This short post is a follow up to the post “Manage Cobalt Strike with Services” where I described a method to automate Cobalt Strike teamservers by creating services.
In this post, I will take a closer look at the aggressor function that is used to create listeners listener_create_ext to expanded on the documentation and provide an example.
The documentation shows three arguments. Let’s focus on $3, the key/value pairs. The key/values control the settings used to setup a listener.
From the Documentation
listener_create_ext Create a new listener.
Arguments
$1 - the listener name$2 - the payload (e.g., windows/beacon_http/reverse_http)$3 - a map with key/value pairs that specify options for the listener
Let’s break down the options with an aggressor script that creates an HTTP listener. I formatted the script to be easier to read and added comments to provide a bit of guidance.
listener_create_ext(
"HTTP", # Listener name, use something unique across all teamservers (i.e., server1-http)
"windows/beacon_http/reverse_http", # Listener type, remember, payloads are driven by listeners
%(host => "stage.host", # Staging host, Only one staging host can be set
profile => "default", # The profile variant name, variants are set in the malleable c2 profile
port => 80, # Port for c2 communications
beacons => "b1.host,b2.host", # Comma separated list of beacon hosts
althost => "alt.host", # host header value
bindto => 8080, # The port HTTP Beacon payload web server will bind to.
strategy => "failover-5x", # Host rotation strategy aka fail strategy
proxy => "http://user:[email protected]:8080" # Proxy host settings
)
);
This aggressor script will create a listener that looks like this in the GUI.
References:
- https://www.cobaltstrike.com/aggressor-script/functions.html#listener_create_ext
- https://www.cobaltstrike.com/help-http-beacon
- https://www.cobaltstrike.com/2021/06/23/manage-cobalt-strike-with-services/
