The Arsenal Kit is a cornerstone of Cobalt Strike’s customizability, offering advanced security testers the ability to create and manage their own arsenals of attack payloads and extensions. Its core function lies in enhancing the stealth and flexibility of Cobalt Strike’s signature payload, Beacon, enabling advanced post-exploitation activities to remain undetected within target environments. The Arsenal Kit allows teams to move beyond Cobalt Strike’s defaults and implement unique tradecraft that helps accurately replicate tactics and techniques deployed by advanced attackers or evade specific security solutions.

Benefits of Arsenal Kit
The Arsenal Kit provides the capability to customize and modify the behaviors of Beacon in the different phases of its lifecycle: from initial access to comms and post-exploitation.
While the Arsenal Kit contains a number of templates and examples for use at different stages in the attack chain, users are not dependent on the Cobalt Strike development team to implement specific tradecraft. They can make adjustments based on engagement needs, new threat reports, etc.
Using the Arsenal Kit to emulate modern advanced threats, red teams can more accurately test the effectiveness of security operations centers (SOCs), incident response capabilities, and existing security controls. This is possible through several key advantages that the Arsenal Kit provides:
Evasion Capabilities
The Arsenal Kit enables Beacon to operate with a significantly reduced footprint in memory, increasing its resilience against detection mechanisms like in-memory YARA scanning or static signatures. Operators can make modifications as needed to alter injection techniques, memory allocation patterns, in-memory obfuscation, and more. These adjustments help maintain operational security and increase the effectiveness of engagements by changing default behaviors that might be signatured by security products.
Threat Emulation
The Arsenal Kit enables operators to modify Beacon’s behavior to mimic the techniques used by advanced persistent threats (APTs), such as initial access, lateral movement, and privilege escalation. Additionally, post-exploitation capabilities help organizations improve detection and response strategies by identifying gaps in their defenses and improving incident response through realistic red team or purple team exercises.
Custom Payload Development
Operators can develop and compile payloads for specific target environments, tailoring them to the security controls known to be in place. Going beyond configuration options, the Arsenal Kit provides access to the source code, offering a deep level of control.
Centralized Management
Red teamers are empowered to integrate their own unique techniques and bypasses into Cobalt Strike’s workflow, reducing the operational complexity of using custom tools. Users can also take advantage of the collective knowledge of the Cobalt Strike community, deploying user-created tools shared in the Community Kit.
What’s in the Arsenal Kit?
The Arsenal Kit was introduced in version 4.6 of Cobalt Strike. To make it easier for operators to manage and deploy, the Arsenal Kit consolidates several individual toolkits to yield a single aggressor script that can be loaded instead of loading all of the separate kits individually. Currently, the Arsenal Kit consists of:
Initial Access Toolkits
Resource Kit – This kit allows users to change the HTA, PowerShell, Python, VBA, and VBS script templates Cobalt Strike uses in its workflows.
Artifact Kit – A collection of executable and DLL templates used for loading shellcode located inside of the binary.
Load Time Evasion
UDRL – Framework for compiling reflective DLL loaders, enabling operators to customize evasion techniques by redefining how Beacon is loaded into memory.
UDRL-VS – A repository of UDRL examples and templates for developing custom User-Defined Reflective Loaders.
Run Time Evasion
Sleepmask Kit – An evasive framework that obfuscates Beacon payloads in-memory during idle periods, handles API call masking, and provides memory cleanup on exit.
Sleepmask-VS – A collection of Sleepmask examples that can simplify the development of custom Sleepmask BOFs.
Mutator Kit – This kit alters sleep masks using an LLVM (Low Level Virtual Machine) mutator to change byte patterns and characteristics of the Beacon payload.
BeaconGate – BeaconGate enables users to customise how WinAPI functions are called by Beacon. With BeaconGate configured, Beacon will proxy its Windows API calls to be executed via the Sleepmask. One example is the implementation of call stack spoofing techniques.
Post-Exploitation
Process Inject Kit – This kit implements custom injection techniques using a Beacon Object File (BOF) and the Aggressor Script file.
Postex Kit – This kit enables users to easily develop Post-ex DLLs and plug them into the existing job architecture.
BOF-VS – This Visual Studio Project simplifies writing BOFs in C, Dynamic Function Resolution (DFR), debugging BOFs, and Unit Testing.
Highlights of the Arsenal Kit
UDRL Kit
The UDRL Kit elevates reflective loading by allowing operators to customize the loading mechanism to better tailor their engagements. Without the constraints of the built-in loader, users can bring their own tradecraft to bear. This includes modifying memory allocation techniques, import parsing, relocation fixing, and entry point execution.
To lower the barrier to entry for UDRL development, the User-Defined Reflective Loader Visual Studio (UDRL-VS) is included in the UDRL kit. This simplifies the development process. In addition, various example/template UDRLs are provided, including a “default-loader” and an “obfuscation-loader.”
Sleep Mask Kit
Sleep masking is a technique that hides Beacon in memory while it sleeps to evade memory-based detection. This protects the Beacon payload when it is dormant and reduces the likelihood of discovery by EDR solutions performing memory scans.
The Sleep Mask Kit provides sophisticated built-in sleep masking functionality. Additionally, users are provided with source code for this function, which allows operators to develop unique implementations of the sleep mask.
Mutator Kit
The Mutator Kit is designed to create alternate versions of the sleep mask. Its core functionality revolves around actively breaking in-memory YARA scanning of sleep masks to further obfuscate them, producing a multi-layered defense against memory-based detection.
This is achieved by using LLVM (Low Level Virtual Machine) to apply mutations that alter the patterns and characteristics of each sleep mask, creating a unique build. This ultimately breaks the ability of pre-canned YARA signatures to target in-memory sleep masks.
Postex Kit
The Postex Kit enables operators to develop their own post-ex DLLs for interoperability with Beacon by serving as a template for development.
The Postex Kit also includes a library of functions which provide an abstraction over the job architecture, allowing operators to focus purely on developing custom tooling. Using the execute-dll command, a custom post-ex DLL is able to add a loader and execute it as a new job. It also supports passing arguments, which are accessible within the DLL.
In Cobalt Strike 4.11, a new Postex DLL, async-execute.dll, was added. This DLL can be used to asynchronously execute BOFs (i.e., in a new thread while Beacon is sleeping). This means that operators can now run multiple BOFs at the same time, all within the same process, without blocking Beacon. This DLL was built entirely using the Postex Kit.