SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. Cobalt Strike

Cobalt Strike

Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. [1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. [1]

ID: S0154
Type: MALWARE
Platforms: Windows
Contributors: Josh Abraham
Version: 1.5
Created: 14 December 2017
Last Modified: 11 September 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Cobalt Strike can use a number of known techniques to bypass Windows UAC.[1]
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Cobalt Strike can steal access tokens from exiting processes.[1]
.004 Access Token Manipulation: Parent PID Spoofing

Cobalt Strike can spawn processes with alternate PPIDs.[2]
.003 Access Token Manipulation: Make and Impersonate Token

Cobalt Strike can make tokens from known credentials.[1]
Enterprise T1087 .002 Account Discovery: Domain Account

Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group.[3]
Enterprise T1071 Application Layer Protocol

Cobalt Strike conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.[1]

.004 DNS

Cobalt Strike uses a custom command and control protocol that can encapsulated in DNS. All protocols use their standard assigned ports.[1]

.001 Web Protocols

Cobalt Strike uses a custom command and control protocol that can be encapsulated in HTTP or HTTPS, or DNS. All protocols use their standard assigned ports.[1]

Enterprise T1197 BITS Jobs

Cobalt Strike can download a hosted "beacon" payload using BITSAdmin.[4]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Cobalt Strike uses a command-line interface to interact with systems.[5]
.001 Command and Scripting Interpreter: PowerShell

Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.[1][3] Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution.[5][2]
.005 Command and Scripting Interpreter: Visual Basic

Cobalt Strike can use VBA to perform execution.[5][2]
.006 Command and Scripting Interpreter: Python

Cobalt Strike can use Python to perform execution.[5][2]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Cobalt Strike can install a new service.[5]
Enterprise T1005 Data from Local System

Cobalt Strike can collect data from a local system.[5]
Enterprise T1068 Exploitation for Privilege Escalation

Cobalt Strike can exploit vulnerabilities such as MS14-058.[5]
Enterprise T1070 .006 Indicator Removal on Host: Timestomp

Cobalt Strike will timestomp any files or payloads placed on a target machine to help them blend in.[1]
Enterprise T1056 .001 Input Capture: Keylogging

Cobalt Strike can track key presses with a keylogger module.[1]
Enterprise T1185 Man in the Browser

Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.[1]
Enterprise T1106 Native API

Cobalt Strike's "beacon" payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe[1]
Enterprise T1046 Network Service Scanning

Cobalt Strike can perform port scans from an infected host.[1]
Enterprise T1135 Network Share Discovery

Cobalt Strike can query shared drives on the local system.[5]
Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Cobalt Strike includes a capability to modify the "beacon" payload to eliminate known signatures or unpacking methods.[1]
Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Cobalt Strike can recover hashed passwords.[1]
Enterprise T1057 Process Discovery

Cobalt Strike's "beacon" payload can collect information on process details.[1]
Enterprise T1055 Process Injection

Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary.[1]
.012 Process Hollowing

Cobalt Strike can use process hollowing for execution.[5]
Enterprise T1572 Protocol Tunneling

Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.[1]
Enterprise T1090 .001 Proxy: Internal Proxy

Cobalt Strike can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access.[1]
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Cobalt Strike can use Window admin shares (C$ and ADMIN$) for lateral movement.[5]
.006 Remote Services: Windows Remote Management

Cobalt Strike can use WinRM to execute a payload on a remote host.[1]
.004 Remote Services: SSH

Cobalt Strike can SSH to a remote service.[5]
.001 Remote Services: Remote Desktop Protocol

Cobalt Strike can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel.[1]
.003 Remote Services: Distributed Component Object Model

Cobalt Strike can deliver "beacon" payloads for lateral movement by leveraging remote COM execution.[6]
Enterprise T1018 Remote System Discovery

Cobalt Strike uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network.[1]
Enterprise T1029 Scheduled Transfer

Cobalt Strike can set its "beacon" payload to reach out to the C2 server on an arbitrary and random interval. In addition it will break large data sets into smaller chunks for exfiltration.[1]
Enterprise T1113 Screen Capture

Cobalt Strike's "beacon" payload is capable of capturing screenshots.[1]
Enterprise T1016 System Network Configuration Discovery

Cobalt Strike can determine the IP addresses of domain controllers.[3]
Enterprise T1569 .002 System Services: Service Execution

Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services.[1][5]
Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Cobalt Strike can perform pass the hash.[5]
Enterprise T1078 .003 Valid Accounts: Local Accounts

Cobalt Strike can use known credentials to run commands and spawn processes as a local user account.[1][2]
.002 Valid Accounts: Domain Accounts

Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account.[1][2]
Enterprise T1047 Windows Management Instrumentation

Cobalt Strike can use WMI to deliver a payload to a remote host.[1]

Groups That Use This Software

ID Name References
G0073 APT19

[7]
G0079 DarkHydrus

[8][9]
G0052 CopyKittens

[10]
G0050 APT32

[11][12][13][14]
G0080 Cobalt Group

[15][16][17][18] [19][20][21][22]
G0016 APT29

[23]
G0065 Leviathan

[24][25]
G0037 FIN6

[26]
G0096 APT41

[27]
G0114 Chimera

[28]
G0102 Wizard Spider

[29][30][31][32][33][34]

References

  1. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  2. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  3. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  4. Strategic Cyber, LLC. (n.d.). Scripted Web Delivery. Retrieved January 23, 2018.
  5. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  6. Mudge, R. (2017, January 24). Scripting Matt Nelson’s MMC20.Application Lateral Movement Technique. Retrieved November 21, 2017.
  7. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  8. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  9. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  10. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  11. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  12. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  13. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  14. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  15. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  16. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  17. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  1. Mesa, M, et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018.
  2. Klijnsma, Y.. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.
  3. Klijnsma, Y.. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
  4. CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
  5. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  6. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  7. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  8. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  9. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  10. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  11. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  12. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  13. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  14. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  15. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  16. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  17. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.