Cobalt Strike is a powerful threat emulation tool that provides a post-exploitation agent and covert channels ideal for Adversary Simulations and Red Team exercises. With Cobalt Strike, companies can emulate the tactics and techniques of a quiet long-term embedded threat actor in an IT network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike's solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.
Beacon, Cobalt Strike's post-exploitation payload, executes PowerShell scripts, logs keystrokes, takes screenshots, downloads files, and spawns other payloads.
Using asynchronous “low and slow” communication to remain undetected, Beacon can simulate an embedded attacker. Additionally, Beacon’s flexible Command and Control language, Malleable C2, can be used to alter network indicators to blend in with normal traffic or cloak its activities by emulating different types of malware.
Cobalt Strike can utilize a man-in-the-browser attack to hijack a compromised user's authenticated web sessions, enabling users to browser pivot to go around two-factor authentication and access sites as their target.
Cobalt Strike’s System Profiler is ideal for client-side reconnaissance activities. It stands up a local web-server, fingerprinting anyone who visits it and then redirects them to a legitimate site. From there, it can discover the internal IP address, applications, plugins, and version information of the visitor.
Multiple Red Teamers can log on to the team server for collaborative engagements, communicating in real time. In addition to shared sessions, team members can also share hosts, captured data, and download files.
Cobalt Strike has multiple reporting options for data synthesis and further analysis. Report types include:
- Indicators of Compromise
- Social Engineering
- Tactics, Techniques, Procedures
New Cobalt Strike licenses cost $5,900 per user for a one year license. Cobalt Strike can also be bundled with our penetration testing solution, Core Impact, for a reduced price. For more information, check out our pricing page.
A Framework Built for Flexibility
Users can modify built-in scripts or write their own using Cobalt Strike’s scripting language, Aggressor Script. New scripts are easily uploaded and managed in the Script Console, where you can trace, profile, debug, and further interact with scripts.
Adjustable Attack Kits
Kits downloaded from the Cobalt Strike arsenal can be altered to suit the needs of each engagement. For example, script templates from the Resource Kit, which is used in workflows, can be redefined. Additionally, users can create their own Beacon Object File (BOF) to expand the Beacon agent with post-exploitation features.
Interoperability with Core Impact
Organizations with both Core Impact and Cobalt Strike can take advantage of session passing and tunneling capabilities between these two tools. Beacon can be deployed from within Core Impact and users can spawn a Core Impact agent from within Cobalt Strike.
Users are encouraged to extend Cobalt Strike’s capabilities by creating their own tools. The Community Kit serves as a central repository for projects from the user community so fellow security professionals may also benefit from these extensions.
A Brief History of Cobalt Strike
Raphael Mudge created Cobalt Strike in 2012 to enable threat-representative security tests. Cobalt Strike was one of the first public red team command and control frameworks. In 2020, HelpSystems acquired Cobalt Strike to add to its Core Security portfolio. Today, Cobalt Strike is the go-to red team platform for many U.S. government, large business, and consulting organizations.
Learn more at www.cobaltstrike.com