In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools threat actors use to execute their mission objectives. In most of our cases, we see the threat actors utilizing Cobalt Strike. Therefore, defenders should know how to detect Cobalt Strike in the various stages of its execution. The primary purpose of this post is to expose the most common techniques that we see in the intrusions we track and to provide detections for them. Having said that, not all of Cobalt Strike's features will be discussed.

As you have noticed from our reporting so far, Cobalt Strike is used as a post-exploitation tool, with various malware droppers responsible for the initial infection stage. Some of the most common droppers we see are IcedID (a.k.a. QakBot), Ursnif, Hancitor, Bazar and TrickBot. Cobalt Strike is chosen for the second stage of the attack because it offers enhanced post-exploitation capabilities; threat actors turn to it for its ease of use and extensibility.

Thanks to Kostastsale for helping put this guide together!

Cobalt Strike Capabilities

Cobalt Strike has many features, and it is under constant development by a team of developers at Core Security by HelpSystems. Raphael Mudge was the primary maintainer for many years before the acquisition by Core Security. Raphael has an extensive playlist on YouTube that demonstrates the many features of Cobalt Strike, with step-by-step guides on how to use its full potential. His videos are handy to watch if you want a glimpse of all the features Cobalt Strike has to offer in the various phases of an intrusion.

Below are some of the capabilities that we see being used by operators. This is not an exhaustive list of the commands available, but it contains most of the built-in features that we encounter in our cases. In the table below, the "Documented Features" correspond to the Cobalt Strike execution commands issued via the interactive shell, as per the official documentation:

Capabilities
dllinject (reflective DLL injection)
dllload (loading an on-disk DLL into memory)
elevate svc-exe (creates a service that runs a payload as SYSTEM)
getsystem (SYSTEM account impersonation using named pipes)
chromedump (recovers Google Chrome passwords from the current user)
net (commands to find targets on the domain)
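As an added example (not from the original post or from Cobalt Strike's own documentation), a small Python triage routine that turns the descriptions of getsystem and elevate svc-exe above into checks over Windows service-install records (System log event 7045). The record layout, the two heuristics and the sample records are assumptions constructed here, not real telemetry or documented indicators.

```python
import re
from dataclasses import dataclass

@dataclass
class ServiceInstall:
    """Hypothetical flat view of a System log 7045 'service was installed' record."""
    service_name: str
    image_path: str   # ImagePath / ServiceFileName
    account: str      # account the service runs as

# Heuristics assumed here from the behaviours the page describes (not taken from
# Cobalt Strike documentation): getsystem impersonates SYSTEM through a named pipe,
# so a service command line that writes to \\.\pipe\<name> is suspicious; svc-exe
# installs a SYSTEM service for a dropped payload, so a short random-looking
# executable in a temp or admin-share path running as LocalSystem is suspicious.
PIPE_IMPERSONATION = re.compile(r"\\\\\.\\pipe\\[\w-]+", re.IGNORECASE)
DROPPED_SVC_BINARY = re.compile(
    r"(?:\\\\[^\\]+\\ADMIN\$|\\Windows\\Temp|\\Temp)\\[a-z0-9]{4,8}\.exe$",
    re.IGNORECASE,
)

def classify_service_install(evt: ServiceInstall) -> list[str]:
    """Return the names of the detections that fire for one 7045 record."""
    hits = []
    path = evt.image_path.strip()
    if PIPE_IMPERSONATION.search(path):
        hits.append("named_pipe_impersonation_service")
    if DROPPED_SVC_BINARY.search(path) and evt.account.lower() == "localsystem":
        hits.append("dropped_system_service_binary")
    return hits

def triage(records: list[ServiceInstall]) -> dict[str, list[str]]:
    """Map each flagged service name to its detections; benign services are omitted."""
    flagged = {}
    for rec in records:
        hits = classify_service_install(rec)
        if hits:
            flagged[rec.service_name] = hits
    return flagged

# Constructed sample records (not real telemetry): a getsystem-style pipe service,
# an svc-exe-style dropped binary, and a legitimate Windows service for contrast.
SAMPLES = [
    ServiceInstall("a1b2c3d", r"%COMSPEC% /c echo a1b2c3d > \\.\pipe\a1b2c3d", "LocalSystem"),
    ServiceInstall("4f1a9c2", r"\\WS01\ADMIN$\4f1a9c2.exe", "LocalSystem"),
    ServiceInstall("Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
]
```

Running `triage(SAMPLES)` flags the first two records and leaves the Spooler install untouched; in practice the path patterns would be tuned to the environment's legitimate software deployment paths.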