There are several research projects to collect raw data from red team activity, process this data, and try to turn it into information. In this blog post, I’ll show you how to instrument a Cobalt Strike team server and generate a real-time feed of engagement activity. Aggressor Script is the scripting engine in Cobalt Strike […]
Interoperability with the Metasploit Framework
Cobalt Strike 3.0 is a stand-alone platform for Adversary Simulations and Red Team Operations. It doesn’t depend on the Metasploit Framework. That said, the Metasploit Framework is a wealth of capability and there are places where it adds value. I didn’t forget this in my design of Cobalt Strike 3.0. In this blog post, I’ll […]
Cobalt Strike 2015: An Offensive Platform is Born
It’s hard to believe we’re at the end of 2015 and on to 2016. I’ve now had a product on the market for three and a half years. That’s like 27 dog years! It’s a long time for a hacking tool too. 2015 was an exciting year here. Our industry is changing and Cobalt Strike has made changes to […]
Windows Access Tokens and Alternate Credentials
I’d like to call your attention to the humble runas.exe program on Windows. This program allows a Windows user to spawn another program with another user’s credentials. It’s a little painful to use runas.exe from a remote access tool. This program doesn’t accept a password as an argument. Cobalt Strike’s Beacon has a built-in runas […]
Post-Exploitation Only (Not Really)
During a recent conversation, a friend had mentioned that they saw Cobalt Strike as a post-exploitation only tool. This strikes me as a little odd. Cobalt Strike has always had all the features necessary to execute a full attack chain. The system profiler, spear phishing tool, and user-driven attacks support a social engineering process designed […]
Cobalt Strike 3.1 – Scripting Beacons
Cobalt Strike 3.1 is now available. This release adds a lot of polish to the 3.x codebase and addresses several items from user feedback. Aggressor Script is the scripting engine in Cobalt Strike 3.0 and later. It allows you to extend the Cobalt Strike client with new features and automate your engagements with […]
Appropriate Covert Channels
As a product vendor, I regularly receive suggestions from my users. It’s easy to break these suggestions up into different categories. One such category would be Beacon communication channels. I get requests that ask when I will look into various protocols or third-party services as communication channels. I see communication options as very important. But, […]
Flying a Cylon Raider
In Season 1, Episode 5 of Battlestar Galactica, Lieutenant Kara Thrace finds herself marooned on a barren planet with a crashed Cylon Raider. To get home, Lieutenant Thrace has to apply her knowledge of flight fundamentals to control the strange platform and pilot it back to safety. And, so it goes with hacking. You don’t […]
Revolutionary Device Detects Mimikatz Use
I see mimikatz as one of the most significant collections of offensive capability available today. Because there’s so much capability, folks are often interested in how to detect its use on their network. For example, one blog post recommends the use of Honey Hashes to detect mimikatz use. Others might recommend that you look for […]
How do I psexec without an initial Beacon?
Here and there, I’m getting questions that are variants of this post’s title. The inquiry usually goes like this: Dearest Raphael, I do a lot of internal engagements. I don’t expect that I will always have a Beacon on target due to a phishing or client-side attack. How do I launch a psexec attack directly […]