Cobalt Strike

Cobalt Strike is an exploitation framework developed for security professionals to emulate targeted and post-exploitation attacks by advanced adversaries. Like other threat emulation tools such as Metasploit, the Cobalt Strike framework has become a popular option among threat actors and is used for malicious purposes, mainly because it is well written, stable, and highly customizable.[1]

Specifically, Cobalt Strike's Beacon payload is a preferred choice because it offers the attacker a wealth of functionality, including but not limited to command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz, network scanning and lateral movement. Beacon is in-memory/fileless: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or by executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes, as well as forward and reverse TCP.[2][3]

Techniques Used

Domain ID Name Use
Enterprise VT0018.001 Input Capture: Keylogging

Cobalt Strike can track key presses with a keylogger module.[4]

Enterprise VT0024 Network Service Scanning

Cobalt Strike can perform port scans from an infected host.[4]

Enterprise VT0028 Protocol Tunneling

Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.[4]

Enterprise VT0020.001 Remote Services: SSH

Cobalt Strike can SSH to a remote service.[5]

Enterprise VT0034 Remote System Discovery

Cobalt Strike uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network.[4]

Threat Actors That Use This Tool

ID Name References
VG0009 APT40

APT40 uses Cobalt Strike for Remote Services: SSH, Subvert Security Controls: Code Signing, and Valid Accounts.

Created: 04 May 2021

Last Modified: 04 May 2021