Cobalt Strike is a powerful threat emulation tool that provides a post-exploitation agent and covert channels ideal for Adversary Simulations and Red Team exercises, replicating the tactics and techniques of an advanced adversary in a network.
Simulate an Embedded Threat Actor
Beacon, Cobalt Strike's post-exploitation payload, can be quietly transmitted over HTTP, HTTPS, or DNS and uses asynchronous “low and slow” communication commonly utilized by embedded attackers who wish to remain undetected. With Malleable C2, Beacon’s flexible Command and Control language, users can modify network indicators to blend in with normal traffic or cloak its activities by emulating different types of malware. Beacon can perform various post-exploitation activities, including PowerShell script execution, keystroke logging, capturing screenshots, downloading files, and spawning other payloads.
Gain a Foothold with Targeted Attacks
Begin by gathering intelligence using Cobalt Strike’s system profiler, which maps out a target’s client-side attack surface, providing a list of applications and plugins it discovers through the user’s browser, as well as Internal IP address of users who are behind a proxy server. With this advanced reconnaissance, it’s easier to determine the most successful attack path.
Design an attack using one of Cobalt Strike’s numerous packages. For example, host a web drive-by attack using website clones. Alternately, you can transform an innocent file into a trojan horse using Microsoft Office Macros or Windows Executables.
You can also deliver an attack using Cobalt Strike’s spear phishing tool. Assemble a list of targets and select one of the preconfigured templates or create your own.
Tailor Scripts and Frameworks to Suit Specific Needs
Cobalt Strike is designed with flexibility in mind in order to meet all of your needs. Users are encouraged to extend Cobalt Strike’s capabilities by making changes to built-in scripts or bringing their own weaponization. Additional modifications can be made to the Cobalt Strike client by writing scripts in its custom scripting language, Aggressor Script.
Alterations can also be made to kits downloaded from the Cobalt Strike arsenal. Modify the Artifact Kit, the source code framework used to generate executables and DLLs, or redefine the script templates located in the Resource Kit, which Cobalt Strike uses in its workflows.
Finally, you can write your own Beacon Object File (BOF) and expand the Beacon agent with post-exploitation features. A BOF is a compiled C program, written to a convention that allows it to execute within a Beacon process and use internal Beacon APIs.
Collaborate for Efficient Red Teaming
Multiple people can log on to the team server for Red Team efforts. Once connected, team members can use the same sessions and communicate in real time through a shared event log. They are also able to share hosts, captured data, and download files.
Reconstruct Engagements with Comprehensive Reports
Cobalt Strike can generate multiple reports to provide a complete picture of all the activities that took place during an engagement. Report types include:
Timeline of activities
Summary of data on a per-host basis
Indicators of compromise
Full account of activity for all sessions
Tactics, techniques, and procedures
Reports are exported in MS Word or as a PDF, and can be tailored as needed. Custom logos may be added, and title, description, and hosts can be configured.
Streamline Efforts with Core Impact Interoperability
Those with both Core Impact and Cobalt Strike can take advantage of session passing and tunneling capabilities between the two tools. This interoperability can streamline pen testing efforts even further. For example, users can start their engagement, getting initial access from Core Impact, and they can continue with post-exploitation activities with Cobalt Strike by spawning a Beacon.
Cobalt Strike licenses cost $5,900 per user for a one year license. Cobalt Strike can also be bundled with our penetration testing solution, Core Impact, for a reduced price.