Slack Notifications for Cobalt Strike

We’ve seen several great incoming agent/shell notification mechanisms for Metasploit and Empire recently and the utility of being notified when new shells appear is without question. This is especially true when conducting phishing and social engineering style attacks or while waiting for a persistence mechanism to trigger. A recent example is SlackShellBot by @Ne0nd0g.  We really like it, but often use Cobalt Strike heavily and thus need another notification method for CS.

Enter Aggressor script. This is just one quick example of performing Slack notifications for Cobalt Strike using Aggressor. If you’re a regular CS user, we highly recommend spending some time with Aggressor scripting to step up your automation and workflows. @armitagehacker has a comprehensive post of Aggressor resources that is a great starting point.

New Beacon Slack Notifications

New Beacon Slack Notifications


  • This method relies on a custom web-hook just as SlackShellBot. Refer the official documentation if you need a quick guide on creating one
  • A Python module for Slack integrations called “slackweb”
    • Using pip: pip install slackweb

Step 1: Create your Custom Slack Webhook

Slack Custom Webhook Configuration

Slack Custom Webhook Configuration


Step 2: Create a Python script to post the Slack notifications

This Python code is a basic example of using the slackweb module to submit a Slack text notification to our custom webhook. Don’t forget to make the script executable!

 #! /usr/bin/env python

import argparse
import slackweb
import socket

parser = argparse.ArgumentParser(description='beacon info')

hostname = socket.gethostname()

args = parser.parse_args()

slackUrl = ""
computername = args.computername
internalip = args.internalip
username = args.username

slack = slackweb.Slack(url=slackUrl)
message = "New Beacon: {}@{} ({}) on {}".format(username,computername,internalip,hostname)

Step 3: Create the Aggressor script

Save the following code as a new Aggressor script. You can customize the desired information and format of the Slack notification here. The format provided in this example is “New Beacon: USERNAME@HOSTNAME (IP ADDRESS) on C2SERVERHOSTNAME”

Note: You could also modify this Aggressor script to use curl and eliminate the need for Python and an additional module entirely! However, Python allows us to quickly grab the hostname of the C2 server and easily track what assessment/campaign the incoming beacons are associated with.

 # Issue initial commands upon new beacon checkin
# slacknotification.cna

on beacon_initial {
    println("Initial Beacon Checkin: " . $1 . " PID: " . beacon_info($1,"pid"));
    local('$internalIP $computerName $userName');
    $internalIP = replace(beacon_info($1,"internal")," ","_");
    $computerName = replace(beacon_info($1,"computer")," ","_");
    $userName = replace(beacon_info($1,"user")," ","_");
    $cmd = '/path/to/ --computername ' . $computerName . " --internalip " . $internalIP . " --username " . $userName;

    println("Sending Slack Notification: " . $cmd);

Step 4: Load the Aggressor script into Cobalt Strike

The Aggressor script can be loaded into CS via the GUI or headless mode. Once loaded, fire off some beacons and watch the notifications come in!


Hopefully this post is useful and let us know if you have additional ideas or improvements!

Author Andrew Chiles

Andrew is a member of the Red Team at MINIS. He's worked as a red teamer and penetration tester for the past five years in various federal, defense and commercial settings, and been in the Information Security field for the past ten years. He's earned degrees in M.E. Information Assurance and B.S. Telecommunications Systems Management in addition to holding industry certifications such as OSCP, CISSP, CEH, and CCNA. He currently lives in Germany.

More posts by Andrew Chiles