High-risk tools in Cobalt Strike MCP Server
113 of the 220 tools in Cobalt Strike MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
beacon_change_directoryExecuteChange current directory on a beacon
-
beacon_copy_fileExecuteCopy a file on a beacon
-
create_listenerExecuteCreate a new listener (HTTP, HTTPS, DNS, SMB, etc.)
-
create_listener_dnsExecuteCreate a DNS listener
-
create_listener_externalC2ExecuteCreate an ExternalC2 listener
-
create_listener_foreignHttpExecuteCreate a Foreign HTTP listener
-
create_listener_foreignHttpsExecuteCreate a Foreign HTTPS listener
-
create_listener_httpExecuteCreate an HTTP listener
-
create_listener_httpsExecuteCreate an HTTPS listener
-
create_listener_smbExecuteCreate an SMB listener
-
create_listener_tcpExecuteCreate a TCP listener
-
create_listener_userDefinedC2ExecuteCreate a User-Defined C2 listener
-
elevate_beaconExecuteElevate to a new beacon with higher privileges
-
elevate_commandExecuteElevate a command with higher privileges
-
execute_beacon_commandExecuteExecute a command on a beacon (e.g.,
-
execute_bofExecuteExecute a BOF (Beacon Object File) on a beacon. Common BOFs: @artifacts/BOFs/whoami.x64.o, @artifacts/BOFs/whoami.x86.o
-
execute_bof_packExecuteExecute a BOF with packing
-
execute_bof_packedExecuteExecute a packed BOF
-
execute_browserpivot_stopExecuteStop browser pivot
-
execute_cancel_file_downloadExecuteCancel file download
-
execute_checkinExecuteForce beacon to check in immediately
-
execute_exitExecuteExit the beacon
-
execute_get_systemExecuteGet SYSTEM privileges
-
execute_get_uidExecuteGet user ID
-
execute_job_stopExecuteStop a job
-
execute_kerberos_ticket_useExecuteUse a Kerberos ticket
-
execute_kill_processExecuteKill a process by PID
-
execute_link_smbExecuteLink to SMB beacon
-
execute_link_tcpExecuteLink to TCP beacon
-
execute_make_tokenExecuteMake a token using logon credentials
-
execute_make_token_upnExecuteMake a token using UPN (User Principal Name)
-
execute_net_domainExecuteGet domain information
-
execute_powershell_importExecuteImport PowerShell module
-
execute_rev2selfExecuteRevert to self (drop impersonated token)
-
execute_rportfwd_startExecuteStart reverse port forward
-
execute_rportfwd_stopExecuteStop reverse port forward
-
execute_setenvExecuteSet an environment variable
-
execute_socks_stopExecuteStop SOCKS proxy
-
execute_socks_stop_portExecuteStop SOCKS proxy on specific port
-
execute_socks4_startExecuteStart SOCKS4 proxy
-
execute_socks5_startExecuteStart SOCKS5 proxy
-
execute_steal_tokenExecuteSteal a token from a process
-
execute_timestompExecuteModify file timestamps
-
execute_tokenStore_stealExecuteSteal a token and add it to the token store
-
execute_tokenStore_stealAndUseExecuteSteal a token and immediately use it
-
execute_tokenStore_useExecuteUse a token from the token store
-
execute_unlinkExecuteUnlink from beacon
-
generate_stageless_payloadExecuteGenerate a stageless payload for a listener
-
generate_stager_payloadExecuteGenerate a stager payload for a listener
-
inject_beaconExecuteInject beacon into a process
-
inject_browserpivotStartExecuteStart browser pivot
-
inject_dllExecuteInject a DLL into a process
-
inject_hashdumpExecuteDump password hashes (inject mode)
-
inject_keyloggerExecuteStart keylogger on a process
-
inject_loadDllExecuteLoad DLL
-
inject_mimikatzExecuteRun Mimikatz (inject mode)
