{
	"id": "bc4565b3-920f-4395-a433-d06786df5a10",
	"created_at": "2026-04-06T00:15:31.803888Z",
	"updated_at": "2026-04-10T03:24:23.835977Z",
	"deleted_at": null,
	"sha1_hash": "929fa6c363f8680c02e08814039ee5de29caa9c4",
	"title": "Cobalt Strike – Post-Exploitation Attackers Toolkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59891,
	"plain_text": "Cobalt Strike – Post-Exploitation Attackers Toolkit\r\nBy Ben Gross, Threat Researcher\r\nPublished: 2021-03-18 · Archived: 2026-04-05 16:58:18 UTC\r\nIntroduction to the Framework\r\nCobalt Strike (CS) is a paid penetration testing toolkit that allows an attacker to deploy a component named\r\nBeacon on a victim’s machine. The simplicity, reliability, and versatility of CS make it very popular among threat\r\nactors—and there are plenty of cracked versions of CS available on the dark web[1]. Given this reality, it’s been\r\nused frequently in recent cyber-attacks[2].\r\nCS provides a wealth of functionality to the attacker, including command execution, key logging[3], file transfer,\r\nprivilege escalation, port scanning, lateral movement, and more. The framework is split into two components:\r\nclient and server. The server module, aka team server, is the controller of the Beacon payload. By using this\r\nmodule the attacker can track and execute commands on an infected host and utilize all of the framework\r\ncapabilities.\r\nCobalt Strike Beacon\r\nThe Beacon, which is the main component being used to target accounts, allows its operators to execute\r\ncommands, log keystrokes, drop files, and communicate with targeted systems. CS is primarily used as a post-exploitation tool, leveraged by attackers after they have a foothold in a system and want to remain hidden.\r\nDeploying a Beacon and making sure its communication will stay hidden from cybersecurity products and teams\r\nis a critical task for adversaries. The Beacon has several communication methods[4] to make this happen,\r\nincluding HTTP, HTTPS, DNS, and SMB. By default, the Beacon will reach out to its C2 periodically, sending\r\nmeta-data back and gathering any commands issued by the operator. 
The Beacon console allows the attacker to\r\nmonitor which tasks were issued to a Beacon and track their status, check the output of commands, and find\r\nadditional information on targets.\r\nHow Attackers Use Cobalt Strike\r\nEven though CS is a paid penetration testing product, it is incredibly popular due to its wealth of capabilities and\r\nits ability to add new features and modify existing ones. This flexibility allows attackers to implement their own\r\ntools, use built-in tools, or integrate other penetration testing tools such as the Metasploit framework and\r\nMimikatz. By design the main use of CS is to act as a post-exploitation tool that allows attackers to gather\r\ninformation, harvest credentials, and deploy other payloads on an infected host. That also means it is not\r\ndesigned to gain initial access to a system, even though it does have components that can help to gain access, such\r\nas its VBA macro and Windows-executable generators.\r\nCS provides the attacker a wide set of tools; we will cover some of the framework capabilities from an attack-chain point of view. The full list of capabilities is available in the MITRE matrix[5].\r\nhttps://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/\r\nPage 1 of 4\n\nInitial Access\r\nSystem Profiler: A honeypot used as a reconnaissance tool to collect information about a target. It is\r\ndesigned to collect information on systems or users that visit CS-controlled servers and provide a list of\r\napplications and plug-ins discovered (it is not designed to infect a host).\r\nMS-Macros Generator: CS can generate VBA code to embed in Office documents.\r\nWebsite Clone Tool: This tool can create a local copy of a website with some code added to fix links and\r\nimages so they work as they should. 
