Cobalt Strike Basics

Starting Cobalt Strike Team Server

./teamserver {IP} {password}

Connecting to Team Server

Connecting From a Windows Client
Verifying the Connection in Kali Linux.

Listener Management

A "listener" is a host/port/protocol combination that "listens" for incoming communication from Cobalt Strike's payload, Beacon. The two main flavours of listeners are egress and peer-to-peer. The egress listener that you will use the majority of the time is the HTTP listener. This listener acts like a web server, where the Team Server and Beacon will encapsulate their communications over HTTP. The "appearance" (bodies, headers, cookies, URIs, etc.) of this HTTP traffic can be tightly controlled using Malleable C2 Profiles.

Peer-to-peer listeners allow Beacons to chain their communications together over SMB or TCP. These are particularly useful in cases where a machine that you compromise cannot reach your Team Server directly over HTTP.

To create an HTTP listener, go to Cobalt Strike > Listeners and a new tab will open. Click the Add button and a New Listener dialogue will appear. Select Beacon HTTP as the payload type and enter a descriptive name. This listener name is used in several Beacon commands (such as when moving laterally), so make sure it describes the listener well. Click the + button next to HTTP Hosts, which should autocomplete to the Kali IP address (10.10.5.120). This is fine, so click OK. Leave everything else as it is and click Save.

Generating Payloads

To generate a payload for this listener, go to Attacks > Packages > Windows Executable (S). Cobalt Strike can generate both staged and stageless payloads. Whenever you see (S) within the UI, it's an indication that it's using a stageless payload.

OPSEC: Staged payloads are good if your delivery method limits the amount of data you can send. However, they tend to have more indicators than stageless payloads. Given the choice, go stageless.

Select the HTTP listener created previously, select Windows EXE as the output and tick Use x64.

OPSEC: The use of 64-bit payloads on 64-bit Operating Systems is preferable to using 32-bit payloads on 64-bit Operating Systems.

Click Generate and save the file to C:\Payloads. Now execute that EXE and you should see a new Beacon appear.
Beacon Appearing in the listener tab.
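
The OPSEC note above says staged payloads carry more indicators. One that defenders hunt for, shown here as an added example that is not part of the original page: Cobalt Strike's default HTTP stager follows the Metasploit staging convention and requests a four-character URI whose 8-bit character checksum is 92 (x86) or 93 (x64). The proxy-log layout and sample lines are constructed, and because a Malleable C2 profile can change the staging URI, a match is a hunting lead rather than proof.

```python
import re

# Checksum values of the Metasploit-compatible staging convention that the
# default HTTP stager follows: 92 requests the x86 stage, 93 the x64 stage.
STAGER_CHECKSUMS = {92: "x86", 93: "x64"}
SHORT_URI = re.compile(r"^/[A-Za-z0-9]{4}$")  # default stager paths: 4 alphanumerics

def checksum8(uri: str) -> int:
    """Sum of the path's character values (slashes ignored) modulo 256."""
    return sum(ord(c) for c in uri.replace("/", "")) % 256

def classify(uri: str):
    """Return 'x86' or 'x64' if the path looks like a default stager request."""
    path = uri.split("?", 1)[0]
    if not SHORT_URI.match(path):
        return None
    return STAGER_CHECKSUMS.get(checksum8(path))

def hunt(log_lines):
    """Return (client, host, path, arch) for successful GETs matching the pattern."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 6 or parts[2] != "GET":
            continue  # the stage is fetched with GET; skip everything else
        client, host, path, status = parts[1], parts[3], parts[4], parts[5]
        arch = classify(path)
        if arch and status == "200":
            hits.append((client, host, path, arch))
    return hits

# Constructed sample log. Assumed layout (hypothetical proxy format):
# timestamp client method host path status bytes
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.10.5.20 GET intranet.example /index.html 200 5120",
    "2024-01-01T10:00:05Z 10.10.5.21 GET 10.10.5.120 /aaa9 200 261120",
    "2024-01-01T10:00:09Z 10.10.5.22 GET 10.10.5.120 /aab9 200 261120",
    "2024-01-01T10:00:12Z 10.10.5.23 GET cdn.example /abcd 200 900",
    "2024-01-01T10:00:15Z 10.10.5.24 POST 10.10.5.120 /aaa9 200 10",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("possible stager download: %s -> %s%s (%s)" % hit)
```

Random four-character paths match about 2 in 256 times, so correlate hits with response size, destination reputation and the client process before escalating.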

Interacting with beacon

Tips and Shortcuts
