forked from mgeeky/cobalt-arsenal
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrename-beacon-tabs.cna
100 lines (82 loc) · 3.01 KB
/
rename-beacon-tabs.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#
# Beacons tabs renaming script.
#
# Lets us rename tabs from a default format of:
# Beacon <ip>@<pid>
#
# to anything other we like. Take note that the script only renames Beacon-related
# tabs, leaving SSH ones untouched. The renaming action kicks in every 15 seconds, as registered
# in heartbeat_15s event handler.
#
# Format deciding how should each Beacon's tab be named, utilising beacon's metadata fields
# is described in a global variable named $beacon_tab_name_format . That variable may contain
# any of the following available beacon's metadata keys (CobaltStrike 4.2):
# note, charset, internal , alive, session, listener, pid, lastf, computer, host,
# is64, id, process, ver, last, os, barch, phint, external, port, build, pbid, arch,
# user, _accent
#
# Example:
# $beacon_tab_name_format = "B: <user>@<computer> (<pid>)";
#
# Author:
# Mariusz Banach / mgeeky, '20
# <mb [at] binary-offensive.com>
# (https://github.com/mgeeky)
#
$beacon_tab_name_format = "B: <user>@<computer> (<pid>)";
on heartbeat_15s {
if($beacon_tab_name_format is $null || strlen($beacon_tab_name_format) == 0) {
return;
}
renameBeaconTabs();
}
sub renameBeaconTabs {
local('$bid');
foreach $bid (beacon_ids()) {
renameBeaconTab($bid);
}
}
#
# CobaltStrike 4.4 changed ApplicationTab's class definition.:
#
# cobaltstrike.jar:aggressor.TabManager.class:
# - title => - E
# - component => - C
# - removeListener => - D
# - label => - B
# - bid => - A
#
sub renameBeaconTab {
local('$client $srctabname $i $dsttabname $apptabs $applicationTab');
if($beacon_tab_name_format is $null || strlen($beacon_tab_name_format) == 0) {
return;
}
$bid = $1;
$client = getAggressorClient();
$apptabs = [[$client tabs] apptabs];
$srctabname = "Beacon " . beacon_info($bid, 'host') . "@" . beacon_info($bid, 'pid');
$srctabname = [$srctabname trim];
for ( $i = 0; $i < [$apptabs size] ; $i++) {
$applicationTab = [$apptabs get: $i];
if ([$applicationTab A] eq $bid) {
$currtabname = [[[$applicationTab B] getText] trim];
if ($currtabname eq $srctabname) {
$dsttabname = $beacon_tab_name_format;
foreach $beacon (beacons()) {
if ($beacon['id'] eq $bid) {
foreach $k => $v ($beacon) {
$dsttabname = replace($dsttabname, '<' . $k . '>', $v);
}
}
}
# For some reason when we call setField to set title property of
# applicationTab var, the beacon tab's title gets reverted to its previous
# value, completely ignoring followed setText(). No clue what's going on, so we
# better avoid the setField call.
#setField($applicationTab, E => $dsttabname);
[[$applicationTab B] setText: $dsttabname . " "];
}
}
}
}
renameBeaconTabs();