Cobalt Strike Sleep Python Bridge

Overview

Cobalt Strike Sleep Python Bridge

This project is 'bridge' between the sleep and python language. It allows the control of a Cobalt Strike teamserver through python without the need for for the standard GUI client.

NOTE: This project is very much in BETA. The goal is to provide a playground for testing and is in no way an officially support feature. Perhaps this could be something added in the future to the core product.

The project was inspired by the work done by @BinaryFaultline and @Mcgigglez16 in the project https://github.com/emcghee/PayloadAutomation. I want to offer a special thanks you both !!

The heart of this bridge is a python implementation of a headless Cobalt Strike client. This is achieved by using the Aggressor Script Console provided by agscript as the engine. Agscript allows for headless interaction with Cobalt Stike (https://www.cobaltstrike.com/aggressor-script/index.html). The 'bridge' works by using python helper functions in sleepy.py to generate the needed sleep commands expected by the agscript console. Instead of writing the sleep functions, striker.py provides helper functions that abstracts sleep and allows the use of python.

Changes of note from the original project

Because the PayloadAutomation project inspired this, it started with much of the same code, but I wanted to strip this down to use the components needed to act as an agscript wrapper.

  • Renamed from Payload_Automation to sleep_python_bridge. This project is more than payload generation.
  • Changed from a PyPI library to local modules. This was down for testing and may be a good candidate for a python library after extensive testing
  • Updated and added helpers to match aggressor versions
  • Add ability to load external script.

Included Libraries

  • Striker: A set of functions to interact with Cobalt Strike and execute functionality typically only accessible via Sleep/GUI.
  • Sleepy: A set of functions to help facilitate a bridge between Sleep objects and Python objects.
  • Compyler: A set of functions to compile various payloads from platform or cross-platform.
  • Artifactor: A set of functions to inspect and review artifacts and collect and track IoCs.

Files and Directories

Item Description
sleep_python_bridge The libray that allows python to interface with Cobalt Strike
output/html path for html data viewers
output/html/data path for json data used by data viewer
output/payloads path for saved payloads (used by payload generator)
payload_scripts path for external scripts to be loaded by payloadgenerator.py
payload_scripts.cna init script for loading external scripts loaded by payloadgenerator.py
beaconlogtracker.py Implementation of a beacon log tracker the uses an HTML datagrid to display beacon logs
payloadgenerator.py Implementation of a beacon payload genertor that create payloads for each listener
beacongrapher.py Implementation of a beacon graph tracker the uses an HTML javascript directed graph to beacons

TODO

  • Document the exposed functions
  • move compile based functions from striker.py to compyler.py
  • Add additional error checking, specifically for application dependencies
  • Expand compyler to include remote builds and mingw
  • Add IOC tracking to payloads generated via artifactor.py
  • handle error: "User is already connected."
  • Consider converting this to a formal python library

How to use

The examples in this project may be the easist way to understand but is the script example.py

#!/usr/local/bin/python3

## Import the bridge
from sleep_python_bridge.striker import CSConnector
from argparse import ArgumentParser
from pprint import pp, pprint

###################
## Argparse
def parseArguments():
    parser = ArgumentParser()
    parser.add_argument('host', help='The teamserver host.')
    parser.add_argument('port', help='The teamserver port.')
    parser.add_argument('username', help='The desired username.')
    parser.add_argument('password', help='The teamserver password.')
    parser.add_argument('path', help="Directory to CobaltStrike")
    
    args = parser.parse_args()
    return args

## Let's go
def main(args):

    cs_host = args.host
    cs_port = args.port
    cs_user = args.username
    cs_pass = args.password
    cs_directory = args.path

    ## Connect to server
    print(f"[*] Connecting to teamserver: {cs_host}")
    with CSConnector(
        cs_host=cs_host, 
        cs_port=cs_port, 
        cs_user=cs_user, 
        cs_pass=cs_pass,
        cs_directory=cs_directory) as cs:

        # Perform some actions
        # 
        # Get beacon metadata - i.e., x beacons() from the script console
        beacons = cs.get_beacons()
        print("BEACONS")
        pprint(beacons)

        # Get list of listners - i.e., x listeners_stageless() from the script console
        listeners = cs.get_listeners_stageless()
        print("LISTENERS")
        pprint(listeners)

if __name__ == "__main__":
    args = parseArguments()
    main(args)

Call the script

python3 example.py 127.0.0.1 50050 example password ~/cobaltstrike

Practical Examples

Log Tracker

Beacon logs are available at runtime in a teamserver or through the beacon log files saved on the teamserver. The data is always there, but may not be presented in a way you would like. This is an example of log tracker that use an HTML data grid to quickly view beacon logs.

beaconlogtracker.py is a script that connects to a teamserver, extracts the running beacon logs every 30 seconds, saves to beaconlogs.json` and, displays in a searchable and sortable HTML data grid.

