From d8878198215a6444f64b39edb23158e50ba1b1a6 Mon Sep 17 00:00:00 2001
From: op7ic <3172590+op7ic@users.noreply.github.com>
Date: Fri, 16 Aug 2019 17:07:00 +0300
Subject: [PATCH] cobalt plugin
---
 Cobalt/EDR-TEST.CNA | 15 +++++++++++++++
 README.md | 18 ++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 Cobalt/EDR-TEST.CNA
diff --git a/Cobalt/EDR-TEST.CNA b/Cobalt/EDR-TEST.CNA
new file mode 100644
index 0000000..963ecc8
--- /dev/null
+++ b/Cobalt/EDR-TEST.CNA
@@ -0,0 +1,15 @@
+popup beacon_bottom {
+
+ menu "EDR TEST" {
+
+ item "RUN ALL TESTS" {
+ bupload($1, script_resource("../runtests.bat"));
+ bshell($1, "runtests.bat");
+ }
+
+ item "REMOVE RUNTEST.BAT" {
+ bshell($1, "del /y runtests.bat");
+ }
+
+ }
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index 325d264..dc63f21 100644
--- a/README.md
+++ b/README.md
@@ -60,6 +60,24 @@ The following techniques are currently covered by this script:
 | | WseClientSvc.exe | |
+** Run with Metasploit **
+If you want to run this script as part of Purple Team exercise then simple MSF module execution will do:
+
+```
+msf > use post/multi/manage/upload_exec
+msf post(upload_exec) > set lfile /tmp/runtests.bat
+lfile => /tmp/runtests.bat
+msf post(upload_exec) > set rfile C:\\Users\\Public\\runtests.bat
+rfile => C:\\Users\\Public\\runtests.bat
+msf post(upload_exec) > set session 1
+session => 1
+msf post(upload_exec) > run
+```
+
+** Run with Cobalt Strike **
+
+Using plugin in Cobalt folder, simply load it and click "EDR TEST > RUN ALL TESTS" against specified target.
+
 **Thanks**
 Everyone working on awesome projects like [LOLBAS](https://github.com/LOLBAS-Project/LOLBAS) or [Invoke-CradleCrafter](https://github.com/danielbohannon/Invoke-CradleCrafter)
\ No newline at end of file
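Review bot: The cleanup item "REMOVE RUNTEST.BAT" in Cobalt/EDR-TEST.CNA will not delete the file, because cmd.exe's `del` has no `/y` switch and rejects the command as an invalid switch. The test batch file therefore stays on the endpoint after a purple-team run. The line should read `bshell($1, "del /q runtests.bat");`. Both the run and the delete also use a bare relative name, so cleanup only finds the file if the working directory has not changed since the upload; a comment stating that assumption would help, for example `# runtests.bat is uploaded to and removed from the beacon's current directory`. The menu label says RUNTEST.BAT while the file is runtests.bat, and the label should match the file name.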