Cobalt Strike MCP Server

Model Context Protocol server for managing Cobalt Strike operations through natural language commands.Currently only tested with Cursor and Claude on Windows

Prerequisites

Node.js 18.0.0 or higher
npm package manager
Cobalt Strike teamserver with REST API enabled
Network connectivity to Cobalt Strike teamserver

Installation

Windows Installation

Prerequisites

Install Node.js 18.0.0 or higher from nodejs.org
Open PowerShell or Command Prompt as Administrator (for global installation)

Global Installation (Recommended)

Install the package globally to make the cobaltstrike-mcp command available system-wide:

PowerShell:

npm install -g .

macOS/Linux Installation

Global Installation (Recommended)

Install the package globally to make the cobaltstrike-mcp command available system-wide:

npm install -g .

Configuration

Before using the MCP server, you need to configure it with your Cobalt Strike teamserver credentials.

Initial Setup

Run the setup command to configure the server:

cobaltstrike-mcp --setup

This will prompt you for:

Teamserver URL: The full URL to your Cobalt Strike REST API (e.g., https://teamserver.example.com:50050)
Username: Your Cobalt Strike username
Password: Your Cobalt Strike password
Verify SSL: Whether to verify SSL certificates (yes/no)

Credentials are stored securely in your OS credential manager (keyring).

Configuration Location

Configuration files are stored in:

Windows: %USERPROFILE%\.cobaltstrike-mcp\ or C:\Users\<username>\.cobaltstrike-mcp\
macOS/Linux: ~/.cobaltstrike-mcp/

Files:

config.json - Non-sensitive configuration (URL, SSL settings)
Credentials are stored in OS keyring (Windows Credential Manager on Windows)

Usage

With Claude Desktop

Add the MCP server to your Claude Desktop configuration:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.jsonWindows: %APPDATA%\Claude\claude_desktop_config.jsonLinux: ~/.config/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "cobaltstrike": {
      "command": "cobaltstrike-mcp",
      "args": []
    }
  }
}

With Cursor

Cursor supports MCP servers through its settings. To configure this MCP server in Cursor:

Open Cursor Settings:
- Press Ctrl+, (Windows/Linux) or Cmd+, (macOS)
- Or go to File > Preferences > Settings
Navigate to MCP Settings:
- Search for "MCP" in the settings search bar
- Or look for "Model Context Protocol" settings
Add the MCP Server:
- Click "Add MCP Server" or edit the MCP configuration
- Add the following configuration:

{
  "mcpServers": {
    "cobaltstrike": {
      "command": "cobaltstrike-mcp",
      "args": []
    }
  }
}

Restart Cursor after making changes to the configuration.

Available Tools

This MCP server provides comprehensive access to Cobalt Strike operations through 200+ tools organized into the following categories:

Teamserver Operations

get_teamserver_info - Get information about the Cobalt Strike teamserver (version, license, stats)
test_connection - Test the connection to the Cobalt Strike REST API server

Beacon Operations

list_beacons - List all active beacons in the teamserver
get_beacon - Get detailed information about a specific beacon by ID
execute_beacon_command - Execute a command on a beacon (e.g., "whoami", "ls", "shell", "powershell")
get_beacon_output - Get the output from a beacon (console output)
get_beacon_task - Get the status and output of a specific beacon task
kill_beacon - Kill/remove a beacon from the teamserver
note_beacon - Add or update a note on a beacon

Beacon State Management

set_beacon_sleep - Set the sleep time and jitter for a beacon
set_beacon_spawnto - Set the spawn-to process for a beacon
set_beacon_ppid - Set the parent process ID for a beacon
set_beacon_syscall_method - Set the system call method for a beacon
set_beacon_dns_mode - Set DNS mode for beacon
set_beacon_block_dlls - Enable or disable block DLLs
set_beacon_beacon_gate - Enable or disable beacon gate
set_beacon_c2_host - Set C2 host for beacon
set_beacon_c2_host_hold - Hold C2 host (prevent failover)
set_beacon_c2_host_release - Release C2 host (allow failover)
set_beacon_c2_host_reset - Reset C2 host
set_beacon_spoofed_arguments - Set spoofed arguments for beacon
set_beacon_c2_failover_notification - Enable or disable C2 failover notification
get_beacon_jobs - Get jobs running on a beacon
get_beacon_c2_host_profiles - Get available C2 profiles for beacon
get_beacon_tokenStore - Get token store state for beacon

Listener Operations

list_listeners - List all active listeners in the teamserver
create_listener - Create a new listener (HTTP, HTTPS, DNS, SMB, etc.)
delete_listener - Delete/remove a listener from the teamserver

