CTA Type: Resource

Process Injection Update in Cobalt Strike 4.5

Posted on

Process injection is a core component to Cobalt Strike post exploitation. Until now, the option was to use a built-in injection technique using fork&run. This has been great for stability, but does come at the cost of OPSEC. Cobalt Strike 4.5 now supports two new Aggressor Script hooks: PROCESS_INJECT_SPAWN and PROCESS_INJECT_EXPLICIT.  These hooks allow a user to define how the fork&run and explicit injection techniques are implemented when executing post-exploitation […]

Read More… from Process Injection Update in Cobalt Strike 4.5

Cobalt Strike 4.5: Fork&Run – you’re “history”

Posted on

Cobalt Strike 4.5 is now available. This release sees new options for process injection, updates to the sleep mask and UDRL kits, evasion improvements and a command history update along with other, smaller changes. Security Updates Before getting into the details of the release, I just wanted to impress upon you how seriously we take […]

Read More… from Cobalt Strike 4.5: Fork&Run – you’re “history”

Cobalt Strike infrastructure changes

Posted on

We will be making some changes to the Cobalt Strike infrastructure in late November/early December. We are not anticipating any downtime but we wanted to make you aware of what is changing and when. TLS certificate updates The current TLS certificates for www.cobaltstrike.com and verify.cobaltstrike.com both expire on 6th December. The certificates will be updated […]

Read More… from Cobalt Strike infrastructure changes

Nanodump: A Red Team Approach to Minidumps

Posted on

Motivation It is known that dumping Windows credentials is a technique often utilized for everyday attacks by adversaries and, consequently, Red Teamers. This process has been out there for several years and is well documented by MITRE under the T1003.001 technique. Sometimes, when conducting a Red Team engagement, there may be some limitations when trying […]

Read More… from Nanodump: A Red Team Approach to Minidumps

Cobalt Strike Sleep Python Bridge

Posted on

This project started after seeing how the user community tweaks and tunes Cobalt Strike. I was inspired by @BinaryFaultline and @Mcgigglez16 in their project https://github.com/emcghee/PayloadAutomation and blog post http://blog.redxorblue.com/2021/06/introducing-striker-and-payload.html. They created a clever way to interact with a teamserver without the GUI. Before I get too far, I’ll touch on Aggressor scripting and the Sleep […]

Read More… from Cobalt Strike Sleep Python Bridge

How to Extend Your Reach with Cobalt Strike 

Posted on

We’re often asked, “what does Cobalt Strike do?” In simple terms, Cobalt Strike is a post-exploitation framework for adversary simulations and Red Teaming to help measure your security operations program and incident response capabilities. Cobalt Strike provides a post-exploitation agent, Beacon, and covert channels to emulate a quiet long-term embedded actor in a network.   If […]

Read More… from How to Extend Your Reach with Cobalt Strike 

TeamServer.prop

Posted on

Following the 4.4 release, you may have noticed a warning message when starting your teamserver: The missing file is optional and its absence does not break the teamserver. It contains a number of optional parameters that can be used to customize the settings used to validate screenshot and keylog callback data, which allows you to […]

Read More… from TeamServer.prop

Cobalt Strike 4.4: The One with the Reconnect Button

Posted on

Cobalt Strike 4.4 is now available. This release puts more control into your hands, improves Cobalt Strike’s evasive qualities and addresses a number of smaller changes requested by our users… and yes! We’ve added a reconnect button! User Defined Reflective DLL Loader Cobalt Strike has a lot of flexibility in its Reflective Loading foundation but […]

Read More… from Cobalt Strike 4.4: The One with the Reconnect Button