Cobalt Strike MCP Server

Enables management of Cobalt Strike red team operations through natural language commands, providing access to 200+ tools for beacon control, listener management, credential operations, and payload generation.


Cobalt Strike MCP Server

Model Context Protocol server for managing Cobalt Strike operations through natural language commands. Currently only tested with Cursor and Claude on Windows.

Prerequisites

  • Node.js 18.0.0 or higher
  • npm package manager
  • Cobalt Strike teamserver with REST API enabled
  • Network connectivity to Cobalt Strike teamserver

Installation

Windows Installation

Prerequisites

  1. Install Node.js 18.0.0 or higher from nodejs.org
  2. Open PowerShell or Command Prompt as Administrator (for global installation)

Global Installation (Recommended)

Install the package globally to make the cobaltstrike-mcp command available system-wide:

PowerShell:

npm install -g .

macOS/Linux Installation

Global Installation (Recommended)

Install the package globally to make the cobaltstrike-mcp command available system-wide:

npm install -g .

Configuration

Before using the MCP server, you need to configure it with your Cobalt Strike teamserver credentials.

Initial Setup

Run the setup command to configure the server:

cobaltstrike-mcp --setup

This will prompt you for:

  • Teamserver URL: The full URL to your Cobalt Strike REST API (e.g., https://teamserver.example.com:50050)
  • Username: Your Cobalt Strike username
  • Password: Your Cobalt Strike password
  • Verify SSL: Whether to verify SSL certificates (yes/no)

Credentials are stored securely in your OS credential manager (keyring).

Configuration Location

Configuration files are stored in:

  • Windows: %USERPROFILE%\.cobaltstrike-mcp\ or C:\Users\<username>\.cobaltstrike-mcp\
  • macOS/Linux: ~/.cobaltstrike-mcp/

Files:

  • config.json - Non-sensitive configuration (URL, SSL settings)
  • Credentials are stored in OS keyring (Windows Credential Manager on Windows)

Usage

With Claude Desktop

Add the MCP server to your Claude Desktop configuration:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • Linux: ~/.config/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "cobaltstrike": {
      "command": "cobaltstrike-mcp",
      "args": []
    }
  }
}

With Cursor

Cursor supports MCP servers through its settings. To configure this MCP server in Cursor:

  1. Open Cursor Settings:
     • Press Ctrl+, (Windows/Linux) or Cmd+, (macOS)
     • Or go to File > Preferences > Settings
  2. Navigate to MCP Settings:
     • Search for "MCP" in the settings search bar
     • Or look for "Model Context Protocol" settings
  3. Add the MCP Server:
     • Click "Add MCP Server" or edit the MCP configuration
     • Add the following configuration:

     {
       "mcpServers": {
         "cobaltstrike": {
           "command": "cobaltstrike-mcp",
           "args": []
         }
       }
     }

  4. Restart Cursor after making changes to the configuration.

Available Tools

This MCP server provides comprehensive access to Cobalt Strike operations through 200+ tools organized into the following categories:

Teamserver Operations

  • get_teamserver_info - Get information about the Cobalt Strike teamserver (version, license, stats)
  • test_connection - Test the connection to the Cobalt Strike REST API server

Beacon Operations

  • list_beacons - List all active beacons in the teamserver
  • get_beacon - Get detailed information about a specific beacon by ID
  • execute_beacon_command - Execute a command on a beacon (e.g., "whoami", "ls", "shell", "powershell")
  • get_beacon_output - Get the output from a beacon (console output)
  • get_beacon_task - Get the status and output of a specific beacon task
  • kill_beacon - Kill/remove a beacon from the teamserver
  • note_beacon - Add or update a note on a beacon

Beacon State Management

  • set_beacon_sleep - Set the sleep time and jitter for a beacon
  • set_beacon_spawnto - Set the spawn-to process for a beacon
  • set_beacon_ppid - Set the parent process ID for a beacon
  • set_beacon_syscall_method - Set the system call method for a beacon
  • set_beacon_dns_mode - Set DNS mode for beacon
  • set_beacon_block_dlls - Enable or disable block DLLs
  • set_beacon_beacon_gate - Enable or disable beacon gate
  • set_beacon_c2_host - Set C2 host for beacon
  • set_beacon_c2_host_hold - Hold C2 host (prevent failover)
  • set_beacon_c2_host_release - Release C2 host (allow failover)
  • set_beacon_c2_host_reset - Reset C2 host
  • set_beacon_spoofed_arguments - Set spoofed arguments for beacon
  • set_beacon_c2_failover_notification - Enable or disable C2 failover notification
  • get_beacon_jobs - Get jobs running on a beacon
  • get_beacon_c2_host_profiles - Get available C2 profiles for beacon
  • get_beacon_tokenStore - Get token store state for beacon

Listener Operations

  • list_listeners - List all active listeners in the teamserver
  • create_listener - Create a new listener (HTTP, HTTPS, DNS, SMB, etc.)
  • delete_listener - Delete/remove a listener from the teamserver

