Awesome-CobaltStrike

0x00 Introduction
0x01 Articles & Videos
0x02 C2 Profiles
0x03 BOF
0x04 Aggressor Script
0x05 Related Tools
0x06 Related Resources

0x00 Introduction

The first part is a collection of quality articles about CobaltStrike
The third part is about the integration of the new features BOF resources
This project is to solve the problem of not finding the right aggressor script or BOF when it is needed
If there is quality content that is not covered in this repo, welcome to submit pr

0x01 Articles & Videos

1. Basic Knowledge

2. Crack and Customisation

3. Useful Trick

4. CobaltStrike Hide

5. CobaltStrike Analysis

6. CobaltStrike Video

0x02 C2 Profiles

Type	Name	Description
ALL	Malleable-C2-Profiles	Official Malleable C2 Profiles
ALL	Malleable-C2-Randomizer	This script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage
ALL	malleable-c2	Cobalt Strike Malleable C2 Design and Reference Guide
ALL	C2concealer	C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
ALL	MalleableC2-Profiles	A collection of Cobalt Strike Malleable C2 profiles. now have Windows Updates Profile
ALL	pyMalleableC2	A Python interpreter for Cobalt Strike Malleable C2 profiles that allows you to parse, modify, build them programmatically and validate syntax.
ALL	1135-CobaltStrike-ToolKit	Cobalt Strike的Malleable C2配置文件，被设计用来对抗流量分析

0x03 BOF

Type	Name	Description
ALL	BOF_Collection	Various Cobalt Strike BOFs
ALL	Situational Awareness BOF	Its larger goal is providing a code example and workflow for others to begin making more BOF files. Blog
ALL	bof_helper	Beacon Object File (BOF) Creation Helper
ALL	BOF-DLL-Inject	BOF DLL Inject is a custom Beacon Object File that uses manual map DLL injection in order to migrate a dll into a process all from memory.
ALL	cobaltstrike_bofs	BOF spawns a process of your choice under a specified parent, and injects a provided shellcode file via QueueUserAPC().
ALL	BOF-RegSave	Beacon Object File(BOF) for CobaltStrike that will acquire the necessary privileges and dump SAM - SYSTEM - SECURITY registry keys for offline parsing and hash extraction.
ALL	CobaltStrike BOF	DCOM Lateral Movement; WMI Lateral Movement - Win32_Process Create; WMI Lateral Movement - Event Subscription
ALL	BOFs	ETW Patching; API Function Utility; Syscalls Shellcode Injection
Dev	bof	This is a template project for building Cobalt Strike BOFs in Visual Studio.
Dev	BOF.NET	A .NET Runtime for Cobalt Strike's Beacon Object Files.
Dev	beacon-object-file	The format, described by Mudge here, asks that the operator construct an COFF file using a mingw-w64 compiler or the msvc compiler that holds an symbol name indicating its entrypoint, and underlying function calls.
Dev	InlineWhispers	Demonstrate the ability to easily use syscalls using inline assembly in BOFs.
Dev	WdToggle	A Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Credential Guard (if enabled).
Dev	Situational Awareness BOF	This Repo intends to serve two purposes. First it provides a nice set of basic situational awareness commands implemented in BOF. This allows you to perform some checks on a host before you begin executing commands that may be more invasive.
Dev	MiniDumpWriteDump	Custom implementation of DbgHelp's MiniDumpWriteDump function. Uses static syscalls to replace low-level functions like NtReadVirtualMemory.
Dev	COFF Loader	This is a quick and dirty COFF loader (AKA Beacon Object Files). Currently can run un-modified BOF's so it can be used for testing without a CS agent running it. The only exception is that the injection related beacon compatibility functions are just empty.
Auxiliary	EnumCLR.c	Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates.
Auxiliary	FindObjects-BOF	A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles.
Auxiliary	ChromeKeyDump	BOF implementation of Chlonium tool to dump Chrome Masterkey and download Cookie/Login Data files
Auxiliary	Sleeper	BOF to call the SetThreadExecutionState function to prevent host from Sleeping
Auxiliary	LSASS	Beacon Object File to dump Lsass memory by obtaining a snapshot handle. Does MiniDumpWriteDump/NtReadVirtualMemory on SnapShot of LSASS instad of original LSASS itself hence evades some AV/EDR.
Auxiliary	getsystem	get system by duplicating winlogon's token.
Auxiliary	Silent Lsass Dump	Silent Lsass Dump
Auxiliary	unhook-bof	This is a Beacon Object File to refresh DLLs and remove their hooks.
Auxiliary	Beacon Health Check Aggressor Script	This aggressor script uses a beacon's note field to indicate the health status of a beacon.
Auxiliary	Registry BOF	A beacon object file for use with cobalt strike v4.1+. Supports querying, adding, and deleting keys/values of local and remote registries.
Auxiliary	InlineExecute-Assembly	InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module
Auxiliary	CredBandit	CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel. The memory dump is done by using NTFS transactions which allows us to write the dump to memory and the MiniDumpWriteDump API has been replaced with an adaptation of ReactOS's implementation of MiniDumpWriteDump.
Auxiliary	Inject AMSI Bypass	Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
Exploit	CVE-2020-0796-BOF	SMBGhost LPE
Exploit	ZeroLogon-BOF	ZeroLogon
Persistence	SPAWN	Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.

