《深入理解Cobalt Strike》

这里记录收集优秀的CobaltStrike内容，包括优秀的资源工具或优秀的项目代码等。本项目大部分工具都未检测是否存在后门，务必在虚拟机下运行。CobaltStrike思想是攻击者的进步。作者：0e0w

本项目创建时间为2021年8月3日。最近的一次更新时间为2023年8月4日。

• 01-CobaltStrike资源
• 02-CobaltStrike程序
• 03-CobaltStrike功能
• 04-CobaltStrike扩展
• 05-CobaltStrike研究
• 06-CobaltStrike魔改
• 07-CobaltStrike免杀
• 08-CobaltStrike参考

01-CobaltStrike资源

• https://github.com/search?q=CobaltStrike
• https://github.com/topics/cobalt-strike
• https://github.com/topics/cobaltstrike

一、官方手册

• https://download.cobaltstrike.com/downloads/csmanual44.pdf

二、基础教程

• https://wiki.wgpsec.org/knowledge/intranet/Cobalt-Strike.html

三、视频教程

四、其他资源

• https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet
• https://github.com/cisagov/ansible-role-cobalt-strike
• https://github.com/hattmo/c2profilejs
• https://github.com/jan-call/Cobaltstrike-Plugins
• https://github.com/REW-sploit/REW-sploit
• https://github.com/geemion/Khepri
• 【知识回顾】Cobalt Strike 4.0 认证及修补过程
• CobaltStrike4.0无Hook蛮力Cracked License思路
• https://github.com/Tw1sm/HTTPS-MalleableC2-Config
• https://github.com/bashexplode/cs2webconfig
• https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence
• https://github.com/cisagov/teamserver-packer
• https://github.com/Cerbersec/DomainBorrowingC2
• https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
• https://github.com/XRSec/Docker-CobaltStrike
• https://wbglil.gitbook.io/cobalt-strike
• https://github.com/akkuman/EvilEye
• https://github.com/wsummerhill/CobaltStrike_RedTeam_CheatSheet
• https://github.com/splunk/melting-cobalt
• https://github.com/AlphabugX/csOnvps
• https://github.com/warhorse/ansible-role-cobaltstrike-docker
• https://github.com/kluo84/CS-notes
• https://github.com/lovechoudoufu/cobaltstrike4.4_cdf
• https://www.anquanke.com/post/id/269539
• https://github.com/rmartinsanta/cs-dns-parser
• https://github.com/outflanknl/C2-Tool-Collection
• https://xz.aliyun.com/t/11404
• https://tttang.com/archive/1631
• https://xz.aliyun.com/t/11508
• https://tttang.com/archive/1662
• https://bbs.pediy.com/thread-273749.htm
• https://www.anquanke.com/post/id/278690
• https://xz.aliyun.com/t/11662
• https://github.com/XXC385/Cobalt-Strike-Start
• https://www.anquanke.com/post/id/285270
• https://xz.aliyun.com/t/12094
• https://www.secpulse.com/archives/196736.html

02-CobaltStrike程序

03-CobaltStrike功能

04-CobaltStrike扩展

• https://github.com/zer0yu/Awesome-CobaltStrike
• https://www.cobaltstrike.com/aggressor-script/index.html
• https://payloads.online/archivers/2020-03-02/4/
• http://sleep.dashnine.org/manual/
• https://github.com/Cobalt-Strike/community_kit
• https://cobalt-strike.github.io/community_kit

一、Malleable-C2

• https://github.com/Tylous/SourcePoint
• https://github.com/FortyNorthSecurity/C2concealer
• https://github.com/threatexpress/malleable-c2
• https://github.com/vestjoe/cobaltstrike_services
• https://github.com/threatexpress/cs2modrewrite
• https://github.com/Cobalt-Strike/Malleable-C2-Profiles
• https://github.com/rsmudge/Malleable-C2-Profiles
• https://github.com/threatexpress/random_c2_profile
• https://github.com/BC-SECURITY/Malleable-C2-Profiles
• https://github.com/D00Movenok/goMalleable
• https://github.com/Peithon/JustC2file

二、External-C2

• https://github.com/Und3rf10w/external_c2_framework
• https://github.com/mdsecactivebreach/Browser-ExternalC2
• https://github.com/SpiderLabs/DoHC2
• https://github.com/outflanknl/external_c2
• https://github.com/rasta-mouse/ExternalC2.NET
• https://github.com/Flangvik/CobaltBus
• https://github.com/wikiZ/RedGuard

三、UDRL：User Defined Reflective Loader

• https://github.com/mgeeky/ElusiveMice
• https://github.com/SecIdiot/TitanLdr
• https://github.com/boku7/CobaltStrikeReflectiveLoader

