Starting the Team Server

Cobalt Strike is split into client and a server components. The server, referred to as the team server, is the controller for the Beacon payload and the host for Cobalt Strike’s social engineering features. The team server also stores data collected by Cobalt Strike and it manages logging. The team server is located in the “server” folder.

The Cobalt Strike team server must run on a supported Linux system. To start a Cobalt Strike team server, issue the following command to run the team server script included with the Cobalt Strike Linux package:

figure 3 - Starting the Team Server

./teamserver <ip_address> <password> [<malleableC2profile> <kill_date>]

The team server script uses the following two mandatory and two optional parameters:

IP Address - (mandatory) Enter the externally reachable IP address of the team server. Cobalt Strike uses this value as a default host for its features.

Password - (mandatory) Enter a password that your team members will use to connect the Cobalt Strike client to the team server.

Malleable C2 Profile - (optional) Specify a valid Malleable C2 Profile. See Malleable Command and Control for more information on this feature.

Kill Date - (optional) Enter a date value in YYYY-MM-DD format. The team server will embed this kill date into each Beacon stage it generates. The Beacon payload will refuse to run on or after this date and will also exit if it wakes up on or after this date.

When the team server starts, it will publish the SHA256 hash of the team server’s SSL certificate. Distribute this hash to your team members. When your team members connect, their Cobalt Strike client will ask if they recognize this hash before it authenticates to the team server. This is an important protection against man-in-the-middle attacks.

Team Server Properties File

TeamServer.prop is an optional file containing a number of parameters that can be used to customize settings. This file is not included in the distribution as the defaults are the recommended settings. If there is a need to modify the settings, download the default TeamServer.prop file from https://github.com/Cobalt-Strike/teamserver-prop repository into the Cobalt Strike installation directory. Make any modifications and restart the teamserver.

For additional information on a setting see the README.md in the repository and comments in the TeamServer.prop file.

 

Related Topics