0x04 Aggressor Script

Type	Name	Description
BypassAV	BypassAV	用于快速生成免杀的可执行文件
BypassAV	scrun	BypassAV ShellCode Loader (Cobaltstrike/Metasploit) Useage
BypassAV	beacon-c2-go	beacon-c2-go (Cobaltstrike/Metasploit)
BypassAV	C--Shellcode	python ShellCode Loader (Cobaltstrike&Metasploit) Useage
BypassAV	Doge-Loader	Cobalt Strike Shellcode Loader by Golang
BypassAV	CS-Loader	CS免杀,包括python版和C版本的
BypassAV	CSSG	Cobalt Strike Shellcode Generator. Generates beacon stageless shellcode with exposed exit method, additional formatting, encryption, encoding, compression, multiline output, etc
BypassAV	Alaris	Alaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTP’s that help protect the malware and it’s execution flow.
BypassAV	CarbonMonoxide	EDR Evasion - Combination of SwampThing - TikiTorch
BypassAV	bypassAV-1	条件触发式远控 VT 6/70 免杀国内杀软及defender、卡巴斯基等主流杀软.
BypassAV	ScareCrow	ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls).
BypassAV	Dent	A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
BypassAV	PEzor	Open-Source PE Packer.
BypassAV	FuckThatPacker	A simple python packer to easily bypass Windows Defender
BypassAV	goShellCodeByPassVT	Go编译-race参数实现VT全免杀
BypassAV	HouQing	Advanced AV Evasion Tool For Red Team Ops
BypassAV	DesertFox	使用Golang实现免杀加载CobaltStrike和Metasploit的shellcode，目前免杀火绒、Avast、腾讯安全管家、360全家桶等主机安全软件。
BypassUAC	UAC-SilentClean	This project implements a DLL planting technique to bypass UAC Always Notify and execute code in a high integrity process.
BypassUAC	csload.net	A cobaltStrike Shellcode loader, can bypass most of AV
Recon	red-team-scripts	perform some rudimentary Windows host enumeration with Beacon built-in commands
Recon	aggressor-powerview	All functions listed in the PowerView about page are included in this with all arguments for each function. PowerView
Recon	PowerView3-Aggressor	PowerView Aggressor Script for CobaltStrike PowerView
Recon	AggressorScripts	Sharphound-Aggressor- A user menu for the SharpHound ingestor
Recon	ServerScan	内网横向信息收集的高并发网络扫描、服务探测工具。
Recon	TailorScan	端口扫描+探测网卡+ms17010探测
Recon	AggressiveProxy	LetMeOutSharp will try to enumerate all available proxy configurations and try to communicate with the Cobalt Strike server over HTTP(s) using the identified proxy configurations.
Recon	Spray-AD	A Cobalt Strike tool to audit Active Directory user accounts for weak, well known or easy guessable passwords.
Recon	Ladon	Ladon一款用于大型网络渗透的多线程插件化综合扫描神器，含端口扫描、服务识别、网络资产、密码爆破、高危漏洞检测以及一键GetShell，支持批量A段/B段/C段以及跨网段扫描，支持URL、主机、域名列表扫描。
Recon	Ladon for Cobalt Strike	Ladon for Cobalt Strike(巨龙拉冬套件)
Recon	Recon-AD	Recon-AD, an AD recon tool based on ADSI and reflective DLL’s
Exploit	XSS-Fishing2-CS	鱼儿在cs上线后自动收杆 / Automatically stop fishing in javascript after the fish is hooked
Exploit	XSS-Phishing	xss钓鱼，cna插件配合php后端收杆
Exploit	custom_payload_generator	CobaltStrike3.0+ --> creates various payloads for Cobalt Strike's Beacon. Current payload formats
Exploit	CrossC2	CrossC2 framework - Generator CobaltStrike's cross-platform beacon
Exploit	GECC	Go External C2 Client implementation for cobalt strike.
Exploit	Cobaltstrike-MS17-010	ms17-010 exploit tool and scanner.
Exploit	AES-PowerShellCode	Standalone version of my AES Powershell payload for Cobalt Strike.
Exploit	SweetPotato_CS	CobaltStrike4.x --> SweetPotato
Exploit	ElevateKit	privilege escalation exploits
Exploit	CVE-2018-4878	CVE-2018-4878
Exploit	Aggressor-Scripts	The only current public is UACBypass, whose readme can be found inside its associated folder.
Exploit	CVE_2020_0796_CNA	基于ReflectiveDLLInjection实现的本地提权漏洞
Exploit	DDEAutoCS	setup our stage(d) Web Delivery attack
Exploit	geacon	Implement CobaltStrike's Beacon in Go (can be used in Linux)
Exploit	SpoolSystem	SpoolSystem is a CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges.
Persistence	persistence-aggressor-script	persistence-aggressor-script
Persistence	Peinject_dll	弃用winexec函数，使用shellexecute函数，程序流不在卡顿，达到真正的无感。
Persistence	TikiTorch	TikiTorch follows the same concept(CACTUSTORCH) but has multiple types of process injection available, which can be specified by the user at compile time.
Persistence	CACTUSTORCH	A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.