Beacons logs are always saved to the logs directory, but this is an alternate way to track the in memory logs with an alternate viewer. If the teamserver is restarted the in memory logs are lost and you must refer to the logs stored in the logs directory on the teamserver. This script keep in memory logs sync'd to the file beaconlogs.json. This way you have a quick and easy way to visualize all data without digging through the logs directory even if Cobalt Strike is restarted.

Start the script by having it connect to your teamserver to sync logs every 30 seconds

Usage:

python3 beaconlogtracker.py 127.0.0.1 50050 logtracker password ~/cobaltstrike

This will keep beaconlogs.json sync'd with saved and running beacon logs. It syncs every 30 seconds

Start a webserver from output/html directory

python3 http.server

Connect to http://localhost:8000/beaconlogs.html

Payload Generator

A feature often requested by red team operators is the ability to create payloads programmatically with the need for the Cobalt Strike GUI. The reference project did this with a payload generator. This was great, but there is a unique challenge. Aggressor provides several hooks to influence how a payload is built. These hooks are used by the various kits (i.e., artifact kit, sleep mask kit, or UDRL kit). They are normally used by loading an aggressor script through the GUI. This project was extended to allow the loading of external scripts. Without this, using this payload hooks would be difficult. This code could easily be extended to pass the payloads to external functions to add custom obfuscation, embed in a customer loader, or any other modification.

The payload generator script connecta to the teamserver, loads the additional scripts, and creates payloads.

Usage:

  • Update payload_scripts.cna with external scripts (if needed. and see the note below on external scripts)
  • Add external scripts to the payload_scripts directory
  • run python3 payloadgenerator.py 127.0.0.1 50050 payloads password ~/cobaltstrike

NOTE: Loading of external scripts

Loading external scripts is not always needed but it used for payload modification scripts that include payload hooks (i.e., artifiact, sleepmask, and udrl kits). If you load scripts from the Cobalt Strike GUI, payloads will honor these scripts from the GUI but not from the agscript client (These are different clients). You must load the scripts in your python code.

  • scripts must be added to a 'scripts' directory
  • the data should be flat for best file path resolution
  • Currently there is no feedback provided that allows you to know if a script was successfully loaded. You can use the elog function to monitor the event log for dirty debugging.

The default script_resource function adds "/scripts/" to the path during resolution. This must be changed or paths built with the expected usage. Without updating, this function flow to loaded scripts and can cause weird path issues. The playloadgenerator script has an inline patch to help with this.

Code references for loading external scripts

striker.py

	def ag_load_script(self, script_path):
		command = f"include(getFileProper('{script_path}'))"
		self.ag_sendline(command)

init.cna

Overloads script_resource to point to the root of the scripts directory

Timing

The script needs time to load. Currently there is no feedback provide that allows you to know if a script was successfully loaded. You can use the elog function to monitor the event log for dirty debugging.

cs.ag_load_script(script_path.name)
time.sleep(3) # Allow time for the script to load

Beacon Grapher

This is beta code that will display beacon in a directed graph.

The script updates the file output/data/beacons.json

Start a webserver and open http://localhost:8000/beacons.html

Usage:

python3 beacongrapher.py 127.0.0.1 50050 grapher password ~/cobaltstrike

This will create the beacons.json file used by the javascript grapher.

Start a webserver from output/html directory

python3 http.server

Connect to http://localhost:8000/beacons.html

You might also like...
A wrapper script to make working with ADB (Android Debug Bridge) easier

Python-ADB-Wrapper A wrapper script to make working with ADB (Android Debug Bridge) easier This project was just a simple test to see if I could wrap

Todos os exercícios do Curso de Python, do canal Curso em Vídeo, resolvidos em Python, Javascript, Java, C++, C# e mais...
Todos os exercícios do Curso de Python, do canal Curso em Vídeo, resolvidos em Python, Javascript, Java, C++, C# e mais...

