Cobalt Strike

Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. [1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. [1]

ID: S0154
Aliases: Cobalt Strike
Type: TOOL
Contributors: Josh Abraham

Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | Cobalt Strike can steal access tokens from existing processes and make tokens from known credentials.[1] |
| Enterprise | T1197 | BITS Jobs | Cobalt Strike can download a hosted "beacon" payload using BITSAdmin.[2] |
| Enterprise | T1088 | Bypass User Account Control | Cobalt Strike can use a number of known techniques to bypass Windows UAC.[1] |
| Enterprise | T1059 | Command-Line Interface | Cobalt Strike uses a command-line interface to interact with systems.[3] |
| Enterprise | T1043 | Commonly Used Port | Cobalt Strike uses a custom command and control protocol that communicates over commonly used ports. The C2 protocol is encapsulated in common application layer protocols.[1] |
| Enterprise | T1090 | Connection Proxy | Cobalt Strike can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access.[1] |
| Enterprise | T1003 | Credential Dumping | Cobalt Strike can recover hashed passwords.[1] |
| Enterprise | T1094 | Custom Command and Control Protocol | Cobalt Strike allows adversaries to modify the way the "beacon" payload communicates. This is called "Malleable C2" in the Cobalt Strike manual and is intended to allow a penetration test team to mimic known APT C2 methods.[1][4] |
| Enterprise | T1005 | Data from Local System | Cobalt Strike can collect data from a local system.[3] |
| Enterprise | T1175 | Distributed Component Object Model | Cobalt Strike can deliver "beacon" payloads for lateral movement by leveraging remote COM execution.[5] |
| Enterprise | T1106 | Execution through API | Cobalt Strike's "beacon" payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Cobalt Strike can exploit vulnerabilities such as MS14-058.[3] |
| Enterprise | T1066 | Indicator Removal from Tools | Cobalt Strike includes a capability to modify the "beacon" payload to eliminate known signatures or unpacking methods.[1] |
| Enterprise | T1056 | Input Capture | Cobalt Strike can track key presses with a keylogger module.[1] |
| Enterprise | T1185 | Man in the Browser | Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.[1] |
| Enterprise | T1026 | Multiband Communication | Cobalt Strike's "beacon" payload can receive C2 from one protocol and respond on another. This is typically a mixture of HTTP, HTTPS, and DNS traffic.[1] |
| Enterprise | T1046 | Network Service Scanning | Cobalt Strike can perform port scans from an infected host.[1] |
| Enterprise | T1135 | Network Share Discovery | Cobalt Strike can query shared drives on the local system.[3] |
| Enterprise | T1050 | New Service | Cobalt Strike can install a new service.[3] |
| Enterprise | T1075 | Pass the Hash | Cobalt Strike can perform pass the hash.[3] |
| Enterprise | T1086 | PowerShell | Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.[1] |
| Enterprise | T1057 | Process Discovery | Cobalt Strike's "beacon" payload can collect information on process details.[1] |
| Enterprise | T1093 | Process Hollowing | Cobalt Strike can use process hollowing for execution.[3] |
| Enterprise | T1055 | Process Injection | Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary.[1] |
| Enterprise | T1076 | Remote Desktop Protocol | Cobalt Strike can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel.[1] |
| Enterprise | T1021 | Remote Services | Cobalt Strike can SSH to a remote service.[3] |
| Enterprise | T1018 | Remote System Discovery | Cobalt Strike uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network.[1] |
| Enterprise | T1029 | Scheduled Transfer | Cobalt Strike can set its "beacon" payload to reach out to the C2 server on an arbitrary and random interval. In addition, it will break large data sets into smaller chunks for exfiltration.[1] |
| Enterprise | T1113 | Screen Capture | Cobalt Strike's "beacon" payload is capable of capturing screenshots.[1] |
| Enterprise | T1064 | Scripting | Cobalt Strike can use PowerSploit or other scripting frameworks to perform execution.[3] |
| Enterprise | T1035 | Service Execution | Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use the Service Control Manager to start new services.[1][3] |
| Enterprise | T1071 | Standard Application Layer Protocol | Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.[1] |
| Enterprise | T1099 | Timestomp | Cobalt Strike will timestomp any files or payloads placed on a target machine to help them blend in.[1] |
| Enterprise | T1078 | Valid Accounts | Cobalt Strike can use known credentials to run commands and spawn processes as another user.[1] |
| Enterprise | T1077 | Windows Admin Shares | Cobalt Strike can use Windows admin shares (C$ and ADMIN$) for lateral movement.[3] |
| Enterprise | T1047 | Windows Management Instrumentation | Cobalt Strike can use WMI to deliver a payload to a remote host.[1] |
| Enterprise | T1028 | Windows Remote Management | Cobalt Strike can use WinRM to execute a payload on a remote host.[1] |

Groups

Groups that use this software:

APT19
APT32
Cobalt Group
CopyKittens
DarkHydrus
Leviathan

References