-
inject_net_viewExecuteView network resources
-
inject_portscanExecutePerform port scan
-
inject_postExDllExecuteLoad post-exploitation DLL
-
inject_powershell_unmanagedExecuteExecute unmanaged PowerShell
-
inject_printscreenExecutePrint screen (inject mode)
-
inject_pthExecutePass-the-hash attack
-
inject_screenshotExecuteTake screenshot (inject mode)
-
inject_screenwatchExecuteStart screen watch (inject mode)
-
inject_shellcodeExecuteInject shellcode into a process
-
inject_sshExecuteInject SSH session
-
inject_sshKeyExecuteInject SSH session with key
-
remoteExec_beaconExecuteRemotely execute a beacon on a target
-
remoteExec_commandExecuteRemotely execute a command on a target
-
set_beacon_beacon_gateExecuteEnable or disable beacon gate
-
set_beacon_block_dllsExecuteEnable or disable block DLLs
-
set_beacon_c2_host_holdExecuteHold C2 host (prevent failover)
-
set_beacon_c2_host_releaseExecuteRelease C2 host (allow failover)
-
set_beacon_dns_modeExecuteSet DNS mode for beacon
-
set_beacon_ppidExecuteSet the parent process ID for a beacon
-
set_beacon_sleepExecuteSet the sleep time and jitter for a beacon
-
set_beacon_spawntoExecuteSet the spawn-to process for a beacon
-
set_beacon_spoofed_argumentsExecuteSet spoofed arguments for beacon
-
set_beacon_syscall_methodExecuteSet the system call method for a beacon
-
spawn_beaconExecuteSpawn a new beacon session on a target
-
spawn_beacon_asUserExecuteSpawn a beacon as a specific user
-
spawn_beacon_underExecuteSpawn a beacon under a specific process
-
spawn_chromedumpExecuteDump Chrome passwords (spawn mode)
-
spawn_commandExecuteExecute a command on a beacon (spawns in new process)
-
spawn_command_runAsExecuteRun a command as a specific user
-
spawn_command_runNoOutputExecuteRun command without output
-
spawn_command_runUnderExecuteRun command under a process
-
spawn_dcsyncExecutePerform DCSync attack (spawn mode)
-
spawn_dotnetAssemblyExecuteExecute .NET assembly
-
spawn_hashdumpExecuteDump password hashes from a beacon
-
spawn_keyloggerExecuteStart keylogger (spawn mode)
-
spawn_mimikatzExecuteRun Mimikatz on a beacon
-
spawn_net_computersExecuteEnumerate computers (spawn mode)
-
spawn_net_domainTrustsExecuteEnumerate domain trusts (spawn mode)
-
spawn_net_groupExecuteEnumerate groups (spawn mode)
-
spawn_net_sessionsExecuteEnumerate sessions (spawn mode)
-
spawn_net_shareExecuteEnumerate shares (spawn mode)
-
spawn_net_timeExecuteGet time from target (spawn mode)
-
spawn_net_userExecuteEnumerate users (spawn mode)
-
spawn_net_user_detailExecuteGet user details (spawn mode)
-
spawn_net_viewExecuteView network resources (spawn mode)
-
spawn_portscanExecutePerform port scan (spawn mode)
-
spawn_postExDllExecuteLoad post-exploitation DLL (spawn mode)
-
spawn_powershellExecuteExecute PowerShell command on a beacon
-
spawn_powershell_unmanagedExecuteExecute unmanaged PowerShell (spawn mode)
-
spawn_printscreenExecutePrint screen (spawn mode)
-
spawn_pthExecutePass-the-hash (spawn mode)
-
spawn_screenshotExecuteTake a screenshot on a beacon
-
spawn_screenwatchExecuteStart screen watch (spawn mode)
-
spawn_shellExecuteExecute a shell command on a beacon
-
spawn_shellcodeExecuteExecute shellcode (spawn mode)
-
spawn_sshExecuteInject SSH session (spawn mode)
-
spawn_sshKeyExecuteInject SSH session with key (spawn mode)
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.