
Threat Group Cards: A Threat Actor Encyclopedia

Tool: Cobalt Strike

Names: Cobalt Strike, BEACON
Category: Tools
Type: Backdoor, Vulnerability scanner, Keylogger, Tunneling, Loader, Exfiltration
Description: Cobalt Strike is a paid penetration-testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon gives the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes, as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Information:
<https://www.cobaltstrike.com/>
<https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html>
<https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html>
<https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py>
<https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html>
<http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems>
<https://www.lac.co.jp/lacwatch/people/20180521_001638.html>
<https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/>
<https://www.bleepingcomputer.com/news/security/threat-actors-use-older-cobalt-strike-versions-to-blend-in/>
<https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf>
<https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html>
MITRE ATT&CK: <https://attack.mitre.org/software/S0154/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:Cobalt%20Strike>

Last change to this tool card: 19 October 2020


All groups using tool Cobalt Strike

Changed | Name | Country | Observed

APT groups

X | APT 19, Deep Panda, C0d0so0 | China | 2013-May 2019
X | APT 29, Cozy Bear, The Dukes | Russia | 2008-2020
  | APT 32, OceanLotus, SeaLotus | Vietnam | 2013-Jan 2020
X | APT 41 | China | 2012-Aug 2020 HOT
X | Barium | China | 2016-Nov 2017
X | Carbanak, Anunak | Ukraine | 2013-Aug 2018
  | Chimera | [Unknown] | 2018-Late 2018
X | Cobalt Group | Russia | 2016-Oct 2019
  | CopyKittens, Slayer Kitten | Iran | 2013-Jan 2017
  | DarkHydrus, LazyMeerkat | Iran | 2016-Jan 2019
  | FIN6, Skeleton Spider | [Unknown] | 2015-Mar 2020
X | FIN7 | Russia | 2013-May 2020
  | Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon | China | 2010-May 2020
  | Lead | China | 2016
  | Leviathan, APT 40, TEMP.Periscope | China | 2013-Jan 2020
  | Mustang Panda, Bronze President | China | 2014-Mar 2020
  | Operation DRBControl | China | 2019
  | PassCV | China | 2016
  | Rancor | China | 2017
  | RedDelta | China | 2020-Aug 2020 HOT
X | Stone Panda, APT 10, menuPass | China | 2006-Jul 2020
  | TA2101, Maze Team | [Unknown] | 2019-Sep 2020 HOT
X | Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens | China | 2010-Oct 2018
  | Winnti Group, Blackfly, Wicked Panda | China | 2010-Feb 2020

Other groups

X | Indrik Spider | Russia | 2014-Jul 2020
  | OldGremlin | Russia | 2020
X | Pinchy Spider, Gold Southfield | Russia | 2018-Sep 2020 HOT
X | Wizard Spider, Gold Blackburn | Russia | 2014-Oct 2020 HOT

28 groups listed (24 APT, 4 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
