
S0154 Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.1

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.1

ID: S0154
Associated Names: (none)
Type: MALWARE
Version: 1.10
Created: 14 December 2017
Last Modified: 07 March 2023

Techniques Used

Domain: Enterprise (all rows). Columns: ID, Name, Use. Sub-techniques are indented under their parent technique; a parent listed without a use has none recorded.

T1548 Abuse Elevation Control Mechanism
  T1548.002 Bypass User Account Control: Cobalt Strike can use a number of known techniques to bypass Windows UAC.12
  T1548.003 Sudo and Sudo Caching: Cobalt Strike can use sudo to run a command.2
T1134 Access Token Manipulation
  T1134.001 Token Impersonation/Theft: Cobalt Strike can steal access tokens from existing processes.12
  T1134.003 Make and Impersonate Token: Cobalt Strike can make tokens from known credentials.1
  T1134.004 Parent PID Spoofing: Cobalt Strike can spawn processes with alternate PPIDs.72
T1087 Account Discovery
  T1087.002 Domain Account: Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group.9
T1071 Application Layer Protocol: Cobalt Strike can conduct peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.16
  T1071.001 Web Protocols: Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports.16210
  T1071.004 DNS: Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports.162
T1197 BITS Jobs: Cobalt Strike can download a hosted “beacon” payload using BITSAdmin.1362
T1185 Browser Session Hijacking: Cobalt Strike can perform browser pivoting and inject into a user’s browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.12
T1059 Command and Scripting Interpreter
  T1059.001 PowerShell: Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.19 Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution.5762
  T1059.003 Windows Command Shell: Cobalt Strike uses a command-line interface to interact with systems.5624
  T1059.005 Visual Basic: Cobalt Strike can use VBA to perform execution.576
  T1059.006 Python: Cobalt Strike can use Python to perform execution.5762
  T1059.007 JavaScript: The Cobalt Strike System Profiler can use JavaScript to perform reconnaissance actions.6
T1543 Create or Modify System Process
  T1543.003 Windows Service: Cobalt Strike can install a new service.5
T1132 Data Encoding
  T1132.001 Standard Encoding: Cobalt Strike can use Base64, URL-safe Base64, or NetBIOS encoding in its C2 traffic.2
T1005 Data from Local System: Cobalt Strike can collect data from a local system.52
T1001 Data Obfuscation
  T1001.003 Protocol Impersonation: Cobalt Strike can mimic the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI.2
T1030 Data Transfer Size Limits: Cobalt Strike will break large data sets into smaller chunks for exfiltration.1
T1140 Deobfuscate/Decode Files or Information: Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions.62
T1573 Encrypted Channel
  T1573.001 Symmetric Cryptography: Cobalt Strike has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shellcode and configuration data.6
  T1573.002 Asymmetric Cryptography: Cobalt Strike can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server.6
T1203 Exploitation for Client Execution: Cobalt Strike can exploit Oracle Java vulnerabilities for execution, including CVE-2011-3544, CVE-2013-2465, CVE-2012-4681, and CVE-2013-2460.62
T1068 Exploitation for Privilege Escalation: Cobalt Strike can exploit vulnerabilities such as MS14-058.52
T1083 File and Directory Discovery: Cobalt Strike can explore files on a compromised system.2
T1564 Hide Artifacts
  T1564.010 Process Argument Spoofing: Cobalt Strike can spoof arguments in spawned processes that execute Beacon commands.2
T1562 Impair Defenses
  T1562.001 Disable or Modify Tools: Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox.62
T1070 Indicator Removal
  T1070.006 Timestomp: Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in.12
T1105 Ingress Tool Transfer: Cobalt Strike can deliver additional payloads to victim machines.62
T1056 Input Capture
  T1056.001 Keylogging: Cobalt Strike can track key presses with a keylogger module.182
T1112 Modify Registry: Cobalt Strike can modify Registry values within HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\Security\AccessVBOM\ to enable the execution of additional code.6
T1106 Native API: Cobalt Strike's Beacon payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe.162
T1046 Network Service Discovery: Cobalt Strike can perform port scans from an infected host.162
T1135 Network Share Discovery: Cobalt Strike can query shared drives on the local system.5
T1095 Non-Application Layer Protocol: Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications.62
T1027 Obfuscated Files or Information: Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata.62
  T1027.005 Indicator Removal from Tools: Cobalt Strike includes a capability to modify the Beacon payload to eliminate known signatures or unpacking methods.12
T1137 Office Application Startup
  T1137.001 Office Template Macros: Cobalt Strike has the ability to use an Excel Workbook to execute additional code by enabling Office to trust macros and execute code without user permission.6
T1003 OS Credential Dumping
  T1003.001 LSASS Memory: Cobalt Strike can spawn a job to inject into LSASS memory and dump password hashes.2
  T1003.002 Security Account Manager: Cobalt Strike can recover hashed passwords.1
T1069 Permission Groups Discovery
  T1069.001 Local Groups: Cobalt Strike can use net localgroup to list local groups on a system.2
  T1069.002 Domain Groups: Cobalt Strike can identify targets by querying account groups on a domain controller.2
T1057 Process Discovery: Cobalt Strike's Beacon payload can collect information on process details.162
T1055 Process Injection: Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary.123
  T1055.001 Dynamic-link Library Injection: Cobalt Strike has the ability to load DLLs via reflective injection.62
  T1055.012 Process Hollowing: Cobalt Strike can use process hollowing for execution.52
T1572 Protocol Tunneling: Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.12
T1090 Proxy
  T1090.001 Internal Proxy: Cobalt Strike can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access.12
  T1090.004 Domain Fronting: Cobalt Strike has the ability to accept a value for the HTTP Host header to enable domain fronting.2
T1012 Query Registry: Cobalt Strike can query HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\Security\AccessVBOM\ to determine if the security setting for restricting default programmatic access is enabled.62
T1620 Reflective Code Loading: Cobalt Strike's execute-assembly command can run a .NET executable within the memory of a sacrificial process by loading the CLR.2
T1021 Remote Services
  T1021.001 Remote Desktop Protocol: Cobalt Strike can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel.111
  T1021.002 SMB/Windows Admin Shares: Cobalt Strike can use Windows admin shares (C$ and ADMIN$) for lateral movement.54
  T1021.003 Distributed Component Object Model: Cobalt Strike can deliver Beacon payloads for lateral movement by leveraging remote COM execution.12
  T1021.004 SSH: Cobalt Strike can SSH to a remote service.52
  T1021.006 Windows Remote Management: Cobalt Strike can use WinRM to execute a payload on a remote host.12
T1018 Remote System Discovery: Cobalt Strike uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network.162
T1029 Scheduled Transfer: Cobalt Strike can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval.1
T1113 Screen Capture: Cobalt Strike's Beacon payload is capable of capturing screenshots.182
T1518 Software Discovery: The Cobalt Strike System Profiler can discover applications through the browser and identify the version of Java the target has.2
T1553 Subvert Trust Controls
  T1553.002 Code Signing: Cobalt Strike can use self-signed Java applets to execute signed applet attacks.62
T1218 System Binary Proxy Execution
  T1218.011 Rundll32: Cobalt Strike can use rundll32.exe to load a DLL from the command line.234
T1016 System Network Configuration Discovery: Cobalt Strike can determine the NetBIOS name and the IP addresses of target machines, including domain controllers.92
T1049 System Network Connections Discovery: Cobalt Strike can produce a sessions report from compromised hosts.6
T1007 System Service Discovery: Cobalt Strike can enumerate services on compromised hosts.2
T1569 System Services
  T1569.002 Service Execution: Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use the Service Control Manager to start new services.152
T1550 Use Alternate Authentication Material
  T1550.002 Pass the Hash: Cobalt Strike can perform pass the hash.5
T1078 Valid Accounts
  T1078.002 Domain Accounts: Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account.172
  T1078.003 Local Accounts: Cobalt Strike can use known credentials to run commands and spawn processes as a local user account.17
T1047 Windows Management Instrumentation: Cobalt Strike can use WMI to deliver a payload to a remote host.123

Groups That Use This Software

Columns: ID, Name, References (numbers refer to the list below).

G0079 DarkHydrus: refs 20, 21
G0037 FIN6: ref 22
G0092 TA505: ref 23
G0080 Cobalt Group: refs 31, 30, 28, 29, 26, 27, 24, 25
G0073 APT19: ref 32
G0096 APT41: refs 33, 34, 14
G0027 Threat Group-3390: ref 35
G0046 FIN7: refs 36, 37
G1006 Earth Lusca: ref 38
G0065 Leviathan: refs 39, 40, 41
G0119 Indrik Spider: ref 42
G0143 Aquatic Panda: ref 43
G0052 CopyKittens: ref 44
G0102 Wizard Spider: refs 45, 46, 47, 48, 49, 50, 51
G0050 APT32: refs 52, 53, 54, 55, 56, 8, 57
G0067 APT37: ref 58
G1014 LuminousMoth: refs 60, 59
G0045 menuPass: ref 10
G0129 Mustang Panda: refs 61, 62, 63, 64, 65
G0114 Chimera: refs 66, 67
G0016 APT29: refs 15, 16, 70, 71, 69, 68, 73, 72, 75, 76, 74

References

  1. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  2. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  3. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  4. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 

  5. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017. 

  6. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. 

  7. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy? Retrieved June 4, 2019.

  8. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021. 

  9. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  10. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  11. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022. 

  12. Mudge, R. (2017, January 24). Scripting Matt Nelson’s MMC20.Application Lateral Movement Technique. Retrieved November 21, 2017. 

  13. Strategic Cyber, LLC. (n.d.). Scripted Web Delivery. Retrieved January 23, 2018. 

  14. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  15. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  16. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. 

  17. Venere, G., Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.

  18. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  19. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. 

  20. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. 

  21. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  22. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. 

  23. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022. 

  24. CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018. 

  25. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019. 

  26. Klijnsma, Y. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.

  27. Klijnsma, Y. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.

  28. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. 

  29. Mesa, M., et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018.

  30. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. 

  31. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  32. Ahl, I. (2017, June 6). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.

  33. Glyer, C., et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.

  34. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. 

  35. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  36. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  37. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022. 

  38. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  39. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  40. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  41. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. 

  42. Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021. 

  43. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. 

  44. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  45. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 

  46. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  47. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  48. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. 

  49. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020. 

  50. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020. 

  51. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. 

  52. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.

  53. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. 

  54. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. 

  55. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  56. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020. 

  57. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. 

  58. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. 

  59. Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.

  60. Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.

  61. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021. 

  62. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. 

  63. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  64. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. 

  65. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021. 

  66. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. 

  67. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.

  68. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022. 

  69. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. 

  70. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. 

  71. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  72. Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022. 

  73. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022. 

  74. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023. 

  75. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021. 

  76. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.