SentinelOne discovered a denial of service (DoS) vulnerability in Cobalt Strike. The bug (aka Hotcobalt) can cause a denial of service on a teamserver by using a fake beacon sending abnormally large screenshots. This bug has been fixed in Cobalt Strike 4.4 Consider mitigating this risk to a teamserver by hardening your C2 infrastructure. Thank you, […]
Read More… from Cobalt Strike DoS Vulnerability (CVE-2021-36798)
You can now update Mimikatz between Cobalt Strike releases. Updates will periodically be made available to licensed users via the Arsenal as the Mimikatz Kit. Usage: Download and extract the .tgz from the Arsenal (Note: The version uses the Mimikatz release version naming (i.e., 2.2.0.20210724) Load the mimikatz.cna aggressor script Use mimikatz functions as normal […]
One of the things I find fascinating about being on the Cobalt Strike team is the community. It is amazing to see how people overcome unique challenges and push the tool in directions never considered. I want explore this with CredBandit (https://github.com/xforcered/CredBandit). This tool has had updates since I started exploring. I’m specifically, looking at […]
Read More… from CredBandit (In memory BOF MiniDump) – Tool review – Part 1
The Cobalt Strike references (malleable c2 profiles, scripts, Elevate Kit, etc.) have been consolidated under a new GitHub account. https://github.com/cobalt-strike We understand that many blog posts (and even our documentation) have references to the original links. The original links will be available for the time being but may not be in the future. Update your […]
Read More… from New home for Cobalt Strike malleable c2 profiles and scripts
This short post is a follow up to the post “Manage Cobalt Strike with Services” where I described a method to automate Cobalt Strike teamservers by creating services. In this post, I will take a closer look at the aggressor function that is used to create listeners listener_create_ext to expanded on the documentation and provide an […]
Read More… from Create listeners with an aggressor script – listener_create_ext
This post is part of a “Quality of Life” series, where tips and tricks will be shared to make using Cobalt Stike easier. Cobalt Strike is a post-exploitation framework and requires customization to meet your specific needs. This flexibility is one of the most powerful features of Cobalt Strike. While this is great, some may […]
It’s been less than a month since I joined the Cobalt Strike team. My first impressions of this team have been overwhelmingly positive. As Raphael transitioned out, He left us with a message “Cobalt Strike is in good hands.” I couldn’t agree more. What can you expect from me? I’m here to provide input and […]
UPDATE: This has now been fixed. I’ve amended this post to reflect that. If you ran the Cobalt Strike update program today, you may have seen an error message about the failed SSL certificate verification for www.cobaltstrike.com: The update program pins the certificate for this server. When the certificate does not match what the update […]
This post, from Ernesto Alvarez Capandeguy of Core Security’s CoreLabs Research Team, describes techniques used for creating UDP redirectors for protecting Cobalt Strike team servers. This is one of the recommended mechanisms for hiding Cobalt Strike team servers and involves adding different points which a Beacon can contact for instructions when using the HTTP channel. […]
Friday was my last day at HelpSystems. I spent the day on the #Aggressor channel on Slack, put some final touches on a 12 month roadmap document, and worked with my colleagues to remove myself from a few systems I had originally designed. I had planned to get a blog post out yesterday, but the […]