External C2

External C2 is a specification to allow third-party programs to act as a communication layer for Cobalt Strike’s Beacon payload. These third-party programs connect to Cobalt Strike to read frames destined for, and write frames with output from payloads controlled in this way. The External C2 server is what these third-party programs use to interface with your Cobalt Strike team server.

External C2 Listener Setup

To create an External C2 Beacon listener select Cobalt Strike -> Listeners on the main menu and press the Add button at the bottom of the Listeners tab display.

The New Listener panel displays.

Go to Cobalt Strike -> Listeners, press Add, and choose External C2 as your payload.

figure 33 - External C2

Select External C2 as the Payload type and give the listener a Name. Make sure to give the new listener a memorable name as this name is how you will refer to this listener through Cobalt Strike’s commands and workflows.

NOTE:

External C2 listeners are not like other Cobalt Strike listeners. You cannot target these with Cobalt Strike’s post-exploitation actions. This option is just a convenience to stand up the interface itself.

Specification

The External C2 interface is described in the External C2 specification.

Third-party Materials

Here's a list of third-party projects and posts that reference, use, or build on External C2:

 

Related Topics