Persistence	UploadAndRunFrp	上传frpc并且运行frpc
Persistence	persistence-aggressor-script	Persistence Aggressor Script
Persistence	AggressiveGadgetToJScript	Automate the generation of payloads using the GadgetToJScript technique.
Persistence	FrpProPlugin	frp0.33修改版,过流量检测,免杀,支持加载远程配置文件可用于cs直接使用的插件
Persistence	Automatic-permission-maintenance	CobaltStrike 上线自动权限维持插件
Persistence	cobalt-strike-persistence	使用者通过cobalt strike生成Web Delivery类型的payload，然后加载此脚本可以到达自启动效果
Persistence	Cobalt_Strike_CNA	使用多种WinAPI进行权限维持的CobaltStrike脚本，包含API设置系统服务，设置计划任务，管理用户等。
Auxiliary	generate-rotating-beacon	1. Generate a beacon for a given listener; 2. Host the file at a specified location;3. Monitor the weblog for fetching of the specified location;
Auxiliary	ScareCrow-CobaltStrike	A Cobalt Strike script for ScareCrow payload generation. Works with all Loaders.
Auxiliary	AggressorScripts	CreateTicket; Seatbelt; SharpHound
Auxiliary	SharpeningCobaltStrike	In realtime compiling of dotnet v35/v40 exe/dll binaries + obfuscation with ConfuserEx on your linux cobalt strike server.
Auxiliary	CS_Mail_Tip	Cobalt Strike主机上线邮件提醒插件
Auxiliary	Cobaltstrike-atexec	利用任务计划进行横向，需要与135端口、445端口进行通信
Auxiliary	Sharp-HackBrowserData	C#的HackBrowserData工具，方便在cs中直接内存加载
Auxiliary	HackBrowserData	HackBrowserData的反射模块
Auxiliary	cobalt_sync	Standalone Cobalt Strike Operation Logging Aggressor script for Ghostwriter 2.0+
Auxiliary	samdump	Cobalt Strike samdump
Auxiliary	SharpeningCobaltStrike	In realtime compiling of dotnet v35/v40 exe/dll binaries + obfuscation with ConfuserEx on your linux cobalt strike server.
Auxiliary	SharpCompile	SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime.
Auxiliary	Quickrundown	Utilizing QRD will allow an operator to quickly characterize what processes are both known and unknown on a host through the use of colors and notes about the processes displayed.
Auxiliary	NetUser	This tool achieves "net user" in Window API. I made this to be used with Cobalt Strike's execute-assembly，所以可以内存加载添加用户
Auxiliary	FileSearch	C++枚举磁盘列表、遍历指定盘搜索特定类型文件包括反射DLL版本。
Auxiliary	Phant0m_cobaltstrike	This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
Auxiliary	NoPowerShell	NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms.
Auxiliary	EventLogMaster	RDP EventLog Master
Auxiliary	ANGRYPUPPY	Bloodhound Attack Path Execution for Cobalt Strike
Auxiliary	CobaltStrike_Script_Wechat_Push	上线微信提醒的插件,通过微信Server酱提醒
Auxiliary	CS-Aggressor-Scripts	slack and webhooks reminder
Auxiliary	Aggressor-Scripts	surveying of powershell on targets (在对应的目标上检测powershell的相关信息)
Auxiliary	cs-magik	Implements an events channel and job queue using Redis for Cobalt Strike.
Auxiliary	AggressorScripts	查看进程的时候讲av进程标注为红色
Auxiliary	Beaconator	Beaconator is an aggressor script for Cobalt Strike used to generate a raw stageless shellcode and packing the generated shellcode using PEzor.
Auxiliary	Raven	CobaltStrike External C2 for Websockets
Auxiliary	CobaltStrikeParser	Python parser for CobaltStrike Beacon's configuration
Auxiliary	fakelogonscreen	FakeLogonScreen is a utility to fake the Windows logon screen in order to obtain the user's password.
Auxiliary	SyncDog	Make bloodhound sync with cobaltstrike.
Auxiliary	360SafeBrowsergetpass	一键辅助抓取360安全浏览器密码的CobaltStrike脚本，通过下载浏览器数据库、记录密钥来离线解密浏览器密码。
Auxiliary	SharpDecryptPwd	对密码已保存在 Windwos 系统上的部分程序进行解析,包括：Navicat,TeamViewer,FileZilla,WinSCP,Xmangager系列产品（Xshell,Xftp)。
Auxiliary	List-GitHubAssembly	Fetch a list of avaialble artifacts from the configured GitHub repo.
Auxiliary	ExecuteAssembly	ExecuteAssembly is an alternative of CS execute-assembly, built with C/C++ and it can be used to Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR Modules/AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs via superfasthash hashing algorithm.
Auxiliary	aggrokatz	aggrokatz is an Aggressor plugin extension for CobaltStrike which enables pypykatz to interface with the beacons remotely.
Auxiliary	Zipper	This CobaltStrike tool allows Red teams to compress files and folders from local and UNC paths. This could be useful in situations where large files or folders need to be exfiltrated. After compressing a file or folder a random named zipfile is created within the user temp folder.
