sleep time to the predefined value specified in the CNA file.
This CNA file automatically sets the beacon sleep interval to 0 upon initial connection, which is useful for testing purposes.
These CNA files will configure the output format for various default functionalities of Cobalt Strike.
The following table illustrates the CNA files included in the Misc section:
| Name | Description |
|---|---|
| Beacon-Name-Tab.cna | This CNA file modifies the Beacon tab name format from the default to username@hostname (pid) |
| Beacon-Name-Tab-Colors.cna | This CNA file modifies the Beacon tab name format from the default to username@hostname (pid), for admin's beacon the color is red, for user's beacon the color is green |
| CS-All-Tabs-Bold.cna | This CNA file makes all CS client tabs bold |
| CWD-Beacon-Bar.cna | This CNA file enhances Beacon console status bar to display the Beacon's last known working directory path. Additionally, improves the 'cd' command to support restoring the previous directory path seamlessly (Usage: cd -) |
This CNA file modifies the Beacon tab name format from the default to username@hostname (pid).
This CNA file modifies the Beacon tab name format from the default to username@hostname (pid). For an Administrator's Beacon, the tab color is set to red, while for a standard user's Beacon, the tab color is set to green.
This CNA file makes all Cobalt Strike client tabs bold.
This CNA file enhances Beacon console status bar to display the Beacon's last known working directory path.
Additionally, improves the 'cd' command to support restoring the previous directory path seamlessly (Usage: cd -).
Finally, when you have an Administrator's Beacon, the hostname of the target machine changes from the CNA's default green (used for standard users) to red.
These CNA files are used for general micro tasks during operations.
The following table illustrates the CNA files included in the Utils section:
| Name | Description |
|---|---|
| Sonata.cna | This CNA file is a port of the Sonata tool. Sonata is a file hash calculator that supports MD5, SHA1, SHA256, and SHA512 algorithms. The CNA port enhances functionality by supporting string hash calculations as well |
| locate.cna | This CNA functions like the locate Linux command. Additionally, it performs case-insensitive keyword searches. This CNA requires a Linux CS client |
Hash calculator for local files and strings.
Usage: Sonata -f/--file <local_filepath> OR Sonata -s/--string <string>
This CNA functions like the locate Linux command. Additionally, it performs case-insensitive keyword searches. This CNA requires a Linux CS client
