AggressorAssessor - Cobalt Strike Aggressor Scripts
I (@ChrisTruncer) had the opportunity to speak at Wild West Hackin Fest last week along with Harley LeBeau (@r3dQu1nn) on a topic we called “Aggressive Autonomous Actions – Operating with Automation”. This was a talk that we have been working on for a few months allowing us to write code, or identify existing code that already does everything we need.
The point of the talk is to demonstrate that Cobalt Strike (along with other tools) provide red teams with the ability to automate actions that would normally have to be conducted manually. Additionally, if something couldn’t be fully automated, scripting languages like Aggressor provide operators the ability to automate 90% of what they can and prompt the user to provide the last 10%. Automation clearly has certain benefits, if we can automate something that would normally require someone to manually conduct a step, then there’s a time savings benefit. Automation can also have other benefits; if you want to ensure that a certain command is always entered a certain way (possibly to prevent syntax errors or by providing a GUI for a command-line command), you can do this with Aggressor. Finally, what if you want to prevent someone from conducting an action? You can develop a script that will prevent execution of an action, or require a manual override.
There’s also a time to automate, and a time not to. If the actions that you take do not require analysis by a team member prior to conducting an action, that step is a good candidate for automating. However, if you need to review the data that is returned prior to conducting an action, then this would not be a good step to automate completely.
So, the first question might be, where is this useful?
The image above is how FortyNorth Security views the Attack Lifecycle. The goal for the AggressorAssessor repository is to contain Cobalt Strike, Metasploit, or any other tool’s scripts that would allow users to automate actions pertaining to the various stages of the Attack Lifecycle. If you view the repository, you can see the scripts which are currently available for your use – https://github.com/FortyNorthSecurity/AggressorAssessor.
Lateral Movement & Access Management
For example, the lateral movement within cobalt strike is largely limited to using psexec, psexec_psh, or WMI, so how can we add additional methods to move laterally and automate this process? Within the “Lateral Movement & Access Management” folder is a script called msbuild_exec.cna. This Aggressor script will register two new functions within Beacon, “msbuild_script” and “msbuild_cmd”. These functions will allow you to run a PowerShell script, or command, on a local or remote system using Casey Smith’s inline tasks method. The xml file is uploaded to the system that you specify you want to run a command or script on, and MSBuild.exe is triggered with WMI to run the file. The video below shows an example of running the command “Get-Date” and outputting the results to a file.
While not within the attack lifecycle, reporting is an essential step of any assessment, so why not automate this process as much as we can? What’s something that customers will almost always ask for at the end of an assessment (besides the report itself)? Something FortyNorth Security is always asked for is for us to provide our customer a list of all user accounts and computers that were compromised during the course of an assessment. Rather than giving our customer the large default output from Cobalt Strike, it is possible to hook into Cobalt Strike and generate our own customer report. Thankfully, Alyssa Rahman (@ramen0x3f) already created an Aggressor script that does exactly this – located here (original repo here). When you generate the report, it will look similar to the image below.
There’s a lot more than just the above scripts contained within the AggressorAssessor repository, so I suggest that you start to explore the scripts within it and feel free to submit additional scripts as they are developed, we’d love to get more added in! If you have any questions, don’t hesitate to contact us at FortyNorth Security!
Note: Everyone at FortyNorth Security thoroughly enjoyed our time at Wild West Hackin Fest. The talks were excellent and there was always a talk going on that was interesting and relevant. Beyond this, the opportunity to meet with everyone who attended the conference is what helped to really make the con. Everyone we spoke to thoroughly enjoyed just talking shop and having a good time in Deadwood, SD. If you can make it in 2019, we highly recommend it.