Listener-Specific Operations

  • create_listener_http / get_listener_http / update_listener_http / delete_listener_http
  • create_listener_https / get_listener_https / update_listener_https / delete_listener_https
  • create_listener_dns / get_listener_dns / update_listener_dns / delete_listener_dns
  • create_listener_smb / get_listener_smb / delete_listener_smb
  • create_listener_tcp / get_listener_tcp / delete_listener_tcp
  • create_listener_externalC2 / get_listener_externalC2 / delete_listener_externalC2
  • create_listener_foreignHttp / get_listener_foreignHttp / delete_listener_foreignHttp
  • create_listener_foreignHttps / get_listener_foreignHttps / delete_listener_foreignHttps
  • create_listener_userDefinedC2 / get_listener_userDefinedC2 / delete_listener_userDefinedC2
  • get_listener - Get listener by ID

Credential Management

  • list_credentials - List all stored credentials in the teamserver
  • get_credential - Get detailed information about a specific credential by ID
  • create_credential - Create a new credential entry
  • delete_credential - Delete a credential from the teamserver

Task Management

  • list_tasks - List all tasks across all beacons or filter by beacon ID
  • get_task - Get detailed information about a specific task by ID
  • get_task_error - Get error information for a specific task
  • get_task_log - Get log information for a specific task
  • get_beacon_tasks_summary - Get task summary for a specific beacon
  • get_beacon_tasks_detail - Get detailed task information for a specific beacon

File Operations

  • beacon_list_directory - List directory contents on a beacon
  • beacon_change_directory - Change current directory on a beacon
  • beacon_get_current_directory - Get current working directory on a beacon
  • beacon_list_drives - List available drives on a beacon
  • beacon_upload_file - Upload a file to a beacon
  • beacon_download_file - Download a file from a beacon
  • beacon_copy_file - Copy a file on a beacon
  • beacon_move_file - Move/rename a file on a beacon
  • beacon_delete_file - Delete a file or directory on a beacon
  • beacon_create_directory - Create a directory on a beacon

Spawn Operations (40+ tools)

Spawn operations execute commands in new processes. Available tools include:

  • spawn_beacon - Spawn a new beacon session
  • spawn_powershell - Execute PowerShell command
  • spawn_command - Execute a command (spawns in new process)
  • spawn_shell - Execute a shell command
  • spawn_screenshot - Take a screenshot
  • spawn_hashdump - Dump password hashes
  • spawn_mimikatz - Run Mimikatz
  • spawn_logon_passwords - Dump logon passwords using Mimikatz
  • spawn_process_list - List processes
  • spawn_beacon_asUser - Spawn a beacon as a specific user
  • spawn_beacon_under - Spawn a beacon under a specific process
  • spawn_command_runAs - Run a command as a specific user
  • spawn_dcsync - Perform DCSync attack
  • spawn_keylogger - Start keylogger
  • spawn_chromedump - Dump Chrome passwords
  • spawn_dotnetAssembly - Execute .NET assembly
  • spawn_net_computers - Enumerate computers
  • spawn_net_dclist - List domain controllers
  • spawn_net_domainControllers - List domain controllers
  • spawn_net_domainTrusts - Enumerate domain trusts
  • spawn_net_group - Enumerate groups
  • spawn_net_localGroup - Enumerate local groups
  • spawn_net_logons - Enumerate logged on users
  • spawn_net_sessions - Enumerate sessions
  • spawn_net_share - Enumerate shares
  • spawn_net_time - Get time from target
  • spawn_net_user - Enumerate users
  • spawn_net_user_detail - Get user details
  • spawn_net_view - View network resources
  • spawn_portscan - Perform port scan
  • spawn_postExDll - Load post-exploitation DLL
  • spawn_powershell_unmanaged - Execute unmanaged PowerShell
  • spawn_printscreen - Print screen
  • spawn_pth - Pass-the-hash
  • spawn_screenwatch - Start screen watch
  • spawn_shellcode - Execute shellcode
  • spawn_ssh - Inject SSH session
  • spawn_sshKey - Inject SSH session with key
  • And more...

Inject Operations (30+ tools)

Inject operations execute commands within existing processes. Available tools include:

  • inject_dcsync - Perform DCSync attack to extract domain credentials
  • inject_net_computers - Enumerate computers (inject mode)
  • inject_net_users - Enumerate users (inject mode)
  • inject_net_user_detail - Get user details (inject mode)
  • inject_net_groups - Enumerate groups (inject mode)
  • inject_net_sessions - Enumerate sessions (inject mode)
  • inject_net_shares - Enumerate shares (inject mode)
  • inject_net_domain_controllers - List domain controllers (inject mode)
  • inject_portscan - Perform port scan (inject mode)
  • inject_keylogger - Start keylogger on a process
  • inject_chromedump - Dump Chrome passwords
  • inject_net_view - View network resources (inject mode)
  • inject_net_logons - Enumerate logged on users (inject mode)
  • inject_beacon - Inject a beacon into a process
  • inject_dll - Inject a DLL into a process
  • inject_shellcode - Execute shellcode
  • inject_mimikatz - Run Mimikatz
  • inject_hashdump - Dump password hashes (inject mode)
  • inject_logonPasswords - Dump logon passwords (inject mode)
  • inject_powershell_unmanaged - Execute unmanaged PowerShell
  • inject_screenshot - Take a screenshot
  • inject_printscreen - Print screen
  • inject_screenwatch - Start screen watch
  • inject_browserpivotStart - Start browser pivot
  • inject_ssh - Inject SSH session
  • inject_sshKey - Inject SSH session with key
  • inject_pth - Pass-the-hash (inject mode)
  • inject_postExDll - Load post-exploitation DLL
  • inject_loadDll - Load a DLL
  • And more...