An attacker can lure a victim to enter the cloned website to collect\r\ninformation about the victim’s network.\r\nWindows Loaders and Payload Generator: CS can generate a Windows executable, a script (e.g.,\r\nPowerShell, HTA), or a raw blob of position-independent code that contains a Beacon. CS provides an\r\ninternal kit for building shellcode and executables. The kit can be easily modified to suit an attacker’s needs.\r\nPhishing: The CS phishing module helps an attacker replace links and text to build a convincing phish in\r\nan email template, which it can send to multiple recipients and track who entered them. This module can be\r\nused along with the website clone tool to lure a victim into CS-owned websites.\r\nPrivilege Escalation and Lateral Movement\r\nMimikatz: An open-source tool that allows users to view and save credentials, extract plaintext passwords,\r\nhashes, PIN codes, and Kerberos tickets from the system’s memory. Mimikatz is fully supported in CS.\r\nAttackers can run and execute Mimikatz commands directly from the CS command-line interface.\r\nUser Account Control (UAC) Bypass[6]: CS can bypass UAC by utilizing a method called reflective\r\nDLL injection.\r\nAntimalware Scan Interface (AMSI) Bypass: CS can bypass AMSI by patching OS functions that limit\r\nAMSI’s capabilities.\r\nCommand Execution\r\nAggressor Script: CS has its own scripting language which allows its users to modify and extend the\r\nBeacon’s functionality.\r\nRunning Commands: CS uses a command-line interface to interact with infected systems. 
The commands\r\nmay run via cmd.exe[7], powershell.exe[8], psinject[9], PowerPick[10], and more.\r\nNative API[11]: Beacon can run shell commands without cmd.exe or powershell.exe by directly calling the\r\nOS API functions or by using PowerPick, which is a program that allows the execution of PowerShell\r\nwithout the use of powershell.exe.\r\nCommand and Control Communication\r\nWeb Protocols: CS uses its own command-and-control communication protocol that can be encapsulated\r\nby HTTP/HTTPS/DNS.\r\nSMB (Server Message Block): CS can conduct P2P communication over Windows named pipes\r\nencapsulated in the SMB protocol.\r\nProtection from Cobalt Strike\r\nDeep Instinct prevents the CS framework and its components at all attack stages. The first possible attack vector is\r\nloaders. Whether they are Windows executables or Office documents, we prevent them and stop the attack chain at\r\nthe earliest possible stage by using Deep Learning-based static analysis.\r\nIn the event that an attacker has already gained access into a victim’s system and is trying to deploy a Beacon, our\r\nbehavioral capabilities can spot in-memory actions such as DLL injection and shellcode execution and prevent\r\nthese post-exploitation attempts from running. In addition, our PowerShell Deep Learning-based static analysis\r\nand behavioral analysis will prevent all malicious PowerShell activities.\r\nSummary\r\nCobalt Strike is a paid penetration testing product that is in continual development, and its team builds the\r\nframework with the most advanced and up-to-date security features and capabilities. 
Since CS is being used by\r\nboth security teams and threat actors for the same purposes, it poses a serious and ongoing threat for security\r\nproducts, organizations, and individuals.\r\nUsing our advanced Deep Learning-based static analysis and behavioral capabilities, customers of Deep Instinct\r\ncan rest assured that they have protection against Cobalt Strike and its capabilities, as the attack is detected and\r\nprevented in a matter of milliseconds.\r\nTo see our capabilities for yourself, request a demo via our contact us form.\r\n----------------------------------------\r\n[1] https://www.bleepingcomputer.com/news/security/alleged-source-code-of-cobalt-strike-toolkit-shared-online/\r\n[2] https://www.bleepingcomputer.com/news/security/solarwinds-hackers-used-7-zip-code-to-hide-raindrop-cobalt-strike-loader/\r\n[3] https://attack.mitre.org/techniques/T1056/001\r\n[4] https://attack.mitre.org/techniques/T1071/001/\r\n[5] https://attack.mitre.org/software/S0154/\r\n[6] https://attack.mitre.org/techniques/T1548/002/\r\n[7] https://attack.mitre.org/techniques/T1059/003/\r\n[8] https://attack.mitre.org/techniques/T1059/001\r\n[9] https://github.com/EmpireProject/PSInject\r\n[10] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick\r\n[11] https://attack.mitre.org/techniques/T1106\r\nSource: https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/"
	],
	"report_names": [
		"cobalt-strike-post-exploitation-attackers-toolkit"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/929fa6c363f8680c02e08814039ee5de29caa9c4.pdf",
		"text": "https://archive.orkl.eu/929fa6c363f8680c02e08814039ee5de29caa9c4.txt",
		"img": "https://archive.orkl.eu/929fa6c363f8680c02e08814039ee5de29caa9c4.jpg"
	}
}