Jump winrm (Run a PowerShell script via WinRM on remote host) Jump psexec_psh (Run a PowerShell one-liner on remote host via a service) Jump psexec (Run service EXE on remote host) Net (commands to find targets on the domain) Getsystem (SYSTEM account impersonation using named pipes)Įlevate svc-exe (creates a services that runs a payload as SYSTEM)Ĭhromedump (Recover Google Chrome passwords from current user) In the table below, the “Documented Features” correspond to the Cobalt Strike execution commands via the interactive shell as per official documentation: Capabilitiesĭllinject (for reflective dll injection)ĭllload ( for loading an on-disk DLL to memory) This is not an exhaustive list of commands available, but it contains most of the built-in features that we encounter in most cases. Below are some of the capabilities that we see being used by operators. His videos are handy to watch if you want to get a glimpse of all the features that Cobalt Strike has to offer in various phases of the intrusion. Raphael has an extensive playlist on youtube that demonstrates the many features of Cobalt Strike and step-by-step guides on how to use its full potential.
Raphael Mudge was the primary maintainer for many years before the acquisition from Core Security. Thanks to Kostastsale for helping put this guide together! Cobalt Strike CapabilitiesĬobalt Strike has many features, and it is under constant development by a team of developers at Core Security by Help Systems. Threat actors turn to Cobalt Strike for its ease of use and extensibility. Cobalt Strike is chosen for the second stage of the attack as it offers enhanced post-exploitation capabilities. QakBot), Ursnif, Hancitor, Bazar and TrickBot.
Some of the most common droppers we see are IcedID (a.k.a. Having said that, not all of Cobalt Strike’s features will be discussed.Īs you have noticed from our reporting so far, Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage. The primary purpose of this post is to expose the most common techniques that we see from the intrusions that we track and provide detections. Therefore, defenders should know how to detect Cobalt Strike in various stages of its execution. In most of our cases, we see the threat actors utilizing Cobalt Strike. In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives.
0 kommentar(er)
