Raphael’s Transition
Friday was my last day at HelpSystems. I spent the day on the #Aggressor channel on Slack, put some final touches on a 12 month
Raffi’s Abridged Guide to Cobalt Strike
This blog post is a fast overview of Cobalt Strike. I assume that you are familiar with Meterpreter, Mimikatz, and make use of Offensive PowerShell in
Puttering my Panda and other Threat Replication Case Studies
Cobalt Strike 2.0 introduced Malleable C2, a technology to redefine network indicators in the Beacon payload. What does this mean for you? It means you
Pushing back on userland hooks with Cobalt Strike
When I think about defense in the current era, I think of it as a game of instrumentation and telemetry. A well-instrumented endpoint provides a
Process Injection Update in Cobalt Strike 4.5
Process injection is a core component to Cobalt Strike post exploitation. Until now, the option was to use a built-in injection technique using fork&run. This
PowerShell Shellcode Injection on Win 10 (v1803)
Cobalt Strike’s process to inject shellcode, via PowerShell, does not work with the latest Windows 10 update (v1803). While it’s possible to work without this
Post-Mortem of a Metasploit Framework Bug
Two weekends ago, I ran my Advanced Threat Tactics course with a group of 19 people. During the end exercise, one of the teams was frustrated. Their
Post-Exploitation Only (Not Really)
During a recent conversation, a friend had mentioned that they saw Cobalt Strike as a post-exploitation only tool. This strikes me as a little odd.
Playing in the (Tradecraft) Garden of Beacon: Finding Eden
We have previously blogged about using BeaconGate to dynamically instrument Beacon at run time. However, one of BeaconGate’s limitations is that it is not applied throughout Beacon’s entire lifecycle. Specifically, it does
Pivoting through SSH
This is a pretty quick tip, but still useful. When you SSH to a host, you may use the -D flag to setup “dynamic” application-level