Third-party Command and Control

External C2 is a specification that allows third-party programs to act as a communication layer for Cobalt Strike’s Beacon payload. These third-party programs connect to Cobalt Strike to read frames destined for, and write frames with output from, payloads controlled in this way. The External C2 server is what these third-party programs use to interface with your Cobalt Strike team server.

Go to Cobalt Strike -> Listeners, press Add, and choose External C2 as your payload.

External C2 Setup

The External C2 interface has two options. "Port (Bind)" specifies the port the External C2 server waits for connections on. Check "Bind to localhost only" to make the External C2 server localhost-only.

External C2 listeners are not like other Cobalt Strike listeners. You cannot target these with Cobalt Strike’s post-exploitation actions. This option is just a convenience to stand up the interface itself.


The External C2 interface is described in the External C2 specification.

If you'd like to adapt the example (Appendix B) in the specification into a third-party C2, you may assume a 3-clause BSD license for the code contained within the specification.

If you'd like to refer to the External C2 spec, please link to this page instead. As the documentation and resources evolve, this page will have the latest information.

Third-party Materials

Here's a list of third-party projects and posts that reference, use, or build on External C2: