
Threat Group Cards: A Threat Actor Encyclopedia

Tool: Cobalt Strike

Names: Cobalt Strike, BEACON
Category: Tools
Type: Backdoor, Vulnerability scanner, Keylogger, Tunneling, Loader, Exfiltration
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Information:
<https://www.cobaltstrike.com/>
<https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html>
<https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html>
<https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py>
<https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html>
<http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems>
<https://www.lac.co.jp/lacwatch/people/20180521_001638.html>
<https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/>
<https://www.bleepingcomputer.com/news/security/threat-actors-use-older-cobalt-strike-versions-to-blend-in/>
<https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf>
<https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html>
<https://www.bleepingcomputer.com/news/security/alleged-source-code-of-cobalt-strike-toolkit-shared-online/>
<https://www.darkreading.com/threat-intelligence/how-to-identify-cobalt-strike-on-your-network/a/d-id/1339357>
MITRE ATT&CK: <https://attack.mitre.org/software/S0154/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:Cobalt%20Strike>

Last change to this tool card: 06 January 2021


All groups using tool Cobalt Strike

Changed | Name | Country | Observed | (unlabelled column in source)

APT groups

X | APT 19, Deep Panda, C0d0so0 | China | 2013-May 2019 | X
  | APT 29, Cozy Bear, The Dukes | Russia | 2008-2020 | X
X | APT 32, OceanLotus, SeaLotus | Vietnam | 2013-Dec 2020 HOT | X
X | APT 41 | China | 2012-Aug 2020 | X
  | Barium | China | 2016-Nov 2017 | X
  | Carbanak, Anunak | Ukraine | 2013-Aug 2018 | X
  | Chimera | [Unknown] | 2018-Late 2018 |
  | Cobalt Group | Russia | 2016-Oct 2019 | X
  | CopyKittens, Slayer Kitten | Iran | 2013-Jan 2017 |
  | DarkHydrus, LazyMeerkat | Iran | 2016-Jan 2019 |
X | Earth Wendigo | China | 2019 |
X | FIN6, Skeleton Spider | [Unknown] | 2015-Mar 2020 |
X | FIN7 | Russia | 2013-Dec 2020 HOT | X
X | Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon | China | 2010-May 2020 |
  | Lead | China | 2016 |
  | Leviathan, APT 40, TEMP.Periscope | China | 2013-Jan 2020 |
X | MuddyWater, Seedworm, TEMP.Zagros, Static Kitten | Iran | 2017-Dec 2020 HOT | X
X | Mustang Panda, Bronze President | China | 2014-Mar 2020 |
  | Operation DRBControl | China | 2019 |
  | PassCV | China | 2016 |
  | Rancor | China | 2017 |
X | RedDelta | China | 2020-Sep 2020 |
X | Stone Panda, APT 10, menuPass | China | 2006-Jul 2020 | X
X | TA2101, Maze Team | [Unknown] | 2019-Oct 2020 HOT |
X | Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens | China | 2010-Oct 2018 | X
X | UNC2452, Dark Halo, SolarStorm | Russia | 2019 |
  | Winnti Group, Blackfly, Wicked Panda | China | 2010-Feb 2020 |

Other groups

X | Indrik Spider | Russia | 2014-Jul 2020 | X
  | OldGremlin | Russia | 2020 |
X | Pinchy Spider, Gold Southfield | Russia | 2018-Nov 2020 HOT | X
X | UNC1878 | [Unknown] | 2020 |
X | Wizard Spider, Gold Blackburn | Russia | 2014-Nov 2020 HOT | X

32 groups listed (27 APT, 5 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
