Cobalt Strike has several report options to help make sense of your data and convey a story to your clients. You may configure the title, description, and hosts displayed in most reports.

Go to Reporting and choose one of the reports to generate. Cobalt Strike will export your report as an MS Word or PDF document.

Report Types

  • Activity Report (.pdf)
    The activity report provides a timeline of red team activities.
  • Hosts Report (.pdf)
    The hosts report summarizes Cobalt Strike's data model on a per-host basis. Hosts, services, credentials, and sessions are documented here.
  • Indicators of Compromise Report (.pdf)
    This report resembles an Indicators of Compromise appendix from a threat intelligence report. It contains a sample of Beacon traffic (derived from the Malleable C2 profile), MD5 hashes for files put on systems, and hosts/domains used for Beacon callbacks.
  • Sessions Report (.pdf)
    This report provides full disclosure of red team activity. It captures each session, the communication path of that session, MD5 hashes of files put on target during that session, and it provides a running log of red team activity.
  • Social Engineering Report (.pdf)
    The social engineering report documents each round of spear phishing emails, who clicked, and what was collected from each user that clicked. This report also shows applications discovered by the system profiler.

Custom Logo

Cobalt Strike reports display a Cobalt Strike logo at the top of the first page. You may replace this with an image of your choosing. Go to Cobalt Strike -> Preferences -> Reporting and set the image you'd like to use. You may also set an accent color. The accent color is the thick line below your image on the first page of the report.

Report Preferences

Your custom image should be 1192x257px set to 300dpi. The 300dpi setting is necessary for the reporting engine to render your image at the right size.

Custom Reports

Cobalt Strike uses a domain specific language to define its reports. You may load your own reports through the Report Preferences dialog. To learn more about this feature, consult the Custom Reports chapter of the Aggressor Script documentation.