ThaiCERT    ETDA    MDES

Threat Group Cards: A Threat Actor Encyclopedia

Tool: Cobalt Strike

Names: Cobalt Strike, BEACON
Category: Tools
Type: Backdoor, Vulnerability scanner, Keylogger, Tunneling, Loader, Exfiltration
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz, port scanning and lateral movement. Beacon is in-memory/fileless: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or by executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes, as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
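As an added worked example (not code from this card or from any of the tools linked below), the following Python script shows the artifact that the Beacon memory scanners in the references go after. Beacon carries its configuration in memory as a run of TLV records (2-byte big-endian index, type and length, then the value), XOR-encoded with a single byte key: 0x69 in 3.x builds, 0x2E in 4.x. Because the first record is always index 1 (BeaconType), type 1 (short), length 2, the encoded block starts with a predictable six-byte pattern that can be searched for, after which the rest decodes in place. The config blob in the script is constructed for the demo (the C2 host, URIs and user agent are made up), the field-index table is a subset of the publicly documented indices, and the plausibility checks after decoding are this example's own design; the script runs offline on that sample.

```python
import struct

# Single-byte XOR keys used to encode the embedded config: 0x69 (Beacon 3.x)
# and 0x2E (Beacon 4.x).
XOR_KEYS = (0x69, 0x2E)
# Plaintext start of every config: index 1 (BeaconType), type 1 (short), length 2.
MAGIC = bytes.fromhex("000100010002")

TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3

# Subset of the documented config indices (names follow common public parsers).
FIELD_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    6: "MaxDNS", 7: "PublicKey", 8: "C2Server", 9: "UserAgent",
    10: "HttpPostUri", 15: "PipeName", 29: "SpawnToX86", 30: "SpawnToX64",
    37: "Watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP/DNS", 2: "SMB", 4: "TCP (reverse)",
                8: "HTTPS", 16: "TCP (bind)"}
RAW_FIELDS = {7}  # binary values that must not be treated as NUL-padded text


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(blob: bytes):
    """Search a file or memory image for the encoded config header.
    Returns (offset, key) of the first hit, or None."""
    for key in XOR_KEYS:
        off = blob.find(xor(MAGIC, key))
        if off != -1:
            return off, key
    return None


def parse_records(data: bytes) -> dict:
    """Walk decoded TLV records until the index-0 terminator, end of data,
    or a record that cannot be a config entry."""
    fields, pos = {}, 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if idx == 0:
            break
        if typ not in (TYPE_SHORT, TYPE_INT, TYPE_BYTES) or length > 0x2000:
            break  # ran off the end of a real config into unrelated memory
        value = data[pos:pos + length]
        pos += length
        if typ == TYPE_SHORT and length >= 2:
            parsed = struct.unpack(">H", value[:2])[0]
        elif typ == TYPE_INT and length >= 4:
            parsed = struct.unpack(">I", value[:4])[0]
        elif idx in RAW_FIELDS:
            parsed = value
        else:
            parsed = value.split(b"\x00", 1)[0].decode("latin-1")
        fields[FIELD_NAMES.get(idx, f"field_{idx}")] = parsed
    return fields


def decode_config(blob: bytes):
    """Locate, decode and parse a Beacon config. Returns the field dict, or None
    when nothing plausible is found. A header match alone is weak evidence (the
    0x2E-encoded header is the ASCII text "./././,"), so the decoded block must
    also start with a known BeaconType and name a C2 server or pipe."""
    hit = find_config(blob)
    if hit is None:
        return None
    off, key = hit
    fields = parse_records(xor(blob[off:], key))
    if fields.get("BeaconType") not in BEACON_TYPES:
        return None
    if not (fields.get("C2Server") or fields.get("PipeName")):
        return None
    fields["_offset"], fields["_xor_key"] = off, key
    return fields


def _record(idx: int, typ: int, value) -> bytes:
    body = (struct.pack(">H", value) if typ == TYPE_SHORT else
            struct.pack(">I", value) if typ == TYPE_INT else value)
    return struct.pack(">HHH", idx, typ, len(body)) + body


def build_sample_image() -> bytes:
    """CONSTRUCTED input for the demo: a fake 4.x-style config (key 0x2E) with
    made-up values, wrapped in filler bytes to stand in for process memory."""
    records = (
        _record(1, TYPE_SHORT, 8)                      # BeaconType 8 = HTTPS
        + _record(2, TYPE_SHORT, 443)
        + _record(3, TYPE_INT, 60000)                  # sleep in milliseconds
        + _record(5, TYPE_SHORT, 20)                   # jitter percent
        + _record(8, TYPE_BYTES, b"203.0.113.7,/ca".ljust(256, b"\x00"))
        + _record(9, TYPE_BYTES, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)".ljust(128, b"\x00"))
        + _record(10, TYPE_BYTES, b"/submit.php".ljust(64, b"\x00"))
        + _record(29, TYPE_BYTES, b"%windir%\\syswow64\\rundll32.exe".ljust(64, b"\x00"))
        + _record(37, TYPE_INT, 0)                     # watermark 0, common in cracked builds
        + struct.pack(">HHH", 0, 0, 0)                 # terminator
    )
    return b"\x90" * 64 + xor(records, 0x2E) + b"\xCC" * 64


if __name__ == "__main__":
    cfg = decode_config(build_sample_image())
    for name, value in cfg.items():
        print(f"{name:12} {value!r}")
```

On a real case you would hand decode_config() a dumped process region or the whole memory image; the plausibility checks matter there because a raw six-byte search will also hit legitimate data that happens to contain "./././,". The decoded C2 server, URIs, user agent and sleep/jitter are the values worth pivoting on in proxy and DNS logs.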
Information: <https://www.cobaltstrike.com/>
<https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html>
<https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html>
<https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py>
<https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html>
<http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems>
<https://www.lac.co.jp/lacwatch/people/20180521_001638.html>
<https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/>
<https://www.bleepingcomputer.com/news/security/threat-actors-use-older-cobalt-strike-versions-to-blend-in/>
<https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf>
<https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html>
<https://www.bleepingcomputer.com/news/security/alleged-source-code-of-cobalt-strike-toolkit-shared-online/>
<https://www.darkreading.com/threat-intelligence/how-to-identify-cobalt-strike-on-your-network/a/d-id/1339357>
<https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/>
<https://www.darkreading.com/attacks-breaches/cobalt-strike-becomes-a-preferred-hacking-tool-by-cybercrime-apt-groups/d/d-id/1341073>
<http://www.intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor>
<https://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-penetration-testing-tool-popular-among-criminals/>
MITRE ATT&CK: <https://attack.mitre.org/software/S0154/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:Cobalt%20Strike>

Last change to this tool card: 15 June 2021


All groups using tool Cobalt Strike

Name | Country | Observed | Changed

APT groups

APT 19, Deep Panda, C0d0so0 | China | 2013-May 2019 | X
APT 29, Cozy Bear, The Dukes | Russia | 2008-Jun 2021 HOT | X
APT 32, OceanLotus, SeaLotus | Vietnam | 2013-Dec 2020 | X
APT 41 | China | 2012-Mar 2021 | X
Barium | China | 2016-Nov 2017 | X
Carbanak, Anunak | Ukraine | 2013-May 2021 HOT | X
Chimera | China | 2018-Oct 2019 |
Cobalt Group | Russia | 2016-Oct 2019 | X
CopyKittens, Slayer Kitten | Iran | 2013-Jan 2017 |
DarkHydrus, LazyMeerkat | Iran | 2016-Jan 2019 |
Earth Wendigo | China | 2019 |
FIN6, Skeleton Spider | [Unknown] | 2015-Mar 2020 |
FIN7 | Russia | 2013-Apr 2021 | X
Indrik Spider | Russia | 2014-Jun 2021 HOT | X
Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon | China | 2010-May 2020 |
Lead | China | 2016 |
Leviathan, APT 40, TEMP.Periscope | China | 2013-Jan 2020 |
MuddyWater, Seedworm, TEMP.Zagros, Static Kitten | Iran | 2017-Feb 2021 | X
Mustang Panda, Bronze President | China | 2014-Mar 2020 |
OldGremlin | Russia | 2020 |
PassCV | China | 2016 |
Pinchy Spider, Gold Southfield | Russia | 2018-Jun 2021 HOT | X
Rancor | China | 2017 |
RedDelta | China | 2020-Mar 2021 |
Sprite Spider, Gold Dupont | [Unknown] | 2015-Feb 2021 |
Stone Panda, APT 10, menuPass | China | 2006-Feb 2021 | X
TA2101, Maze Team | [Unknown] | 2019-Mar 2021 | X
Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens | China | 2010-Oct 2018 | X
UNC2447 | [Unknown] | 2020 |
Winnti Group, Blackfly, Wicked Panda | China | 2010-Mar 2021 |
Wizard Spider, Gold Blackburn | Russia | 2014-Jun 2021 HOT | X

Other groups

TA511 | [Unknown] | 2018-Oct 2020 |
UNC1878 | [Unknown] | 2020 |

33 groups listed (31 APT, 2 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency


Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th