## Initial Beacon OPSEC headless script

This script operates in headless mode, launched by Cobalt Strike's `./agscript` alongside `./teamserver`.
It reacts to new beacons checking in and issues the following OPSEC commands on them:

- `spawnto x86`
- `spawnto x64`
- `unhook kernel32`
- `etw stop`
- `autoppid`

### How to run it

First `cd` into the Cobalt Strike Linux directory and run:

```
DISPLAY= ./agscript 127.0.0.1 <port> beacon-opsec <pass> cobalt-initial-opsec.cna
```

Change `<port>` and `<pass>` to your teamserver settings.


### Adaptation

If you wish to change the current defaults, edit `cobalt-initial-opsec.cna` and change these lines:

```
#
# ==============================================================
# CONFIGURATION
# 

$parent_process_name = "explorer.exe";
$privileged_parent_process_name = "svchost.exe";

$spawnto_x86 = "C:\\Windows\\System32\\conhost.exe";
$spawnto_x64 = "C:\\Windows\\System32\\conhost.exe";
```

Additionally, at the end of the file there is a definition of `beacon_initial` callback that can be edited:

```
on beacon_initial {

    # ...

    # $1 is the id of the beacon that just checked in.
    # Apply the configured spawnto binaries for both architectures.
    bspawnto($1, "x86", $spawnto_x86);
    bspawnto($1, "x64", $spawnto_x64);

    # Run the script's own aliases against the new beacon.
    fireAlias($1, "unhook", "kernel32");
    fireAlias($1, "etw", "stop");
    fireAlias($1, "autoppid", "");

    # Record in the beacon console which steps were applied.
    binput($1, "Beacon Initial OPSEC applied: autoppid, unhook, spawnto, etw stop");
}
```


---

### ☕ Show Support ☕

This and other projects are the outcome of sleepless nights and **plenty of hard work**. If you like what I do and appreciate that I always give back to the community,
[consider buying me a coffee](https://github.com/sponsors/mgeeky) _(or better a beer)_ just to say thank you! 💪

---

```
Mariusz Banach / mgeeky, (@mariuszbit)
<mb [at] binary-offensive.com>
```