Exercícios - CeV Oferecido por Linguagens utilizadas atualmente O que vai encontrar aqui? 👀 Esse repositório é dedicado a armazenar todos os enunciad

PyDy, short for Python Dynamics, is a tool kit written in the Python
PyDy, short for Python Dynamics, is a tool kit written in the Python

PyDy, short for Python Dynamics, is a tool kit written in the Python programming language that utilizes an array of scientific programs to enable the study of multibody dynamics. The goal is to have a modular framework and eventually a physics abstraction layer which utilizes a variety of backends that can provide the user with their desired workflow

A Python script made for the Python Discord Pixels event.

Python Discord Pixels A Python script made for the Python Discord Pixels event. Usage Create an image.png RGBA image with your pattern. Transparent pi

this is a basic python project that I made using python

this is a basic python project that I made using python. This project is only for practice because my python skills are still newbie.

Analisador de strings feito em Python // String parser made in Python

Este é um analisador feito em Python, neste programa, estou estudando funções e a sua junção com "if's" e dados colocados pelo usuário. Neste código,

Python with braces. Because Python is awesome, but whitespace is awful.

Bython Python with braces. Because Python is awesome, but whitespace is awful. Bython is a Python preprosessor which translates curly brackets into in

PSP (Python Starter Package) is meant for those who want to start coding in python but are new to the coding scene.

Python Starter Package PSP (Python Starter Package) is meant for those who want to start coding in python, but are new to the coding scene. We include

Py-Parser est un parser de code python en python encore en plien dévlopement.

PY - PARSER Py-Parser est un parser de code python en python encore en plien dévlopement. Une fois achevé, il servira a de nombreux projets comme glad

Comments
  • fix: CS 4.6 breaking changes

    fix: CS 4.6 breaking changes

    Issue

    The April 12th 2022 release of CS 4.6 introduced a couple of breaking changes relating to connecting to the teamserver. From the release notes:

    • "The Cobalt Strike client now runs from a new jar file ('cobaltstrike-client.jar' rather than 'cobaltstrike.jar')."
    • "The 'TeamServerImage' and 'cobaltstrike-client.jar' files are extracted from the 'cobaltstrike.jar' as needed."

    With this change, using the bridge would result in errors attempting to make a connection to the teamserver due to the client jar being renamed to 'cobaltstrike-client.jar' (problematic line here).

    Also, 'cobaltstrike-client.jar' is not extracted automatically on teamserver start up. This opens up a conditional where a CS server could be started/created while the bridge will fail to locate 'cobaltstrike-client.jar' (if called directly, which is why replacing 'cobaltstrike.jar' with 'cobaltstrike-client.jar' here is not a sufficient fix) due to client jar file not having been extracted yet.

    Proposed Fix

    Initiating the teamserver connection by calling agscript ensures that the client jar will always be extracted and launched appropriately. The additional 'cwd' argument passed to pexpect.spawn ensures successful jar extraction (due to relative links used to source helper files/functions).

    opened by sims-security 1
  • Updates to the beaconlogtracker script

    Updates to the beaconlogtracker script

    Made some minor updates to the beaconlogtracker python script.

    1. Updated README.md file to add the -m option when starting a web server with python.
    2. Updated beaconlogtracker script on startup to continually try to connect to the teamserver every 30 seconds if a connection could not be made.
    3. Updated beaconlogtracker script if the beaconlogs data is empty to not exit and instead try again in 30 seconds. A beacon needs to actually check in to the teamserver for the logs to be available.
    opened by chris-thorpe 0
  • agressor.headless.Start.class Not Found

    agressor.headless.Start.class Not Found

    In case anyone else is running a newer version of CS (like 4.6)...

