External C2
External C2 is a specification to allow third-party programs to act as a communication layer for Cobalt Strike’s Beacon payload. These third-party programs connect to Cobalt Strike to read frames destined for, and write frames with output from payloads controlled in this way. The External C2 server is what these third-party programs use to interface with your Cobalt Strike team server.
External C2 Listener Setup
To create an External C2 Beacon listener select Cobalt Strike -> Listeners on the main menu and press the Add button at the bottom of the Listeners tab display.
The New Listener panel displays.
Go to Cobalt Strike -> Listeners, press Add, and choose External C2 as your payload.
figure 33 - External C2
Select External C2 as the Payload type and give the listener a Name. Make sure to give the new listener a memorable name as this name is how you will refer to this listener through Cobalt Strike’s commands and workflows.
Port (Bind) - Specify the port the External C2 server waits for connections on.
Bind to localhost only - Check to make the External C2 server localhost- only.
External C2 listeners are not like other Cobalt Strike listeners. You cannot target these with Cobalt Strike’s post-exploitation actions. This option is just a convenience to stand up the interface itself.
Specification
The External C2 interface is described in the External C2 specification.
If you'd like to adapt the example (Appendix B) in the specification into a third-party C2, you may assume a 3-clause BSD license for the code contained within the specification.
Third-party Materials
Here's a list of third-party projects and posts that reference, use, or build on External C2:
- Custom Command and Control (C3) by F-Secure Labs. A framework for rapid prototyping of custom C2 channels.
- external_c2_framework by Jonathan Echavarria. A Python Framework for building External C2 clients and servers.
- ExternalC2 Library by Ryan Hanson .NET library with Web API, WebSockets, and a direct socket. Includes unit tests and comments.
- Tasking Office 365 for Cobalt Strike C2 by MWR Labs. Discussion and demo of Office 365 C2 for Cobalt Strike.
- Shared File C2 by Outflank BV. POC to use a file/share for command and control.