Cobalt Strike is a notorious post-exploitation tool used by threat actors to gain access to target systems and to maintain persistence. The tool was originally designed as adversary simulation software for executing targeted attacks and emulating the post-exploitation actions of advanced threat actors [1]. It is often used in conjunction with additional malware payloads such as Clop, Conti, Emotet and QakBot. Cobalt Strike allows threat actors to disguise their traffic as legitimate network traffic and evade detection.
Originally a red teaming tool, the software has since been cracked, and reports of malicious use date back to at least 2019. The exact method of initial access is not clear, but threat actors most likely use social engineering, phishing, or exploit kits to gain a foothold on targeted systems. Cobalt Strike remains a significant threat to organisations, and network defenders should be vigilant in monitoring for any signs of Cobalt Strike operations. In addition to its own capabilities, Cobalt Strike leverages other well-known tools such as Metasploit and Mimikatz.
The primary malicious operations associated with Cobalt Strike rely on its ability to establish command and control (C2) communications with target networks, creating a persistent access channel between the target and the threat actor. This is achieved through the tool's Beacon feature, which is installed on the target system as a client for the threat actor [2]. The Beacon allows files to be uploaded and C2 communications to be exchanged covertly, which is how persistence is maintained. The post-exploitation tool has been attributed to numerous advanced persistent threat (APT) groups, including Sangria Tempest (also known as FIN7), Forest Blizzard (also known as APT28) and Gingham Typhoon (also known as APT40). LockBit ransomware has also recently been observed sideloading Cobalt Strike through Microsoft security tools.