AM0N-Eye is a compilation of a group of the most important scripts that were written specifically for Cobaltsetrike and the rest of the files such as de for modification in colors and images. All property rights reserved to the original developers. Just open the Cobaltsetrike.jar file and replace it with de and default.cna and resources The names of the projects that have been added.r3dqu1nn scripts ScareCrow,CrossC2,CSSG-xor,InvokeCredentialPhisher,Registry-Recon,StayKit

chmod +x install.sh

##PayloadGenerator

Generates every type of Stageless/Staged Payload based off a HTTP/HTTPS Listener

Creates /opt/amon-eye/Staged_Payloads, /opt/amon-eye/Stageless_Payloads

#Linux & MacOS C2 Server

A security framework for enterprises and Red Team personnel, supports AM0N-Eye penetration testing of other platforms (Linux / MacOS / ...), supports custom modules, and includes some commonly used penetration modules.

to send toast notifications on behalf on an (installed) application or the computer itself. The user will be asked to supply credentials once they click on the notification toast. The second one is a AM0N-Eye module to launch the phishing attack on connected beacons and you can learn the types of victim's defense mechanisms and exploit this to issue an update alert or to take action

#AV/EDR evasion

(AV/EDR evasion) is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process's memory. This works because we know the EDR’s hooks are placed when a process is spawned. (AV/EDR evasion) can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute.

#shellcode obfuscatior

Generates beacon stageless shellcode with exposed exit method, additional formatting, encryption, encoding, compression, multiline output, etc shellcode transforms are generally performed in descending menu order Requirements: The optional AES encryption option uses a python script in the /assets folder Depends on the pycryptodome package to be installed to perform the AES encryption

• (UserSchtasksPersist)

• (ServiceEXEPersist)

• (WMICEventPersist)

• (StartupGPOPersist)

• (RegistryPersist)

• (HKCURunKeyPSRegistryPersist)

##AVQuery

Queries the Registry with powershell for all AV Installed on the target

Quick and easy way to get the AV you are dealing with as an attacker

##checkmate request version of the checkmate request Web Delivery attack

Stageless Web Delivery using checkmate.exe 

Powerpick is used to spawn checkmate.exe to download the stageless payload on target and execute with rundll32.exe

##Curl-TLS

simple web requests without establishing SOCKS PROXY. Example use case could be confirming outbound access to specific service before deploying a relay from [F-Secure's C3]

#AV/EDR Recon & EDR exact query

As a red-team practitioner, we are often using tools that attempt to fingerprint details about a compromised system, preferably in the most stealthy way possible. Some of our usual tooling for this started getting flagged by EDR products, due to the use of Windows CLI commands. This aims to solve that problem by only probing the system using native registry queries, no CLI commands.

silentcleanup UAC bypass that bypasses "always notify" aka the highest UAC setting, even on Windows