Notice: There is a serious security flaw in Cobalt Strike 3.5 and below (2.x is deprecated and assumed affected as well). Please read the advisory for more details.


Generate a Windows EXE

Attacks -> Packages -> Windows Executable generates a Windows executable artifact that delivers a Win32 Listener. This package gives you several output options:

Windows EXE is an x86 Windows executable.

Windows Service EXE is an x86 Windows executable that responds to Service Control Manager commands. You may use this executable to create a Windows service with sc or as a custom executable with the Metasploit® Framework's PsExec modules.

Windows DLL (32-bit) is an x86 Windows DLL.

Windows DLL (64-bit) is an x64 Windows DLL. This DLL will spawn a 32-bit process and migrate your listener to it. Both DLL options export a Start function that is compatible with rundll32.exe. Use rundll32.exe to load your DLL from the command line.

rundll32 foo.dll,Start

Cobalt Strike uses its Artifact Kit to generate this output.