User-driven Attacks
A user-driven attack is an attack that relies on a feature to get code execution. Most penetration testers I know rely on user-driven attacks over
Cobalt Strike 2.1 – I have the POWER(shell)
For a long time, I’ve wanted the ability to use PowerUp, Veil PowerView, and PowerSploit with Cobalt Strike. These are useful post-exploitation capabilities written in
Evolution of a Modern Hacking Payload
One of the most important features in Cobalt Strike is its Beacon payload. This is my capability to model advanced attackers. In this post, I’d
Use Cobalt Strike’s Beacon with Veil’s Evasion
The Veil Framework is a collection of red team tools, focused on evading detection. The Veil Evasion project is a tool to generate artifacts that
HTTP Proxy Authentication for Malware
I spend a lot of time thinking about what my tools can and can’t do. One of the weakest points for penetration testing tools is
Cobalt Strike – Innovative Offense or “just a GUI”?
In June 2012, I announced Cobalt Strike to the world. Thanks to Cobalt Strike‘s users, I build and research offensive technologies, full-time, and have done so for the past
Four Levels of Hacking Sophistication with Beacon
Beacon is Cobalt Strike’s payload for red team actions. Beacon is a stable lifeline that can serve as a communication layer. Meterpreter is a fantastic post-exploitation agent
Cobalt Strike 01.08.14 – EXE Artifacts: A New Hope
Cobalt Strike has always exposed the Metasploit Framework’s tool to generate executables. Unfortunately, these executables are caught by anti-virus products. I’ve had a lot of
Why do I always use 32-bit payloads?
Yesterday, one of my customers asked about x64 payloads in Cobalt Strike. Specifically, he wanted to know why Cobalt Strike doesn’t expose them. I’ve already
Stealthy Peer-to-peer C&C over SMB pipes
Beacon is my payload for low and slow control of a compromised system. Recently, I added peer-to-peer communication to Beacon. When two Beacons are linked,