Data Model

Overview

Cobalt Strike 3.0's team server is a broker for information collected by Cobalt Strike during your engagement. Cobalt Strike parses output from its Beacon payload to extract targets, services, and credentials.

If you'd like to export Cobalt Strike's data, you may do so through Reporting -> Export Data. Cobalt Strike provides options to export its data as TSV and XML files. The Cobalt Strike client's export data feature will merge data from all of the team servers you're currently connected to.

Targets

You may interact with Cobalt Strike's target information through View -> Targets. This tab displays the same information as the Targets Visualization. Press Add to add new targets to Cobalt Strike's data model.

Services

From a targets display, right-click a host and select Services. This will open Cobalt Strike's services browser. Here you may browse services, assign notes to different services, and remove service entries.

Credentials

Go to View -> Credentials to interact with Cobalt Strike's credential model. Press Add to add an entry to the credential model. You may hold Shift and press Save to keep the dialog open and make it easier to add new credentials to the model. Press Copy to copy the highlighted entries to your clipboard.

Maintenance

All of the data Cobalt Strike collects is stored in the data/ sub-folder of the directory you started your team server from.

If you'd like to clear Cobalt Strike's data model, stop the team server and delete the data/ folder and its contents. Cobalt Strike will recreate the data/ folder the next time you start the team server.

If you’d like to archive the data model, stop the team server, and use your favorite program to store the data/ folder and its files elsewhere. To restore the data model, stop the team server, and restore the old content to the data/ folder. Cobalt Strike's data model keeps all of its state and state metadata in the data/ folder.
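
The archive and restore steps above as a shell sketch. This is an added example, not code shipped with Cobalt Strike. It assumes the team server is already stopped, that both paths are absolute, and that tar and sha256sum are available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: archive and restore the data/ folder of a stopped team server.
# Assumption: the caller has already stopped the team server.

# archive_data_model <team_server_dir> <archive.tar.gz>   (absolute paths)
archive_data_model() {
    ts_dir=$1; archive=$2
    [ -d "$ts_dir/data" ] || { echo "no data/ folder in $ts_dir" >&2; return 1; }
    (
        umask 077    # the data model includes credentials: owner-only files
        tar -C "$ts_dir" -czf "$archive" data &&
        cd "$(dirname "$archive")" &&
        sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256"
    )
}

# restore_data_model <archive.tar.gz> <team_server_dir>   (absolute paths)
restore_data_model() {
    archive=$1; ts_dir=$2
    # Check the digest recorded at archive time before touching data/.
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) ||
        { echo "checksum mismatch for $archive" >&2; return 1; }
    # Refuse archives that have a top-level entry other than data/.
    if tar -tzf "$archive" | grep -Eqv '^data(/|$)'; then
        echo "archive has entries outside data/" >&2; return 1
    fi
    # Replace the current data/ folder with the archived content.
    rm -rf "$ts_dir/data"
    ( umask 077; tar -C "$ts_dir" -xzf "$archive" )
}
```

Store the .sha256 file with the archive; restore_data_model refuses to run without a matching digest and leaves the existing data/ folder in place when the check fails.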

Reporting -> Reset Data resets Cobalt Strike’s data model without a team server restart.