

Corrected CS integration paths on Windows to match docs and newer ver…
…sions of CS

Added additional error cases to the team server connectivity checker.
neonbunny committed Aug 19, 2024
1 parent 8fd9909 commit a26226d
Showing 2 changed files with 33 additions and 21 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -136,7 +136,7 @@ Once an EventStream log has been ingested by Stepping Stones specific relevant e

## Cobalt Strike Integration Details

The preferred method of integrating Cobalt Strike is via SSBot. This requires a licensed copy of Cobalt Strike in /opt/cobaltstrike or c:\tools\cobaltstrike-dist\cobaltstrike which will be used to contact any (enabled) team servers configured in the Web interface.
The preferred method of integrating Cobalt Strike is via SSBot. This requires a licensed copy of Cobalt Strike in /opt/cobaltstrike or c:\tools\cobaltstrike which will be used to contact any (enabled) team servers configured in the Web interface.

Once integrated:
* Source/Target dropdowns will include beacons
52 changes: 32 additions & 20 deletions cobalt_strike_monitor/poll_team_server.py
Expand Up @@ -76,24 +76,33 @@ def healthcheck_teamserver(serverid):
}""")
tempfile.close()
jar_path = _get_jar_path()
p = subprocess.Popen(["java",
"-XX:ParallelGCThreads=4",
"-XX:+AggressiveHeap",
"-XX:+UseParallelGC",
"-Xmx128M",
"-classpath",
str(jar_path),
"aggressor.headless.Start",
server.hostname,
str(server.port),
f"ssbot{int(time_ns() / 1_000_000_000)}",
server.password,
tempfile.name],
cwd=str(jar_path.parent),
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
aggressor_output = p.stdout.read().decode("unicode_escape")
os.unlink(tempfile.name)
try:
p = subprocess.Popen(["java",
"-XX:ParallelGCThreads=4",
"-XX:+AggressiveHeap",
"-XX:+UseParallelGC",
"-Xmx128M",
"-classpath",
str(jar_path),
"aggressor.headless.Start",
server.hostname,
str(server.port),
f"ssbot{int(time_ns() / 1_000_000_000)}",
server.password,
tempfile.name],
cwd=str(jar_path.parent),
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
aggressor_output = p.stdout.read().decode("unicode_escape")
except FileNotFoundError as e:
aggressor_output = f"Java Virtual Machine not found in $PATH"
except NotADirectoryError as e:
aggressor_output = f"No such JAR directory: {jar_path.parent}"
finally:
os.unlink(tempfile.name)

if "Could not find or load main class aggressor.headless.Start" in aggressor_output:
aggressor_output += "\nTry (re-)running Cobalt Strike's update script"
try:
p = subprocess.Popen(["systemctl",
"status",
Expand Down Expand Up @@ -191,12 +200,15 @@ def poll_teamserver(serverid):

def _get_jar_path():
if platform.system() == "Windows":
jar_path = Path(r"C:\Tools\cobaltstrike-4.8\cobaltstrike.jar")
jar_path = Path(r"C:\Tools\cobaltstrike\cobaltstrike.jar")
else:
jar_path = Path(r"/opt/cobaltstrike/cobaltstrike.jar")
cs46_jar_path = jar_path.with_name("cobaltstrike-client.jar")
cs46_jar_path = jar_path.parent / "cobaltstrike-client.jar"
if cs46_jar_path.exists():
jar_path = cs46_jar_path
cs49_jar_path = jar_path.parent / "client" / "cobaltstrike-client.jar"
if cs49_jar_path.exists():
jar_path = cs49_jar_path
return jar_path


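Review bot: The `except FileNotFoundError` branch added in the first hunk of healthcheck_teamserver (the body of which starts and ends outside the hunk) also fires on POSIX hosts when `cwd=str(jar_path.parent)` does not exist, because a failed chdir in the child surfaces as FileNotFoundError (ENOENT) there, while only Windows reports a missing cwd as NotADirectoryError; a missing Cobalt Strike install would therefore be reported as "Java Virtual Machine not found in $PATH". CPython sets `e.filename` to the path that failed (the cwd for a chdir failure, the executable otherwise), so the branch can distinguish the two: `except FileNotFoundError as e:` / `    missing = e.filename or "java"` / `    aggressor_output = f"Not found: {missing} (JVM not in $PATH, or JAR directory {jar_path.parent} missing)"`. As written the branch binds `e` without using it and its replacement text is an f-string with no placeholders, so either use `e` as above or drop both `as e` and the `f` prefix. Separately, `p.stdout.read()` returns without a `p.wait()`, so the child's exit status is never checked and the process is left unreaped; this predates the commit, but the new try block is the natural place to add `p.wait()` after the read.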
