This short post is a follow up to the post “Manage Cobalt Strike with Services” where I described a method to automate Cobalt Strike teamservers by creating services.
In this post, I will take a closer look at the aggressor function that is used to create listeners listener_create_ext to expanded on the documentation and provide an example.
The documentation shows three arguments. Let’s focus on $3, the key/value pairs. The key/values control the settings used to setup a listener.
From the Documentation
listener_create_ext Create a new listener.
$1- the listener name
$2- the payload (e.g., windows/beacon_http/reverse_http)
$3- a map with key/value pairs that specify options for the listener
Let’s break down the options with an aggressor script that creates an HTTP listener. I formatted the script to be easier to read and added comments to provide a bit of guidance.
listener_create_ext( "HTTP", # Listener name, use something unique across all teamservers (i.e., server1-http) "windows/beacon_http/reverse_http", # Listener type, remember, payloads are driven by listeners %(host => "stage.host", # Staging host, Only one staging host can be set profile => "default", # The profile variant name, variants are set in the malleable c2 profile port => 80, # Port for c2 communications beacons => "b1.host,b2.host", # Comma separated list of beacon hosts althost => "alt.host", # host header value bindto => 8080, # The port HTTP Beacon payload web server will bind to. strategy => "failover-5x", # Host rotation strategy aka fail strategy proxy => "http://user:email@example.com:8080" # Proxy host settings ) );
This aggressor script will create a listener that looks like this in the GUI.