Cobalt Strike

Description

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.

Names

Name
Cobalt Strike
CobaltStrike
Agentemis
BEACON
cobeacon

Category

Tools

Type

• Backdoor
• Vulnerability scanner
• Keylogger
• Tunneling
• Loader
• Exfiltration

Information

• https://www.cobaltstrike.com/
• https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
• https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
• https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py
• https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
• http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems
• https://www.lac.co.jp/lacwatch/people/20180521_001638.html
• https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/
• https://www.bleepingcomputer.com/news/security/threat-actors-use-older-cobalt-strike-versions-to-blend-in/
• https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf
• https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html
• https://www.bleepingcomputer.com/news/security/alleged-source-code-of-cobalt-strike-toolkit-shared-online/
• https://www.darkreading.com/threat-intelligence/how-to-identify-cobalt-strike-on-your-network/a/d-id/1339357
• https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/
• https://www.darkreading.com/attacks-breaches/cobalt-strike-becomes-a-preferred-hacking-tool-by-cybercrime-apt-groups/d/d-id/1341073
• http://www.intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor
• https://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-penetration-testing-tool-popular-among-criminals/
• https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware
• https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/
• https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/
• https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/
• https://www.recordedfuture.com/detect-cobalt-strike-inside-look/
• https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9
• https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/
• https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot
• https://asec.ahnlab.com/en/31811/
• https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
• https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/
• https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/
• https://securityintelligence.com/posts/analysis-rce-vulnerability-cobalt-strike/
• https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse
• https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/
• https://securityintelligence.com/posts/defining-cobalt-strike-reflective-loader/
• https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2/
• https://asec.ahnlab.com/en/59110/
• https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/
• https://www.europol.europa.eu/media-press/newsroom/news/europol-coordinates-global-action-against-criminal-abuse-of-cobalt-strike
• https://www.cobaltstrike.com/blog/update-stopping-cybercriminals-from-abusing-cobalt-strike

Mitre Attack

• https://attack.mitre.org/software/S0154/

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Alienvault Otx

• https://otx.alienvault.com/browse/pulses?q=tag:Cobalt%20Strike

Other Information

Uuid

7ea8d070-cfd7-473c-a615-437fc292af55

Last Card Change

2025-04-21