Revisiting the UDRL Part 3: Beacon User Data
The UDRL and the Sleepmask are key components of Cobalt Strike’s evasion strategy, yet historically they have not worked well together. For example, prior to
Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM
This is a joint blog written by William Burgess (@joehowwolf) and Henri Nurmi (@HenriNurmi). In our ‘Cobalt Strike and YARA: Can I Have Your Signature?’
Revisiting the User-Defined Reflective Loader Part 2: Obfuscation and Masking
This is the second installment in a series revisiting the User-Defined Reflective Loader (UDRL). In part one, we aimed to simplify the development and debugging
Simplifying BOF Development: Debug, Test, and Save Your B(e)acon
Beacon Object Files (BOFs) were introduced in Cobalt Strike 4.1 in 2020. Since their release, BOFs have played a key role in post-exploitation activities, surpassing
Cobalt Strike and YARA: Can I Have Your Signature?
Over the past few years, there has been a massive proliferation of YARA signatures for Beacon. We know from conversations with our customers that this
Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development
This blog post accompanies a new addition to the Arsenal Kit – The User-Defined Reflective Loader Visual Studio (UDRL-VS). Over the past few months, we
Behind the Mask: Spoofing Call Stacks Dynamically with Timers
This blog introduces a PoC technique for spoofing call stacks using timers. Prior to our implant sleeping, we can queue up timers to overwrite its
Incorporating New Tools into Core Impact
Core Impact has further enhanced the pen testing process with the introduction of two new modules. The first module enables the use of .NET assemblies,
Writing Beacon Object Files: Flexible, Stealthy, and Compatible
Our colleagues over at Core Security have been doing great things with Cobalt Strike, making use of it in their own engagements. They wrote up
Process Injection Update in Cobalt Strike 4.5
Process injection is a core component to Cobalt Strike post exploitation. Until now, the option was to use a built-in injection technique using fork&run. This