Cobalt Strike 3.3 – Now with less PowerShell.exe
Cobalt Strike 3.3 – Now with less PowerShell.exe. 🙂 Continue reading Cobalt Strike 3.3 – Now with less PowerShell.exe
Some hackers only think about access. It’s the precious. How to get that first shell? I don’t care too much about this. I’m concerned about the problems that come from having a lot of accesses. One of these problems has to do with user exploitation. If you have access to 50 or more systems at […] Continue reading User Exploitation at Scale
Aggressor Script is the scripting engine in Cobalt Strike 3.0 and later. If you want to learn more about it, I recommend reading the documentation. In this blog post, I’ll provide some history around Aggressor Script so you can better understand it and where it comes from. The mIRC Factor mIRC is a popular client for […] Continue reading Aggressor Script’s Secret mIRC Scripting Past
One of the most important things in a red teamer’s job is evidence. If you can’t demonstrate impact and make a risk real, it’s as if you didn’t find the problem. Screenshots go a long way towards this. Cobalt Strike has several options to capture screenshots during your engagement. In this post, I’ll quickly take […] Continue reading Pics or it didn’t happen…
I just returned from the North East Collegiate Cyber Defense Competition event at the University of Maine. A big congratulations to the winners, Northeastern University, who will go on to represent the North East region at the National event in April. The more I use Cobalt Strike 3.x, the more I appreciate Aggressor Script. Aggressor […] Continue reading My Cobalt Strike Scripts from NECCDC
Cobalt Strike 3.2, the third release in the 3.x series, is now available. The 3.2 release focuses on fixes and improvements across the Cobalt Strike product. x64 Beacon Cobalt Strike’s x86 Beacon plays pretty well in an x64 world. You can inject the keystroke logger and screenshot tools into 64-bit processes. If you run mimikatz […] Continue reading Cobalt Strike 3.2 – The Inevitable x64 Beacon
In 2011, I was invited to Austin, TX by the local ISSA and OWASP chapters to teach a class on Armitage and the Metasploit Framework. I think we had 90 students. I remember the pain of burning DVDs in preparation for this class. Myself and two of the organizers agreed to split the DVD burning […] Continue reading A History of Cobalt Strike in Training Courses
One of the hardest parts of being a developer is working with bug reports and support requests disguised as bug reports. Some people write very good bug reports. These reports give me the information I need to reproduce the problem and advise from there. Others offer a vague description of their problem with no context. […] Continue reading A Quick Guide to Bug Reports
There are several research projects to collect raw data from red team activity, process this data, and try to turn it into information. In this blog post, I’ll show you how to instrument a Cobalt Strike team server and generate a real-time feed of engagement activity. Aggressor Script is the scripting engine in Cobalt Strike […] Continue reading Real-Time Feed of Red Team Activity
During a recent conversation, a friend had mentioned that they saw Cobalt Strike as a post-exploitation only tool. This strikes me as a little odd. Cobalt Strike has always had all the features necessary to execute a full attack chain. The system profiler, spear phishing tool, and user-driven attacks support a social engineering process designed […] Continue reading Post-Exploitation Only (Not Really)