Auxiliary	CobaltStrike Helpmsg CNA	This cna contains error messages for Win32 error codes, HRESULT defintions, and NTSTATUS definitions. This cna can be helpful for those operating out of linux/mac clients without access to the net.exe program, or as a quick way to looking hresult/ntstatus codes without having to do a google search.
Synthesis	Erebus	CobaltStrike4.x --> Erebus CobaltStrike后渗透测试插件
Synthesis	CSplugins	CobaltStrike后渗透测试插件集合
Synthesis	Cobalt-Strike-Aggressor-Scripts	CobaltStrike后渗透测试插件集合 Usage
Synthesis	AggressorScripts	Aggressor scripts for use with Cobalt Strike 3.0+
Synthesis	RedTeamTools	RedTeamTools for use with Cobalt Strike
Synthesis	cobalt-arsenal	Aggressor Scripts for Cobalt Strike 4.0+
Synthesis	MoveKit	The aggressor script handles payload creation by reading the template files for a specific execution type. intro
Synthesis	StayKit	The aggressor script handles payload creation by reading the template files for a specific execution type. intro
Synthesis	AggressorScripts	AggressorScripts
Synthesis	AggressorScripts	Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources
Synthesis	AggressorScripts	AggressorScripts
Synthesis	Aggressor-VYSEC	Contains a bunch of CobaltStrike Aggressor Scripts
Synthesis	AggressorAssessor	AggressorAssessor
Synthesis	AggressorAssessor	AggressorAssessor
Synthesis	aggressor-scripts	Collection of Cobalt Strike Aggressor Scripts
Synthesis	梼杌	基于cobalt strike平台的红队自动化框架
Synthesis	Aggressor-scripts	This is just a random collection of Aggressor Scripts I've written for Cobalt Strike 3.x. (其中有一个debug脚本比较好用)
Synthesis	Aggressor-Script	Collection of Aggressor Scripts for Cobalt Strike(主要包含了提权和权限维持脚本)
Synthesis	Aggressor-Script	Aggressor Script, Kit, Malleable C2 Profiles, External C2 and so on
Synthesis	aggressor_scripts_collection	Collection of various aggressor scripts for Cobalt Strike from awesome people. Will be sure to update this repo with credit to each person.
Synthesis	CobaltStrike-ToolKit	googlesearch.profile and script related to AD.
Synthesis	Arsenal	Cobalt Strike 3.13 Arsenal Kit
Synthesis	cobalt-arsenal	My collection of battle-tested Aggressor Scripts for Cobalt Strike 4.0+
Synthesis	aggressor_scripts	A collection of useful scripts for Cobalt Strike.(powershell.cna;bot.cna;dcom_lateral_movement.cna;ElevateKit)
Synthesis	aggressor	creating tunnels with netsh; changed default to bit.ly redirect to mcdonalds;using powershell to kill parent process;
Synthesis	CobaltStrikeCNA	A collection of scripts - from various sources - see script for more info.
Synthesis	AggressorScripts	Highlights selected processes from the ps command in beacon;Loads various aliases into beacon;sets a few defaults for scripts to be used later..
Synthesis	AggressorAssessor	从C2生成到横向移动的全辅助脚本套件
Synthesis	AggressorCollection	Collection of awesome Cobalt Strike Aggressor Scripts. All credit due to the authors
Synthesis	Cobaltstrike-Aggressor-Scripts-Collection	The collection of tested cobaltstrike aggressor scripts.
Synthesis	aggressorScripts	CobaltStrike AggressorScripts for the lazy
Synthesis	cobalt_strike_extension_kit	集成了SharpHound,SharpRDP,SharpWMI等在内的各种内网工具，使用AggressorScripts构建workflow
Synthesis	cobaltstrike	具备域管理员定位、域信息收集、权限维持、内网扫描、数据库hash dump、Everything内网搜索文件等功能的插件集合
Synthesis	365CobaltStrike	兼容CobaltStrike4.0的插件集合
Synthesis	Cobalt-Strike	内容有横向移动、密码抓取、权限提升、权限维持等,尽可能将内网渗透中常用到的东西整理一下,方便使用
Synthesis	CSPlugins	一个对Cobaltstrike第三方插件进行收集的项目，持续更新。
Synthesis	CobaltStrike-xor	third-party --> vnc_x86_dll and vnc_x64_dll
Synthesis	Z1-AggressorScripts	适用于Cobalt Strike 3.x & 4.x 的内网渗透插件集合
Synthesis	csplugin	导入PowerView脚本，和常见的功能使用
Synthesis	CSplugins	涉及工作目录、信息收集、凭据获取、权限维持、权限提升、用户相关、RDP相关、防火墙相关、域渗透、powershell相关、内网穿透、内网探测、远程文件下载、痕迹清除的综合型插件系统
Synthesis	SharpUtils	A collection of C# utilities intended to be used with Cobalt Strike's execute-assembly.
Synthesis	SharpToolsAggressor	内网渗透中常用的c#程序整合成cs脚本，直接内存加载。持续更新~
Synthesis	C.Ex	CobaltStrike Plugin to start and utilize Cobalt Strike (locally or remotely) from within Sifter