Listener-Specific Operations

create_listener_http / get_listener_http / update_listener_http / delete_listener_http
create_listener_https / get_listener_https / update_listener_https / delete_listener_https
create_listener_dns / get_listener_dns / update_listener_dns / delete_listener_dns
create_listener_smb / get_listener_smb / delete_listener_smb
create_listener_tcp / get_listener_tcp / delete_listener_tcp
create_listener_externalC2 / get_listener_externalC2 / delete_listener_externalC2
create_listener_foreignHttp / get_listener_foreignHttp / delete_listener_foreignHttp
create_listener_foreignHttps / get_listener_foreignHttps / delete_listener_foreignHttps
create_listener_userDefinedC2 / get_listener_userDefinedC2 / delete_listener_userDefinedC2
get_listener - Get listener by ID

Credential Management

list_credentials - List all stored credentials in the teamserver
get_credential - Get detailed information about a specific credential by ID
create_credential - Create a new credential entry
delete_credential - Delete a credential from the teamserver

Task Management

list_tasks - List all tasks across all beacons or filter by beacon ID
get_task - Get detailed information about a specific task by ID
get_task_error - Get error information for a specific task
get_task_log - Get log information for a specific task
get_beacon_tasks_summary - Get task summary for a specific beacon
get_beacon_tasks_detail - Get detailed task information for a specific beacon

File Operations

beacon_list_directory - List directory contents on a beacon
beacon_change_directory - Change current directory on a beacon
beacon_get_current_directory - Get current working directory on a beacon
beacon_list_drives - List available drives on a beacon
beacon_upload_file - Upload a file to a beacon
beacon_download_file - Download a file from a beacon
beacon_copy_file - Copy a file on a beacon
beacon_move_file - Move/rename a file on a beacon
beacon_delete_file - Delete a file or directory on a beacon
beacon_create_directory - Create a directory on a beacon

Spawn Operations (40+ tools)

Spawn operations execute commands in new processes. Available tools include:

spawn_beacon - Spawn a new beacon session
spawn_powershell - Execute PowerShell command
spawn_command - Execute a command (spawns in new process)
spawn_shell - Execute a shell command
spawn_screenshot - Take a screenshot
spawn_hashdump - Dump password hashes
spawn_mimikatz - Run Mimikatz
spawn_logon_passwords - Dump logon passwords using Mimikatz
spawn_process_list - List processes
spawn_beacon_asUser - Spawn a beacon as a specific user
spawn_beacon_under - Spawn a beacon under a specific process
spawn_command_runAs - Run a command as a specific user
spawn_dcsync - Perform DCSync attack
spawn_keylogger - Start keylogger
spawn_chromedump - Dump Chrome passwords
spawn_dotnetAssembly - Execute .NET assembly
spawn_net_computers - Enumerate computers
spawn_net_dclist - List domain controllers
spawn_net_domainControllers - List domain controllers
spawn_net_domainTrusts - Enumerate domain trusts
spawn_net_group - Enumerate groups
spawn_net_localGroup - Enumerate local groups
spawn_net_logons - Enumerate logged on users
spawn_net_sessions - Enumerate sessions
spawn_net_share - Enumerate shares
spawn_net_time - Get time from target
spawn_net_user - Enumerate users
spawn_net_user_detail - Get user details
spawn_net_view - View network resources
spawn_portscan - Perform port scan
spawn_postExDll - Load post-exploitation DLL
spawn_powershell_unmanaged - Execute unmanaged PowerShell
spawn_printscreen - Print screen
spawn_pth - Pass-the-hash
spawn_screenwatch - Start screen watch
spawn_shellcode - Execute shellcode
spawn_ssh - Inject SSH session
spawn_sshKey - Inject SSH session with key
And more...

Inject Operations (30+ tools)

Inject operations execute commands within existing processes. Available tools include:

inject_dcsync - Perform DCSync attack to extract domain credentials
inject_net_computers - Enumerate computers (inject mode)
inject_net_users - Enumerate users (inject mode)
inject_net_user_detail - Get user details (inject mode)
inject_net_groups - Enumerate groups (inject mode)
inject_net_sessions - Enumerate sessions (inject mode)
inject_net_shares - Enumerate shares (inject mode)
inject_net_domain_controllers - List domain controllers (inject mode)
inject_portscan - Perform port scan (inject mode)
inject_keylogger - Start keylogger on a process
inject_chromedump - Dump Chrome passwords
inject_net_view - View network resources (inject mode)
inject_net_logons - Enumerate logged on users (inject mode)
inject_beacon - Inject a beacon into a process
inject_dll - Inject a DLL into a process
inject_shellcode - Execute shellcode
inject_mimikatz - Run Mimikatz
inject_hashdump - Dump password hashes (inject mode)
inject_logonPasswords - Dump logon passwords (inject mode)
inject_powershell_unmanaged - Execute unmanaged PowerShell
inject_screenshot - Take a screenshot
inject_printscreen - Print screen
inject_screenwatch - Start screen watch
inject_browserpivotStart - Start browser pivot
inject_ssh - Inject SSH session
inject_sshKey - Inject SSH session with key
inject_pth - Pass-the-hash (inject mode)
inject_postExDll - Load post-exploitation DLL
inject_loadDll - Load a DLL
And more...

