Getting Started
Cobalt Strike functions as a client/server framework. The server is called teamserver and it typically runs on a host that all operators have access to. The operators use the client (cobaltstrike-client) to connect to the teamserver to perform their actions.
Starting the Team Server
To start the Team Server, use the following command:
teamserver <ip-address> <shared-password> [<malleableC2profile> <kill-date>]
- IP Address is mandatory. This is the IP address of the Team Server.
- Password is mandatory. This is the shared password given to the red team operators.
- Malleable C2 Profile is optional. This is for using a specific profile.
- Kill Date is optional. This date is embedded in the beacons that are generated, and those beacons will not work past this date.
Example:
sudo ./teamserver 10.10.10.2 P@ssw0rd
On startup, the Team Server prints a SHA256 hash of its SSL certificate. The Client will present this hash on connection so the operator can confirm they are connecting to the proper Team Server.
. . .
[+] Team server is up on 0.0.0.0:50050
[*] SHA256 hash of SSL cert is: ad08da875f894d9298ce270270bceeb0c864888d55cc2e0a5d699cea7e27f4c2
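The same fingerprint comparison can be scripted so the value is checked character for character rather than by eye. This is an added example, not part of the original page or of Cobalt Strike; the function names are hypothetical, and it assumes the printed hash is the SHA-256 of the DER-encoded certificate, which is what openssl reports.

```shell
#!/bin/sh
# Added example: compare a TLS certificate fingerprint with the hash the
# Team Server printed at startup.
# Assumption: that hash is the SHA-256 of the DER-encoded certificate.

# Normalise a fingerprint to bare lowercase hex: drops an openssl-style
# "sha256 Fingerprint=" prefix, colons and whitespace.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Succeeds only when the value is exactly 64 lowercase hex characters.
is_sha256_hex() {
    case "$1" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Print the SHA-256 fingerprint of the certificate served at host:port.
fetch_fp() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Return 0 on match, 1 on mismatch, 2 when either value is not a SHA-256.
fp_matches() {
    expected=$(normalize_fp "$1")
    observed=$(normalize_fp "$2")
    is_sha256_hex "$expected" && is_sha256_hex "$observed" || return 2
    [ "$expected" = "$observed" ]
}

# Usage: verify_teamserver <host> <port> <hash-from-startup-output>
verify_teamserver() {
    observed=$(fetch_fp "$1" "$2") || return 2
    fp_matches "$3" "$observed"
}

# When run as a script with three arguments, perform the check directly.
if [ "$#" -eq 3 ]; then
    verify_teamserver "$@"
fi
```

A non-zero exit status means the certificate on the wire is not the one the Team Server announced, or the input was malformed, and the connection should not be accepted.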
Note: It is recommended that the Team Server be started in a tmux session in case the SSH connection goes down. Additionally, it should be started using sudo, or by the root user.
Starting the Client
To start the Client on a Windows system:
- Locate the cobaltstrike-client.cmd file and double-click on it to launch the Client
- From the command-line, execute the cobaltstrike-client.cmd file:
.\cobaltstrike-client.cmd
To start the Client on a Linux or macOS system:
- Open the terminal and execute the cobaltstrike-client.sh script:
./cobaltstrike-client.sh
Regardless of the system that the Client is launched from, the Java GUI will load on the operator's desktop.
Note: Keep in mind that if you run the Client on a macOS system, you will need to grant it permissions to access Files and Folders or grant Full Disk Access.