- Navigate to Cobalt Strike -> Script Manager and Load the
serverside_payload_generation.cnascript. - A new menu option Server-Side Payloads will now be available on the top menu bar.
Server-Side Payloads Manu Item
Cobalt Strike's Stager Payload Generator outputs source code and artifacts to stage a Cobalt Strike listener onto a host.
Navigate to Server-Side Payloads -> Stager Payload Generator
Stager Payload Generator
Parameters
- Filename: Name of the payload.
- Listener: Press the ... button to select a Cobalt Strike listener you would like to output a payload for.
- Output: Use the drop-down to select one of the following output types (most options give you shellcode formatted as a byte array for that language):
- C: Shellcode formatted as a byte array.
- C#: Shellcode formatted as a byte array.
- COM Scriptlet: A .sct file to run a listener.
- Java: Shellcode formatted as a byte array.
- Perl: Shellcode formatted as a byte array.
- PowerShell: PowerShell script to run shellcode
- PowerShell Command: PowerShell one-liner to run a Beacon stager.
- Python: Shellcode formatted as a byte array.
- Raw: blob of position independent shellcode.
- Ruby: Shellcode formatted as a byte array.
- Veil: Custom shellcode suitable for use with the Veil Evasion Framework.
- VBA: Shellcode formatted as a byte array.
- x64: Check the box to generate an x64 stager for the selected listener.
Cobalt Strike's Stageless Payload Generator outputs source code and artifacts, without a stager, to a Cobalt Strike listener onto a host.
Navigate to Server-Side Payloads -> Stageless Payload Generator
Stageless Payload Generator
Parameters
- Filename: Name of the payload.
- Listener: Press the ... button to select a Cobalt Strike listener you would like to output a payload for.
- Guardrails: By default, the Listener guardrails will be used. Use this textbox to overwrite the settings por the beacon (The format should be
Key1=Value1and the possible keys are:IP,User,ServerandDomain). Wildcards are supported. - Output: Use the drop-down to select one of the following output types (most options give you shellcode formatted as a byte array for that language):
- C: Shellcode formatted as a byte array.
- C#: Shellcode formatted as a byte array.
- Java: Shellcode formatted as a byte array.
- Perl: Shellcode formatted as a byte array.
- Python: Shellcode formatted as a byte array.
- Raw: blob of position independent shellcode.
- Ruby: Shellcode formatted as a byte array.
- VBA: Shellcode formatted as a byte array.
- UDRL Aggressor Script: Aggressor Script to hook your desired server-side UDRL
- Sleepmask Aggressor Script: Aggressor Script to hook your desired server-side Sleepmask
- Options: User defined options map to pass to the hooks when generating the payload. The format should be
Key1=Value1or"Key with spaces"="Value with spaces". - Exit Function: This function determines the method/behavior that Beacon uses when the exit command is executed.
- Process: Terminates the whole process.
- Thread: Terminates only the current thread.
- System Call: Select one of the following system call methods to use at execution time when generating a stageless beacon payload from the Cobalt Strike UI or a supported aggressor function:
- None: Use the standard Windows API function.
- Direct: Use the Nt* version of the function.
- Indirect: Jump to the appropriate instruction within the Nt* version of the function.
- HTTP Library: Select the Microsoft library (WinINet or WinHTTP) for the generated payload.
- DNS Comm Mode: This option allows you to use DNS Over HTTPS (DOH) for egressing from the target using a DNS Beacon. The default value is determined by Malleable C2 “comm_mode“ option from listener definition. You can define more DOH configuration options in Malleable C2.
- x64: Check the box to generate an x64 payload for the selected listener.
This dialog allows you to download a server-side generated payload on the client machine.
Download Payloads
Parameters
- Filename: Name of the payload to download.