OVERVIEW
Cobalt Strike (also known as CobaltStrike, BEACON) is a fully-featured and commerically available penetration testing tool offered by Washington, DC-based Strategic Cyber LLC. The tool is advertised for "Adversary Simulations and Red Team Operations" however its significant customization and capabilities have lead to its use by a wide variety of threat actors for a variety of motivations. Cobalt Strike also incorporates a variety of other post-exploitation tools, such as Mimikatz, in order to expand its functionality.
TARGETING
The toolset is a commercially available toolset, and as such its targeting will depend on the actor.
DELIVERY
The toolset is capable of being delivered through a multitide of methods, including through malicious spam (malspam) campaigns, targeted spearphishing operations, or as a secondary infection.
INSTALLATION
The toolset can be run entirely in memory, or installed to disk.
COBALT STRIKE PERSISTENCE
Persistence can be established via a wide variety of methods, including scheduled tasks, Windows services, the use of various registry keys, WMI persistence through PowerShell and WMIC, use of local GPOs, Stickykeys through RDP, and Windows Startup.
COBALT STRIKE MODULES
The toolset is under active development, and features a number of unique modules which are termed "Aggressor Scripts."
