OFFSITE.DARK
Cobalt Strike

Overview

Cobalt Strike is a commercial adversary simulation and red team C2 platform. A team server coordinates Beacon implants deployed on compromised hosts. Operators interact through the Java client, which is scriptable with Aggressor Script, or through headless automation.

Beacon is a staged/post-exploitation agent supporting sleep/jitter, SMB/TCP/HTTP/HTTPS/DNS egress, pivoting, credential harvesting, and post-ex modules. Malleable C2 profiles customize HTTP indicators, transaction transforms, and server headers so that traffic blends with what the target network expects to see.

The kill chain in CS terms: initial access (external) → Beacon staging → enumeration → lateral movement (psexec, WMI, SMB) → privilege escalation → actions on objectives. Built-in workflows mirror APT tradecraft for purple-team exercises.

Licensing is per-operator; unauthorized use violates the license terms and often the law. Defenders study CS indicators (default certificates, profile artifacts, named pipes) because leaked and cracked copies of CS tooling are widely used by crimeware and APT groups.

Primary use cases

  • Full-scope red team engagements with structured reporting
  • Purple-team detection validation against realistic C2 traffic
  • Training blue teams on Beacon lifecycle and lateral movement TTPs
  • Long-haul persistence and egress testing through restrictive proxies

Key commands

Start team server (operator host)

./teamserver 203.0.113.10 'SharedPassword' profile.ja

Generate HTTP Beacon (Aggressor)

Attacks → Packages → Windows Executable (S) → listener: https-beacon

Pivot via SOCKS (Beacon console)

beacon> socks 1080

Notable modules / features

  • Malleable C2 profiles: http-get, http-post, dns-beacon stanzas
  • Aggressor Script: automate sleep, spawn, lateral movement
  • Beacon Object Files (BOF): in-process post-ex without fork/spawn
  • External C2, pivoting, keystroke logging, screenshot, hashdump
  • Integration with Metasploit and third-party implants via bridges

Detection / defense notes

  • JA3/JA3S and HTTP header anomalies vs baseline corporate traffic
  • Named pipe patterns (e.g., MSSE-*), default CS certificate hashes
  • ETW/Sysmon: suspicious process ancestry from rundll32, regsvr32
  • Network: long-lived HTTPS to rare domains, DNS beaconing regularity
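Three of the indicators above translate directly into detection logic. The script below is an added example, not code from OFFSITE.DARK or from the Cobalt Strike project: it runs toy checks over constructed Sysmon-style records and a constructed DNS query log, flagging pipe names that match the MSSE-* pattern, rundll32/regsvr32 launched by document-handling applications, and DNS query series whose inter-arrival jitter is low enough to suggest a sleeping beacon. The Sysmon event IDs used (1 = Process Create, 17 = Pipe Created) are real; the document-handler list, the one-line log format, the coefficient-of-variation threshold and every sample value are assumptions made for this example.

```python
"""Toy detections for three Cobalt Strike indicators, run over constructed
Sysmon-style events and a constructed DNS query log (not real telemetry)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# --- Constructed sample telemetry (all values made up for this example) ---
SYSMON_EVENTS = [
    # Sysmon Event 17 = Pipe Created, Event 1 = Process Create
    {"EventID": 17, "Image": r"C:\Windows\System32\rundll32.exe",
     "PipeName": r"\MSSE-4581-server"},
    {"EventID": 17, "Image": r"C:\Program Files\Chrome\chrome.exe",
     "PipeName": r"\mojo.7144.9120.6451"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Office\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Acrobat\AcroRd32.exe"},
]

# Constructed DNS log, one "<iso-timestamp> <host> <queried-domain>" per line.
# ws01 queries one domain roughly every 60 s (beacon-like); ws02 is irregular.
DNS_LOG = """\
2024-05-01T10:00:00 ws01 cdn-sync.example.net
2024-05-01T10:00:00 ws02 mail.example.org
2024-05-01T10:00:03 ws02 mail.example.org
2024-05-01T10:01:02 ws01 cdn-sync.example.net
2024-05-01T10:02:00 ws01 cdn-sync.example.net
2024-05-01T10:03:05 ws01 cdn-sync.example.net
2024-05-01T10:03:58 ws01 cdn-sync.example.net
2024-05-01T10:05:01 ws01 cdn-sync.example.net
2024-05-01T10:07:30 ws02 mail.example.org
2024-05-01T10:08:00 ws02 mail.example.org
2024-05-01T10:25:00 ws02 mail.example.org
2024-05-01T10:25:10 ws02 mail.example.org
"""

# The MSSE-* pipe pattern named in the detection notes, as a regex.
PIPE_PATTERN = re.compile(r"^\\?MSSE-", re.IGNORECASE)
# LOLBins named in the notes, and an assumed set of document handlers that
# should rarely spawn them directly (tune to your own environment).
LOLBINS = {"rundll32.exe", "regsvr32.exe"}
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe",
                     "outlook.exe", "acrord32.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_pipes(events):
    """Pipe-created events whose pipe name matches the MSSE-* pattern."""
    return [e["PipeName"] for e in events
            if e["EventID"] == 17 and PIPE_PATTERN.match(e["PipeName"])]


def suspicious_ancestry(events):
    """(parent, child) pairs where a document handler spawned a LOLBin."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        child, parent = basename(e["Image"]), basename(e["ParentImage"])
        if child in LOLBINS and parent in DOCUMENT_HANDLERS:
            hits.append((parent, child))
    return hits


def parse_dns_log(text):
    """Group query timestamps by (host, domain)."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, domain = m.groups()
            series[(host, domain)].append(datetime.fromisoformat(ts))
    return series


def regularity(times):
    """Mean gap and coefficient of variation of inter-query gaps, or None
    when there are too few queries to judge."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return {"queries": len(times), "mean_gap_s": round(mean, 1), "cv": round(cv, 3)}


def beacon_candidates(text, cv_threshold=0.25, min_queries=4):
    """(host, domain, cv) for query series regular enough to look like a
    sleep/jitter beacon. The threshold is an assumed starting point."""
    out = []
    for (host, domain), times in parse_dns_log(text).items():
        stats = regularity(times)
        if stats and stats["queries"] >= min_queries and stats["cv"] <= cv_threshold:
            out.append((host, domain, stats["cv"]))
    return out


if __name__ == "__main__":
    print("pipes:", suspicious_pipes(SYSMON_EVENTS))
    print("ancestry:", suspicious_ancestry(SYSMON_EVENTS))
    print("beaconing:", beacon_candidates(DNS_LOG))
```

Each check is deliberately weak on its own: timer-driven software also produces regular DNS queries, Malleable C2 profiles and cracked builds rename the default pipe, and rundll32 has legitimate parents. The value comes from correlating them against a per-environment baseline rather than alerting on any single hit.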

Related tools

  • Metasploit Framework: a modular exploitation platform maintained by Rapid7 and the open-source community. Ruby runtime, PostgreSQL database for workspace state, and a unified module interface for the full attack lifecycle.
  • Impacket: Python protocol implementations. secretsdump, psexec, getTGT, and SMB/Kerberos tooling for Windows networks.
  • BloodHound: AD attack path analysis. Ingests ACL/ACE and group membership into a graph of privilege escalation routes.
  • Armitage: Metasploit GUI. Team server for collaborative red team operations.