Execute Operations

  • execute_kill_process - Kill a process
  • execute_clipboard - Get clipboard contents
  • execute_setenv - Set environment variable
  • execute_timestomp - Modify file timestamps
  • execute_checkin - Force beacon check-in
  • execute_exit - Exit beacon
  • execute_reg_query - Query registry key
  • execute_reg_queryv - Query registry value
  • execute_beacon_info - Get beacon information
  • execute_get_uid - Get user ID
  • execute_job_stop - Stop a job
  • execute_kerberos_ticket_purge - Purge Kerberos tickets
  • execute_kerberos_ticket_use - Use Kerberos ticket
  • execute_powershell_import - Import PowerShell script
  • execute_net_domain - Get domain information
  • execute_browserpivot_stop - Stop browser pivot
  • execute_cancel_file_download - Cancel file download
  • execute_socks_stop_all - Stop all SOCKS proxies
  • execute_socks_stop_port - Stop SOCKS proxy on specific port

Token Operations

  • execute_steal_token - Steal a token from a process
  • execute_make_token - Make a token using logon credentials
  • execute_rev2self - Revert to self (drop impersonated token)
  • execute_get_system - Get SYSTEM privileges
  • execute_get_privs - Get privileges
  • execute_tokenStore_use - Use a token from the token store
  • execute_tokenStore_steal - Steal a token and add it to the token store
  • execute_tokenStore_stealAndUse - Steal a token and immediately use it
  • execute_tokenStore_remove - Remove a token from the token store
  • execute_tokenStore_removeAll - Remove all tokens from the token store
  • execute_make_token_upn - Make a token using UPN (User Principal Name)

Pivoting Operations

  • execute_socks4_start - Start SOCKS4 proxy
  • execute_socks5_start - Start SOCKS5 proxy
  • execute_socks_stop - Stop SOCKS proxy
  • execute_link_smb - Link to SMB beacon
  • execute_link_tcp - Link to TCP beacon
  • execute_unlink - Unlink from beacon
  • execute_rportfwd_start - Start reverse port forward
  • execute_rportfwd_stop - Stop reverse port forward

Elevation Operations

  • elevate_beacon - Elevate beacon privileges
  • elevate_command - Elevate command privileges

Remote Execution Operations

  • remoteExec_beacon - Execute remote beacon
  • remoteExec_command - Execute remote command

Payload Generation

  • generate_stager_payload - Generate a stager payload for a listener
  • generate_stageless_payload - Generate a stageless payload for a listener
  • download_payload - Download a generated payload file

BOF (Beacon Object File) Operations

  • execute_bof - Execute a BOF on a beacon
  • execute_bof_pack - Execute a BOF with packing
  • execute_bof_packed - Execute a packed BOF

Data Operations

  • list_screenshots - List all screenshots captured from beacons
  • get_screenshot - Get a specific screenshot by ID
  • list_keystrokes - List all keystroke captures from beacons
  • get_keystrokes - Get keystroke data by ID
  • list_downloads - List all file downloads from beacons
  • get_download - Get download information by ID

Configuration Operations

  • get_system_information - Get system information
  • get_profile - Get C2 profile
  • update_profile - Update C2 profile
  • get_killdate - Get kill date
  • set_killdate - Set kill date
  • get_teamserver_ip - Get teamserver IP
  • set_teamserver_ip - Set teamserver IP
  • reset_data - Reset data

Utility Operations

  • get_artifacts - Get artifacts
  • get_beacon_active_downloads - Get active downloads for a beacon
  • clear_beacon_command_queue - Clear beacon command queue
  • get_beacon_help - Get beacon help
  • get_beacon_command_help - Get help for a specific beacon command
  • get_beacon_keystrokes - Get keystrokes for a beacon

Cobalt Strike REST API

This MCP server interacts with the Cobalt Strike REST API. For detailed API documentation, see:

Security Considerations

⚠️ Important Security Notes:

  • This tool is for authorized security testing and red team operations only
  • Credentials are stored in your OS credential manager
  • SSL certificate verification can be disabled for testing (not recommended for production)
  • All operations are logged by the Cobalt Strike teamserver
  • Use with appropriate authorization and in compliance with applicable laws

License

GPL-3.0

References