0x05 Related Tools

Type	Name	Description
AntiCobaltStrike	cobaltstrike_brute	Cobalt Strike Team Server Password Brute Forcer
AntiCobaltStrike	CobaltStrikeScan	Scan files or process memory for Cobalt Strike beacons and parse their configuration.
AntiCobaltStrike	grab_beacon_config	Simple PoC script to scan and acquire CobaltStrike Beacon configurations.
AntiCobaltStrike	C2-JARM	通过ssl实现所产生的JARM hash来识别不同的c2，例如CobaltStrike
AntiCobaltStrike	JARM	JARM fingerprints scanner
AntiCobaltStrike	DetectCobaltStomp	A quick(and perhaps dirty!) PoC tool to detect Module Stomping as implemented by Cobalt Strike with moderate to high confidence
AntiCobaltStrike	cobaltstrike	Code and yara rules to detect and analyze Cobalt Strike
AntiCobaltStrike	CS_Decrypt	解密可以帮助你理解cs beacon通信原理，但注意密钥是在本地teamserver中
AntiCobaltStrike	CS Scripts	parse_beacon_keys.py 对 .cobaltstrike.beacon_keys 文件的解析工具
AntiCobaltStrike	PyBeacon	A collection of scripts for dealing with Cobalt Strike beacons in Python Resources
AntiCobaltStrike	cobaltstrikescan	Detecting CobaltStrike for Volatility
AntiCobaltStrike	CobaltStrikeForensic	Toolset for research malware and Cobalt Strike beacons
AntiCobaltStrike	DuckMemoryScan	A simple tool to find backdoors including but not limited to iis hijacking, fileless Trojan, bypass AV shellcode.
AntiCobaltStrike	CobaltSplunk Splunk Application	CobaltSplunk is a Splunk Application that knows how to 1) ingest Cobalt Strike related logs and parse them properly, 2) display useful operational dashboards, 3) display relevant reports.
AntiCobaltStrike	BeaconHunter	Behavior based monitoring and hunting tool built in C# tool leveraging ETW tracing. Blue teamers can use this tool to detect and respond to potential Cobalt Strike beacons. Red teamers can use this tool to research ETW bypasses and discover new processes that behave like beacons.
AntiCobaltStrike	CobaltStrikeDetected	40行代码检测到大部分CobaltStrike的shellcode
Anti-AntiCobaltStrike	bypass-beacon-config-scan	Bypass cobaltstrike beacon config scan for 4.1
BypassAV	Cooolis-ms	Cooolis-ms是一个包含了Metasploit Payload Loader、Cobalt Strike External C2 Loader、Reflective DLL injection的代码执行工具，它的定位在于能够在静态查杀上规避一些我们将要执行且含有特征的代码，帮助红队人员更方便快捷的从Web容器环境切换到C2环境进一步进行工作。
BypassAV	UrbanBishopLocal	A port of FuzzySecurity's UrbanBishop project for inline shellcode execution.
BypassAV	SecondaryDevCobaltStrike	CobaltStrike after second development, can bypass Kaspersky, Norton, McAfee, etc.
BypassAV	CrossNet-Beta	In the red team operation, the phishing executable file is generated by using the white utilization, to bypass AV and automatically judging the network environment. can bypass 360 and huorong
BypassAV	EVA	FUD shellcode Injector
BypassAV	BypassAV	用golang来打包生成后门，具备一定的免杀能力
Analysis	Beacon	Open Source Cobalt Strike Beacon. Unreleased, in research stages
Analysis	Linco2	模拟Cobalt Strike的Beacon与C2通信过程，实现了基于HTTP协议的Linux C2，客户端可以通过curl就能下发Beacon任务。
Analysis	beacon-object-files	This repository contains miscellaneous examples of Cobalt Strike Beacon object file extensions.
Auxiliary	C2ReverseProxy	When you encounter a non-networked environment during penetration, you can use this tool to establish a reverse proxy channel so that the beacons generated by CobaltStrike can bounce back to the CobaltStrike server.
Auxiliary	Cobalt strike custom 404 page	You can find the CS service through 404 pages.