    When running example.py, the following error occurs when connecting to the CS server. [*] Connecting to teamserver: 127.0.0.1 Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true Error: Could not find or load main class aggressor.headless.Start.class Caused by: java.lang.ClassNotFoundException: aggressor.headless.Start.class

    If the sleep_python_bridge/sleep_python_bridge/striker.py file is updated on 57 to self.aggscriptcmd = "java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -classpath '{}/cobaltstrike-client.jar' aggressor.headless.Start".format(self.cs_directory)

    That should resolve the error.

    opened by andrew-gomez 0
  • beaconlogtrack does not see logs on teamserver v4.7

    beaconlogtrack does not see logs on teamserver v4.7

    Hello,

    thanks you for the tool.

    while testing beaconlogtracker.py, i have the following error "No logs yet. Did you just start the teamserver" even though i started teamserver with listeners and running beacons. I think something has changed in the teamserver v4.7.

    logs from cs console showing that logtracker logged in to collect logs:

    09/01 15:41:07 *** logtracker_striker has joined. 09/01 15:41:08 *** External Action Taken: [Beacon Log Tracker] Getting beacon logs from teamserve 09/01 15:41:09 *** External Action Taken: [Beacon Log Tracker] Processing logs 09/01 15:41:11 *** logtracker_striker has left.

    execution logs:

    $ python3 beaconlogtracker.py 127.0.0.1 50050 logtracker PASSWORD /opt/cobaltstrike

    Beacon Log Tracker

    [*] Connecting to teamserver: 127.0.0.1 [Beacon Log Tracker] Getting beacon logs from teamserver... [!] No logs yet. Did you just start the teamserver?

    (kali㉿kali)-[~/sleep_python_bridge] $ ls -lah /opt/cobaltstrike/logs total 16K drwxr-xr-x 4 root root 4.0K Sep 1 19:30 . drwxrwxr-x 5 kali lxd 4.0K Sep 1 22:41 .. drwxr-xr-x 2 root root 4.0K Aug 31 23:46 220831 drwxr-xr-x 3 root root 4.0K Sep 1 22:37 220901

    (kali㉿kali)-[~/sleep_python_bridge] $ ls -lah /opt/cobaltstrike/logs/220901 total 20K drwxr-xr-x 3 root root 4.0K Sep 1 22:37 . drwxr-xr-x 4 root root 4.0K Sep 1 19:30 .. drwxr-xr-x 2 root root 4.0K Sep 1 22:37 192.168.0.1 -rw-r--r-- 1 root root 921 Sep 1 22:41 events.log -rw-r--r-- 1 root root 132 Sep 1 22:21 weblog_80.log

    opened by superuser5 1
Owner
Cobalt Strike
Cobalt Strike
A beacon generator using Cobalt Strike and a variety of tools.

Beaconator is an aggressor script for Cobalt Strike used to generate either staged or stageless shellcode and packing the generated shellcode using your tool of choice.

Capt. Meelo 441 Dec 17, 2022
Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs

SysWhispers2BOF Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs. Introduction This script was initially created to fix specific

FalconForce 101 Dec 20, 2022
Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

null 150 Dec 31, 2022
Repls goes to sleep due to inactivity, but to keep it awake, simply host a webserver and ping it.

Repls goes to sleep due to inactivity, but to keep it awake, simply host a webserver and ping it. This repo will help you make a webserver with a bit of console controls.

null 2 Mar 1, 2022
flake8 plugin which checks that there is no use of sleep in the code.

flake8-sleep flake8 plugin which checks for use of sleep function. installation Using Pypi: pip install flake8-sleep flake8 codes Code Description SLP

null 1 Nov 26, 2021
A simple interface to help lazy people like me to shutdown/reboot/sleep their computer remotely.

?? Lazy Helper ! A simple interface to help lazy people like me to shut down/reboot/sleep/lock/etc. their computer remotely. - USAGE If you're a lazy

MeHDI Rh 117 Nov 30, 2022
Kellogg bad | Union good | Support strike funds

KelloggBot Credit to SeanDaBlack for the basis of the script. req.py is selenium python bot. sc.js is a the base of the ios shortcut [COMING SOON] Set

null 407 Nov 17, 2022
This is a calculator of strike price distance for options.

Calculator-of-strike-price-distance-for-options This is a calculator of strike price distance for options. Options are a type of derivative. One strat

André Luís Lopes da Silva 4 Dec 30, 2022
Heisenbridge a bouncer-style Matrix IRC bridge

Heisenbridge brings IRC to Matrix by creating an environment where every user connects to each network individually like they would with a traditional IRC bouncer

Toni Spets 152 Dec 28, 2022
tool to automate exploitation of android degubg bridge vulnerability

DISCLAIMER DISCLAIMER: ANY MALICIOUS USE OF THE CONTENTS FROM THIS ARTICLE WILL NOT HOLD THE AUTHOR RESPONSIBLE HE CONTENTS ARE SOLELY FOR EDUCATIONAL

null 6 Feb 12, 2022