Collaborate Disseminate
Over the past few years, there has been a massive proliferation of YARA signatures for Beacon. We know from conversations with our customers that this has become problematic when using Cobalt Strike for red team engagements and that there has been some confusion over how Cobalt Strike’s malleable C2 options can help. Therefore, this blog […]
Continue reading Cobalt Strike and YARA: Can I Have Your Signature?
This blog introduces a PoC technique for spoofing call stacks using timers. Prior to our implant sleeping, we can queue up timers to overwrite its call stack with a fake one and then restore the original before resuming execution. Hence, in the same way we can mask memory belonging to our implant during sleep, we […]
Continue reading Behind the Mask: Spoofing Call Stacks Dynamically with Timers
One of the things I find fascinating about being on the Cobalt Strike team is the community. It is amazing to see how people overcome unique challenges and push the tool in directions never considered. I want explore this with CredBandit (https://github.com/xforcered/CredBandit). This tool has had updates since I started exploring. I’m specifically, looking at […]
The post CredBandit (In memory BOF MiniDump) – Tool review – Part 1 appeared first on Cobalt Strike Research and Development.
Continue reading CredBandit (In memory BOF MiniDump) – Tool review – Part 1
There are a lot of people who talk about threat emulation. Use our super-duper-elitesy-neatsy-malware to emulate these tactics in your network. I say stuff like that too. It’s cool. In this post, I’d like to write about what threat emulation means to me, really. I see a red teams as offensive operators capable of executing […]
Continue reading The Threat Emulation Problem