
3. Data Model

Cobalt Strike's team server stores your hosts, services, credentials, and other information. It also broadcasts this information and makes it available to all clients.

Data API

Use the &data_query function to query Cobalt Strike's data model. This function has access to all state and information maintained by the Cobalt Strike client. Use &data_keys to get a list of the different pieces of data you may query. This example queries all data in Cobalt Strike's data model and exports it to a text file:

command export {
	local('$handle $model');

	# open export.txt for writing, relative to the client's working directory
	$handle = openf(">export.txt");

	# write a header line and the raw contents of each data model
	foreach $model (data_keys()) {
		println($handle, "== $model ==");
		println($handle, data_query($model));
	}

	closef($handle);

	println("See export.txt for the data.");
}

Cobalt Strike provides several functions that make it more intuitive to work with the data model.

| Model | Function | Description |
| --- | --- | --- |
| applications | &applications | System Profiler Results [View -> Applications] |
| archives | &archives | Engagement events/activities |
| beacons | &beacons | Active beacons |
| credentials | &credentials | Usernames, passwords, etc. |
| downloads | &downloads | Downloaded files |
| keystrokes | &keystrokes | Keystrokes received by Beacon |
| screenshots | &screenshots | Screenshots captured by Beacon |
| services | &services | Services and service information |
| sites | &sites | Assets hosted by Cobalt Strike |
| socks | &pivots | SOCKS proxy servers and port forwards |
| targets | &targets | Hosts and host information |

These functions return an array with one row for each entry in the data model. Each entry is a dictionary with different key/value pairs that describe the entry.
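The following added example (not part of the original documentation) walks every model returned by &data_keys and prints only the entry count and the field names its rows carry, so the shape of the data model can be reviewed without writing credential or keystroke values to disk. The command name model_summary is hypothetical, and the script assumes that array-backed models hold one dictionary per entry, as described above.

```sleep
# Added example: summarize the data model by shape only (no values are printed).
# "model_summary" is a hypothetical command name chosen for this example.
command model_summary {
	local('$model $data $row $key %fields');

	foreach $model (data_keys()) {
		$data = data_query($model);

		# Some keys may not be arrays of entries; report and skip them.
		if (!-isarray $data) {
			println($model . ": not an array of entries, skipped");
			continue;
		}

		# Collect the union of field names across all rows of this model.
		%fields = %();
		foreach $row ($data) {
			if (-ishash $row) {
				foreach $key (keys($row)) {
					%fields[$key] = 1;
				}
			}
		}

		println($model . ": " . size($data) . " entries, fields: " . join(", ", sorta(keys(%fields))));
	}
}
```

Load the script and type model_summary in the Script Console to run it.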

The best way to understand the data model is to explore it through the Aggressor Script console. Go to View -> Script Console and use the x command to evaluate an expression. For example:

[Figure: Querying data from the Aggressor Script console]

Use on DATA_KEY to subscribe to changes to a specific data model.

on keystrokes {
	println("I have new keystrokes: $1");
}