{
	"id": "bb70d57e-339f-455f-a7ca-85c8b5c99964",
	"created_at": "2026-04-06T00:16:20.699087Z",
	"updated_at": "2026-04-10T03:37:32.869128Z",
	"deleted_at": null,
	"sha1_hash": "dcebda6cc76878ca0859ef7c2f797b67c3ac7da3",
	"title": "Cobalt Strike, a Defender's Guide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3815457,
	"plain_text": "Cobalt Strike, a Defender's Guide\r\nBy editor\r\nPublished: 2021-08-29 · Archived: 2026-04-05 16:44:57 UTC\r\nIntro\r\nIn our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to\r\nexecute their mission objectives. In most of our cases, we see the threat actors utilizing Cobalt Strike. Therefore,\r\ndefenders should know how to detect Cobalt Strike in various stages of its execution. The primary purpose of this\r\npost is to expose the most common techniques that we see from the intrusions that we track and provide\r\ndetections. Having said that, not all of Cobalt Strike’s features will be discussed.\r\nAs you have noticed from our reporting so far, Cobalt Strike is used as a post-exploitation tool with various\r\nmalware droppers responsible for the initial infection stage. Some of the most common droppers we see are\r\nIcedID (a.k.a. BokBot), ZLoader, Qbot (a.k.a. QakBot), Ursnif, Hancitor, Bazar and TrickBot. Cobalt Strike is\r\nchosen for the second stage of the attack as it offers enhanced post-exploitation capabilities. 
Threat actors turn to\r\nCobalt Strike for its ease of use and extensibility.\r\nThanks to @Kostastsale for helping put this guide together!\r\nThe DFIR Report Services\r\nPrivate Threat Briefs: Over 20 private DFIR reports annually.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver,\r\netc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, opendir\r\nreports, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions.\r\nInteractive labs are available with different difficulty levels and can be accessed on-demand,\r\naccommodating various learning speeds.\r\nContact us today for pricing or a demo!\r\nCobalt Strike Capabilities\r\nCobalt Strike has many features, and it is under constant development by a team of developers at Core Security by\r\nHelpSystems. Raphael Mudge was the primary maintainer for many years before the tool was acquired by HelpSystems. Raphael has an extensive playlist on YouTube that demonstrates the many features of Cobalt Strike and\r\nstep-by-step guides on how to use its full potential. His videos are handy to watch if you want to get a glimpse of\r\nhttps://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/\r\nPage 1 of 28\n\nall the features that Cobalt Strike has to offer in various phases of the intrusion. Below are some of the capabilities\r\nthat we see being used by operators. This is not an exhaustive list of commands available, but it contains most of\r\nthe built-in features that we encounter in most cases. 
In the table below, the “Documented Features” correspond to\r\nthe Cobalt Strike commands typed into the interactive Beacon console, as per the official documentation:\r\nCapability: Documented features/commands\r\nUpload and download payloads and files: download \u003cfile\u003e; upload \u003cfile\u003e\r\nRunning commands: shell \u003ccommand\u003e; run \u003ccommand\u003e; powershell \u003ccommand\u003e\r\nProcess injection: inject \u003cpid\u003e; dllinject \u003cpid\u003e (reflective DLL injection); dllload \u003cpid\u003e \u003cpath-to-dll\u003e (load an on-disk DLL into a process); spawnto \u003carch\u003e \u003cfull-exe-path\u003e (sets the sacrificial process that Beacon spawns and injects post-exploitation jobs into)\r\nSOCKS proxy: socks \u003cport number\u003e\r\nPrivilege escalation: getsystem (SYSTEM account impersonation using named pipes); elevate svc-exe [listener] (creates a service that runs a payload as SYSTEM)\r\nCredential and hash harvesting: hashdump (dump local SAM password hashes); logonpasswords (using Mimikatz); chromedump (recover Google Chrome passwords from the current user)\r\nNetwork enumeration: portscan [targets] [ports] [discovery method]; net \u003ccommands\u003e (commands to find targets on the domain)\r\nLateral movement: jump psexec (run a service EXE on a remote host); jump psexec_psh (run a PowerShell one-liner on a remote host via a service); jump winrm (run a PowerShell script via WinRM on a remote host); remote-exec \u003cmethod\u003e \u003ctarget\u003e \u003ccommand\u003e (run a single command on a remote host via psexec, winrm or wmi)\r\nCobalt Strike Infrastructure\r\nChanging infrastructure will always be inconvenient for the threat actors, but it is not a difficult task. Additionally,\r\nCobalt Strike is able to make use of “redirectors.” Therefore, some of these servers could be a redirector instead of\r\nthe actual Cobalt Strike C2 server. Redirectors are hosts that do what the name implies, redirect traffic to the real\r\nC2 server. 
Threat actors can hide their infrastructure behind an army of redirectors and conceal the actual C2\r\nserver. This makes the malicious infrastructure harder for the defenders to discover and block.\r\nImage taken from the official Cobalt Strike documentation:\r\nOur Threat Feed service tracks hundreds of Cobalt Strike servers and other C2 infrastructure. More information on\r\nthis service and others can be found here.\r\nMalleable C2 profiles\r\nCobalt Strike has adopted Malleable C2 profiles, which allow the threat actors to customize almost every aspect of the\r\nC2 framework. This makes life harder for defenders as the footprint can change with each profile modification.\r\nThe threat actors have the ability to change anything from the network communication (like user agent, headers,\r\ndefault URIs) to individual post-exploitation functions such as process injection and payload obfuscation\r\ncapabilities.\r\nAcross many of our investigations the profiles used differ, but actors do often reuse profiles, and patterns\r\nemerge across intrusions, as in the following three cases:\r\n1. Bazar Drops the Anchor – March 8, 2021\r\n2. Bazar No Ryuk – January 31, 2021\r\n3. TrickBot still alive and well – January 11, 2021\r\nAll the above intrusions made use of the same profile that mimics a legitimate jQuery request. 
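The config dump that follows is the kind of output the nmap grab_beacon_config script (or Didier Stevens' config-dump script listed under Useful Open Source Information) produces for a live team server. As an added example, not part of the original post, the Python below parses such a dump into the fields a defender pivots on (C2 host, GET and POST URIs, User-Agent, spawnto processes), derives the expected check-in cadence from the Polling and Jitter values, and matches constructed proxy records against those indicators. The sample dump is a trimmed copy of the x86 section reproduced below; the proxy records, the CDN host and the timestamps are constructed for the example and come from no case.

```python
# Constructed sample (not a new capture): the x86 section of the
# grab_beacon_config dump reproduced further down in this guide, trimmed to
# the fields used here.
SAMPLE_DUMP = r'''
| grab_beacon_config:
| x86 URI Response:
| BeaconType: 0 (HTTP)
| Port: 80
| Polling: 45000
| Jitter: 37
| C2 Server: 195.123.217.45,/jquery-3.3.1.min.js
| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
|_
'''


def parse_beacon_config(text):
    """Parse '| Key: Value' lines into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip('|').strip()
        if not line or line == '_' or line.startswith('grab_beacon_config'):
            continue
        key, _, value = line.partition(':')
        key, value = key.strip(), value.strip()
        if not value:                   # 'x86 URI Response:' opens a section
            current = key
            sections[current] = {}
        elif current is not None:
            sections[current][key] = value
    return sections


def extract_indicators(section):
    """Pick out the fields a defender pivots on: C2 hosts, URIs, UA, spawnto, timing."""
    parts = [p.strip() for p in section.get('C2 Server', '').split(',')]
    return {
        'hosts': parts[0::2],           # 'C2 Server' is host,uri[,host,uri...]
        'get_uris': parts[1::2],
        'port': int(section.get('Port', 0)),
        'post_uri': section.get('HTTP Method Path 2', ''),
        'user_agent': section.get('User Agent', ''),
        'spawnto': [v for k, v in section.items() if k.lower().startswith('spawnto')],
        'sleep_ms': int(section.get('Polling', 0)),
        'jitter_pct': int(section.get('Jitter', 0)),
    }


def checkin_window(sleep_ms, jitter_pct):
    """Beacon's jitter shortens each sleep by a random 0..jitter percent of the
    base sleep, so check-ins arrive between sleep*(1-jitter) and sleep seconds apart."""
    base = sleep_ms / 1000.0
    return base * (1 - jitter_pct / 100.0), base


def match_proxy_records(ind, records):
    """records: (timestamp_s, method, host, uri, user_agent) tuples."""
    uris = set(ind['get_uris']) | {ind['post_uri']}
    return [r for r in records
            if r[2] in ind['hosts'] and r[3] in uris and r[4] == ind['user_agent']]


def looks_like_beaconing(timestamps, window, min_intervals=3, slack_s=2.0):
    """True when at least min_intervals consecutive gaps fall inside the
    sleep/jitter window; slack_s absorbs proxy timestamp granularity."""
    lo, hi = window
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return sum(1 for g in gaps if lo - slack_s <= g <= hi + slack_s) >= min_intervals


# Constructed proxy records: five check-ins 31-44 s apart plus one genuine
# jQuery fetch from a CDN, which shares the URI and UA but not the host.
UA = 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko'
SAMPLE_RECORDS = [
    (1000.0, 'GET', '195.123.217.45', '/jquery-3.3.1.min.js', UA),
    (1031.0, 'GET', '195.123.217.45', '/jquery-3.3.1.min.js', UA),
    (1069.0, 'POST', '195.123.217.45', '/jquery-3.3.2.min.js', UA),
    (1100.0, 'GET', '195.123.217.45', '/jquery-3.3.1.min.js', UA),
    (1144.0, 'GET', '195.123.217.45', '/jquery-3.3.1.min.js', UA),
    (1150.0, 'GET', 'code.jquery.com', '/jquery-3.3.1.min.js', UA),
]


def triage(dump=SAMPLE_DUMP, records=SAMPLE_RECORDS):
    ind = extract_indicators(parse_beacon_config(dump)['x86 URI Response'])
    hits = match_proxy_records(ind, records)
    window = checkin_window(ind['sleep_ms'], ind['jitter_pct'])
    return ind, hits, window, looks_like_beaconing([h[0] for h in hits], window)


if __name__ == '__main__':
    ind, hits, window, beaconing = triage()
    print(ind)
    print(len(hits), 'matching requests, window', window, 'beaconing:', beaconing)
```

Matching on host plus URI plus User-Agent is what keeps a real jQuery download from a CDN out of the hit list, since the profile only mimics the URI and UA; the cadence check is the second filter, because a browser does not re-fetch the same script every 28 to 45 seconds. The slack and the minimum interval count are tunable assumptions, not values from the post.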
The self-signed\r\ncertificates for intrusions 2 and 3 also contained the same fake attributes trying to pose as regular jQuery traffic.\r\nCommon Cobalt Strike config (nmap grab_beacon_config NSE script output):\r\n| grab_beacon_config:\r\n| x86 URI Response:\r\n| BeaconType: 0 (HTTP)\r\n| Port: 80\r\n| Polling: 45000\r\n| Jitter: 37\r\n| Maxdns: 255\r\n| C2 Server: 195.123.217.45,/jquery-3.3.1.min.js\r\n| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n| HTTP Method Path 2: /jquery-3.3.2.min.js\r\n| Header1:\r\n| Header2:\r\n| PipeName:\r\n| DNS Idle: J}\\xC4q\r\n| DNS Sleep: 0\r\n| Method1: GET\r\n| Method2: POST\r\n| Spawnto_x86: %windir%\\syswow64\\dllhost.exe\r\n| Spawnto_x64: %windir%\\sysnative\\dllhost.exe\r\n| Proxy_AccessType: 2 (Use IE settings)\r\n|\r\n|\r\n| x64 URI Response:\r\n| BeaconType: 0 (HTTP)\r\n| Port: 80\r\n| Polling: 45000\r\n| Jitter: 37\r\n| Maxdns: 255\r\n| C2 Server: 195.123.217.45,/jquery-3.3.1.min.js\r\n| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n| HTTP Method Path 2: /jquery-3.3.2.min.js\r\n| Header1:\r\n| Header2:\r\n| PipeName:\r\n| DNS Idle: J}\\xC4q\r\n| DNS Sleep: 0\r\n| Method1: GET\r\n| Method2: POST\r\n| Spawnto_x86: %windir%\\syswow64\\dllhost.exe\r\n| Spawnto_x64: %windir%\\sysnative\\dllhost.exe\r\n| Proxy_AccessType: 2 (Use IE settings)\r\n|_\r\n443/tcp open https\r\n| grab_beacon_config:\r\n| x86 URI Response:\r\n| BeaconType: 8 (HTTPS)\r\n| Port: 443\r\n| Polling: 45000\r\n| Jitter: 37\r\n| Maxdns: 255\r\n| C2 Server: gloomix.com,/jquery-3.3.1.min.js\r\n| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n| HTTP Method Path 2: /jquery-3.3.2.min.js\r\n| Header1:\r\n| Header2:\r\n| PipeName:\r\n| DNS Idle: J}\\xC4q\r\n| DNS Sleep: 0\r\n| Method1: GET\r\n| Method2: POST\r\n| Spawnto_x86: 
%windir%\\syswow64\\dllhost.exe\r\n| Spawnto_x64: %windir%\\sysnative\\dllhost.exe\r\n| Proxy_AccessType: 2 (Use IE settings)\r\n|\r\n|\r\n| x64 URI Response:\r\n| BeaconType: 8 (HTTPS)\r\n| Port: 443\r\n| Polling: 45000\r\n| Jitter: 37\r\n| Maxdns: 255\r\n| C2 Server: gloomix.com,/jquery-3.3.1.min.js\r\n| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n| HTTP Method Path 2: /jquery-3.3.2.min.js\r\n| Header1:\r\n| Header2:\r\n| PipeName:\r\n| DNS Idle: J}\\xC4q\r\n| DNS Sleep: 0\r\n| Method1: GET\r\n| Method2: POST\r\n| Spawnto_x86: %windir%\\syswow64\\dllhost.exe\r\n| Spawnto_x64: %windir%\\sysnative\\dllhost.exe\r\n| Proxy_AccessType: 2 (Use IE settings)\r\n|_\r\nExamples of Malleable C2 profiles can be found in Raphael Mudge's official GitHub repository. There are a\r\nnumber of GitHub repositories that generate randomized Malleable profiles, based either on completely random\r\nvalues or on an existing collection of Malleable profiles. Two of the most notable repos are:\r\nMalleable-C2-Randomizer – https://github.com/bluscreenofjeff/Malleable-C2-Randomizer\r\nC2concealer – https://github.com/FortyNorthSecurity/C2concealer\r\nTwo recent examples where threat actors used customized Malleable profiles are the SolarWinds\r\nintrusion and the later NOBELIUM campaigns, as attributed by Microsoft.\r\nIn the case of the SolarWinds intrusion, the threat actors used several customized Cobalt Strike Beacons to execute the\r\nsecond-stage payload on their victims. According to Microsoft, “No two Beacon instances shared the same C2\r\n
Other than certain internal fields, most\r\nBeacon configuration fields are customizable via a Malleable C2 profile.” – Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop.\r\nCobalt Strike in Action\r\nExecution\r\nA lot of the Cobalt Strike post-exploitation tools are implemented as windows DLLs. This means that every time a\r\nthreat actor runs these built-in tools, Cobalt Strike spawns a temporary process and uses rundll32.exe to inject the\r\nmalicious code into it and communicates the results back to the beacon using named pipes. Defenders should pay\r\nclose attention to command line events that rundll32 is executing without any arguments.\r\nExample execution:\r\nNamed pipes are used to send the output of the post-exploitation tools to the beacon. Cobalt Strike is using default\r\nunique pipe names, which defenders can use for detection. However, Cobalt Strike allows the operators to change\r\nthe name of the pipes to any name of their choosing by configuring the malleable C2 profile accordingly. Even\r\nthough this is very easy to create, it is an inconvenience for the average attacker, and we do not see it being done\r\nhttps://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/\r\nPage 9 of 28\n\noften. For more information Cobalt Strike has an extensive documentation on named pipes here.\r\nThe default Cobalt Strike pipes are (the “*” symbolize the prefix/suffix):\r\n\\postex_*\r\n\\postex_ssh_*\r\n\\status_*\r\n\\msagent_*\r\n\\MSSE-*\r\n\\*-server\r\nSysmon event 17 and 18 are able to log named pipes. Note that Sysmon should be explicitly configured to log\r\nnamed pipes. F-Secure Labs created a great write up for detecting Cobalt Strike through named pipes: Detecting\r\nCobalt Strike Default Modules via Named Pipe Analysis.\r\nAdditionally, we commonly see three methods regularly used by threat actors to download and execute the Cobalt\r\nStrike beacon.\r\n1. 
Using PowerShell to load and inject shellcode directly into memory\r\nEncoded PowerShell command with embedded Cobalt Strike SMB Beacons from the report: From word to\r\nlateral movement in 1 hour.\r\nThe PowerShell command is Base64 encoded. Decoding it, we are presented with the shellcode that\r\nwill be written into memory.\r\nFor a detailed analysis of this PowerShell stager, you can check out the helpful blog post from @Paulsec4 here.\r\n2. Download to disk and execute manually on the target\r\nIn the example below, you can see the TrickBot process downloading the Beacon to disk, and then loading it into\r\nmemory.\r\nThe event IDs in this case for Sysmon logs are:\r\n11 – File Creation\r\n7 – Image Loaded\r\n1 – Process Creation\r\n3 – Network Connection\r\nAnd for Windows Security logs:\r\n4663 – Object Access (file handle; only generated for files carrying an audit SACL)\r\n4688 – Process Creation (command-line logging should be explicitly configured as it is not on by default)\r\n5156 – Network Connection (Windows Filtering Platform permitted a connection)\r\nA recent example of this activity can be found in one of our latest reports, Hancitor Continues to Push Cobalt\r\nStrike, where the Hancitor-injected process (svchost.exe) downloaded the Cobalt Strike DLL Beacon to\r\ndisk, then allocated a new memory region inside the current rundll32.exe process and loaded\r\nthe Beacon there.\r\n3. Executing the beacon in memory via the initial malware infection\r\nThis case is harder to capture; thankfully, we have plenty of examples from our reporting to\r\ndemonstrate the execution flow. 
Below is an example from the case Sodinokibi (aka REvil) Ransomware.\r\nIcedID reached out to two Cobalt Strike servers to download and execute the Beacons in memory:\r\nDefense Evasion\r\nIn every intrusion, we see process injection taking place across the environment. It is mainly used to run\r\nBeacon or post-exploitation code inside another process, and to reach into lsass.exe to extract credentials from memory. By injecting\r\nthe payload into a remote process, the threat actors get a new Beacon session running in the user context of\r\nthe injected process. There are many ways in which process injection can be used. You can check out a\r\nhelpful post by Boschko that goes through the various methods that Cobalt Strike uses.\r\nDetect the Cobalt Strike default process injection with Sysmon by looking for the below EIDs in consecutive\r\norder:\r\n10 – Process accessed\r\n8 – CreateRemoteThread detected\r\n3/22 – Network connection / DNS query (the injected process checking in to the C2)\r\nExample process injection on remote process (RuntimeBroker.exe):\r\nThere are other ways to detect this activity. In other methods of process injection, such as process hollowing, EID\r\n8 will not be present. Unfortunately, it is very difficult to detect this process injection activity via Windows\r\nSecurity logs without Sysmon to monitor for the event IDs above.\r\nAn example from the Sodinokibi report, multiple process injections across the environment using Cobalt Strike\r\nBeacons (Sysmon EID 8):\r\nDiscovery\r\nIn every Cobalt Strike intrusion that we report, we see threat actors executing reconnaissance commands with the\r\nhelp of the “shell” command. The commands are based on native Windows utilities such as nltest.exe,\r\nwhoami.exe, and net.exe to help with discovery. 
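As an added example, not from the original post, the Python below runs the Sysmon checks described in the Execution, Defense Evasion and Discovery sections above over a set of constructed events: rundll32.exe launched with no arguments (EID 1), the default post-exploitation pipe names (EID 17), the EID 10 -> 8 -> 3/22 injection chain correlated on the same source and target PID, a handle to lsass.exe (EID 10), and a burst of distinct recon tools started through cmd.exe /C by one parent process, which is what Beacon's shell command looks like on the endpoint. Field names follow Sysmon's event schema; the PIDs, times and command lines are constructed and the 60-second windows and the three-tool threshold are assumptions to tune.

```python
import fnmatch

# Default post-exploitation pipe names listed in this guide ('*' is the random part)
# and the native discovery tools operators run through Beacon's shell command.
DEFAULT_PIPES = [r'\postex_*', r'\postex_ssh_*', r'\status_*', r'\msagent_*', r'\MSSE-*', r'\*-server']
RECON_TOOLS = {'nltest.exe', 'whoami.exe', 'net.exe', 'net1.exe', 'adfind.exe'}


def basename(path):
    return path.lower().rsplit('\\', 1)[-1]


def is_default_pipe(name):
    return any(fnmatch.fnmatchcase(name, p) for p in DEFAULT_PIPES)


def rundll32_without_args(ev):
    """EID 1: rundll32.exe started with no arguments (Beacon's sacrificial post-ex process)."""
    if ev['EventID'] != 1 or basename(ev['Image']) != 'rundll32.exe':
        return False
    cmd = ev['CommandLine'].strip().strip('"').lower()
    return cmd in (ev['Image'].lower(), 'rundll32.exe')


def recon_tool(ev):
    """Recon tool an EID 1 event runs, directly or as 'cmd.exe /C <tool> ...' (how
    Beacon's shell command launches it); None if it is not one of RECON_TOOLS."""
    image = basename(ev['Image'])
    if image in RECON_TOOLS:
        return image
    if image == 'cmd.exe':
        toks = ev['CommandLine'].lower().split()
        if '/c' in toks and toks.index('/c') + 1 < len(toks):
            tool = basename(toks[toks.index('/c') + 1])
            tool = tool if tool.endswith('.exe') else tool + '.exe'
            if tool in RECON_TOOLS:
                return tool
    return None


def injection_chains(events, window_s=60.0):
    """EID 10 -> EID 8 -> EID 3/22 for one source/target pair, in that order, each
    step within window_s of the previous one. Returns (source_pid, target_pid, image)."""
    findings = []
    for acc in (e for e in events if e['EventID'] == 10):
        src, dst = acc['SourceProcessId'], acc['TargetProcessId']
        t8 = [e['Time'] for e in events if e['EventID'] == 8
              and (e['SourceProcessId'], e['TargetProcessId']) == (src, dst)
              and acc['Time'] <= e['Time'] <= acc['Time'] + window_s]
        if t8 and any(e['EventID'] in (3, 22) and e['ProcessId'] == dst
                      and min(t8) <= e['Time'] <= min(t8) + window_s for e in events):
            findings.append((src, dst, acc['TargetImage']))
    return findings


def recon_bursts(events, window_s=60.0, min_distinct=3):
    """At least min_distinct different recon tools launched by one parent within
    window_s: the scripted post-check-in discovery this guide describes."""
    by_parent = {}
    for e in events:
        if e['EventID'] == 1 and recon_tool(e):
            by_parent.setdefault(e['ParentProcessId'], []).append((e['Time'], recon_tool(e)))
    findings = []
    for ppid, runs in by_parent.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            tools = {tool for t, tool in runs[i:] if t - t0 <= window_s}
            if len(tools) >= min_distinct:
                findings.append((ppid, sorted(tools)))
                break
    return findings


def triage_sysmon(events):
    findings = []
    for ev in events:
        if rundll32_without_args(ev):
            findings.append(('rundll32_no_args', ev['ProcessId']))
        if ev['EventID'] == 17 and is_default_pipe(ev['PipeName']):
            findings.append(('default_postex_pipe', ev['PipeName']))
        if ev['EventID'] == 10 and basename(ev['TargetImage']) == 'lsass.exe':
            findings.append(('lsass_access', ev['SourceProcessId']))
    findings += [('injection_chain', image) for _, _, image in injection_chains(events)]
    findings += [('recon_burst', ppid) for ppid, _ in recon_bursts(events)]
    return findings


def mk(eid, t, **fields):
    return dict(EventID=eid, Time=t, **fields)


# Constructed Sysmon events (not a real capture): Beacon in rundll32.exe (PID 4120)
# opens a post-ex pipe, injects into RuntimeBroker.exe, opens LSASS and runs recon.
S32 = 'C:\\Windows\\System32\\'
SAMPLE_EVENTS = [
    mk(1, 0.0, ProcessId=4120, Image=S32 + 'rundll32.exe', CommandLine=S32 + 'rundll32.exe'),
    mk(1, 0.5, ProcessId=4130, Image=S32 + 'rundll32.exe', CommandLine='rundll32.exe shell32.dll,Control_RunDLL'),
    mk(17, 1.0, ProcessId=4120, PipeName='\\postex_3a1f'),
    mk(17, 1.1, ProcessId=900, PipeName='\\PSHost.123'),
    mk(10, 5.0, SourceProcessId=4120, TargetProcessId=5212, TargetImage=S32 + 'RuntimeBroker.exe'),
    mk(8, 5.2, SourceProcessId=4120, TargetProcessId=5212),
    mk(3, 9.0, ProcessId=5212, DestinationIp='195.123.217.45'),
    mk(10, 20.0, SourceProcessId=4120, TargetProcessId=688, TargetImage=S32 + 'lsass.exe'),
    mk(1, 30.0, ProcessId=6001, ParentProcessId=4120, Image=S32 + 'cmd.exe', CommandLine='cmd.exe /C nltest /dclist:'),
    mk(1, 30.4, ProcessId=6002, ParentProcessId=4120, Image=S32 + 'cmd.exe', CommandLine='cmd.exe /C whoami /groups'),
    mk(1, 31.0, ProcessId=6003, ParentProcessId=4120, Image=S32 + 'cmd.exe', CommandLine='cmd.exe /C net group "Domain Admins" /domain'),
]

if __name__ == '__main__':
    for finding in triage_sysmon(SAMPLE_EVENTS):
        print(finding)
```

The second rundll32.exe event and the PSHost pipe are there as negatives: rundll32 with a DLL argument and PowerShell's own pipes are everyday noise, and a rule that fires on them will be ignored within a week. The injection chain requires all three steps on one source/target pair; as the text notes, process hollowing produces no EID 8, so that path needs a separate rule.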
Red Canary has a detailed article which goes through the reasons\r\nthat adversaries use native Windows tools for domain trust discovery; that article can be found here. Below are\r\nsome recent examples from the Conti infection; however, these commands remain consistent with other intrusions\r\nwe track.\r\nConti operators executing reconnaissance commands through Cobalt Strike:\r\nThe most used tools for discovery purposes that threat actors are dropping with the help of Cobalt Strike are\r\nAdFind and BloodHound. AdFind is by far the most used of the two. PowerShell is also used for enumerating the network looking for interesting targets, and\r\nunmodified PowerSploit and PowerView modules are a very common way for threat actors to collect\r\ninformation.\r\nPrivilege Escalation\r\nThe most common technique that threat actors use to obtain SYSTEM level privileges is the getsystem method\r\nvia named-pipe impersonation. Example execution on a target system as observed in the TrickBot Still Alive and\r\nWell report:\r\nThere are also other methods for elevating privileges with Cobalt Strike, such as using the “elevate” command.\r\nThe elevate command ships with two built-in options to escalate privileges. The first one is svc-exe. It drops an\r\nexecutable under “c:\\windows” and creates a service to run the payload as SYSTEM. The second one is uac-token-duplication, which spawns a new elevated process from the context of a non-privileged\r\nuser using a token stolen from an existing elevated process. However, as mentioned above, the most used method is\r\nnamed-pipe impersonation via the “getsystem” command. 
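Both getsystem (named-pipe impersonation) and elevate svc-exe install a Windows service, and so do the jump psexec and remote-exec psexec lateral movement methods from the capabilities table, so the service-install events (System 7045, Security 4697) are worth a dedicated triage. As an added example, not from the original post, the Python below classifies such events. The seven-character random service binary name is the convention this guide describes for jump psexec; the ADMIN$ upload path, the cmd.exe /c echo ... > \\.\pipe\... command that getsystem's service runs and the encoded-PowerShell service that psexec_psh creates are assumed from Cobalt Strike's documented behaviour rather than taken from this post, and the events themselves are constructed (the pipe name and echo value reuse the pass-the-hash command line shown later on this page).

```python
import re

# Heuristics for service-install events (System 7045 / Security 4697). The random
# seven-character service binary name is the convention this guide describes for
# jump psexec; the ADMIN$ upload path, the echo-to-pipe command used by getsystem
# and the encoded-PowerShell service of psexec_psh are assumed from Cobalt Strike's
# documented behaviour, not taken from this post.
RANDOM_EXE = re.compile(r'(?:^|[\\/])[A-Za-z0-9]{7}\.exe$', re.IGNORECASE)
SYSTEM_DIR = re.compile(r'\\(?:System32|SysWOW64)\\', re.IGNORECASE)
ADMIN_SHARE = re.compile(r'^\\\\[^\\]+\\ADMIN\$\\', re.IGNORECASE)
ECHO_TO_PIPE = re.compile(r'(?:cmd\.exe|%COMSPEC%)\s+/c\s+echo\s+\S+\s*>\s*\\\\\.\\pipe\\', re.IGNORECASE)
ENCODED_PS = re.compile(r'powershell(?:\.exe)?\b.*\s-(?:enc|encodedcommand)\b', re.IGNORECASE)


def service_path(image_path):
    """Executable part of an ImagePath: strip quotes and trailing arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    return p.split(' ', 1)[0]


def classify_service(image_path):
    """Return the list of reasons an ImagePath (or a 4688 command line) looks
    like Cobalt Strike service-based execution; empty when it looks benign."""
    reasons = []
    exe = service_path(image_path)
    # A 7-char random name only means something outside System32/SysWOW64: the real
    # spoolsv.exe lives there, a dropped svc-exe copy of it (as in this guide) does not.
    if RANDOM_EXE.search(exe) and not SYSTEM_DIR.search(exe):
        reasons.append('random-7-char-service-exe')
    if ADMIN_SHARE.match(exe):
        reasons.append('binary-served-from-ADMIN$')
    if ECHO_TO_PIPE.search(image_path):
        reasons.append('echo-to-named-pipe')
    if ENCODED_PS.search(image_path):
        reasons.append('encoded-powershell-service')
    return reasons


def triage_service_installs(events):
    """events: dicts with EventID, Host, ServiceName, ImagePath (7045/4697 fields)."""
    findings = []
    for e in events:
        if e['EventID'] not in (7045, 4697):
            continue
        reasons = classify_service(e['ImagePath'])
        if reasons:
            findings.append({'host': e['Host'], 'service': e['ServiceName'], 'reasons': reasons})
    return findings


# Constructed events (not a real capture). The pipe name and echo value reuse the
# pass-the-hash command line shown later in this guide.
SAMPLE_EVENTS = [
    {'EventID': 7045, 'Host': 'DC01', 'ServiceName': 'a3f9c1e',
     'ImagePath': '\\\\DC01\\ADMIN$\\a3f9c1e.exe'},
    {'EventID': 7045, 'Host': 'WS01', 'ServiceName': '52b7e0d',
     'ImagePath': '%COMSPEC% /c echo 0291f1e69dd > \\\\.\\pipe\\82afc1'},
    {'EventID': 7045, 'Host': 'WS02', 'ServiceName': 'f1c2e7a',
     'ImagePath': '%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand SQBFAFgA'},
    {'EventID': 7045, 'Host': 'WS03', 'ServiceName': 'Spooler',
     'ImagePath': 'C:\\Windows\\System32\\spoolsv.exe'},
    {'EventID': 7045, 'Host': 'WS04', 'ServiceName': '8e2d1c0',
     'ImagePath': 'C:\\Windows\\spoolsv.exe'},
    {'EventID': 4697, 'Host': 'FS01', 'ServiceName': 'BackupAgent',
     'ImagePath': '"C:\\Program Files\\Vendor\\agent.exe" --service'},
]

if __name__ == '__main__':
    for f in triage_service_installs(SAMPLE_EVENTS):
        print(f)
```

The two spoolsv.exe events show why the random-name check is scoped by directory: the genuine spooler in System32 stays quiet, while a same-named binary dropped directly under C:\Windows, the svc-exe case this guide shows, is flagged. classify_service takes any command line, so the same patterns can be run over 4688 process-creation events to catch the echo-to-pipe command when service auditing is not enabled.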
A detailed explanation can be found at the bottom\r\nof this Cobalt Strike official documentation page.\r\nAs you can see below, Sysmon generates a lot more logs related to a successful privilege escalation using the\r\n“elevate svc-exe” option. In this case, spoolsv.exe is the executable that was dropped by Cobalt Strike to run the\r\npayload.\r\nSysmon Event IDs:\r\n11 – File Created\r\n1 – Process Create\r\n25 – Process Tampering\r\n12 – Registry object added or deleted, 13 – Registry value set (the new service's key under HKLM\\SYSTEM\\CurrentControlSet\\Services)\r\nWindows Event IDs:\r\nService installation: 4697 (Security) and 7045 (System)\r\nProcess Creation: 4688\r\nCredential Access\r\nAfter getting access to the target using Cobalt Strike, one of the first tasks that operators take on is to collect\r\ncredentials and hashes from LSASS. There are a couple of ways to achieve this with Cobalt Strike. The first one\r\nuses the “hashdump” command to dump local SAM password hashes; the second one uses the command “logonpasswords”\r\nto dump plaintext credentials and NTLM hashes from LSASS memory with Mimikatz.\r\nHere’s an example of accessing LSASS to steal credentials from memory using the “hashdump” command in Cobalt\r\nStrike:\r\nSysmon EIDs 1, 8, 10, 17 (Event ID 8 will not always be present, depending on the technique used):\r\nAs you can see below, with Windows Security logs alone the only events we manage to capture for this technique are process creation and\r\nprocess termination events.\r\n4688 – Process Creation (rundll32.exe loading the post-exploitation DLL)\r\n4689 – Process Termination\r\nWe have also seen LaZagne being used on two occasions to extract credentials from various applications on the\r\ntarget system.\r\nCobalt Strike has implemented the DCSync functionality introduced by Mimikatz. DCSync uses the Windows Active Directory\r\nreplication API (DRSUAPI) to retrieve the NTLM hash for a specific user or all users. 
To achieve this, the\r\nthreat actors must have access to a privileged account with domain replication rights (“Replicating Directory Changes All”; usually a Domain\r\nAdmin). By running the DCSync command, the threat actors masquerade as a domain controller requesting to\r\nsync with another domain controller, which hands over the credential material.\r\nCommand and Control\r\nCobalt Strike uses GET and POST requests to communicate with the C2 server. The threat actors can choose\r\nbetween HTTP, HTTPS and DNS for egress communication (SMB and raw TCP Beacons are used for peer-to-peer links inside the network). When it comes to C2, we typically see HTTP and\r\nHTTPS Beacons. By default, Cobalt Strike will use GET requests to retrieve tasks and POST requests to\r\nsend results back to the server. As explained above, all the default configurations can change with the use of\r\nMalleable profiles. Even though we don’t see this very often, the Beacon could also be configured to send back\r\ninformation with GET requests in small chunks. If you want a deep dive into detecting Cobalt Strike C2,\r\nthis article from UnderDefense is a great resource.\r\nThe Beacon metadata (session key and host details sent on check-in) is encrypted with the team server's RSA public key embedded in the Beacon configuration.\r\nExample of a GET request from our latest ransomware report on Conti:\r\nResults of executed commands are sent to the server using POST requests:\r\nLateral Movement\r\nOnce Cobalt Strike Beacons are established, usually within minutes, we see operators moving laterally to servers of\r\ninterest inside the network. Even though they are generally fast at picking their targets, we infer that their\r\ndecisions are based on the results from the discovery phase. 
According to our reporting, the most frequent\r\ntechniques that attackers use for pivoting are:\r\nSMB/WMI executable transfer and exec\r\nPass the Hash\r\nRDP\r\nRemote service execution\r\nCobalt Strike can facilitate all the above techniques, including RDP tunnelled through its SOCKS proxy.\r\nSMB/WMI executable transfer and exec\r\nAccording to our telemetry, this method is used the most by threat actors. We see them uploading their executable\r\nto the desired host with the “upload” Cobalt Strike command and executing it with the “remote-exec” command\r\nlisted in the capabilities section above, which can use psexec, winrm or wmi to execute a command and/or\r\na Beacon.\r\nThis is what we see when the Beacon is uploaded using the upload command.\r\nThe following EIDs are created when executing remote-exec (the psexec method installs a service; the wmi and winrm methods do not):\r\n4697: A service was installed in the system\r\n4624: Account logged on\r\nPass the Hash\r\nCobalt Strike's pth command uses Mimikatz to create a new logon session with the supplied NTLM hash and impersonates its token, so that later tasks run in\r\nthe context of that chosen user. The Beacon can also use this token to interact with network\r\nresources and run remote commands.\r\nAs you can see from the below execution example, executing Pass The Hash via Cobalt Strike spawns a cmd.exe (through Mimikatz's sekurlsa::pth) that writes to a named pipe; the Beacon waits on that pipe and then steals the token from that cmd.exe process:\r\nC:\\Windows\\system32\\cmd.exe /c echo 0291f1e69dd \u003e \\\\.\\pipe\\82afc1\r\nWe also see that the Beacon interacts with LSASS (Sysmon EID 10). 
There are many detection opportunities that\r\ndefenders can take advantage of with the proper endpoint visibility.\r\nPass the hash can also be detected by looking for:\r\nWindows EID 4624\r\nLogon Type = 9 (NewCredentials, the logon that sekurlsa::pth creates)\r\nAuthentication Package = Negotiate\r\nLogon Process = seclogo\r\nYou can read more about detecting Pass The Hash here by Stealthbits and here by Hausec.\r\nSMB remote service execution\r\nIn the below example, the threat actors executed the “jump psexec” command to create a remote service on the\r\nremote machine (DC) and execute the service EXE Beacon. Cobalt Strike specifies an executable to create the\r\nremote service. Before it can do that, it has to transfer the service executable to the target host. The name of\r\nthe service executable is made of seven random alphanumeric characters, e.g. “\u003c7-alphanumeric-characters\u003e.exe”. This was changed after version 4.1 of Cobalt Strike (Getting the Bacon from the Beacon).\r\nThe attacker must have administrative privileges on the target to complete this task.\r\nIn the screenshots below you can see the Windows Event IDs that are generated as a result of this execution.\r\nThe first screenshot was from the Security log. Defenders should pay close attention to service creation\r\nevents as they will be created and deleted\r\n4624: Logon\r\n4672: Special privileges assigned to new logon\r\n4673: A privileged service was called\r\n4688: Process Creation\r\n5140: A network share object was accessed\r\n4674: An operation was attempted on a privileged object\r\nService Creation events\r\n4697: A service was installed in the system. (security.evtx)\r\n7045: A service was installed in the system. 
(system.evtx)\r\n7034: A service terminated unexpectedly\r\nAggressor Scripts\r\nEven though Cobalt Strike has many features out of the box, it is also highly extensible thanks to Aggressor\r\nScript. Aggressor Script allows the operators to script and modify many of Cobalt Strike’s features. Operators\r\ncan quickly load various scripts via the GUI console.\r\nIn most of the cases we are working on, we observe the execution of discovery commands after the first Beacon\r\ncheck-in with its C2 server. These events are very likely automated by the threat actors. We have taken the\r\nbelow example as presented in the official Cobalt Strike documentation page to demonstrate this use case.\r\non beacon_initial {\r\n    # $1 is the id of the Beacon that just checked in\r\n    $user = beacon_data($1)[\"user\"];\r\n    bshell($1, \"net group \\\"Domain Admins\\\" /domain\");\r\n    bshell($1, \"nltest /domain_trusts /all_trusts\");\r\n    bshell($1, \"net localgroup \\\"Administrators\\\"\");\r\n    bshell($1, \"nltest /dclist\");\r\n}\r\n(NOTE: The \"$1\" argument is the id for the Beacon.)\r\nThe above script hooks the “beacon_initial” event to run the specified discovery commands upon the initial\r\ncheck-in of the Beacon. Cobalt Strike has comprehensive documentation on all available functions. Another\r\ninteresting function is “alias”. It creates an alias command in the Beacon console, which can override\r\nthe default Cobalt Strike commands.\r\nSearching for “Cobalt Strike aggressor scripts” on Google will result in multiple GitHub repositories. These\r\nrepositories contain collections of Aggressor scripts shared with the open-source community. Threat actors are\r\nalso utilizing these freely available resources for accomplishing their objectives. 
Some of the most popular are:\r\nhttps://github.com/harleyQu1nn/AggressorScripts\r\nhttps://github.com/timwhitez/Cobalt-Strike-Aggressor-Scripts\r\nhttps://github.com/Und3rf10w/Aggressor-scripts\r\nThe recent Conti leak gave great insight into their tooling, which included the use of Aggressor scripts. One of the\r\nmost notable scripts Conti is using is the ZeroLogon BOF script created by Raphael Mudge. The script loads a\r\nBeacon Object File that runs the ZeroLogon exploit in memory, inside the Beacon process.\r\nAnother file that we noticed was a collection of multiple Aggressor scripts in one. This file was named\r\n“enhancement_chain.cna” and included some of the most used Aggressor scripts available on GitHub, like the\r\nAV_query script by @r3dQu1nn.\r\nYou can find the file here.\r\nAwesome Cobalt Strike Defense\r\nTo combat Cobalt Strike, the InfoSec community has come together to release tooling, research and detection\r\nrules. There are too many to add here, but we don’t have to, thanks to the Awesome-CobaltStrike-Defence GitHub\r\nrepository. It contains multiple sources that help defenders hunt, detect and prevent Cobalt Strike. 
The repository\r\nis maintained by MichaelKoczwara, WojciechLesicki and d4rk-d4nph3.\r\nPart 2 of our Cobalt Strike guide\r\nCobalt Strike, a Defender’s Guide – Part 2\r\nUseful Open Source Information\r\nDefining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis\r\nVolatility plugin for detecting Cobalt Strike Beacon and extracting its config\r\nDidier Stevens – Python script to decode and dump the config of Cobalt Strike beacon\r\nDetection opportunities by Tony Lambert and Red Canary\r\nSigma Rules\r\nMeterpreter or Cobalt Strike Getsystem Service Installation\r\nCobaltStrike Named Pipe\r\nMeterpreter or Cobalt Strike Getsystem Service Start\r\nSuspicious AdFind Execution\r\nSuspicious Encoded PowerShell Command Line\r\nRundll32 Internet Connection\r\nPossible DNS Tunneling\r\nSuccessful Overpass the Hash Attempt\r\nService Installs\r\nProcess Injection\r\nProcess Creation Cobalt Strike load by rundll32\r\nSysmon Cobalt Strike Service Installs\r\nSuspicious WMI Execution Using Rundll32\r\nSuspicious Remote Thread Created\r\nPowerShell Network Connections\r\nMalicious Base64 Encoded PowerShell Keywords in Command Lines\r\nSuspicious DNS Query with B64 Encoded String\r\nDefault Cobalt Strike Certificate\r\nHigh TXT Records Requests Rate\r\nCobalt Strike DNS Beaconing\r\nCobaltStrike Malleable Amazon Browsing Traffic Profile\r\nCobaltStrike Malformed UAs in Malleable Profiles\r\nCobaltStrike Malleable (OCSP) Profile\r\nCobaltStrike Malleable OneDrive Browsing Traffic Profile\r\nSuricata\r\nET INFO Suspicious Empty SSL Certificate – Observed in Cobalt Strike\r\nET MALWARE Cobalt Strike Beacon Activity (GET)\r\nET MALWARE Cobalt Strike Malleable C2 Profile wordpress_ Cookie Test\r\nETPRO TROJAN Cobalt Strike Beacon Observed\r\nETPRO TROJAN 
Cobalt Strike CnC Beacon\r\nETPRO TROJAN Cobalt Strike Covert DNS CnC Channel TXT Lookup (tcp)\r\nETPRO TROJAN Cobalt Strike Covert DNS CnC Channel TXT Lookup (udp)\r\nETPRO TROJAN Cobalt Strike DNS CnC Activity\r\nETPRO TROJAN CobaltStrike Malleable C2 Activity (OCSP Profile)\r\nETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile\r\nETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile M2\r\nETPRO TROJAN Cobalt Strike Malleable C2 (Unknown Profile)\r\nETPRO TROJAN Cobalt Strike Malleable JQuery Custom Profile M4\r\nETPRO TROJAN Cobalt Strike Trial HTTP Response Header (EICAR)\r\nETPRO TROJAN Cobalt Strike Trial HTTP Response Header (X-Malware)\r\nETPRO TROJAN Malicious Domain CStrike C2 (blockbitcoin .com in DNS Lookup)\r\nETPRO TROJAN Observed Cobalt Strike CnC Domain in TLS SNI\r\nETPRO TROJAN Observed CobaltStrike Style SSL Cert (Amazon Profile)\r\nETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike)\r\nETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)\r\nETPRO TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)\r\nETPRO TROJAN Possible CobaltStrike CnC Beacon (Fake Safe Browsing)\r\nETPRO TROJAN Possible Cobalt Strike CnC via DNS TXT\r\nETPRO TROJAN Possible Cobalt Strike DNS Tunneling\r\nETPRO TROJAN Suspected Cobalt Strike Stager DNS Activity\r\nETPRO TROJAN W32/Unknown Dropper Downloading Cobalt Strike Beacon\r\nETPRO TROJAN Win32/Cobalt Strike CnC Activity (OCSP Spoof)\r\nETPRO TROJAN Winnti Possible Meterpreter or Cobalt Strike Downloader\r\nET TROJAN Cobalt Strike Activity\r\nET TROJAN Cobalt Strike Beacon Activity\r\nET TROJAN Cobalt Strike Beacon Activity (GET)\r\nET TROJAN Cobalt Strike Beacon Activity (UNC2447)\r\nET TROJAN Cobalt Strike Beacon Activity (WordPress Profile)\r\nET TROJAN Cobalt Strike Beacon (Amazon Profile) M2\r\nET TROJAN Cobalt Strike Beacon (Bing Profile)\r\nET TROJAN Cobalt Strike Beacon Observed (MASB 
UA)\r\nET TROJAN Cobalt Strike Beacon (WooCommerce Profile)\r\nET TROJAN Cobalt Strike C2 Profile (news_indexedimages)\r\nET TROJAN Cobalt Strike Malleable C2 (Adobe RTMP)\r\nET TROJAN Cobalt Strike Malleable C2 Amazon Profile\r\nET TROJAN Cobalt Strike Malleable C2 (Havex APT)\r\nET TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile M3\r\nET TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile Response\r\nET TROJAN Cobalt Strike Malleable C2 (Meterpreter)\r\nET TROJAN Cobalt Strike Malleable C2 (Microsoft Update GET)\r\nET TROJAN Cobalt Strike Malleable C2 (MSDN Query Profile)\r\nET TROJAN Cobalt Strike Malleable C2 OCSP Profile\r\nET TROJAN Cobalt Strike Malleable C2 (OneDrive)\r\nET TROJAN Cobalt Strike Malleable C2 Profile (bg)\r\nET TROJAN Cobalt Strike Malleable C2 Profile (btn_bg)\r\nET TROJAN Cobalt Strike Malleable C2 Profile (extension.css)\r\nET TROJAN Cobalt Strike Malleable C2 Profile (__session__id Cookie)\r\nET TROJAN Cobalt Strike Malleable C2 Profile (Teams) M1\r\nET TROJAN Cobalt Strike Malleable C2 Profile (Teams) M2\r\nET TROJAN Cobalt Strike Malleable C2 (QiHoo Profile)\r\nET TROJAN Cobalt Strike Malleable C2 Request (Stackoverflow Profile)\r\nET TROJAN Cobalt Strike Malleable C2 (Safebrowse Profile) GET\r\nET TROJAN Cobalt Strike Malleable C2 (TrevorForget Profile)\r\nET TROJAN Cobalt Strike Malleable C2 (Unknown Profile)\r\nET TROJAN Cobalt Strike Malleable C2 Webbug Profile\r\nET TROJAN Cobalt Strike Malleable C2 (WooCommerce Profile)\r\nET TROJAN Cobalt Strike Stager Time Check M1\r\nET TROJAN Cobalt Strike Stager Time Check M2\r\nET TROJAN CopyKittens Cobalt Strike DNS Lookup (cloudflare-analyse . 
com)\r\nET TROJAN [eSentire] Cobalt Strike Beacon\r\nET TROJAN NOBELIUM Cobalt Strike CnC Domain in DNS Lookup\r\nET TROJAN Observed CobaltStrike CnC Domain (defendersecyrity .com in TLS SNI)\r\nET TROJAN Observed Cobalt Strike CnC Domain (dimentos .com in TLS SNI)\r\nET TROJAN Observed CobaltStrike CnC Domain in TLS SNI\r\nET TROJAN Observed Cobalt Strike CnC Domain in TLS SNI (cs .lg22l .com)\r\nET TROJAN Observed Cobalt Strike CnC Domain (security-desk .com in TLS SNI)\r\nET TROJAN Observed CobaltStrike Loader Domain (cybersecyrity .com in TLS SNI)\r\nET TROJAN Observed Cobalt Strike Stager Domain in DNS Query\r\nET TROJAN Observed CobaltStrike/TEARDROP CnC Domain Domain in DNS Query\r\nhttps://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/\r\nPage 27 of 28\n\nET TROJAN Observed CobaltStrike/TEARDROP CnC Domain Domain in TLS SNI (mobilnweb .com)\r\nET TROJAN Observed Cobalt Strike User-Agent\r\nET TROJAN Observed Default CobaltStrike SSL Certificate\r\nET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)\r\nET TROJAN Observed Malicious SSL Cert (CobaltStrike CnC)\r\nET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (lol)\r\nET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (Mountainvew)\r\nET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (office)\r\nET TROJAN Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (Texsa)\r\nET TROJAN [PTsecurity] Possible Cobalt Strike payload\r\nET TROJAN [TGI] Cobalt Strike Malleable C2 Request (O365 Profile)\r\nET TROJAN [TGI] Cobalt Strike Malleable C2 Request (YouTube Profile)\r\nET TROJAN [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2\r\nET TROJAN Observed Default CobaltStrike SSL Certificate\r\nYara Rules\r\nMalpedia Cobalt Strike information and yara rule by Felix Bilstein\r\nRules from Elastic, Volexity, JPCERT\r\nRules from Marc Rivero with the McAfee ATR Team\r\nRules by yara@s3c.za.net\r\nRules by Avast\r\nEtienne Maynier tek@randhome.io\r\nSource: 
https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/\r\nhttps://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/\r\nPage 28 of 28",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/"
	],
	"report_names": [
		"cobalt-strike-a-defenders-guide"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9fb19abe-4035-4f22-a595-641b7f3443a9",
			"created_at": "2022-10-25T15:50:23.748944Z",
			"updated_at": "2026-04-10T02:00:05.395401Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"CopyKittens"
			],
			"source_name": "MITRE:CopyKittens",
			"tools": [
				"Cobalt Strike",
				"TDTESS",
				"Matryoshka"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4557ed9-2455-44c5-a768-dfb80ccae259",
			"created_at": "2023-01-06T13:46:38.652329Z",
			"updated_at": "2026-04-10T02:00:03.055638Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"Slayer Kitten",
				"G0052"
			],
			"source_name": "MISPGALAXY:CopyKittens",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "467c5e72-55a6-40a9-9b73-bb764889c0a5",
			"created_at": "2022-10-25T16:07:23.486532Z",
			"updated_at": "2026-04-10T02:00:04.628477Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"CopyKittens",
				"G0052",
				"Operation Wilted Tulip",
				"Slayer Kitten"
			],
			"source_name": "ETDA:CopyKittens",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EmPyre",
				"EmpireProject",
				"Matryoshka",
				"Matryoshka RAT",
				"PowerShell Empire",
				"TDTESS",
				"Vminst",
				"ZPP",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434580,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcebda6cc76878ca0859ef7c2f797b67c3ac7da3.pdf",
		"text": "https://archive.orkl.eu/dcebda6cc76878ca0859ef7c2f797b67c3ac7da3.txt",
		"img": "https://archive.orkl.eu/dcebda6cc76878ca0859ef7c2f797b67c3ac7da3.jpg"
	}
}