pyCobaltHound: Aggressor script extension for Cobalt Strike

Aggressor script extension

pyCobaltHound

pyCobaltHound is an Aggressor script extension for Cobalt Strike which aims to provide deep integration between Cobalt Strike and Bloodhound.

pyCobaltHound strives to assist red team operators by:

  • Automatically querying the BloodHound database to discover escalation paths opened up by newly collected credentials.
  • Automatically marking compromised users and computers as owned.
  • Allowing operators to quickly and easily investigate the escalation potential of beacon sessions and users.

To accomplish this, pyCobaltHound uses a set of built-in queries. Operators are also able to add/remove their own queries to fine tune pyCobaltHound’s monitoring capabilities. This grants them the flexibility to adapt pyCobaltHound on the fly during engagements to account for engagement-specific targets (users, hosts, etc..).

Tips & tricks

  • PyCobalt comes with some Script Console commands to manage the running Python scripts. When you reload your Aggressor script you should explicitly stop the Python scripts first. Otherwise, they’ll run forever doing nothing. During pyCobaltHound’s development we noticed that this can also lead to undefined behavior.

    Reloading pyCobaltHound can be done as follows:

    aggressor> python-stop-all`
    [pycobalt] Asking script to stop: /root/pycobalthound/pycobalthound.py
    [pycobalt] Script process exited: /root/pycobalthound/pycobalthound.py

    aggressor> reload example.cna`
    [pycobalt] Executing script /root/pycobalthound/pycobalthound.py

  • For PyCobalt to work properly you can only call PyCobalt in one Aggressor script. Keep this in mind if you want to use pyCobaltHound together with other Aggressor scripts that usePyCobalt. Our approach is to have an Aggressor script with a call to python() and include() for every PyCobalt-based tool.

Install & Use

Copyright (C) 2022 NVISOsecurity