Software: Cobalt Strike

Cobalt Strike
ID: S0154
Aliases: Cobalt Strike
Type: Tool
Platform: Windows
Contributors: Josh Abraham

Cobalt Strike is a commercial, full-featured penetration testing tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]

Techniques Used

  • Commonly Used Port - Cobalt Strike uses a custom command and control protocol that communicates over commonly used ports. The C2 protocol is encapsulated in common application layer protocols.[1]
  • Standard Application Layer Protocol - Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.[1]
  • Connection Proxy - Cobalt Strike can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access.[1]
  • Scheduled Transfer - Cobalt Strike can set its "beacon" payload to reach out to the C2 server on an arbitrary and random interval. In addition, it will break large data sets into smaller chunks for exfiltration.[1]
  • PowerShell - Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.[1]
  • Man in the Browser - Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.[1]


The following groups use this software: