Running the Client on macOS

The Cobalt Strike client may not be able to show contents of the Documents, Desktop, and Downloads folders in the file browser initially. (e.g. loading scripts, uploading files, generating payloads, etc…)

By default, macOS limits what access applications have to the Documents, Desktop, and Download folders. These applications need to explicitly be granted access to these folders.

Since Cobalt Strike is a third party application, it isn't as straight forward as granting the app "Cobalt Strike" access. You may need to give the JRE running Cobalt Strike client access to the file system. You can give access to the specific Files and Folders or Full Disk Access.

You may be prompted for the access:

Graphical user interface, text, application Description automatically generated

figure 9 - macOS Access Prompt

Or, if the access has been previously denied, you may need to edit the access in the macOS System Preferences / Security & Privacy / Privacy dialog:

Graphical user interface, application Description automatically generated

figure 10 - macOS Privacy Dialog

Please be advised that other applications that use the JRE will also have this access.

NOTE:

The same steps may also need to be taken for '/bin/bash'.

 

 

Related Topics