Aggressor Script Compatibility Guide

This page documents version-to-version changes in Cobalt Strike that may affect compatibility with your current Aggressor Scripts. In general, it's Strategic Cyber LLC's goal that a script written for Cobalt Strike 3.0 is forward-compatible with future 3.x releases. Major product releases (e.g., 3.0 -> 4.0) do give us some license to revisit APIs and break some of this compatibility. Sometimes, a compatibility-breaking API change is inevitable. These changes are documented here.

Cobalt Strike 4.0

1. Cobalt Strike 4.0 made major changes to Cobalt Strike's listener management systems. These changes included name changes for several payloads. Scripts that analyze the listener payload name should note these changes:

  • windows/beacon_smb/bind_pipe is now windows/beacon_bind_pipe
  • windows/beacon_tcp/bind_tcp is now windows/beacon_bind_tcp

2. Cobalt Strike 4.0 moves away from payload stagers. Stageless payloads are preferred in all post-ex workflows. Where stageless isn't possible, use an explicit stager that works with all payloads.

The jump psexec_psh lateral movement attack is a good example of the above. This automation generates a bind_pipe stager to fit within the size constraints of a PowerShell one-liner. All payloads are sent through this staging process, regardless of their configuration.

This convention change will break some privilege escalation scripts that follow the pre-4.0 patterns in the Elevate Kit. &bstage is now gone as its underlying functionality was changed too much to include in Cobalt Strike 4.0. Where possible, privilege escalation scripts should use &payload to export a payload, run it via the technique, and use &beacon_link to connect to the payload. If a stager is required, use &stager_bind_tcp to export a TCP stager and &beacon_stage_tcp to stage a payload through this stager.

3. Cobalt Strike 4.0 removes the following Aggressor Script functions:

| Function | Replacement | Reason |
|---|---|---|
| &bbypassuac | &belevate | &belevate is the preferred function to spawn an elevated session on the local system |
| &bpsexec_psh | &bjump | &bjump is the preferred function to spawn a session on a remote target |
| &brunasadmin | &belevate_command | runasadmin was expanded to allow multiple options to run a command in an elevated context |
| &bstage | multiple functions | &bstage would stage AND link when needed. Bind staging is now explicit with &beacon_stage_tcp or &beacon_stage_pipe. &beacon_link is the general "link to this listener" step. |
| &bwdigest | &bmimikatz | Use &bmimikatz to run this command... if you really want to. :) |
| &bwinrm | &bjump, winrm or winrm64 | &bjump is the preferred function to spawn a session on a remote target |
| &bwmi | | No stageless WMI lateral movement option exists in CS 4.0 |

4. Cobalt Strike 4.0 deprecates the following Aggressor Script functions:

| Function | Replacement | Reason |
|---|---|---|
| &artifact | &artifact_stager | Consistent arguments; consistent naming convention |
| &artifact_stageless | &artifact_payload | Consistent naming; no need for a callback in Cobalt Strike 4.0 |
| &drow_proxyserver | | Proxy config is now tied to the listener and not needed when exporting a payload stage. |
| &drow_listener_smb | &drow_listener_stage | These functions are now equivalent to each other |
| &listener_create | &listener_create_ext | A lot more options required a change in how arguments are passed |
| &powershell | &powershell_command, &artifact_stager | Consistency; de-emphasis on PowerShell one-liners in API |
| &powershell_encode_oneliner | &powershell_command | Clearer naming. |
| &powershell_encode_stager | &powershell_command, &artifact_general | Consistency; clearer separation of parts in API |
| &shellcode | &stager | Consistent arguments; consistent naming |
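
As an added example (not part of Cobalt Strike or of this guide's own code), the Python checker below scans Aggressor Script source for the renamed payload names and the removed and deprecated functions listed above, ignoring matches inside comments, variables and unrelated strings. The `lint` function, the simplified tokenizer and the `SAMPLE` input are assumptions constructed for illustration.

```python
import re
# Tables transcribed from this guide; None means no replacement is listed.
REMOVED = {
    "bbypassuac": "&belevate", "bpsexec_psh": "&bjump", "bwmi": None,
    "brunasadmin": "&belevate_command", "bwdigest": "&bmimikatz",
    "bstage": "&beacon_stage_tcp or &beacon_stage_pipe, then &beacon_link",
    "bwinrm": "&bjump, winrm or winrm64",
}
DEPRECATED = {
    "artifact": "&artifact_stager", "artifact_stageless": "&artifact_payload",
    "drow_proxyserver": None, "drow_listener_smb": "&drow_listener_stage",
    "listener_create": "&listener_create_ext", "shellcode": "&stager",
    "powershell": "&powershell_command, &artifact_stager",
    "powershell_encode_oneliner": "&powershell_command",
    "powershell_encode_stager": "&powershell_command, &artifact_general",
}
RENAMED_PAYLOADS = {
    "windows/beacon_smb/bind_pipe": "windows/beacon_bind_pipe",
    "windows/beacon_tcp/bind_tcp": "windows/beacon_bind_tcp",
}
TOKEN = re.compile(r'''
    (?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')   # string (single-line approximation)
  | \#.*                                           # comment to end of line
  | [$@%][A-Za-z_]\w*                              # variable, never a call
  | (?P<amp>&?)(?P<name>[A-Za-z_]\w*)(?P<call>\s*\()?   # &name reference or name( call
''', re.X)

def lint(source):
    """Return (line, kind, old, replacement) for each 4.0 compatibility hit."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in TOKEN.finditer(line):
            if m.group("str"):
                old = m.group("str")[1:-1]
                if old in RENAMED_PAYLOADS:
                    findings.append((no, "renamed-payload", old, RENAMED_PAYLOADS[old]))
            elif m.group("name") and (m.group("amp") or m.group("call")):
                for kind, table in (("removed", REMOVED), ("deprecated", DEPRECATED)):
                    if m.group("name") in table:
                        findings.append((no, kind, "&" + m.group("name"), table[m.group("name")]))
    return findings

SAMPLE = '''\
# constructed sample input; bstage() here is only inside a comment
if ($payload eq "windows/beacon_smb/bind_pipe") {
    bstage($1, $null, $2, "x86");
}
$data = artifact_payload($2, "exe", "x64");
$cmd = powershell($2, false);
'''
```

Calling `lint(SAMPLE)` reports the renamed payload string on line 2, the removed &bstage call on line 3 and the deprecated &powershell call on line 6, while &artifact_payload is left alone.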