Extending Cobalt Strike
The "best" C2 Frameworks (in my opinion) are those that have the capability to customise and diversify its behaviours - we've already seen how the Artifact and Resource Kits can be used to modify Beacon to bypass antivirus solutions. The ".cna" files that we load into the Cobalt Strike Script Manager are called Aggressor Scripts. These can override default behaviours in Cobalt Strike to customise the UI (add new menus, commands, etc), extended the data models, extended existing commands like jump
, and add brand new, custom commands. Beacon also has an internal API that we can call from Aggressor, so any base primitive that Beacon has (powershell
, execute-assembly
, etc) can be called from Aggressor.
The Aggressor script reference is public and available at helpsystems.com. The underlying programming language used is called Sleep.
When working with Aggressor, you will find functions from both the Aggressor script reference and Sleep.
Last updated