I often receive emails that ask about slow file downloads with the Beacon payload. Here are the symptoms: When I get these emails, I usually ask the user about their Malleable C2 profile. Malleable C2 is a technology to change the network and memory indicators for Cobalt Strike’s Beacon payload. In some cases, it can alter the […]
CTA Type: Resource
In-Memory Evasion
Many analysts and automated solutions take advantage of various memory detections to find injected DLLs in memory. Memory detections look at the properties (and content) of processes, threads, and memory to find indicators of malicious activity in the current process. In-memory Evasion is a four-part mini course on the cat and mouse game related to […]
Cobalt Strike 3.10 – Хакер vs. 肉雞
Cobalt Strike 3.10 is now available. This release adds Unicode support to the Beacon payload, introduces a built-in report based on MITRE’s ATT&CK matrix, and performs endodontics on the Beacon payload. A Strategy for Unicode One of Cobalt Strike’s limitations is its ham-fisted handling of text. Cobalt Strike treats everything sent to and received from Beacon as binary […]
Modern Defenses and YOU!
Part 9 of Advanced Threat Tactics covers a lot of my thoughts on evasion. The ideas in that lecture are still relevant, the defenses discussed there didn’t go away! That said, there are other defenses and realities offensive operators must contend with today. This blog post discusses some of these and provides tips for adjusting […]
Kits, Profiles, and Scripts… Oh my!
If I had to describe Cobalt Strike in one word, I’d say ‘flexible’. There are a lot of options to control Cobalt Strike’s features and indicators. In this post, I’ll introduce these options, explain the rationale for each, and point you to resources to explore them further. Aggressor Script Aggressor Script is Cobalt Strike’s built-in […]
Cobalt Strike 3.9 – Livin’ in a Stager’s Paradise
Cobalt Strike 3.9 is now available. This release brings several additions to Malleable C2 with an emphasis on staging flexibility. Malleable HTTP/S Staging Stagers are tiny programs that download the Beacon payload and pass control to it. Stagers are a way to use a size-constrained attack to deliver a large payload like Beacon. While I recommend […]
Read More… from Cobalt Strike 3.9 – Livin’ in a Stager’s Paradise
OPSEC Considerations for Beacon Commands
Update January 9, 2020 – This topic is now part of the Cobalt Strike documentation. Head over to the Beacon Command Behavior page for the latest version of this information. A good operator knows their tools and has an idea of how the tool is accomplishing its objectives on their behalf. This blog post surveys […]
Cobalt Strike 3.8 – Who’s Your Daddy?
Cobalt Strike 3.8 is now available. This release adds features to spawn processes with an alternate parent process. This release also gives the operator control over the script templates Cobalt Strike uses in its attacks and workflows. Processes with Alternate Parents A favorite hunt technique is to instrument a host to report all new processes, […]
Java Startup Bug in Java 1.8u131
If you recently updated your penetration testing environment, it’s possible you were greeted with a special surprise. Cobalt Strike and its team server will no longer start. Instead of Cobalt Strike, you’re now greeted with this very intuitive and helpful error: The Parallel GC can not be combined with -XX:ParallelGCThreads=0. I’ve had a few emails […]
Cobalt Strike 3.7 – Cat, Meet Mouse
The 8th release of the Cobalt Strike 3.0 series is now available. The release extends Malleable C2 to influence how Beacon lives in memory, adds code-signing for executables, and gives operators control over which proxy server Beacon uses. There’s a lot of good stuff here. Let’s dig into it. Malleable PE A key goal of Cobalt Strike is to challenge […]