A Deeper Look Into the Max Retry Strategy Option

A complementary strategy to the Host Rotation Strategy was introduced to Cobalt Strike 4.5. The max retry strategy was added to HTTP, HTTPS, and DNS beacon listeners. A max retry strategy allows a beacon to exit after a specified failure count. As the failure count increases, sleep is adjusted to a specified value. By default, sleep is adjusted at 50% of the failure count.

A max retry can be selected from a list via the create listener GUI:

max retry option set as a listener option

The list can be updated with custom values using the aggressor hook LISTENER_MAX_RETRY_STRATEGIES.


The values in aggressor allow combination of options to be set vs. selecting from the default list.

Use a hard coded list of strategies

    $out .= "exit-18-12-5m\n";
    $out .= "exit-22-14-5m\n";
    return $out;

Use loops to build a list of strategies

    @attempts = @(50, 100);
    @durations = @("5m", "15m");
    $increase = 25;
    foreach $attempt (@attempts)
        foreach $duration (@durations)
            $out .= "exit $+ - $+ $attempt $+ - $+ $increase $+ - $+ $duration\n";
    return $out;

Understanding the Max Retry Syntax

Max Retry Strategy Syntax

The syntax is broken into four sections separated by a dash:

Column Description
1 exit
2 Exit beacon after this number of failures
3 Number of failures to begin adjust sleep
4 Sleep time to set when sleep failures are met. Note: The jitter is kept to the current setting.

Using Aggressor to Create a Listener

If you use aggressor to create listeners, you can set the max retry using the max_retry option. This can be set to your custom max retry strategy without the need to be pre-defined.

Below is an example of the listener_create_ext function used to create a listener.


create an HTTP Beacon listener

listener_create_ext("HTTP", "windows/beacon_http/reverse_http",
      %(host => "stage.host",
      profile => "default",
      port => 80,
      beacons => "b1.host,b2.host",
      althost => "alt.host",
      bindto => 8080,
      strategy => "failover-5x",
      max_retry => "exit-10-5-5m",
      proxy => "proxy.host"));

TIP: Running Cobalt Strike Teamserver as a Service

These scripts can be used as a template to set up teamserver as a service and to auto-start listeners.


This is a companion discussion topic for the original entry at https://www.cobaltstrike.com/blog/a-deeper-look-into-the-max-retry-strategy-option/. You can start discussion on this topic by mention the topic or reply here.