Evolution of a Modern Hacking Payload
One of the most important features in Cobalt Strike is its Beacon payload. This is my capability to model advanced attackers. In this post, I’d
How I tunnel Meterpreter through Beacon
I write so many blog posts about Beacon, I should just give up and call this the Beacon blog. Beacon is Cobalt Strike’s post-exploitation agent
Scripting Beacons and Deploying Persistence
One common Cobalt Strike feature request is an API to script the Beacon payload. Doing this right is a big project and it requires some
User-defined Storage-based Covert Communication
One of my favorite Cobalt Strike technologies is Malleable C2. This is a domain specific language for user-defined storage-based covert communication. That’s just a fancy
Appropriate Covert Channels
As a product vendor, I regularly receive suggestions from my users. It’s easy to break these suggestions up into different categories. One such category would
Cobalt Strike 3.1 – Scripting Beacons
Cobalt Strike 3.1 is now available. This release adds a lot of polish to the 3.x codebase and addresses several items from user feedback. Aggressor
Cobalt Strike 3.2 – The Inevitable x64 Beacon
Cobalt Strike 3.2, the third release in the 3.x series, is now available. The 3.2 release focuses on fixes and improvements across the Cobalt Strike
What is a stageless payload artifact?
I’ve had a few questions about Cobalt Strike’s stageless payloads and how these compare to other payload varieties. In this blog post, I’ll explain stageless
Talk to your children about Payload Staging
Time to time, I find myself in an email exchange about payload security and payload staging. The payload security discussion revolves around Beacon’s security features.
Why is rundll32.exe connecting to the internet?
Previously, I wrote a blog post to answer the question: why is notepad.exe connecting to the internet? This post was written in response to a generation