![]() ![]() Image taken from the official cobalt strike documentation: This makes the malicious infrastructure harder for the defenders to discover and block. Threat actors can hide their infrastructure behind an army of redirectors and conceal the actual C2 server. Redirectors are hosts that do what the name implies, redirect traffic to the real C2 server. Additionally, Cobalt Strike is able to make use of “redirectors.” Therefore, some of these servers could be a redirector instead of the actual Cobalt Strike C2 server. Remote-exec (Run a single command using the above methods on remote host)Ĭhanging infrastructure will always be inconvenient for the threat actors, but it is not a difficult task. Jump winrm (Run a PowerShell script via WinRM on remote host) Jump psexec_psh (Run a PowerShell one-liner on remote host via a service) Jump psexec (Run service EXE on remote host) Net (commands to find targets on the domain) Getsystem (SYSTEM account impersonation using named pipes)Įlevate svc-exe (creates a services that runs a payload as SYSTEM)Ĭhromedump (Recover Google Chrome passwords from current user) In the table below, the “Documented Features” correspond to the Cobalt Strike execution commands via the interactive shell as per official documentation: Capabilitiesĭllinject (for reflective dll injection)ĭllload ( for loading an on-disk DLL to memory) This is not an exhaustive list of commands available, but it contains most of the built-in features that we encounter in most cases. Below are some of the capabilities that we see being used by operators. His videos are handy to watch if you want to get a glimpse of all the features that Cobalt Strike has to offer in various phases of the intrusion. ![]() Raphael has an extensive playlist on youtube that demonstrates the many features of Cobalt Strike and step-by-step guides on how to use its full potential. Raphael Mudge was the primary maintainer for many years before the acquisition from Core Security. Thanks to Kostastsale for helping put this guide together! Cobalt Strike CapabilitiesĬobalt Strike has many features, and it is under constant development by a team of developers at Core Security by Help Systems. Threat actors turn to Cobalt Strike for its ease of use and extensibility. Cobalt Strike is chosen for the second stage of the attack as it offers enhanced post-exploitation capabilities. QakBot), Ursnif, Hancitor, Bazar and TrickBot. Some of the most common droppers we see are IcedID (a.k.a. Having said that, not all of Cobalt Strike’s features will be discussed.Īs you have noticed from our reporting so far, Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage. The primary purpose of this post is to expose the most common techniques that we see from the intrusions that we track and provide detections. Therefore, defenders should know how to detect Cobalt Strike in various stages of its execution. In most of our cases, we see the threat actors utilizing Cobalt Strike. In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |