Red Team Operations with Cobalt Strike

Red Team Operations with Cobalt Strike is a free course on red team operations and adversary simulations. This course will provide the background and skills necessary to emulate an advanced threat actor with Cobalt Strike.

1. Operations


This course starts with an overview of the Cobalt Strike project, team server setup, and a deep dive into Cobalt Strike’s model for long-term distributed operations. Logging and Reporting are covered as well.

2. Infrastructure


This lecture covers listener management and how to configure the various Beacon flavors. Ample time is devoted to redirectors, domain fronting, DNS Beacon setup, and infrastructure troubleshooting. The peer-to-peer SMB and TCP Beacons are covered here. External C2 is touched on.

3. C2


This video introduces Malleable C2, Cobalt Strike’s domain-specific language to customize Beacon’s network indicators. Egress and network-level evasion are covered here, as well as infrastructure OPSEC. This lecture concludes with a discussion on payload security.

4. Weaponization


Weaponization is combining a payload with an artifact or exploit that will run it. This lecture covers various ways to weaponize Cobalt Strike’s Beacon payload. The Artifact Kit and Resource Kit are introduced. Ample time is devoted to the topic of tradecraft and how to get your payload into a safe context for post-exploitation.

5. Initial Access


This lecture covers the client-side attack process, spear phishing, and tradecraft related to the delivery of phishes.

6. Post Exploitation


What happens once you get into a network? This video covers how to manage Beacons, pass sessions, run commands, exfiltrate data, log keystrokes, and grab screenshots, along with a very healthy dose of post-exploitation tradecraft and theory.

7. Privilege Escalation


Privilege Escalation is elevating from standard user rights to full control of a system. This lecture introduces the Elevate Kit, covers the use of SharpUp to find misconfigurations, and how to elevate with credentials. Other topics include Kerberoasting (to potentially recover privileged credentials), how to bypass user account control, and how to elevate to SYSTEM. This lecture also discusses credential and hash harvesting with mimikatz.

8. Lateral Movement


Lateral Movement is abusing trust relationships to attack systems in an enterprise network. This video covers host and user enumeration, remote control of systems without using malware, and remote code execution with the Beacon payload. You’ll also learn to steal tokens, use credentials, pass-the-hash, and generate Kerberos Golden Tickets.

9. Pivoting


This video shows how to find targets with port scanning and how to tunnel the Metasploit® Framework and other tools through a SOCKS proxy pivot. Reverse TCP pivot listeners are demonstrated here. You’ll also learn how to pivot to and control UNIX targets with Cobalt Strike’s SSH sessions. The lecture concludes with a demonstration of Browser Pivoting, Cobalt Strike’s innovative man-in-the-browser session stealing attack.