# Cobalt Strike MCP Server
Model Context Protocol server for managing Cobalt Strike operations through natural language commands.
Currently only tested with Cursor and Claude on Windows.
<img width="500" height="1089" alt="image" src="https://github.com/user-attachments/assets/3150c2eb-9360-4db3-ae3d-4543796f576e" />
## Prerequisites
- Node.js 18.0.0 or higher
- npm package manager
- Cobalt Strike teamserver with REST API enabled
- Network connectivity to Cobalt Strike teamserver
## Installation
### Windows Installation
#### Prerequisites
1. Install Node.js 18.0.0 or higher from [nodejs.org](https://nodejs.org/)
2. Open PowerShell or Command Prompt as Administrator (for global installation)
#### Global Installation (Recommended)
Install the package globally to make the `cobaltstrike-mcp` command available system-wide:
**PowerShell:**
```powershell
npm install -g .
```
### macOS/Linux Installation
#### Global Installation (Recommended)
Install the package globally to make the `cobaltstrike-mcp` command available system-wide:
```bash
npm install -g .
```
## Configuration
Before using the MCP server, you need to configure it with your Cobalt Strike teamserver credentials.
### Initial Setup
Run the setup command to configure the server:
```bash
cobaltstrike-mcp --setup
```
This will prompt you for:
- **Teamserver URL**: The full URL to your Cobalt Strike REST API (e.g., `https://teamserver.example.com:50050`)
- **Username**: Your Cobalt Strike username
- **Password**: Your Cobalt Strike password
- **Verify SSL**: Whether to verify SSL certificates (yes/no)
Credentials are stored securely in your OS credential manager (keyring).
### Configuration Location
Configuration files are stored in:
- **Windows**: `%USERPROFILE%\.cobaltstrike-mcp\` or `C:\Users\<username>\.cobaltstrike-mcp\`
- **macOS/Linux**: `~/.cobaltstrike-mcp/`
Files:
- `config.json` - Non-sensitive configuration (URL, SSL settings)
- Credentials are not kept in a file; they are stored in the OS keyring (Windows Credential Manager on Windows)
## Usage
### With Claude Desktop
Add the MCP server to your Claude Desktop configuration:
**macOS**: `~/Library/Application Support/Claude/claude_desktop_config.json`
**Windows**: `%APPDATA%\Claude\claude_desktop_config.json`
**Linux**: `~/.config/Claude/claude_desktop_config.json`
```json
{
  "mcpServers": {
    "cobaltstrike": {
      "command": "cobaltstrike-mcp",
      "args": []
    }
  }
}
```
### With Cursor
Cursor supports MCP servers through its settings. To configure this MCP server in Cursor:
1. **Open Cursor Settings**:
- Press `Ctrl+,` (Windows/Linux) or `Cmd+,` (macOS)
- Or go to `File > Preferences > Settings`
2. **Navigate to MCP Settings**:
- Search for "MCP" in the settings search bar
- Or look for "Model Context Protocol" settings
3. **Add the MCP Server**:
- Click "Add MCP Server" or edit the MCP configuration
- Add the following configuration:
```json
{
  "mcpServers": {
    "cobaltstrike": {
      "command": "cobaltstrike-mcp",
      "args": []
    }
  }
}
```
4. **Restart Cursor** after making changes to the configuration.
### Available Tools
This MCP server provides comprehensive access to Cobalt Strike operations through **200+ tools** organized into the following categories:
#### Teamserver Operations
- `get_teamserver_info` - Get information about the Cobalt Strike teamserver (version, license, stats)
- `test_connection` - Test the connection to the Cobalt Strike REST API server
#### Beacon Operations
- `list_beacons` - List all active beacons in the teamserver
- `get_beacon` - Get detailed information about a specific beacon by ID
- `execute_beacon_command` - Execute a command on a beacon (e.g., "whoami", "ls", "shell", "powershell")
- `get_beacon_output` - Get the output from a beacon (console output)
- `get_beacon_task` - Get the status and output of a specific beacon task
- `kill_beacon` - Kill/remove a beacon from the teamserver
- `note_beacon` - Add or update a note on a beacon
#### Beacon State Management
- `set_beacon_sleep` - Set the sleep time and jitter for a beacon
- `set_beacon_spawnto` - Set the spawn-to process for a beacon
- `set_beacon_ppid` - Set the parent process ID for a beacon
- `set_beacon_syscall_method` - Set the system call method for a beacon
- `set_beacon_dns_mode` - Set the DNS mode for a beacon
- `set_beacon_block_dlls` - Enable or disable the block-DLLs policy for a beacon
- `set_beacon_beacon_gate` - Enable or disable Beacon Gate for a beacon
- `set_beacon_c2_host` - Set the C2 host for a beacon
- `set_beacon_c2_host_hold` - Hold the current C2 host (prevent failover)
- `set_beacon_c2_host_release` - Release the C2 host (allow failover)
- `set_beacon_c2_host_reset` - Reset the C2 host
- `set_beacon_spoofed_arguments` - Set spoofed arguments for a beacon
- `set_beacon_c2_failover_notification` - Enable or disable C2 failover notification
- `get_beacon_jobs` - Get the jobs running on a beacon
- `get_beacon_c2_host_profiles` - Get the available C2 profiles for a beacon
- `get_beacon_tokenStore` - Get the token store state for a beacon
#### Listener Operations
- `list_listeners` - List all active listeners in the teamserver
- `create_listener` - Create a new listener (HTTP, HTTPS, DNS, SMB, etc.)
- `delete_listener` - Delete/remove a listener from the teamserver
#### Listener-Specific Operations
- `create_listener_http` / `get_listener_http` / `update_listener_http` / `delete_listener_http`
- `create_listener_https` / `get_listener_https` / `update_listener_https` / `delete_listener_https`
- `create_listener_dns` / `get_listener_dns` / `update_listener_dns` / `delete_listener_dns`
- `create_listener_smb` / `get_listener_smb` / `delete_listener_smb`
- `create_listener_tcp` / `get_listener_tcp` / `delete_listener_tcp`
- `create_listener_externalC2` / `get_listener_externalC2` / `delete_listener_externalC2`
- `create_listener_foreignHttp` / `get_listener_foreignHttp` / `delete_listener_foreignHttp`
- `create_listener_foreignHttps` / `get_listener_foreignHttps` / `delete_listener_foreignHttps`
- `create_listener_userDefinedC2` / `get_listener_userDefinedC2` / `delete_listener_userDefinedC2`
- `get_listener` - Get listener by ID
#### Credential Management
- `list_credentials` - List all stored credentials in the teamserver
- `get_credential` - Get detailed information about a specific credential by ID
- `create_credential` - Create a new credential entry
- `delete_credential` - Delete a credential from the teamserver
#### Task Management
- `list_tasks` - List all tasks across all beacons or filter by beacon ID
- `get_task` - Get detailed information about a specific task by ID
- `get_task_error` - Get error information for a specific task
- `get_task_log` - Get log information for a specific task
- `get_beacon_tasks_summary` - Get task summary for a specific beacon
- `get_beacon_tasks_detail` - Get detailed task information for a specific beacon
#### File Operations
- `beacon_list_directory` - List directory contents on a beacon
- `beacon_change_directory` - Change current directory on a beacon
- `beacon_get_current_directory` - Get current working directory on a beacon
- `beacon_list_drives` - List available drives on a beacon
- `beacon_upload_file` - Upload a file to a beacon
- `beacon_download_file` - Download a file from a beacon
- `beacon_copy_file` - Copy a file on a beacon
- `beacon_move_file` - Move/rename a file on a beacon
- `beacon_delete_file` - Delete a file or directory on a beacon
- `beacon_create_directory` - Create a directory on a beacon
#### Spawn Operations (40+ tools)
Spawn operations execute commands in new processes. Available tools include:
- `spawn_beacon` - Spawn a new beacon session
- `spawn_powershell` - Execute PowerShell command
- `spawn_command` - Execute a command (spawns in new process)
- `spawn_shell` - Execute a shell command
- `spawn_screenshot` - Take a screenshot
- `spawn_hashdump` - Dump password hashes
- `spawn_mimikatz` - Run Mimikatz
- `spawn_logon_passwords` - Dump logon passwords using Mimikatz
- `spawn_process_list` - List processes
- `spawn_beacon_asUser` - Spawn a beacon as a specific user
- `spawn_beacon_under` - Spawn a beacon under a specific process
- `spawn_command_runAs` - Run a command as a specific user
- `spawn_dcsync` - Perform DCSync attack
- `spawn_keylogger` - Start keylogger
- `spawn_chromedump` - Dump Chrome passwords
- `spawn_dotnetAssembly` - Execute .NET assembly
- `spawn_net_computers` - Enumerate computers
- `spawn_net_dclist` - List domain controllers
- `spawn_net_domainControllers` - List domain controllers
- `spawn_net_domainTrusts` - Enumerate domain trusts
- `spawn_net_group` - Enumerate groups
- `spawn_net_localGroup` - Enumerate local groups
- `spawn_net_logons` - Enumerate logged on users
- `spawn_net_sessions` - Enumerate sessions
- `spawn_net_share` - Enumerate shares
- `spawn_net_time` - Get time from target
- `spawn_net_user` - Enumerate users
- `spawn_net_user_detail` - Get user details
- `spawn_net_view` - View network resources
- `spawn_portscan` - Perform port scan
- `spawn_postExDll` - Load post-exploitation DLL
- `spawn_powershell_unmanaged` - Execute unmanaged PowerShell
- `spawn_printscreen` - Print screen
- `spawn_pth` - Pass-the-hash
- `spawn_screenwatch` - Start screen watch
- `spawn_shellcode` - Execute shellcode
- `spawn_ssh` - Inject SSH session
- `spawn_sshKey` - Inject SSH session with key
- And more...
#### Inject Operations (30+ tools)
Inject operations execute commands within existing processes. Available tools include:
- `inject_dcsync` - Perform DCSync attack to extract domain credentials
- `inject_net_computers` - Enumerate computers (inject mode)
- `inject_net_users` - Enumerate users (inject mode)
- `inject_net_user_detail` - Get user details (inject mode)
- `inject_net_groups` - Enumerate groups (inject mode)
- `inject_net_sessions` - Enumerate sessions (inject mode)
- `inject_net_shares` - Enumerate shares (inject mode)
- `inject_net_domain_controllers` - List domain controllers (inject mode)
- `inject_portscan` - Perform port scan (inject mode)
- `inject_keylogger` - Start keylogger on a process
- `inject_chromedump` - Dump Chrome passwords
- `inject_net_view` - View network resources (inject mode)
- `inject_net_logons` - Enumerate logged on users (inject mode)
- `inject_beacon` - Inject a beacon into a process
- `inject_dll` - Inject a DLL into a process
- `inject_shellcode` - Execute shellcode
- `inject_mimikatz` - Run Mimikatz
- `inject_hashdump` - Dump password hashes (inject mode)
- `inject_logonPasswords` - Dump logon passwords (inject mode)
- `inject_powershell_unmanaged` - Execute unmanaged PowerShell
- `inject_screenshot` - Take a screenshot
- `inject_printscreen` - Print screen
- `inject_screenwatch` - Start screen watch
- `inject_browserpivotStart` - Start browser pivot
- `inject_ssh` - Inject SSH session
- `inject_sshKey` - Inject SSH session with key
- `inject_pth` - Pass-the-hash (inject mode)
- `inject_postExDll` - Load post-exploitation DLL
- `inject_loadDll` - Load a DLL
- And more...
#### Execute Operations
- `execute_kill_process` - Kill a process
- `execute_clipboard` - Get clipboard contents
- `execute_setenv` - Set environment variable
- `execute_timestomp` - Modify file timestamps
- `execute_checkin` - Force beacon check-in
- `execute_exit` - Exit beacon
- `execute_reg_query` - Query registry key
- `execute_reg_queryv` - Query registry value
- `execute_beacon_info` - Get beacon information
- `execute_get_uid` - Get user ID
- `execute_job_stop` - Stop a job
- `execute_kerberos_ticket_purge` - Purge Kerberos tickets
- `execute_kerberos_ticket_use` - Use Kerberos ticket
- `execute_powershell_import` - Import PowerShell script
- `execute_net_domain` - Get domain information
- `execute_browserpivot_stop` - Stop browser pivot
- `execute_cancel_file_download` - Cancel file download
- `execute_socks_stop_all` - Stop all SOCKS proxies
- `execute_socks_stop_port` - Stop SOCKS proxy on specific port
#### Token Operations
- `execute_steal_token` - Steal a token from a process
- `execute_make_token` - Make a token using logon credentials
- `execute_rev2self` - Revert to self (drop impersonated token)
- `execute_get_system` - Get SYSTEM privileges
- `execute_get_privs` - Get privileges
- `execute_tokenStore_use` - Use a token from the token store
- `execute_tokenStore_steal` - Steal a token and add it to the token store
- `execute_tokenStore_stealAndUse` - Steal a token and immediately use it
- `execute_tokenStore_remove` - Remove a token from the token store
- `execute_tokenStore_removeAll` - Remove all tokens from the token store
- `execute_make_token_upn` - Make a token using UPN (User Principal Name)
#### Pivoting Operations
- `execute_socks4_start` - Start SOCKS4 proxy
- `execute_socks5_start` - Start SOCKS5 proxy
- `execute_socks_stop` - Stop SOCKS proxy
- `execute_link_smb` - Link to SMB beacon
- `execute_link_tcp` - Link to TCP beacon
- `execute_unlink` - Unlink from beacon
- `execute_rportfwd_start` - Start reverse port forward
- `execute_rportfwd_stop` - Stop reverse port forward
#### Elevation Operations
- `elevate_beacon` - Elevate beacon privileges
- `elevate_command` - Elevate command privileges
#### Remote Execution Operations
- `remoteExec_beacon` - Execute remote beacon
- `remoteExec_command` - Execute remote command
#### Payload Generation
- `generate_stager_payload` - Generate a stager payload for a listener
- `generate_stageless_payload` - Generate a stageless payload for a listener
- `download_payload` - Download a generated payload file
#### BOF (Beacon Object File) Operations
- `execute_bof` - Execute a BOF on a beacon
- `execute_bof_pack` - Execute a BOF with packing
- `execute_bof_packed` - Execute a packed BOF
#### Data Operations
- `list_screenshots` - List all screenshots captured from beacons
- `get_screenshot` - Get a specific screenshot by ID
- `list_keystrokes` - List all keystroke captures from beacons
- `get_keystrokes` - Get keystroke data by ID
- `list_downloads` - List all file downloads from beacons
- `get_download` - Get download information by ID
#### Configuration Operations
- `get_system_information` - Get system information
- `get_profile` - Get C2 profile
- `update_profile` - Update C2 profile
- `get_killdate` - Get kill date
- `set_killdate` - Set kill date
- `get_teamserver_ip` - Get teamserver IP
- `set_teamserver_ip` - Set teamserver IP
- `reset_data` - Reset data
#### Utility Operations
- `get_artifacts` - Get artifacts
- `get_beacon_active_downloads` - Get active downloads for a beacon
- `clear_beacon_command_queue` - Clear beacon command queue
- `get_beacon_help` - Get beacon help
- `get_beacon_command_help` - Get help for a specific beacon command
- `get_beacon_keystrokes` - Get keystrokes for a beacon
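Because these tools let an assistant drive live C2 sessions, a practitioner will want a least-privilege gate between the model and the server. The following is an added example, not code from this project: it sorts the tool names listed above into read-only, confirm-required and blocked tiers and audits every request. The tiers, the `invoke`/`confirm`/`audit` callbacks and the audit record shape are assumptions of the example.

```javascript
// Added example, not part of the cobaltstrike-mcp project: a least-privilege
// gate in front of the server's tools. Tool names follow the README's list;
// the tiers, the callbacks and the audit record shape are assumptions here.

// Tools that only read teamserver state may run without a human in the loop.
const READ_ONLY_PREFIXES = ["get_", "list_", "test_"];

// Tools that change the teamserver itself, remove sessions or alter evidence
// are refused outright in this policy.
const BLOCKED_TOOLS = new Set([
  "reset_data", "set_teamserver_ip", "update_profile", "set_killdate",
  "kill_beacon", "execute_exit", "execute_timestomp",
]);

// Everything else (spawn_*, inject_*, execute_*, set_beacon_*, listener and
// payload changes) acts on an engagement target and needs operator approval.
function classifyTool(name) {
  if (BLOCKED_TOOLS.has(name)) return "deny";
  if (READ_ONLY_PREFIXES.some((p) => name.startsWith(p))) return "allow";
  return "confirm"; // unknown or newly added tools fail closed to this tier
}

// Wrap a tool-invocation function. confirm(name, args) returns true when an
// operator approved the call; audit(record) receives one record per request.
function makeGuardedInvoker(invoke, { confirm, audit }) {
  return function guarded(name, args = {}) {
    const decision = classifyTool(name);
    const record = { ts: new Date().toISOString(), tool: name, decision, args };
    if (decision === "deny") {
      audit({ ...record, outcome: "blocked" });
      throw new Error(`policy: tool ${name} is blocked`);
    }
    if (decision === "confirm" && !confirm(name, args)) {
      audit({ ...record, outcome: "rejected" });
      throw new Error(`policy: operator rejected ${name}`);
    }
    audit({ ...record, outcome: "executed" });
    return invoke(name, args);
  };
}

// Stand-alone demonstration with a constructed fake invoker; nothing is contacted.
function demo() {
  const log = [];
  const guarded = makeGuardedInvoker((n) => `ran ${n}`, {
    confirm: (n) => n === "note_beacon", // the operator approves only this call
    audit: (r) => log.push(r),
  });
  const results = {};
  for (const t of ["list_beacons", "note_beacon", "spawn_hashdump", "reset_data"]) {
    try { results[t] = guarded(t, {}); } catch (e) { results[t] = e.message; }
  }
  return { results, log };
}
console.log(JSON.stringify(demo().results, null, 2));
```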
## Cobalt Strike REST API
This MCP server interacts with the Cobalt Strike REST API. For detailed API documentation, see:
- [Cobalt Strike REST API Documentation](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/api/index.html)
## Security Considerations
⚠️ **Important Security Notes:**
- This tool is for authorized security testing and red team operations only
- Credentials are stored in your OS credential manager
- SSL certificate verification can be disabled for testing (not recommended for production)
- All operations are logged by the Cobalt Strike teamserver
- Use with appropriate authorization and in compliance with applicable laws
## License
GPL-3.0
## References
- [Cobalt Strike Documentation](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/toc.html)
- [Model Context Protocol](https://modelcontextprotocol.io/)
- [Anthropic MCP Documentation](https://docs.anthropic.com/en/docs/agents-and-tools/mcp-connector)