External C2

External C2 is a specification to allow third-party programs to act as a communication layer for Cobalt Strike’s Beacon payload. These third-party programs connect to Cobalt Strike to read frames destined for, and write frames with output from payloads controlled in this way. The External C2 server is what these third-party programs use to interface with your Cobalt Strike team server.

External C2 Listener Setup

To create an External C2 Beacon listener select Cobalt Strike -> Listeners on the main menu and press the Add button at the bottom of the Listeners tab display.

The New Listener panel displays.

Go to Cobalt Strike -> Listeners, press Add, and choose External C2 as your payload.

figure 33 - External C2

Select External C2 as the Payload type and give the listener a Name. Make sure to give the new listener a memorable name as this name is how you will refer to this listener through Cobalt Strike’s commands and workflows.

NOTE:

External C2 listeners are not like other Cobalt Strike listeners. You cannot target these with Cobalt Strike’s post-exploitation actions. This option is just a convenience to stand up the interface itself.

Specification

The External C2 interface is described in the External C2 specification.

If you'd like to adapt the example (Appendix B) in the specification into a third-party C2, you may assume a 3-clause BSD license for the code contained within the specification.

Third-party Materials

Here's a list of third-party projects and posts that reference, use, or build on External C2:

 

Related Topics