SpecterOps · zurro · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025
diff --git a/docs/cli.md b/docs/cli.md
@@ -275,6 +275,63 @@ docker run --rm -ti \
 - **File Downloads**: Agent-collected files
 - **Screenshots**: Visual captures from agents
 
+## Cobalt Strike Connector
+
+Ingest data from Cobalt Strike into Nemesis.
+
+### Requirements
+
+- The Cobalt Strike API Server should be running. For information on starting the REST API server, see [Starting the REST API Server](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_starting-rest-server.htm).
+- Cobalt Strike should be installed and configured.
+- Cobalt Strike should be properly licensed
+
+### Configuration
+
+Create a configuration file (e.g., `settings_cobaltstrike.yaml`):
+
+```yaml
+cache_db_path: "/tmp/nemesis_connectors"
+conn_timeout_sec: 5
+validate_https_certs: true
+
+nemesis:
+  url: "https://nemesis.example.com"
+  credential:
+    username: "connector_bot"
+    password: "connector_password"
+  expiration_days: 100
+  max_file_size: 1000000000
+
+cobaltstrike:
+  - url: "https://cobaltstrike.example.com:50443"
+    credential:
+      username: "nemesis_bot"
+      password: "cobaltstrike_password"
+
+    project: "project name"
+    poll_interval_sec: 3
+```
+
+### Usage
+
+```bash
+# Run with mounted config file
+docker run \
+  --rm -ti \
+  -v /path/to/settings_cobaltstrike.yaml:/config/settings_cobaltstrike.yaml \
+  ghcr.io/specterops/nemesis/cli \
+  connect-cobaltstrike -c /config/settings_cobaltstrike.yaml
+
+# Show example configuration
+docker run --rm ghcr.io/specterops/nemesis/cli connect-cobaltstrike --showconfig
+
+# Enable debug logging
+docker run --rm \
+  -v /path/to/settings_cobaltstrike.yaml:/config/settings_cobaltstrike.yaml \
+  ghcr.io/specterops/nemesis/cli \
+  connect-cobaltstrike -c /config/settings_cobaltstrike.yaml --debug
+```
+
 ## Outflank Connector
 
 Ingest data from Outflank Stage1 C2 into Nemesis.

diff --git a/docs/usage_guide.md b/docs/usage_guide.md
@@ -24,7 +24,7 @@ For a general overview of the Nemesis project structure, see the [overview](over
 
 Once Nemesis is running, data first needs to be ingested into the platform. Ingestion into Nemesis can occur in multiple ways, including:
 
-* [Auto-ingesting data from C2 platforms](#nemesis-c2-connector-setup), including Mythic and Outflank C2.
+* [Auto-ingesting data from C2 platforms](#nemesis-c2-connector-setup), including Mythic, Cobalt Strike and Outflank C2.
 * [Manually uploading files on the "File Upload" page in the Nemesis Dashboard UI.](#manual-file-upload)
 * [Using the CLI tool](./cli.md) to:
     * [submit individual files or entire folders/subfolders](./cli.md#file-submission)
@@ -33,7 +33,7 @@ Once Nemesis is running, data first needs to be ingested into the platform. Inge
 
 ### Nemesis C2 Connector Setup
 
-Nemesis includes connectors for [Mythic](https://github.com/its-a-feature/Mythic) and Outflank C2 (formerly Stage1). The connectors hook into the C2 platforms and transfer data automatically into Nemesis. The connectors are located in the [CLI](https://github.com/SpecterOps/Nemesis/tree/main/projects/cli/cli/) project.
+Nemesis includes connectors for [Mythic](https://github.com/its-a-feature/Mythic), Cobalt Strike and Outflank C2 (formerly Stage1). The connectors hook into the C2 platforms and transfer data automatically into Nemesis. The connectors are located in the [CLI](https://github.com/SpecterOps/Nemesis/tree/main/projects/cli/cli/) project.
 
 See the [CLI](./cli.md) documentation for more details on configuration.
 
@@ -201,4 +201,4 @@ Navigating to the "Help" menu reachable in the bottom left of the Nemesis interf
 
 ![ReDoc API Documentation](images/api-redoc.png)
 
-Additionally, the API documentation is dynamically rebuilt by GitHub actions when the relevant files are modified and published to [API](./api.md) for up-to-date offline access.
+Additionally, the API documentation is dynamically rebuilt by GitHub actions when the relevant files are modified and published to [API](./api.md) for up-to-date offline access.
diff --git a/projects/cli/README.md b/projects/cli/README.md
@@ -4,13 +4,13 @@ A command-line interface for the Nemesis platform that provides file submission,
 
 ## Purpose
 
-This CLI tool serves as the primary interface for uploading files to Nemesis, monitoring directories for new files, and synchronizing data from C2 frameworks like Mythic and Outflank.
+This CLI tool serves as the primary interface for uploading files to Nemesis, monitoring directories for new files, and synchronizing data from C2 frameworks like Mythic, Cobalt Strike and Outflank.
 
 ## Features
 
 - **File submission**: Upload single files or entire directories to Nemesis
 - **Directory monitoring**: Real-time monitoring of folders for new files
-- **C2 connectors**: Synchronize data from Mythic and Outflank C2 frameworks
+- **C2 connectors**: Synchronize data from Mythic, Cobalt Strike and Outflank C2 frameworks
 - **Stress testing**: Load testing capabilities for the Nemesis API
 - **Module testing**: Execute file enrichment modules standalone for development
 
@@ -46,6 +46,13 @@ Ingest data from Outflank Stage1 C2 into Nemesis.
 - Uses `settings_outflank.yaml` configuration file
 - `--showconfig`: Display example configuration
 
+### connect-cobaltstrike
+Ingest data from Cobalt Strike into Nemesis.
+
+**Configuration:**
+- Uses `settings_cobaltstrike.yaml` configuration file
+- `--showconfig`: Display example configuration
+
 ## Additional Tools
 
 - **stress_test**: Load testing tool for API performance evaluation

diff --git a/projects/cli/cli/cobaltstrike_connector/cache.py b/projects/cli/cli/cobaltstrike_connector/cache.py
@@ -0,0 +1,37 @@
+import logging
+
+from cli.cobaltstrike_connector.cobaltstrike_client import Beacon, CobaltStrikeClient
+
+
+class ImplantCache:
+    def __init__(self, client: CobaltStrikeClient):
+        self.client = client
+        self.cache: dict[str, Beacon] = {}
+        self.logger = logging.getLogger(__name__)
+
+    async def initialize(self):
+        """Initialize the cache with current beacons"""
+        try:
+            beacons = await self.client.get_beacons()
+            for beacon in beacons:
+                self.cache[beacon.bid] = beacon
+            self.logger.info(f"Initialized cache with {len(beacons)} beacons")
+        except Exception as e:
+            self.logger.error(f"Failed to initialize beacon cache: {e}")
+            raise
+
+    async def get_beacon(self, bid: str) -> Beacon | None:
+        """Get beacon from cache, fetching from API if not found"""
+        if bid in self.cache:
+            return self.cache[bid]
+
+        try:
+            # Refresh entire cache as there's no endpoint for single beacon
+            beacons = await self.client.get_beacons()
+            for beacon in beacons:
+                self.cache[beacon.bid] = beacon
+
+            return self.cache.get(bid)
+        except Exception as e:
+            self.logger.error(f"Failed to fetch beacon {bid}: {e}")
+            return None