Cobalt Strike

Overview

Cobalt Strike is a commercial adversary simulation tool designed for penetration testing. Its powerful capabilities have made it the most commonly abused tool by both cybercriminals and nation-state actors. Cracked versions circulate widely, and Cobalt Strike beacons are present in the majority of serious intrusions.

Also Known As

Cobalt Strike Beacon, CS Beacon, CobaltStrike

How It Spreads

• • Delivered via other malware (loaders, stealers)
• • Exploited vulnerabilities in public-facing systems
• • Phishing emails with weaponized documents
• • Post-exploitation after initial access
• • Supply chain compromises

What It Does

• • Provides persistent backdoor access (Beacon)
• • Enables lateral movement within networks
• • Facilitates credential harvesting
• • Allows execution of arbitrary commands
• • Supports pivoting through compromised systems
• • Often precedes ransomware deployment

Target Platforms

Windows 7, Windows 10, Windows 11, Linux, macOS

Detection Tips

• • Monitor for named pipes matching Cobalt Strike patterns
• • Detect HTTPS beaconing at regular intervals (jitter)
• • Alert on process injection into legitimate Windows processes
• • Watch for Mimikatz-like credential dumping
• • Monitor for malleable C2 traffic patterns

MITRE ATT&CK Techniques

T1071.001, T1055, T1003, T1021, T1059.001