Cobalt Strike

Software for Adversary Simulations and Red Team Operations

Replicate the Tactics and Techniques of an Embedded Advanced Adversary

Cobalt Strike is a threat emulation tool for cybersecurity professionals running Adversary Simulations and Red Team operations. Ideal for measuring your security operations program and incident response capabilities, Cobalt Strike utlilizes its powerful post-exploitation agents and covert channels in order to mimic an advanced threat actor quietly embedded in an IT network. No two engagements are alike with malleable C2 enabling network indicators to emulate different malware and versatile social engineering processes. Realistic scenarios, along with collaboration capabilities and robust reporting features create an enriched Blue Team training experience.

Advanced Adversary Simulations

While penetration tests focus on access, Cobalt Strike narrows in on the next steps of a threat actor, focusing on post-exploitation, lateral movement, and persistence.

Dynamic Red Team Engagements

Red Teams utilize Cobalt Strike to launch a realistic attack, gain persistence, and capture information to demonstrate potential attack paths, ultimately enhancing Security Operations.

All in an Adaptable Framework

Cobalt Strike is intentionally flexible to enable users to modify scripts, write their own, or create extensions to tailor their experience.

Key Features

Post Exploitation

Execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other payloads with Beacon, Cobalt Strike's post-exploitation payload.

Advanced Adversary Simulation

Beacon simulates an embedded attacker, remaining undetected using asynchronous “low and slow” communication and a malleable Command and Control language that can alter network indicators to blend in with normal traffic or cloak its activities.

Browser Pivoting

Cobalt Strike offers a unique approach to man-in-the-browser attacks, hijacking all of a comprimised target's authenticated web sessions.

Intelligence Gathering

Cobalt Strike’s System Profiler can fingerprint a target and discover their internal IP address, applications, plugins, and version information.

Shared Sessions

A shared team server enhances Red Team operations and ensures collaborative engagements with real-time communication, host sharing, data capture, and more.

Logging and Reporting

Cobalt Strike has multiple reporting options for data synthesis and further analysis. Report types include:

• Activity
• Hosts
• Indicators of Compromise
• Sessions
• Social Engineering
• Tactics, Techniques, Procedures

Interoperability and Extensions

Core Impact

Organizations with both Cobalt Strike and Core Impact, Core Security's powerful penetration testing tool, can benefit from interoperability between these two solutions, like session passing and tunneling. Beacon can be deployed from within Core Impact and users can spawn a Core Impact agent from within Cobalt Strike.

Outflank Security Tooling (OST)

Outflank Security Tooling (OST) is a broad set of evasive red team tools that cover every significant step in the attacker kill chain and can be used within Cobalt Strike out of the box. OST integrates directly with Cobalt Strike’s framework through BOFs and reflective DLL loading techniques, enabling users to efficiently perform complex post-exploitation tasks.

Community Kit

Our user community has created multiple extensions that escalate and enhance Cobalt Strike. The Community Kit was created to showcase these projects in a central repository, enabling fellow security professionals to benefit from these extensions.