![]() ![]() Thanks to Kostastsale for helping put this guide together! Cobalt Strike CapabilitiesĬobalt Strike has many features, and it is under constant development by a team of developers at Core Security by Help Systems. Threat actors turn to Cobalt Strike for its ease of use and extensibility. Cobalt Strike is chosen for the second stage of the attack as it offers enhanced post-exploitation capabilities. QakBot), Ursnif, Hancitor, Bazar and TrickBot. Some of the most common droppers we see are IcedID (a.k.a. Having said that, not all of Cobalt Strike’s features will be discussed.Īs you have noticed from our reporting so far, Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage. The primary purpose of this post is to expose the most common techniques that we see from the intrusions that we track and provide detections. Therefore, defenders should know how to detect Cobalt Strike in various stages of its execution. In most of our cases, we see the threat actors utilizing Cobalt Strike. Instead, the product provides flexibility, both in its potential configurations and options to execute offense actions, to allow you to adapt the product to your circumstance and objectives.Ĭopyright © Fortra, LLC and its group of companies.Īll trademarks and registered trademarks are the property of their respective owners.In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. It is not Cobalt Strike’s goal to provide evasion out-of-the-box. ![]() Throughout each of the above steps, you will need to understand the target environment, its defenses, and reason about the best way to meet your objectives with what is available to you. Cobalt Strike generates high quality reports that you may present to your clients as stand-alone products or use as appendices to your written narrative. ![]() Provide the network administrators an activity timeline so they may find attack indicators in their sensors. This Cobalt Strike-only technique works with most sites and bypasses two-factor authentication.Ĭobalt Strike’s reporting features reconstruct the engagement for your client. Use browser pivoting to gain access to websites that your compromised target is logged onto with Internet Explorer. Cobalt Strike’s workflows make it easy to deploy keystroke loggers and screenshot capture tools on compromised systems. Cobalt Strike is optimized to capture trust relationships and enable lateral movement with captured credentials, password hashes, access tokens, and Kerberos tickets.ĭemonstrate meaningful business risk with Cobalt Strike’s user-exploitation tools. Pivot into the compromised network, discover hosts, and move laterally with Beacon’s helpful automation and peer-to-peer communication over named pipes and TCP sockets. Reprogram Beacon to use network indicators that look like known malware or blend in with existing traffic. Beacon walks through common proxy configurations and calls home to multiple hosts to resist blocking.Įxercise your target’s attack attribution and analysis capability with Beacon’s Malleable Command and Control language. Beacon will phone home over DNS, HTTP, or HTTPS. This post-exploitation payload uses an asynchronous “ low and slow” communication pattern that’s common with advanced threat malware. Cobalt Strike’s phishing tool repurposes saved emails into pixel- perfect phishes.Ĭontrol your target’s network with Cobalt Strike’s Beacon. Use Cobalt Strike’s spear phishing tool to deliver your weaponized document to one or more people in your target’s network. Cobalt Strike also has options to export its post-exploitation payload, Beacon, in a variety of formats for pairing with artifacts outside of this toolset. Cobalt Strike has options to turn common documents into weaponized artifacts. Weaponization is pairing a post-exploitation payload with a document or exploit that will execute it on target. The insights gleaned from reconnaissance will help you understand which options have the best chance of success on your target. Cobalt Strike’s system profiler is a web application that maps your target’s client-side attack surface. OverviewĪ thought-out targeted attack begins with reconnaissance. The rest of this manual discusses these features in detail. This section describes the attack process supported by Cobalt Strike’s feature set. The product is designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors. Cobalt Strike is a platform for adversary simulations and red team operations. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |