aggressor – WindowsTechs.com

Process Injection Update in Cobalt Strike 4.5

Posted on December 15, 2021 by Chris Thorpe

Process injection is a core component to Cobalt Strike post exploitation. Until now, the option was to use a built-in injection technique using fork&run. This has been great for stability, but does come at the cost of OPSEC. Cobalt Strike 4.5 now supports two new Aggressor Script hooks: PROCESS_INJECT_SPAWN and PROCESS_INJECT_EXPLICIT. These hooks allow a user to define how the fork&run and explicit injection techniques are implemented when executing post […]

Create a proxy DLL with artifact kit

Posted on October 29, 2021 by Joe Vest

DLL attacks (hijacking, proxying, etc) are a challenge defenders must face. They can be leveraged in a red team engagement to help measure these defenses. Have you used this technique? In this post, I’ll walk through an example of adding a DLL proxy to beacon.dll for use in a DLL Proxy attack. What is a […]

Continue reading Create a proxy DLL with artifact kit→

Cobalt Strike Sleep Python Bridge

Posted on October 13, 2021 by Joe Vest

This project started after seeing how the user community tweaks and tunes Cobalt Strike. I was inspired by @BinaryFaultline and @Mcgigglez16 in their project https://github.com/emcghee/PayloadAutomation and blog post http://blog.redxorblue.com/2021/06/introducing-striker-and-payload.html. They created a clever way to interact with a teamserver without the GUI. Before I get too far, I’ll touch on Aggressor scripting and the Sleep […]

Continue reading Cobalt Strike Sleep Python Bridge→

Cobalt Strike Sleep Python Bridge

Posted on October 13, 2021 by Joe Vest

Continue reading Cobalt Strike Sleep Python Bridge→

CredBandit (In memory BOF MiniDump) – Tool review – Part 1

Posted on July 13, 2021 by Joe Vest

One of the things I find fascinating about being on the Cobalt Strike team is the community. It is amazing to see how people overcome unique challenges and push the tool in directions never considered. I want explore this with CredBandit (https://github.com/xforcered/CredBandit). This tool has had updates since I started exploring. I’m specifically, looking at […]

Continue reading CredBandit (In memory BOF MiniDump) – Tool review – Part 1→

Create listeners with an aggressor script – listener_create_ext

Posted on July 2, 2021 by Joe Vest

This short post is a follow up to the post “Manage Cobalt Strike with Services” where I described a method to automate Cobalt Strike teamservers by creating services. In this post, I will take a closer look at the aggressor function that is used to create listeners listener_create_ext to expanded on the documentation and provide an […]

Continue reading Create listeners with an aggressor script – listener_create_ext→

Manage Cobalt Strike with Services

Posted on June 23, 2021 by Joe Vest

This post is part of a “Quality of Life” series, where tips and tricks will be shared to make using Cobalt Stike easier. Cobalt Strike is a post-exploitation framework and requires customization to meet your specific needs. This flexibility is one of the most powerful features of Cobalt Strike. While this is great, some may […]

Continue reading Manage Cobalt Strike with Services→