Channel: Cobalt Strike – Strategic Cyber LLC
Browsing all 62 articles

Map of Cobalt Strike Features for Armitage Users

I wrote Cobalt Strike and I take it for granted that my users know where things are. This doesn’t come from nowhere though. The users who get the most from this tool have read the documentation,...

Cobalt Strike 2.2 – 1995 called, it wants its covert channel back…

Cobalt Strike’s Covert VPN feature now supports ICMP as one of its channels. Covert VPN is Cobalt Strike’s layer-2 pivoting capability. If you’re curious about how this technology works, I released...

Cobalt Strike 2.3 – I’ve always wanted runas

Cobalt Strike 2.3 is now available. This release adds a runas command to Beacon. This command allows you to specify a username and password for any user and run a command as them. Useful for situations...

Scripting Beacons and Deploying Persistence

One common Cobalt Strike feature request is an API to script the Beacon payload. Doing this right is a big project and it requires some architectural changes within Cobalt Strike. I’m working on it. I...

Cobalt Strike 2.4 – A Pittance for Post-Exploitation

Cobalt Strike 2.4 is now available. If you use Beacon for post-exploitation, you’ll find a lot to like in this release. Here’s the highlights: Post-Exploitation Jobs Beacon now supports long-running...

User-defined Storage-based Covert Communication

One of my favorite Cobalt Strike technologies is Malleable C2. This is a domain specific language for user-defined storage-based covert communication. That’s just a fancy way of saying that you, the...

Cobalt Strike Penetration Testing Labs (Download)

My primary conference give away is a DVD with a self-contained penetration testing lab. This DVD covers the Metasploit Framework’s capability to target a server. It also covers the client-side attack...

Cobalt Strike 2.5 – Advanced Pivoting

I spend a lot of my red time in the Access Manager role. This is the person on a red team who manages callbacks for the red cell. Sometimes, I like to grab a Beacon and drive around a network. It’s...

The Aggressor Project (Preview)

If you’ve run into me at a conference during the 2015 calendar year, there’s a strong chance you’ve heard about or saw the Aggressor project. Aggressor is a ground-up rewrite of Cobalt Strike’s team...

Rethinking Reporting for Red Team Operations

Cobalt Strike 3.0 is coming in a few weeks. This upcoming release is the result of a large engineering effort that paralleled my existing efforts to maintain Cobalt Strike 2.x. One of the big...

Cobalt Strike 3.0 – Advanced Threat Tactics

Cobalt Strike’s mission is to help security professionals emulate “advanced threat tactics” during their engagements. I’ve executed on this since the product’s 2012 release. Cobalt Strike 3.0 is the...

Advanced Threat Tactics – Course and Notes

The release of Cobalt Strike 3.0 also saw the release of Advanced Threat Tactics, a nine-part course on red team operations and adversary simulations. This course is nearly six hours of material with...

Named Pipe Pivoting

One of my favorite features in Cobalt Strike is its ability to pivot over named pipes. A named pipe is a way for two programs on a Windows system to communicate with each other. From a programming...

The Cobalt Strike Trial’s Evil Bit

RFC 3514 proposes an IPv4 flag to allow traffic to flag itself as malicious or not. This RFC’s authors reason that if malicious programs opt into this standard, it will become easier for IDS and other...

Connection Refused Error in Cobalt Strike

I’ve had several folks write to me asking about the Connection Refused error when they try to use Cobalt Strike. This one: Cobalt Strike 3.0 requires you to start a team server before you attempt to...

How do I psexec without an initial Beacon?

Here and there, I’m getting questions that are variants of this post’s title. The inquiry usually goes like this: Dearest Raphael, I do a lot of internal engagements. I don’t expect that I will always...

Appropriate Covert Channels

As a product vendor, I regularly receive suggestions from my users. It’s easy to break these suggestions up into different categories. One such category would be Beacon communication channels. I get...

Cobalt Strike 3.1 – Scripting Beacons

Cobalt Strike 3.1 is now available. This release adds a lot of polish to the 3.x codebase and addresses several items from user feedback. Aggressor Script Aggressor Script is the scripting engine in...

Post-Exploitation Only (Not Really)

During a recent conversation, a friend had mentioned that they saw Cobalt Strike as a post-exploitation only tool. This strikes me as a little odd. Cobalt Strike has always had all the features...

Real-Time Feed of Red Team Activity

There are several research projects to collect raw data from red team activity, process this data, and try to turn it into information. In this blog post, I’ll show you how to instrument a Cobalt...
