Why is rundll32.exe connecting to the internet?
Previously, I wrote a blog post to answer the question: why is notepad.exe connecting to the internet? This post was written in response to a generation
What is a stageless payload artifact?
I’ve had a few questions about Cobalt Strike’s stageless payloads and how these compare to other payload varieties. In this blog post, I’ll explain stageless
User-defined Storage-based Covert Communication
One of my favorite Cobalt Strike technologies is Malleable C2. This is a domain specific language for user-defined storage-based covert communication. That’s just a fancy
Use Cobalt Strike’s Beacon with Veil’s Evasion
The Veil Framework is a collection of red team tools, focused on evading detection. The Veil Evasion project is a tool to generate artifacts that
That’ll never work–we don’t allow port 53 out
One of my favorite Cobalt Strike features is its ability to quietly manage a compromised system with DNS. Being rather proud of this feature, I
Talk to your children about Payload Staging
Time to time, I find myself in an email exchange about payload security and payload staging. The payload security discussion revolves around Beacon’s security features.
Stealthy Peer-to-peer C&C over SMB pipes
Beacon is my payload for low and slow control of a compromised system. Recently, I added peer-to-peer communication to Beacon. When two Beacons are linked,
Simplifying BOF Development: Debug, Test, and Save Your B(e)acon
Beacon Object Files (BOFs) were introduced in Cobalt Strike 4.1 in 2020. Since their release, BOFs have played a key role in post-exploitation activities, surpassing
Simple DNS Redirectors for Cobalt Strike
This post, from Ernesto Alvarez Capandeguy of Core Security’s CoreLabs Research Team, describes techniques used for creating UDP redirectors for protecting Cobalt Strike team servers.
Scripting Beacons and Deploying Persistence
One common Cobalt Strike feature request is an API to script the Beacon payload. Doing this right is a big project and it requires some