4. Listeners

Listeners are Cobalt Strike's abstraction on top of payload handlers. A listener is a name attached to payload configuration information (e.g., protocol, host, port) and, in some cases, a promise to set up a server to receive connections from the described payload.

Listener API

Aggressor Script aggregates listener information from all of the team servers you're currently connected to. This makes it easy to pass sessions to another team server. To get a list of all listener names, use the &listeners function. If you would like to work with local listeners only, use &listeners_local. The &listener_info function resolves a listener name to its configuration information. This example dumps all listeners and their configuration to the Aggressor Script console:

command listeners {
	local('$name $key $value');
	foreach $name (listeners()) {
		println("== $name == ");
		foreach $key => $value (listener_info($name)) {
			println("$[20]key : $value");
		}
	}
}

Creating Listeners

Use &listener_create_ext to create a listener and start a payload handler associated with it.

Choosing Listeners

Use &openPayloadHelper to open a dialog that lists all available listeners. After the user selects a listener, this dialog will close, and Cobalt Strike will run a callback function. Here's the source code for Beacon's spawn menu:

item "&Spawn" {
	openPayloadHelper(lambda({
		binput($bids, "spawn $1");
		bspawn($bids, $1);
	}, $bids => $1));
}

Stagers

A stager is a tiny program that downloads a payload and passes execution to it. Stagers are ideal for size-constrained payload delivery vectors (e.g., a user-driven attack, a memory corruption exploit, or a one-liner command). Stagers do have downsides though. They introduce an additional component to your attack chain that can be disrupted. Cobalt Strike's stagers are based on the stagers in the Metasploit Framework, and these are well-signatured and understood in memory as well. Use payload-specific stagers if you must, but it's best to avoid them otherwise.

Use &stager to export a payload stager tied to a Cobalt Strike payload. Not all payload options have an explicit payload stager. Not all stagers have x64 options.

The &artifact_stager function will export a PowerShell script, executable, or DLL that runs a stager associated with a Cobalt Strike payload.

Local Stagers

For post-exploitation actions that require the use of a stager, use a localhost-only bind_tcp stager. The use of this stager allows a staging-required post-exploitation action to work with all of Cobalt Strike's payloads equally.

Use &stager_bind_tcp to export a bind_tcp payload stager. Use &beacon_stage_tcp to deliver a payload to this stager.

&artifact_general will accept this arbitrary code and generate a PowerShell script, executable, or DLL to host it.

Named Pipe Stager

Cobalt Strike does have a bind_pipe stager that is useful for some lateral movement situations. This stager is x86 only. Use &stager_bind_pipe to export this bind_pipe stager. Use &beacon_stage_pipe to deliver a payload to this stager.

&artifact_general will accept this arbitrary code and generate a PowerShell script, executable, or DLL to host it.

Stageless Payloads

Use &payload to export a Cobalt Strike payload (in its entirety) as a ready-to-run position-independent program.

&artifact_payload will export a PowerShell script, executable, or DLL that contains this payload.