四、BOFs：Beacon Object Files

• https://github.com/BOFs/BOFs
• https://github.com/Cerbersec/KillDefenderBOF

五、Aggressor Scripts

• https://github.com/topics/aggressor
• https://github.com/001SPARTaN/aggressor_scripts
• https://github.com/0x727/AggressorScripts_0x727
• https://github.com/harleyQu1nn/AggressorScripts
• https://github.com/bluscreenofjeff/AggressorScripts
• https://github.com/jordanpotti/opsec-aggressor
• https://github.com/mgeeky/cobalt-arsenal
• https://github.com/Cobalt-Strike/beacon_health_check
• https://github.com/RCStep/CSSG
• https://github.com/Verizon/redshell
• https://github.com/EspressoCake/Aggressor_Scripts
• https://github.com/darkoperator/vscode-language-aggressor
• https://github.com/threatexpress/cobaltstrike_payload_generator
• https://github.com/outflanknl/HelpColor
• https://github.com/capt-meelo/Beaconator
• https://github.com/NVISOsecurity/cobalt-strike-notifier
• https://github.com/FortyNorthSecurity/AggressorAssessor
• https://github.com/outflanknl/Dumpert
• https://github.com/killswitch-GUI/CobaltStrike-ToolKit
• https://github.com/Und3rf10w/Aggressor-scripts
• https://github.com/vysecurity/Aggressor-VYSEC
• https://github.com/rasta-mouse/Aggressor-Script
• https://github.com/422926799/csplugin
• https://github.com/Peco602/cobaltstrike-aggressor-scripts
• 上线提醒
• CS_Mail_Tip
• WeChatPush
• https://github.com/Daybr4ak/C2ReverseProxy
• https://github.com/teamssix/dingding_cs_notice
• https://github.com/lintstar/CS-PushPlus
• https://github.com/lintstar/CS-ServerChan
• 持久上线
• https://github.com/0xthirteen/StayKit
• https://github.com/TheKingOfDuck/XSS-Fishing2-CS
• https://github.com/yanghaoi/CobaltStrike_CNA
• https://github.com/improsec/SharpEventPersist
• https://github.com/Richard-Tang/Tomcat2CS
• 虚拟上线
• https://github.com/Doneone/happy_cs
• 权限提升
• weichi
• ElevateKit
• Aggressor-Script
• SweetPotato_CS
• 漏洞扫描
• CVE-2018-4878
• CVE-2020-0796
• MS17-010
• 流量隧道
• UploadAndRunFrp
• https://github.com/m3rcer/Chisel-Strike
• 痕迹清理
• EventLogMaster
• Phant0m_cobaltstrike
• 近源攻击
• https://github.com/AdminTest0/badusb_cobaltstrike

六、Kit

• 神器獬廌
• 梼杌
• LSTAR
• Erebus
• 巨龙拉冬
• Ladon
• CrossC2
• CrossC2Kit
• https://github.com/darkr4y/geacon
• https://github.com/RedTeamWing/WingKit
• Cobalt-Strike-Aggressor-Scripts
• https://github.com/wafinfo/cobaltstrike
• https://github.com/Adminisme/ServerScan
• https://github.com/SeaOf0/CSplugins
• https://github.com/k1d0ne/cobaltstrike_plugin
• https://github.com/9bie/Slacker

