It’s been less than a month since I joined the Cobalt Strike team. My first impressions of this team have been overwhelmingly positive. As Raphael transitioned out, He left us with a message “Cobalt Strike is in good hands.” I couldn’t agree more. What can you expect from me? I’m here to provide input and […]
CTA Type: Blog
SSL certificate verification failure
UPDATE: This has now been fixed. I’ve amended this post to reflect that. If you ran the Cobalt Strike update program today, you may have seen an error message about the failed SSL certificate verification for www.cobaltstrike.com: The update program pins the certificate for this server. When the certificate does not match what the update […]
Simple DNS Redirectors for Cobalt Strike
This post, from Ernesto Alvarez Capandeguy of Core Security’s CoreLabs Research Team, describes techniques used for creating UDP redirectors for protecting Cobalt Strike team servers. This is one of the recommended mechanisms for hiding Cobalt Strike team servers and involves adding different points which a Beacon can contact for instructions when using the HTTP channel. […]
Raphael’s Transition
Friday was my last day at HelpSystems. I spent the day on the #Aggressor channel on Slack, put some final touches on a 12 month roadmap document, and worked with my colleagues to remove myself from a few systems I had originally designed. I had planned to get a blog post out yesterday, but the […]
Cobalt Strike 4.3 – Command and CONTROL
Cobalt Strike 4.3 is now available. The bulk of the release involves updates to DNS processing but there are some other, smaller changes in there too. DNS updates We have added options to Malleable C2 to allow DNS traffic to be masked. A new dns-beacon block allows you to specify options to override the DNS […]
Learn Pipe Fitting for all of your Offense Projects
Named pipes are a method of inter-process communication in Windows. They’re used primarily for local processes to communicate with eachother. They can also facilitate communication between two processes on separate hosts. This traffic is encapsulated in the Microsoft SMB Protocol. If you ever hear someone refer to a named pipe transport as an SMB channel, […]
Read More… from Learn Pipe Fitting for all of your Offense Projects
Pushing back on userland hooks with Cobalt Strike
When I think about defense in the current era, I think of it as a game of instrumentation and telemetry. A well-instrumented endpoint provides a defense team and an automated security solution with the potential to react to or have visibility into a lot of events on a system. I say a lot, because certainly […]
Read More… from Pushing back on userland hooks with Cobalt Strike
Agent Deployed: Core Impact and Cobalt Strike Interoperability
Core Impact 20.3 has shipped this week. With this release, we’re revealing patterns for interoperability between Core Impact and Cobalt Strike. In this post, I’ll walk you through these patterns and provide advice on how to get benefit using Cobalt Strike and Core Impact together. A Red Team Operator’s Introduction to Core Impact Prior to […]
Read More… from Agent Deployed: Core Impact and Cobalt Strike Interoperability
A Red Teamer Plays with JARM
I spent a little time looking into Saleforce’s JARM tool released in November. JARM is an active tool to probe the TLS/SSL stack of a listening internet application and generate a hash that’s unique to that specific TLS/SSL stack. One of the initial JARM fingerprints of interest relates to Cobalt Strike. The value associated with Cobalt […]
verify.cobaltstrike.com outage summary
Cobalt Strike’s update process was degraded due to a data center outage that affected https://verify.cobaltstrike.com. The verify server is back up and the functionality of our update process is restored. Here’s the timeline of the incident: November 10, 2020 – 5:15pm EST The Cobalt Strike update process is degraded. You may still download and update […]