Auxiliary	StageStrike	A custom Cobalt Strike stager written in C.. is how the project started.
Auxiliary	CS_SSLGen	sslgen will install a letsencrypt certificate and create a Cobalt Strike keystore from it.
Auxiliary	CobaltPatch	Cobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers
Auxiliary	pycobalt	Cobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers.
Auxiliary	redshell	An interactive command prompt that executes commands through proxychains and automatically logs them on a Cobalt Strike team server.
Auxiliary	CobaltStrikeToGhostWriter	Log converter from CS logs to a CSV in Ghostwriter's operation log format.
Auxiliary	Ansible-Cobalt-Strike	An Ansible role to install cobalt-strike on debian based architectures, let's be honest it's for kali.
Auxiliary	cobaltstrike_runtimeconfig	A POC showing how to modify Cobalt Strike beacon at runtime
Auxiliary	pystinger	Pystinger implements SOCK4 proxy and port mapping through webshell. It can be directly used by cobalt strike for session online.
Auxiliary	ansible-role-cobalt-strike	An Ansible role for installing Cobalt Strike.
Auxiliary	CrossNet	In the red team operation, the phishing executable file is generated by using the white utilization, avoiding killing and automatically judging the network environment.
Auxiliary	BypassAddUser	Bypass AV to add users
Synthesis	redi	Automated script for setting up CobaltStrike redirectors (nginx reverse proxy, letsencrypt)
Synthesis	cs2modrewrite	Automatically Generate Rulesets for Apache mod_rewrite or Nginx for Intelligent HTTP C2 Redirection
Synthesis	RedWarden	Flexible CobaltStrike Malleable Redirector
Synthesis	Apache Mod_Rewrite Terrafrom Automation	Bash scripts that take variables from the user and then call terraform scripts to automate standing up apache2 with mod_rewrite in front of C2 servers. Right now, this repo supports standing up redirectors in Linode or Digital Ocean, and I have different scripts for standing up http redirectors versus https redirectors. Since the mod_rewrite redirector setup scripts use a user agent value and optionally a bearer token, these redirectors are not C2 dependent and can work for any C2 that uses http or https.
Synthesis	Red-EC2	Deploy RedTeam Specific EC2 via ansible.
Synthesis	Rapid Attack Infrastructure	Red Team Infrastructure... Quick... Fast... Simplified.
Synthesis	RedCommander	Creates two Cobalt Strike C2 servers (DNS and HTTPS), with redirectors, and RedELK in Amazon AWS. Minimal setup required! Companion Blog here
Synthesis	CobaltPatch	Cobalt Strike Malleable Profile Inline Patch Template: A Position Independent Code (PIC) Code Template For Creating Shellcode That Can Be Appended In Stage / Post-Ex Blocks. Made for C Programmers
Synthesis	CPLResourceRunner	Run shellcode(Cobalt Strike) from resource
Dev	vscode-language-aggressor	This is a Visual Studio Code (VSC) extension that aims to provide: An implement of the Sleep and Cobalt Strike (CS) Aggressor grammar; and The definition of Cobalt Strike functions' prototype
Dev	PayloadAutomation	Payload Automation is a collection of Python classes for automating payload development, testing, opsec checking, and deployment with Cobalt Strike.
Crack	CSAgent	CobaltStrike 4.x通用白嫖及汉化加载器，采用javaagent+javassist的方式动态修改jar包，可直接加载原版cobaltstrike.jar，理论上支持到目前为止的所有4.x版本

