Software: Cobalt Strike

Cobalt Strike
ID S0154
Aliases Cobalt Strike
Type Tool
Platform Windows
Contributors Josh Abraham

Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.1

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.1

Techniques Used

  • Commonly Used Port - Cobalt Strike uses a custom command and control protocol that communicates over commonly used ports. The C2 protocol is encapsulated in common application layer protocols.1
  • Standard Application Layer Protocol - Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.1
  • Custom Command and Control Protocol - Cobalt Strike allows adversaries to modify the way the "beacon" payload communicates. This is called "Malleable C2" in the Cobalt Strike manual and is intended to allow a penetration test team to mimic known APT C2 methods.12
  • Multiband Communication - Cobalt Strike's "beacon" payload can receive C2 from one protocol and respond on another. This is typically a mixture of HTTP, HTTPS, and DNS traffic.1
  • Connection Proxy - Cobalt Strike can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access.1
  • Scheduled Transfer - Cobalt Strike can set its "beacon" payload to reach out to the C2 server on an arbitrary and random interval. In addition it will break large data sets into smaller chunks for exfiltration.1
  • Process Injection - Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary.1
  • Process Discovery - Cobalt Strike's "beacon" payload can collect information on process details.1
  • Remote Desktop Protocol - Cobalt Strike can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel.
  • Service Execution - Cobalt Strike can use PsExec to execute a payload on a remote host.1 It can also use Service Control Manager to start new services.3
  • Access Token Manipulation - Cobalt Strike can steal access tokens from existing processes and make tokens from known credentials.1
  • Valid Accounts - Cobalt Strike can use known credentials to run commands and spawn processes as another user.1
  • Remote System Discovery - Cobalt Strike uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network.1
  • PowerShell - Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.1
  • Execution through API - Cobalt Strike's "beacon" payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe.1
  • Timestomp - Cobalt Strike will timestomp any files or payloads placed on a target machine to help them blend in.1
  • Screen Capture - Cobalt Strike's "beacon" payload is capable of capturing screen shots.1
  • Input Capture - Cobalt Strike can track key presses with a keylogger module.1
  • Indicator Removal from Tools - Cobalt Strike includes a capability to modify the "beacon" payload to eliminate known signatures or unpacking methods.1
  • Man in the Browser - Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.1
  • Scripting - Cobalt Strike can use PowerSploit or other scripting frameworks to perform execution.3
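The Scheduled Transfer and Standard Application Layer Protocol entries above describe the most reliable network-side artifact of a "beacon": callbacks over ordinary HTTP/HTTPS on a configured sleep, shortened by a random jitter. The following detector, added here as an illustration and not code from Cobalt Strike, its vendor, or this page, groups proxy-log requests by (source, destination) pair, computes inter-arrival times, and flags pairs whose intervals cluster in the band a sleep-minus-jitter schedule produces. The log line format, the field names, the jitter tolerance and callback threshold, and the sample log lines are all assumptions made for the example; the log content is constructed, not real telemetry.

```python
"""Flag host pairs whose request timing looks like a fixed sleep minus random jitter.

Assumed log format (hypothetical, one request per line):
    <ISO-8601 timestamp> <src> <dst:port> <method> <uri>
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log (not real traffic). 10.0.0.5 calls back every
# ~60 s with up to 20% jitter; 10.0.0.7 is a user browsing a news site.
SAMPLE_LOG = """\
2021-03-01T10:00:00 10.0.0.5 203.0.113.10:443 GET /updates/check
2021-03-01T10:00:57 10.0.0.5 203.0.113.10:443 GET /updates/check
2021-03-01T10:01:46 10.0.0.5 203.0.113.10:443 GET /updates/check
2021-03-01T10:02:46 10.0.0.5 203.0.113.10:443 GET /updates/check
2021-03-01T10:03:39 10.0.0.5 203.0.113.10:443 GET /updates/check
2021-03-01T10:04:37 10.0.0.5 203.0.113.10:443 GET /updates/check
2021-03-01T10:05:28 10.0.0.5 203.0.113.10:443 GET /updates/check
2021-03-01T10:06:23 10.0.0.5 203.0.113.10:443 GET /updates/check
2021-03-01T10:07:22 10.0.0.5 203.0.113.10:443 GET /updates/check
2021-03-01T10:08:12 10.0.0.5 203.0.113.10:443 GET /updates/check
2021-03-01T10:00:05 10.0.0.7 198.51.100.20:443 GET /news/index.html
2021-03-01T10:00:10 10.0.0.7 198.51.100.20:443 GET /news/style.css
2021-03-01T10:05:10 10.0.0.7 198.51.100.20:443 GET /news/article/1
2021-03-01T10:05:22 10.0.0.7 198.51.100.20:443 GET /news/article/2
2021-03-01T10:20:22 10.0.0.7 198.51.100.20:443 GET /news/index.html
2021-03-01T10:20:24 10.0.0.7 198.51.100.20:443 GET /news/img/logo.png
2021-03-01T10:21:00 10.0.0.7 198.51.100.20:443 GET /news/article/3
2021-03-01T10:45:00 10.0.0.7 198.51.100.20:443 GET /news/index.html
2021-03-01T10:45:03 10.0.0.7 198.51.100.20:443 GET /news/style.css
2021-03-01T10:46:30 10.0.0.7 198.51.100.20:443 GET /news/article/4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<uri>\S+)$")


def parse_log(text):
    """Return {(src, dst): [datetime, ...]}; lines that do not match the format are skipped."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sessions[(m.group("src"), m.group("dst"))].append(datetime.fromisoformat(m.group("ts")))
    return sessions


def intervals(timestamps):
    """Seconds between consecutive requests, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def looks_like_beacon(deltas, max_jitter=0.5, min_callbacks=8):
    """Jitter only shortens a sleep, so observed gaps sit in [sleep*(1-j), sleep].
    The longest gap therefore estimates the configured sleep, and the spread of the
    gaps relative to it approximates the jitter. Flag when enough callbacks were seen
    and that spread stays within the tolerated jitter fraction (a threshold assumed here)."""
    if len(deltas) + 1 < min_callbacks:
        return False, None  # too few callbacks to judge (dormant or just started)
    longest, shortest = max(deltas), min(deltas)
    if longest <= 0:
        return False, None
    spread = (longest - shortest) / longest
    stats = {"sleep_est": longest, "spread": round(spread, 3), "median": median(deltas)}
    return spread <= max_jitter, stats


def find_beacons(text, **thresholds):
    """Run the detector over a log and return the flagged (src, dst) pairs with their stats."""
    hits = {}
    for pair, stamps in parse_log(text).items():
        flagged, stats = looks_like_beacon(intervals(stamps), **thresholds)
        if flagged:
            hits[pair] = stats
    return hits


if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_LOG).items():
        print(f"{pair[0]} -> {pair[1]}: sleep~{stats['sleep_est']:.0f}s, spread {stats['spread']}")
```

Because the beacon's callback interval, not its URI or port, is what this keys on, the check is indifferent to Malleable C2 profiles that change the HTTP shape; the trade-off is that a long sleep needs a correspondingly long observation window before `min_callbacks` is reached, and interactive (near-zero sleep) sessions or the SMB peer-to-peer mode described above produce no such egress pattern at all.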


The following groups use this software: