{ "id": "086c369b-c6e5-422c-a660-1e8d89d2b3d6", "created_at": "2026-04-06T00:14:07.372148Z", "updated_at": "2026-04-10T13:12:44.218499Z", "deleted_at": null, "sha1_hash": "29e1cdac5c8aee785879287fbc4b7de192a099f8", "title": "Cobalt Strike Hunting — DLL Hijacking/Attack Analysis", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 612366, "plain_text": "Cobalt Strike Hunting — DLL Hijacking/Attack Analysis\r\nBy Michael Koczwara\r\nPublished: 2022-06-13 · Archived: 2026-04-05 18:52:43 UTC\r\nDLL Hijacking via Cobalt Strike \u0026 Attack Analysis.\r\nPress enter or click to view image in full size\r\nAgenda\r\nHijack Execution Flow: DLL Search Order Hijacking.\r\nPayload extraction from the PCAP (VT, Triage, and CyberChef Analysis).\r\nAttack Analysis.\r\nDLL Hijacking via Cobalt Strike/Sysrep.\r\nHijack Execution Flow\r\nAdversaries may execute their own malicious payloads by hijacking the way operating systems run programs.\r\nHijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over\r\nhttps://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e\r\nPage 1 of 2\n\ntime. Adversaries may also use these mechanisms to elevate privileges or evade defences, such as application\r\ncontrol or other restrictions on execution.\r\nThere are many ways an adversary may hijack the flow of execution, including by:\r\nManipulating how the operating system locates programs to be executed.\r\nHow the operating system locates libraries to be used by a program can also be intercepted.\r\nLocations where the operating system looks for programs/resources, such as file directories and in the case\r\nof Windows the Registry, could also be poisoned to include malicious payloads.\r\nSource: https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e\r\nhttps://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e" ], "report_names": [ "cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434447, "ts_updated_at": 1775826764, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/29e1cdac5c8aee785879287fbc4b7de192a099f8.pdf", "text": "https://archive.orkl.eu/29e1cdac5c8aee785879287fbc4b7de192a099f8.txt", "img": "https://archive.orkl.eu/29e1cdac5c8aee785879287fbc4b7de192a099f8.jpg" } }