CobaltStrike Resource Collection

"Understanding Cobalt Strike in Depth"

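This project collects high-quality CobaltStrike content, including useful resources, tools, and project code. Most of the tools in this project have not been checked for backdoors, so be sure to run them in a virtual machine. The thinking behind CobaltStrike represents progress for attackers. Author: 0e0w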

This project was created on August 3, 2021. The most recent update was on August 22, 2022.

01-CobaltStrike Resources

  • https://github.com/search?q=CobaltStrike
  • https://github.com/topics/cobalt-strike
  • https://github.com/topics/cobaltstrike

1. Official Manual

  • [ ] https://download.cobaltstrike.com/downloads/csmanual44.pdf

2. Basic Tutorials

  • [ ] https://wiki.wgpsec.org/knowledge/intranet/Cobalt-Strike.html

3. Video Tutorials

4. Other Resources

  • [ ] https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet
  • [ ] https://github.com/cisagov/ansible-role-cobalt-strike
  • [ ] https://github.com/hattmo/c2profilejs
  • [ ] https://github.com/jan-call/Cobaltstrike-Plugins
  • [ ] https://github.com/REW-sploit/REW-sploit
  • [ ] https://github.com/geemion/Khepri
  • [ ] [Knowledge Review] Cobalt Strike 4.0 Authentication and Patching Process
  • [ ] CobaltStrike4.0 Hook-Free Brute-Force Cracked License Approach
  • [ ] https://github.com/Tw1sm/HTTPS-MalleableC2-Config
  • [ ] https://github.com/bashexplode/cs2webconfig
  • [ ] https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence
  • [ ] https://github.com/cisagov/teamserver-packer
  • [ ] https://github.com/Cerbersec/DomainBorrowingC2
  • [ ] https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
  • [ ] https://github.com/XRSec/Docker-CobaltStrike
  • [ ] https://wbglil.gitbook.io/cobalt-strike
  • [ ] https://github.com/akkuman/EvilEye
  • [ ] https://github.com/wsummerhill/CobaltStrike_RedTeam_CheatSheet
  • [ ] https://github.com/splunk/melting-cobalt
  • [ ] https://github.com/AlphabugX/csOnvps
  • [ ] https://github.com/warhorse/ansible-role-cobaltstrike-docker
  • [ ] https://github.com/kluo84/CS-notes
  • [ ] https://github.com/lovechoudoufu/cobaltstrike4.4_cdf
  • [ ] https://www.anquanke.com/post/id/269539
  • [ ] https://github.com/rmartinsanta/cs-dns-parser
  • [ ] https://github.com/outflanknl/C2-Tool-Collection
  • [ ] https://xz.aliyun.com/t/11404
  • [ ] https://tttang.com/archive/1631
  • [ ] https://xz.aliyun.com/t/11508
  • [ ] https://tttang.com/archive/1662
  • [ ] https://bbs.pediy.com/thread-273749.htm

02-CobaltStrike Program

03-CobaltStrike Features

04-CobaltStrike Extensions

  • https://github.com/zer0yu/Awesome-CobaltStrike
  • https://www.cobaltstrike.com/aggressor-script/index.html
  • https://payloads.online/archivers/2020-03-02/4/
  • http://sleep.dashnine.org/manual/
  • https://github.com/Cobalt-Strike/community_kit
  • https://cobalt-strike.github.io/community_kit

1. Malleable-C2

  • [ ] https://github.com/Tylous/SourcePoint
  • [ ] https://github.com/FortyNorthSecurity/C2concealer
  • [ ] https://github.com/threatexpress/malleable-c2
  • [ ] https://github.com/vestjoe/cobaltstrike_services
  • [ ] https://github.com/threatexpress/cs2modrewrite
  • [ ] https://github.com/Cobalt-Strike/Malleable-C2-Profiles
  • [ ] https://github.com/rsmudge/Malleable-C2-Profiles
  • [ ] https://github.com/threatexpress/random_c2_profile
  • [ ] https://github.com/BC-SECURITY/Malleable-C2-Profiles
  • [ ] https://github.com/D00Movenok/goMalleable
  • [ ] https://github.com/Peithon/JustC2file

2. External-C2

  • [ ] https://github.com/Und3rf10w/external_c2_framework
  • [ ] https://github.com/mdsecactivebreach/Browser-ExternalC2
  • [ ] https://github.com/SpiderLabs/DoHC2
  • [ ] https://github.com/outflanknl/external_c2
  • [ ] https://github.com/rasta-mouse/ExternalC2.NET
  • [ ] https://github.com/Flangvik/CobaltBus
  • [ ] https://github.com/wikiZ/RedGuard

3. UDRL: User Defined Reflective Loader

  • [ ] https://github.com/mgeeky/ElusiveMice
  • [ ] https://github.com/SecIdiot/TitanLdr
  • [ ] https://github.com/boku7/CobaltStrikeReflectiveLoader

4. BOFs: Beacon Object Files

  • https://github.com/BOFs/BOFs
  • https://github.com/Cerbersec/KillDefenderBOF

5. Aggressor Scripts

  • https://github.com/topics/aggressor
  • [ ] https://github.com/001SPARTaN/aggressor_scripts
  • [ ] https://github.com/0x727/AggressorScripts_0x727
  • [ ] https://github.com/harleyQu1nn/AggressorScripts
  • [ ] https://github.com/bluscreenofjeff/AggressorScripts
  • [ ] https://github.com/jordanpotti/opsec-aggressor
  • [ ] https://github.com/mgeeky/cobalt-arsenal
  • [ ] https://github.com/Cobalt-Strike/beacon_health_check
  • [ ] https://github.com/RCStep/CSSG
  • [ ] https://github.com/Verizon/redshell
  • [ ] https://github.com/EspressoCake/Aggressor_Scripts
  • [ ] https://github.com/darkoperator/vscode-language-aggressor
  • [ ] https://github.com/threatexpress/cobaltstrike_payload_generator
  • [ ] https://github.com/outflanknl/HelpColor
  • [ ] https://github.com/capt-meelo/Beaconator
  • [ ] https://github.com/NVISOsecurity/cobalt-strike-notifier
  • [ ] https://github.com/FortyNorthSecurity/AggressorAssessor
  • [ ] https://github.com/outflanknl/Dumpert
  • [ ] https://github.com/killswitch-GUI/CobaltStrike-ToolKit
  • [ ] https://github.com/Und3rf10w/Aggressor-scripts
  • [ ] https://github.com/vysecurity/Aggressor-VYSEC
  • [ ] https://github.com/rasta-mouse/Aggressor-Script
  • [ ] https://github.com/422926799/csplugin
  • [ ] https://github.com/Peco602/cobaltstrike-aggressor-scripts
  • Check-in notifications
  • [ ] CS_Mail_Tip
  • [ ] WeChatPush
  • [ ] https://github.com/Daybr4ak/C2ReverseProxy
  • [ ] https://github.com/teamssix/dingding_cs_notice
  • [ ] https://github.com/lintstar/CS-PushPlus
  • [ ] https://github.com/lintstar/CS-ServerChan
  • Persistent check-in
  • [ ] https://github.com/0xthirteen/StayKit
  • [ ] https://github.com/TheKingOfDuck/XSS-Fishing2-CS
  • [ ] https://github.com/yanghaoi/CobaltStrike_CNA
  • [ ] https://github.com/improsec/SharpEventPersist
  • [ ] https://github.com/Richard-Tang/Tomcat2CS
  • Simulated check-in
  • [ ] https://github.com/Doneone/happy_cs
  • Privilege escalation
  • [ ] weichi
  • [ ] ElevateKit
  • [ ] Aggressor-Script
  • [ ] SweetPotato_CS
  • Vulnerability scanning
  • [ ] CVE-2018-4878
  • [ ] CVE-2020-0796
  • [ ] MS17-010
  • Traffic tunneling
  • [ ] UploadAndRunFrp
  • [ ] https://github.com/m3rcer/Chisel-Strike
  • Trace cleanup
  • [ ] EventLogMaster
  • [ ] Phant0m_cobaltstrike
  • Close-proximity attacks
  • [ ] https://github.com/AdminTest0/badusb_cobaltstrike

6. Kit

7. Other Content

  • [ ] https://github.com/bitsadmin/nopowershell
  • [ ] https://github.com/vysecurity/ANGRYPUPPY
  • [ ] https://github.com/TheKingOfDuck/XSS-Fishing2-CS
  • [ ] https://github.com/timwhitez/XSS-Phishing
  • [ ] https://github.com/alphaSeclab/cobalt-strike
  • [ ] https://github.com/bitsadmin/fakelogonscreen
  • [ ] https://github.com/Al1ex/CSPlugins
  • [ ] https://github.com/josephkingstone/cobalt_strike_extension_kit
  • [ ] https://github.com/isafe/cobaltstrike_brute
  • [ ] https://github.com/ryanohoro/csbruter
  • [ ] https://github.com/1135/1135-CobaltStrike-ToolKit
  • [ ] https://github.com/cube0x0/SharpeningCobaltStrike
  • [ ] https://github.com/Cliov/Arsenal
  • [ ] https://github.com/outflanknl/Zipper
  • [ ] https://github.com/outflanknl/Spray-AD
  • [ ] https://github.com/Apr4h/CobaltStrikeScan
  • [ ] https://github.com/SecIdiot/CobaltPatch
  • [ ] https://github.com/Rvn0xsy/Cobaltstrike-atexec
  • [ ] https://github.com/aleenzz/Cobalt_Strike_wiki
  • [ ] https://teamssix.com/year/201023-192553.html
  • [ ] https://github.com/Lz1y/SyncDog
  • [ ] https://github.com/Freakboy/CobaltStrike
  • [ ] https://github.com/Daybr4ak/C2ReverseProxy
  • [ ] https://github.com/rasta-mouse/Aggressor-Script
  • [ ] https://github.com/EncodeGroup/AggressiveGadgetToJScript
  • [ ] https://github.com/bytecod3r/Cobaltstrike-Aggressor-Scripts-Collection
  • [ ] https://github.com/Sifter-Ex/cPlug
  • [ ] https://github.com/rsmudge/cortana-scripts
  • [ ] https://github.com/dcsync/pycobalt
  • [ ] https://github.com/uknowsec/SharpToolsAggressor
  • [ ] https://www.cnblogs.com/backlion/p/14000269.html
  • [ ] https://github.com/hayasec/360SafeBrowsergetpass
  • [ ] https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet
  • [ ] https://github.com/sk3w/beacon-object-files
  • [ ] https://xz.aliyun.com/t/8557
  • [ ] https://www.freebuf.com/articles/web/255876.html
  • [ ] https://github.com/Ridter/cs_custom_404
  • [ ] https://github.com/medasz/CobaltStrike4.0
  • [ ] https://github.com/c1y2m3/FileSearch
  • [ ] https://github.com/bopin2020/NetUser
  • [ ] https://github.com/qigpig/bypass-beacon-config-scan
  • [ ] https://github.com/slaeryan/DetectCobaltStomp
  • [ ] https://github.com/breakid/SharpUtils
  • [ ] https://github.com/rmikehodges/cs-ssl-gen
  • [ ] https://github.com/Rvn0xsy/Cobaltstrike-atexec
  • [ ] https://github.com/z1un/Z1-AggressorScripts
  • [ ] https://github.com/Te-k/cobaltstrike
  • [ ] https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet
  • [ ] https://github.com/RedXRanger/StageStrike
  • [ ] https://github.com/outflanknl/Zipper
  • [ ] https://github.com/Ridter/CS_Chinese_support
  • [ ] https://github.com/0xthirteen/MoveKit
  • [ ] https://github.com/SecIdiot/Beacon
  • [ ] https://github.com/xx0hcd/Malleable-C2-Profiles
  • [ ] https://github.com/Ridter/cs_custom_404
  • [ ] https://github.com/nccgroup/pybeacon
  • [ ] https://github.com/Skactor/cs-scripts
  • [ ] https://www.svenbeast.com/post/ny5NkDd40
  • [ ] https://github.com/j5s/Automatic-permission-maintenance
  • [ ] https://github.com/mgeeky/RedWarden
  • [ ] https://github.com/Lz1y/GECC
  • [ ] https://github.com/Daybr4ak/C2ReverseProxy
  • [ ] https://github.com/Twi1ight/CSAgent
  • [ ] https://github.com/ORCA666/Cobalt-Wipe
  • [ ] https://github.com/xorrior/raven
  • [ ] https://github.com/xinbailu/TiEtwAgent
  • [ ] https://github.com/GeorgePatsias/ScareCro
  • [ ] https://github.com/burpheart/CS_mock
  • [ ] https://github.com/huoji120/CobaltStrikeDetected
  • [ ] https://github.com/Mikasazero/Cobalt-Strike
  • [ ] https://github.com/D1sAbl4/samdump
  • [ ] https://github.com/ASkyeye/CobaltPatch
  • [ ] https://github.com/boku7/halosgate-ps
  • [ ] https://github.com/CCob/BeaconEye
  • [ ] https://github.com/Sentinel-One/CobaltStrikeParser
  • [ ] https://github.com/hariomenkel/CobaltSpam
  • [ ] https://github.com/cisagov/ansible-role-cobalt-strike
  • [ ] https://github.com/dcsync/pycobalt
  • [ ] https://github.com/optiv/Registry-Recon
  • [ ] https://github.com/wgpsec/Automatic-permission-maintenance
  • [ ] https://github.com/Kara-4search/APC_ShellcodeExecution_CSharp
  • [ ] https://github.com/fitzgeralddaniel/HTTP_File_Covert_Channel
  • [ ] https://github.com/med0x2e/SigFlip
  • [ ] https://github.com/mstxq17/CVE-2021-1675_RDL_LPE
  • [ ] https://github.com/CPO-EH/SharpZeroLogon
  • [ ] https://github.com/wikiZ/service_cobaltstrike
  • [ ] https://github.com/chryzsh/ansible-role-cobalt-strike
  • [ ] https://github.com/kingz40o/Aggressor_dingding
  • [ ] https://github.com/howmp/CobaltStrikeDetect
  • [ ] https://github.com/JUICY00000/HellLoader
  • [ ] https://github.com/Peithon/JustC2file
  • [ ] https://github.com/Yihsiwei/SearchForCS
  • [ ] https://github.com/hlldz/Phant0m
  • [ ] https://github.com/JDArmy/RPCSCAN
  • [ ] https://github.com/Cracked5pider/KaynStrike
  • [ ] https://github.com/kyleavery/AceLdr
  • [ ] https://github.com/matthieu-hackwitharts/UnhookMe
  • [ ] https://github.com/ScriptIdiot/BOF-patchit

05-CobaltStrike Research

1. Reverse Engineering

  • [ ] https://github.com/verctor/Cobalt_Homework

2. Source Code Reading

3. Program Signatures

  • [ ] https://github.com/WBGlIl/Beacon_re
  • [ ] https://github.com/NoOne-hub/Beacon.dll

06-CobaltStrike Modification

Why is modification needed? What needs to be modified? How is the program modified?

1. Signature Modification

2. Traffic Evasion

3. Adding Features

4. Other Modifications

  • [ ] https://mp.weixin.qq.com/s/AePKPUDnBUr4WbJqvPCleg
  • [ ] https://github.com/Yang0615777/SecondaryDevCobaltStrike
  • [ ] https://github.com/mai1zhi2/SharpBeacon
  • [ ] https://github.com/HKirito/GoogleAuth
  • [ ] https://github.com/Cobalt-Strike/sleep_python_bridge

07-CobaltStrike AV Evasion

1. Traffic Evasion

  • [ ] https://github.com/timwhitez/Doge-CSBridge

2. Check-in Evasion

  • https://github.com/0e0w/BypassAV
  • [ ] https://github.com/hack2fun/BypassAV
  • [ ] https://github.com/Cliov/Arsenal
  • [ ] https://github.com/Gality369/CS-Loader
  • [ ] https://github.com/timwhitez/Doge-Loader
  • [ ] https://paper.seebug.org/1349/
  • [ ] https://github.com/t3hbb/NSGenCS
  • [ ] https://github.com/GeorgePatsias/ScareCrow-CobaltStrike
  • [ ] https://wiki.ioin.in/url/G7PK
  • [ ] https://github.com/novysodope/Myloader

08-CobaltStrike References

  • https://www.cobaltstrike.com