七、其他内容

• https://github.com/bitsadmin/nopowershell
• https://github.com/vysecurity/ANGRYPUPPY
• https://github.com/TheKingOfDuck/XSS-Fishing2-CS
• https://github.com/timwhitez/XSS-Phishing
• https://github.com/alphaSeclab/cobalt-strike
• https://github.com/bitsadmin/fakelogonscreen
• https://github.com/Al1ex/CSPlugins
• https://github.com/josephkingstone/cobalt_strike_extension_kit
• https://github.com/isafe/cobaltstrike_brute
• https://github.com/ryanohoro/csbruter
• https://github.com/1135/1135-CobaltStrike-ToolKit
• https://github.com/cube0x0/SharpeningCobaltStrike
• https://github.com/Cliov/Arsenal
• https://github.com/outflanknl/Zipper
• https://github.com/outflanknl/Spray-AD
• https://github.com/Apr4h/CobaltStrikeScan
• https://github.com/SecIdiot/CobaltPatch
• https://github.com/Rvn0xsy/Cobaltstrike-atexec
• https://github.com/aleenzz/Cobalt_Strike_wiki
• https://teamssix.com/year/201023-192553.html
• https://github.com/Lz1y/SyncDog
• https://github.com/Freakboy/CobaltStrike
• https://github.com/Daybr4ak/C2ReverseProxy
• https://github.com/rasta-mouse/Aggressor-Script
• https://github.com/EncodeGroup/AggressiveGadgetToJScript
• https://github.com/bytecod3r/Cobaltstrike-Aggressor-Scripts-Collection
• https://github.com/Sifter-Ex/cPlug
• https://github.com/rsmudge/cortana-scripts
• https://github.com/dcsync/pycobalt
• https://github.com/uknowsec/SharpToolsAggressor
• https://www.cnblogs.com/backlion/p/14000269.html
• https://github.com/hayasec/360SafeBrowsergetpass
• https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet
• https://github.com/sk3w/beacon-object-files
• https://xz.aliyun.com/t/8557
• https://www.freebuf.com/articles/web/255876.html
• https://github.com/Ridter/cs_custom_404
• https://github.com/medasz/CobaltStrike4.0
• https://github.com/c1y2m3/FileSearch
• https://github.com/bopin2020/NetUser
• https://github.com/qigpig/bypass-beacon-config-scan
• https://github.com/slaeryan/DetectCobaltStomp
• https://github.com/breakid/SharpUtils
• https://github.com/rmikehodges/cs-ssl-gen
• https://github.com/Rvn0xsy/Cobaltstrike-atexec
• https://github.com/z1un/Z1-AggressorScripts
• https://github.com/Te-k/cobaltstrike
• https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet
• https://github.com/RedXRanger/StageStrike
• https://github.com/outflanknl/Zipper
• https://github.com/Ridter/CS_Chinese_support
• https://github.com/0xthirteen/MoveKit
• https://github.com/SecIdiot/Beacon
• https://github.com/xx0hcd/Malleable-C2-Profiles
• https://github.com/Ridter/cs_custom_404
• https://github.com/nccgroup/pybeacon
• https://github.com/Skactor/cs-scripts
• https://www.svenbeast.com/post/ny5NkDd40
• https://github.com/j5s/Automatic-permission-maintenance
• https://github.com/mgeeky/RedWarden
• https://github.com/Lz1y/GECC
• https://github.com/Daybr4ak/C2ReverseProxy
• https://github.com/Twi1ight/CSAgent
• https://github.com/ORCA666/Cobalt-Wipe
• https://github.com/xorrior/raven
• https://github.com/xinbailu/TiEtwAgent
• https://github.com/GeorgePatsias/ScareCro
• https://github.com/burpheart/CS_mock
• https://github.com/huoji120/CobaltStrikeDetected
• https://github.com/Mikasazero/Cobalt-Strike
• https://github.com/D1sAbl4/samdump
• https://github.com/ASkyeye/CobaltPatch
• https://github.com/boku7/halosgate-ps
• https://github.com/CCob/BeaconEye
• https://github.com/Sentinel-One/CobaltStrikeParser
• https://github.com/hariomenkel/CobaltSpam
• https://github.com/cisagov/ansible-role-cobalt-strike
• https://github.com/dcsync/pycobalt
• https://github.com/optiv/Registry-Recon
• https://github.com/wgpsec/Automatic-permission-maintenance
• https://github.com/Kara-4search/APC_ShellcodeExecution_CSharp
• https://github.com/fitzgeralddaniel/HTTP_File_Covert_Channel
• https://github.com/med0x2e/SigFlip
• https://github.com/mstxq17/CVE-2021-1675_RDL_LPE
• https://github.com/CPO-EH/SharpZeroLogon
• https://github.com/wikiZ/service_cobaltstrike
• https://github.com/chryzsh/ansible-role-cobalt-strike
• https://github.com/kingz40o/Aggressor_dingding
• https://github.com/howmp/CobaltStrikeDetect
• https://github.com/JUICY00000/HellLoader
• https://github.com/Peithon/JustC2file
• https://github.com/Yihsiwei/SearchForCS
• https://github.com/hlldz/Phant0m
• https://github.com/JDArmy/RPCSCAN
• https://github.com/Cracked5pider/KaynStrike
• https://github.com/kyleavery/AceLdr
• https://github.com/matthieu-hackwitharts/UnhookMe
• https://github.com/ScriptIdiot/BOF-patchit
• https://github.com/nopbrick/SeeProxy
• https://github.com/WKL-Sec/HiddenDesktop
• https://github.com/mertdas/PrivKit

05-CobaltStrike研究

一、逆向分析

• https://github.com/verctor/Cobalt_Homework

二、源码阅读

三、程序特征

• https://github.com/WBGlIl/Beacon_re
• https://github.com/NoOne-hub/Beacon.dll

06-CobaltStrike魔改

为什么需要魔改？需要魔改那些内容？如何进行程序魔改？

一、特征修改

二、流量免杀

三、功能添加

四、其他魔改

• https://mp.weixin.qq.com/s/AePKPUDnBUr4WbJqvPCleg
• https://github.com/Yang0615777/SecondaryDevCobaltStrike
• https://github.com/mai1zhi2/SharpBeacon
• https://github.com/HKirito/GoogleAuth
• https://github.com/Cobalt-Strike/sleep_python_bridge
• https://github.com/bestspear/SharkOne

07-CobaltStrike免杀

• https://github.com/jimsonzhang/Ortau

一、流量免杀

• https://github.com/timwhitez/Doge-CSBridge

二、上线免杀

• https://github.com/0e0w/BypassAV
• https://github.com/hack2fun/BypassAV
• https://github.com/Cliov/Arsenal
• https://github.com/Gality369/CS-Loader
• https://github.com/timwhitez/Doge-Loader
• https://paper.seebug.org/1349/
• https://github.com/t3hbb/NSGenCS
• https://github.com/GeorgePatsias/ScareCrow-CobaltStrike
• https://wiki.ioin.in/url/G7PK
• https://github.com/novysodope/Myloader

08-CobaltStrike参考

• https://www.cobaltstrike.com