Why do I always use 32-bit payloads?
Yesterday, one of my customers asked about x64 payloads in Cobalt Strike. Specifically, he wanted to know why Cobalt Strike doesn’t expose them. I’ve already
User-driven Attacks
A user-driven attack is an attack that relies on a feature to get code execution. Most penetration testers I know rely on user-driven attacks over
User Exploitation at Scale
Some hackers only think about access. It’s the precious. How to get that first shell? I don’t care too much about this. I’m concerned about
Use Armitage and Cobalt Strike on Amazon’s EC2
James Webb has an interesting blog post on how to use Armitage to manage a pen test through Amazon’s Elastic Computing Cloud. He does a
TeamServer.prop
Following the 4.4 release, you may have noticed a warning message when starting your teamserver: The missing file is optional and its absence does not
SSL certificate verification for failed
TL;DR a certificate for part of the Cobalt Strike update infrastructure changed. Download the 20200511 distribution package to avoid certificate verification errors. If you recently
SSL certificate verification failure
UPDATE: This has now been fixed. I’ve amended this post to reflect that. If you ran the Cobalt Strike update program today, you may have
Revisiting the User-Defined Reflective Loader Part 2: Obfuscation and Masking
This is the second installment in a series revisiting the User-Defined Reflective Loader (UDRL). In part one, we aimed to simplify the development and debugging
Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development
This blog post accompanies a new addition to the Arsenal Kit – The User-Defined Reflective Loader Visual Studio (UDRL-VS). Over the past few months, we
Revisiting the UDRL Part 3: Beacon User Data
The UDRL and the Sleepmask are key components of Cobalt Strike’s evasion strategy, yet historically they have not worked well together. For example, prior to