Distributed and Team Operations

Use Cobalt Strike to coordinate a distributed red team effort. Stage Cobalt Strike on one or more remote hosts. Start your team servers and have your team connect.

Figure 6 - Distributed Operations with Cobalt Strike

Once connected to a team server, your team will:

  • Use the same sessions

  • Share hosts, captured data, and downloaded files

  • Communicate through a shared event log

The Cobalt Strike client may connect to multiple team servers. Go to Cobalt Strike -> New Connection to initiate a new connection. When connected to multiple servers, a switchbar will show up at the bottom of your Cobalt Strike window.

Figure 7 - Server Switchbar

This switchbar allows you to switch between active Cobalt Strike server instances. Each server has its own button. Right-click a button and select Rename to make the button’s text reflect the role of the server during your engagement. To better indicate which server is active, its button is displayed in bold text and in the color set under Cobalt Strike -> Preferences -> TeamServers. The button name also identifies the server in the Cobalt Strike Activity Report.

When connected to multiple servers, Cobalt Strike aggregates listeners from all of the servers it’s connected to. This aggregation allows you to send a phishing email from one server that references a malicious website hosted on another server. At the end of your engagement, Cobalt Strike’s reporting feature will query all of the servers you’re connected to and merge the data to tell one story.

Reconnecting the Client

When the user initiates the disconnection with the Menu, Toolbar, or Switchbar Server button, a red banner displays with Reconnect and Close buttons.

Press Close to close the window. Press Reconnect to reconnect to the TeamServer.

If the TeamServer is not available, a dialog displays asking whether you want to retry (Yes/No). If you choose Yes, the connection is attempted again (repeating if needed). If you choose No, the dialog closes.

When the disconnection is initiated by the TeamServer or caused by another network interruption, the red banner displays a message with a countdown to the next connection retry. This repeats until a connection is made with the TeamServer or the user clicks Close. In this case, the user can still interact with other parts of the UI.

When the client reconnects, the red reconnect bar disappears.
