This library provides Aggressor Script functions for interacting with the Cobalt Strike REST API from the client. It supports authentication, GET/POST/PUT/DELETE requests, and automatic parsing of JSON responses into native Sleep hashes and arrays.
Note: This tool is still in an early development stage and is subject to breaking changes.
- Authenticate and obtain JWT tokens
- Make `GET`, `POST`, `PUT` and `DELETE` requests
- Parse JSON responses to Sleep data structures
- Utility functions for easy API integration
- The Cobalt Strike API Server should be running.
- Cobalt Strike should be installed and configured.
- Cobalt Strike should be properly licensed.
- Add the following flags to your Java command line when launching Cobalt Strike:

  ```
  --add-exports java.base/sun.net.www.protocol.https=ALL-UNNAMED --add-exports java.base/sun.net.www.http=ALL-UNNAMED --add-opens java.base/sun.net.www.protocol.https=ALL-UNNAMED --add-opens java.base/sun.net.www.http=ALL-UNNAMED
  ```

  An example of the `launch-cobaltstrike-client.bat` file to launch the Windows client would be:

  ```bat
  @echo off
  setlocal

  set "JAVA_EXE=C:\Program Files\Microsoft\jdk-21.0.8.9-hotspot\bin\javaw.exe"
  if not exist "%JAVA_EXE%" (
      for %%J in (javaw.exe java.exe) do (
          where %%~J >nul 2>&1 && set "JAVA_EXE=%%~J" && goto :found_java
      )
      echo ERROR: javaw/java not found. Install JRE/JDK or adjust JAVA_EXE in this script.
      pause
      exit /b 1
  )
  :found_java

  set "JAR=C:\Program Files\cobaltstrike\client\cobaltstrike-client.jar"

  rem --- build JVM_OPTS piece by piece (no carets) ---
  set "JVM_OPTS=-XX:ParallelGCThreads=4"
  set "JVM_OPTS=%JVM_OPTS% -XX:+AggressiveHeap"
  set "JVM_OPTS=%JVM_OPTS% -XX:+UseParallelGC"
  set "JVM_OPTS=%JVM_OPTS% --add-exports=java.base/sun.net.www.protocol.https=ALL-UNNAMED"
  set "JVM_OPTS=%JVM_OPTS% --add-exports=java.base/sun.net.www.http=ALL-UNNAMED"
  set "JVM_OPTS=%JVM_OPTS% --add-opens=java.base/sun.net.www.protocol.https=ALL-UNNAMED"
  set "JVM_OPTS=%JVM_OPTS% --add-opens=java.base/sun.net.www.http=ALL-UNNAMED"

  start "" /min "%JAVA_EXE%" %JVM_OPTS% -jar "%JAR%"

  endlocal
  exit /b 0
  ```

- `$url_base`: Base URL for the REST API
- `$token`: JWT token for authentication
- `$username`: Username for API authentication
- `$password`: Password for API authentication

- apiGET(endpoint): GET request
- apiPOST(endpoint, body): POST request
- apiPUT(endpoint, body): PUT request
- apiDELETE(endpoint): DELETE request

- Clone the repository:

  ```bash
  git clone https://github.com/Cobalt-Strike/sleep2rest.git
  ```

- Edit the Global Variables in `cs_rest_api_lib.cna`:

  ```
  # Configure these variables for your environment
  $url_base = "https://<APISERVER>:50443";
  $username = "<username>";
  $password = "<password>";
  # End of configuration
  ```

- Include the `cs_rest_api_lib.cna` script into your script following this example.
- Load your `.cna` script into the Cobalt Strike client through Cobalt Strike > Script Manager > Load
- Enjoy!

| Name | Description |
|---|---|
| example_usage.cna | Simple GET and POST requests to the Cobalt Strike REST API. |
| serverside_payload_generation.cna | Script that provides an alternative menu to generate payloads server-side. README |
| serverside_artifact_execution.cna | Script that provides an example to run server-side stored .NET assemblies. It can be easily extended to run BOFs. |

```
include(script_resource("cs_rest_api_lib.cna"));

# Authenticate and get beacons
$response = apiGET("/api/v1/beacons");
if ($response["status"] == 200) {
    $beacons = $response["content"];
    println("Beacons: " . $beacons);
} else {
    println("API error: " . $response["status"]);
}

# POST example
$beacon_id = "123456789";
$body = '{"command": "ps"}';
$response = apiPOST("/api/v1/beacons/".$beacon_id."/consoleCommand", $body);
if ($response["status"] == 200) {
    println("Response: " . $response);
    $statusUrl = $response["content"]["statusUrl"];

    # Get task result
    $task_response = apiGET($statusUrl);
    $status = $task_response["content"]["taskStatus"];
    println("Final GET Response: " . $task_response);
} else {
    println("API error: " . $response["status"]);
}
```

For issues and questions:
- Review Cobalt Strike documentation for API requirements
- Consult Sleep documentation for Sleep issues.
Warning: This tool provides direct access to Cobalt Strike's powerful adversary simulation capabilities. Use it responsibly and only in environments where you have explicit permission to perform security testing.