Execute Operations

execute_kill_process - Kill a process
execute_clipboard - Get clipboard contents
execute_setenv - Set environment variable
execute_timestomp - Modify file timestamps
execute_checkin - Force beacon check-in
execute_exit - Exit beacon
execute_reg_query - Query registry key
execute_reg_queryv - Query registry value
execute_beacon_info - Get beacon information
execute_get_uid - Get user ID
execute_job_stop - Stop a job
execute_kerberos_ticket_purge - Purge Kerberos tickets
execute_kerberos_ticket_use - Use Kerberos ticket
execute_powershell_import - Import PowerShell script
execute_net_domain - Get domain information
execute_browserpivot_stop - Stop browser pivot
execute_cancel_file_download - Cancel file download
execute_socks_stop_all - Stop all SOCKS proxies
execute_socks_stop_port - Stop SOCKS proxy on specific port

Token Operations

execute_steal_token - Steal a token from a process
execute_make_token - Make a token using logon credentials
execute_rev2self - Revert to self (drop impersonated token)
execute_get_system - Get SYSTEM privileges
execute_get_privs - Get privileges
execute_tokenStore_use - Use a token from the token store
execute_tokenStore_steal - Steal a token and add it to the token store
execute_tokenStore_stealAndUse - Steal a token and immediately use it
execute_tokenStore_remove - Remove a token from the token store
execute_tokenStore_removeAll - Remove all tokens from the token store
execute_make_token_upn - Make a token using UPN (User Principal Name)

Pivoting Operations

execute_socks4_start - Start SOCKS4 proxy
execute_socks5_start - Start SOCKS5 proxy
execute_socks_stop - Stop SOCKS proxy
execute_link_smb - Link to SMB beacon
execute_link_tcp - Link to TCP beacon
execute_unlink - Unlink from beacon
execute_rportfwd_start - Start reverse port forward
execute_rportfwd_stop - Stop reverse port forward

Elevation Operations

elevate_beacon - Elevate beacon privileges
elevate_command - Elevate command privileges

Remote Execution Operations

remoteExec_beacon - Execute remote beacon
remoteExec_command - Execute remote command

Payload Generation

generate_stager_payload - Generate a stager payload for a listener
generate_stageless_payload - Generate a stageless payload for a listener
download_payload - Download a generated payload file

BOF (Beacon Object File) Operations

execute_bof - Execute a BOF on a beacon
execute_bof_pack - Execute a BOF with packing
execute_bof_packed - Execute a packed BOF

Data Operations

list_screenshots - List all screenshots captured from beacons
get_screenshot - Get a specific screenshot by ID
list_keystrokes - List all keystroke captures from beacons
get_keystrokes - Get keystroke data by ID
list_downloads - List all file downloads from beacons
get_download - Get download information by ID

Configuration Operations

get_system_information - Get system information
get_profile - Get C2 profile
update_profile - Update C2 profile
get_killdate - Get kill date
set_killdate - Set kill date
get_teamserver_ip - Get teamserver IP
set_teamserver_ip - Set teamserver IP
reset_data - Reset data

Utility Operations

get_artifacts - Get artifacts
get_beacon_active_downloads - Get active downloads for a beacon
clear_beacon_command_queue - Clear beacon command queue
get_beacon_help - Get beacon help
get_beacon_command_help - Get help for a specific beacon command
get_beacon_keystrokes - Get keystrokes for a beacon

Cobalt Strike REST API

This MCP server interacts with the Cobalt Strike REST API. For detailed API documentation, see:

Cobalt Strike REST API Documentation

Security Considerations

⚠️ Important Security Notes:

This tool is for authorized security testing and red team operations only
Credentials are stored in your OS credential manager
SSL certificate verification can be disabled for testing (not recommended for production)
All operations are logged by the Cobalt Strike teamserver
Use with appropriate authorization and in compliance with applicable laws

License

GPL-3.0