{
	"id": "560f22e6-b6e4-4053-84e8-59feccebdf49",
	"created_at": "2026-04-29T02:21:12.230649Z",
	"updated_at": "2026-04-29T08:22:24.159363Z",
	"deleted_at": null,
	"sha1_hash": "b93762d468df032aabf67332c0631706bcd179ff",
	"title": "Cobalt Strike 3.8 – Who’s Your Daddy?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54661,
	"plain_text": "Cobalt Strike 3.8 – Who’s Your Daddy?\r\nPublished: 2017-05-23 · Archived: 2026-04-29 02:10:06 UTC\r\nCobalt Strike 3.8 is now available. This release adds features to spawn processes with an alternate parent process.\r\nThis release also gives the operator control over the script templates Cobalt Strike uses in its attacks and\r\nworkflows.\r\nProcesses with Alternate Parents\r\nA favorite hunt technique is to instrument a host to report all new processes, their arguments, and the parent\r\nprocess. Hunt operators (and automated solutions) separate the noise from the interesting by looking for odd\r\nparent/child process relationships.\r\nThis release of Cobalt Strike pushes back on this technique with the ppid command. The PPID command tasks\r\nBeacon to launch cmd.exe, powershell.exe, and other processes with an alternate parent. This feature takes\r\nadvantage of an API, introduced with Windows Vista, to enable consent.exe to launch elevated processes with the\r\nnon-elevated requester as the parent.\r\nAn error occurred.\r\nTry watching this video on www.youtube.com, or enable JavaScript if it\r\nis disabled in your browser.\r\nThis opens a lot of possibilities. For example, if I’m in a user context, I might set explorer.exe as my parent with\r\nsomething plausible (e.g, iexplore.exe) for my temporary processes. If I’m in a SYSTEM context, I might use\r\nservices.exe as my parent process and ask Beacon to use svchost.exe for its temporary processes.\r\nTo benefit from the ppid command, your session must have rights to access the parent process. I also recommend\r\nthat you specify a parent process that exists in the same desktop session. 
If you don’t, random commands and\r\nworkflows may fail.\r\nAnother way to hop Desktop Sessions\r\nIt’s possible, with a few extra steps, to run commands under a parent that lives in another desktop session.\r\nPrograms run this way will take on the rights and identity of their parent.\r\nBeacon’s runu command runs an arbitrary command as a child of another parent. This command takes the\r\nnecessary extra steps to do this across session boundaries.\r\nThe spawnu command builds on this primitive to spawn a session with powershell.exe.\r\nThese commands offer means to spawn a payload, in another desktop session, without remote process injection.\r\nAs detection of remote process injection becomes more common, it’s important to have other ways to achieve our\r\ngoals without this offensive technique.\r\nThe Resource Kit\r\nCobalt Strike 3.8’s Resource Kit finally gives you a way to change Cobalt Strike’s built-in script templates! The\r\nResource Kit is a collection of Cobalt Strike’s default script templates and a sample Aggressor Script to bring\r\nthese into Cobalt Strike. Go to Help -\u003e Arsenal from a licensed copy of Cobalt Strike to download the Resource\r\nKit.\r\nThe Resource Kit benefits from new Aggressor Script hooks to provide the PowerShell, Python, and VBA script\r\ntemplates Cobalt Strike uses in its workflows.\r\nCheck out the release notes to see a full list of what’s new in Cobalt Strike 3.8. Licensed users may use the update\r\nprogram to get the latest. 
A 21-day Cobalt Strike trial is also available.\r\nSource: https://web.archive.org/web/20171009220105/https://blog.cobaltstrike.com/2017/05/23/cobalt-strike-3-8-whos-your-daddy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20171009220105/https://blog.cobaltstrike.com/2017/05/23/cobalt-strike-3-8-whos-your-daddy/"
	],
	"report_names": [
		"cobalt-strike-3-8-whos-your-daddy"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-29T06:58:56.262499Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777429272,
	"ts_updated_at": 1777450944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b93762d468df032aabf67332c0631706bcd179ff.pdf",
		"text": "https://archive.orkl.eu/b93762d468df032aabf67332c0631706bcd179ff.txt",
		"img": "https://archive.orkl.eu/b93762d468df032aabf67332c0631706bcd179ff.jpg"
	}
}