Scripting Cobalt Strike

Cobalt Strike is scriptable through its Aggressor Script language. Aggressor Script allows you to modify and extend the Cobalt Strike client.

History

Aggressor Script is the spiritual successor to Cortana, the open source scripting engine in Armitage. Cortana was made possible by a contract through DARPA's Cyber Fast Track program. Cortana allows its users to extend Armitage and control the Metasploit® Framework and its features through Armitage's team server. Cobalt Strike 3.0 is a ground-up rewrite of Cobalt Strike without Armitage as a foundation. This change afforded an opportunity to revisit Cobalt Strike's scripting and build something around Cobalt Strike's features. The result of this work is Aggressor Script.

Aggressor Script is a scripting language for red team operations and adversary simulations, inspired by scriptable IRC clients and bots. Its purpose is two-fold. You may create long-running bots that simulate virtual red team members, hacking side-by-side with you. You may also use it to extend and modify the Cobalt Strike client to your needs.

Loading Scripts

Aggressor Script is built into the Cobalt Strike client. To manage scripts, go to Cobalt Strike -> Script Manager and press Load.

Figure 8 - Script Manager

A default script inside of Cobalt Strike defines all of Cobalt Strike’s popup menus and formats information displayed in Cobalt Strike’s consoles. Through the Aggressor Script engine, you may override these defaults and customize Cobalt Strike to your preferences.

You may also use Aggressor Script to add new features to Cobalt Strike’s Beacon and to automate certain tasks.

To learn more, see the Aggressor Script documentation.

 