0x06 Related Resources

Type	Name	Description
DATA	SilasCutler JARM Scan CobaltStrike Beacon Config.json	SilasCutler JARM Scan CobaltStrike Beacon Config
DATA	Cobalt Strike hashes	This page shows some basic information the Yara rule CobaltStrike including corresponding malware samples.
DATA	List of Cobalt Strike servers	List of Cobalt Strike servers
DATA	CobaltStrike samples pass=infected	CobaltStrike samples
DATA	List of spawns from exposed Cobalt Strike C2	List of spawns from exposed Cobalt Strike C2
DATA	C2IntelFeeds	Automatically created C2 Feeds based of Censys
YARA	apt_cobaltstrike	Cobalt Strike Yara
YARA	apt_cobaltstrike_evasive	Cobalt Strike Yara
YARA	rules	Cobalt Strike Yara
Rules	suricata-rules	Suricata IDS rules used to detect the red team penetration/malicious behavior, support testing CobaltStrike/MSF/Empire/DNS tunnels/Weevely scorpion/mining/rebound/kitchen/ice shell/ICMP tunnel, etc

Contents

0x00 Introduction

0x01 Articles & Videos

1. Basic Knowledge

2. Crack and Customisation

3. Useful Trick

4. CobaltStrike Hide

5. CobaltStrike Analysis

6. CobaltStrike Video

0x02 C2 Profiles

0x03 BOF

0x04 Aggressor Script

0x05 Related Tools

0x06 Related Resources