Channel: Cobalt Strike – Strategic Cyber LLC
Browsing all 62 articles

A Quick Guide to Bug Reports

One of the hardest parts of being a developer is working with bug reports and support requests disguised as bug reports. Some people write very good bug reports. These reports give me the information I...

A History of Cobalt Strike in Training Courses

In 2011, I was invited to Austin, TX by the local ISSA and OWASP chapters to teach a class on Armitage and the Metasploit Framework. I think we had 90 students. I remember the pain of burning DVDs in...

Cobalt Strike 3.2 – The Inevitable x64 Beacon

Cobalt Strike 3.2, the third release in the 3.x series, is now available. The 3.2 release focuses on fixes and improvements across the Cobalt Strike product. x64 Beacon Cobalt Strike’s x86 Beacon plays...

My Cobalt Strike Scripts from NECCDC

I just returned from the North East Collegiate Cyber Defense Competition event at the University of Maine. A big congratulations to the winners, Northeastern University, who will go on to represent the...

Pics or it didn’t happen…

One of the most important things in a red teamer’s job is evidence. If you can’t demonstrate impact and make a risk real, it’s as if you didn’t find the problem. Screenshots go a long way towards this....

Aggressor Script’s Secret mIRC Scripting Past

Aggressor Script is the scripting engine in Cobalt Strike 3.0 and later. If you want to learn more about it, I recommend reading the documentation. In this blog post, I’ll provide some history around...

User Exploitation at Scale

Some hackers only think about access. It’s the precious. How to get that first shell? I don’t care too much about this. I’m concerned about the problems that come from having a lot of accesses. One of...

Cobalt Strike 3.3 – Now with less PowerShell.exe

The fourth release in the Cobalt Strike 3.x series is now available. There’s some really good stuff here. I think you’ll like it. Unmanaged PowerShell How do you get your PowerShell scripts on target,...

Raffi’s Abridged Guide to Cobalt Strike

This blog post is a fast overview of Cobalt Strike. I assume that you are familiar with Meterpreter, Mimikatz, and make use of Offensive PowerShell in your work. This post does not replace the...

Session Passing from Cobalt Strike

Session passing is using one payload to spawn another payload. Sometimes, the payloads are from the same toolset. Other times, they’re not. Session passing options allow you to hand-off accesses...

What is a stageless payload artifact?

I’ve had a few questions about Cobalt Strike’s stageless payloads and how these compare to other payload varieties. In this blog post, I’ll explain stageless payloads and why you might prefer stageless...

Talk to your children about Payload Staging

Time to time, I find myself in an email exchange about payload security and payload staging. The payload security discussion revolves around Beacon’s security features. Once it is running on target,...

Who let the logs out? Woof.

Logging is an important feature in any red team operations platform. Logs serve multiple purposes. Good logs aid reporting. If an operator needs output for some action or forgot what they did and when,...

HOWTO: Reset Your Cobalt Strike License Key

Time to time, I hand out Cobalt Strike license keys to non-customers. Sometimes these are to support an event (e.g., the National CCDC Red Team). Other times, these license keys allow a potential...

Why is rundll32.exe connecting to the internet?

Previously, I wrote a blog post to answer the question: why is notepad.exe connecting to the internet? This post was written in response to a generation of defenders zeroing in on the notepad.exe...

Cobalt Strike 3.4 – Operational Details

Cobalt Strike 3.4 is now available. This release focuses on the DNS Beacon and a few additions to Malleable C2. Here are the highlights: New Malleable C2 Options This release extends the Malleable C2...

What happened to my Kill Date?

Cobalt Strike 3.4 introduced a Kill Date feature. This is a date that Cobalt Strike embeds into each Beacon stage. If a Beacon artifact is run on or after this date, it immediately exits. If a running...

Cobalt Strike Tapas

I’ve slowed down on my blogging since this year’s BlackHat and DEF CON. I’m hard at work on the 3.5 release and haven’t had spare cycles to put into blogging. That said, Cobalt Strike’s users have more...

Cobalt Strike 3.5 – UNIX Post Exploitation

Cobalt Strike 3.5 is now available. This release adds an SSH client with a Beacon-like interface. This client allows you to conduct post-exploitation actions against UNIX targets from Cobalt Strike. In...

Cobalt Strike RCE. Active Exploitation Reported.

Summary There is a remote code execution vulnerability in the Cobalt Strike team server. A hot fix that breaks this particular exploit chain is available. Customers may use the built-in update program...
