What is our primary use case?
I use it a lot for independent research. I have a copy with me on my Kali box. There’s a good reason that it’s currently the best C2 in the market right now. It’s because of its versatility; you can modify it a lot and tamper with it.
As a C2, it does its job extremely well. It can adapt to a lot of situations. You can write malleable C2 profiles in its own specific language named Aggressor Script, which is mostly used for threat emulation. Like, if you want to emulate a specific TTP, you write a specific C2 profile so that in your red team engagements, you can mimic an enemy adversary that you want to protect against.
It uses a lot of industry-standard tools. For example, it can use Mimikatz very well. It integrates very well with other tools necessary for Red Team operations, like Mimikatz or Rubeus. You don’t have to upload the executable on the machine; it can run everything in memory. It has modules for all these tools I’ve mentioned.
How has it helped my organization?
It’s very compact and versatile. You can create shell codes for bypassing antivirus, create executables for both Windows and Linux, or any other technology you want to create a beacon to connect to your C2 server. The best thing about Cobalt Strike is that it is the most widely known C2. For that reason, there is a lot of threat intelligence about Cobalt Strike. Most companies are actually threat-hunting for Cobalt Strike beacons.
A lot of IP addresses are widely known as C2 servers of Cobalt Strike or IPs that contain a dropper that connects to the C2 server. This means you might have to work a lot harder to make Cobalt Strike work in a mature security environment if it has XDR or EDR solutions. But overall, in my honest opinion, it’s currently the best C2 that I have ever used.
I use it on a network in TryHackMe. It was not a big network, but it really helped me avoid creating multiple terminal sessions. It made things a lot easier for me to conduct my post-exploitation phase. There was not a big challenge because only a couple of endpoints might have used antivirus. Even if they did, I managed to deactivate it and set up a beacon to connect to my server.
Thanks to Cobalt Strike Beacon, I significantly reduced the time to compromise this specific network in TryHackMe instead of doing it manually with different terminal sessions. It also made a lot of post-exploitation activities easier. For example, I could DCSync the domain controller a lot easier than if I did it in a terminal session because it has a module to do the DCSync instead of using the Impacket module. Although both are one-liner commands, being connected inside the network through my C2 server made it a lot easier. Plus, because the C2 operations operate mostly in memory, it’s easier to execute things even when an antivirus is present, although the EDR might be a bit of a problem sometimes.
What is most valuable?
Cobalt Strike uses a GUI. Its client has a GUI. As far as I know, Cobalt Strike is based on the code from Metasploit and Armitage, which explains why it has similar GUI features and the same feeling. A really good thing about Cobalt Strike is that you have graphs for each machine you compromise. You can graph the entire network, showing which machines you have compromised, the names of the machines, and the beacons you use. It’s extremely easy to use on a big network because you can keep track of which machines and users you compromise. It collects any credentials you might dump into its own database, so you can come back to them and use them at your discretion.
Also, the GUI really helps a lot in red team operations because, as I said, you keep track of everything. It even has its own report templates. When you complete the red team assessment, it has templates showing which machines have been compromised and how they have been compromised. This means you do minimal effort to actually send a quality report to your customer.
The beacon payload has enhanced the penetration testing capabilities and penetration testing overall.
The beacon payload has features that allow communication with the C2 server based on different protocols. The basic protocols the beacon uses to communicate with the server are DNS, HTTPS, and SMB if you’re doing lateral movement within the network. It can communicate with A records and AAAA records as well, which means it blends in with traffic very well, making it harder to detect during network traffic analysis.
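A defender-side check for the DNS behaviour the review describes, as an added example (not code from the review or from Cobalt Strike): it scans constructed resolver log lines for hosts that issue steadily timed A/AAAA queries with an ever-changing subdomain under one domain, the pattern a DNS check-in leaves behind even when each query looks ordinary on its own. The log format, domain names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (assumed format: "<timestamp> <client_ip> <qtype> <qname>").
# 10.0.0.5 queries a fresh subdomain every 30 s; 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
2024-01-10T10:00:00 10.0.0.5 A a3f9c1.cdn-updates.example
2024-01-10T10:00:30 10.0.0.5 AAAA b17e02.cdn-updates.example
2024-01-10T10:01:00 10.0.0.5 A c9d4aa.cdn-updates.example
2024-01-10T10:01:30 10.0.0.5 A d02b7f.cdn-updates.example
2024-01-10T10:02:00 10.0.0.5 AAAA e55c13.cdn-updates.example
2024-01-10T10:02:30 10.0.0.5 A f8a0e9.cdn-updates.example
2024-01-10T10:00:07 10.0.0.9 A www.example.org
2024-01-10T10:00:41 10.0.0.9 A mail.example.org
2024-01-10T10:05:12 10.0.0.9 AAAA www.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (A|AAAA) (\S+)$")

def registered_domain(qname):
    # Naive two-label suffix; a real deployment would consult the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse(log_text):
    """Return (timestamp, client, qtype, qname) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            events.append((datetime.fromisoformat(ts), client, qtype, qname))
    return events

def find_dns_beacon_candidates(log_text, min_queries=5, max_jitter_s=5.0, min_unique_ratio=0.8):
    """(client, domain) pairs with many queries, nearly all distinct names, at near-constant intervals."""
    groups = defaultdict(list)
    for ts, client, _qtype, qname in parse(log_text):
        groups[(client, registered_domain(qname))].append((ts, qname))
    candidates = []
    for key, rows in groups.items():
        if len(rows) < min_queries:
            continue
        rows.sort()
        unique_ratio = len({q for _, q in rows}) / len(rows)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        if unique_ratio >= min_unique_ratio and max(gaps) - min(gaps) <= max_jitter_s:
            candidates.append(key)
    return sorted(candidates)
```

Loosen `max_jitter_s` when the implant adds sleep jitter; the unique-subdomain ratio is the more robust of the two signals.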
Cobalt Strike Beacon has its own signature. If you reverse engineer it and have some knowledge of how Cobalt Strike works, and if you’ve experimented with it for a bit, you’ll see that at the last bytes of the payload, there’s a specific signature indicating it is a Cobalt Strike Beacon payload. You can modify that too, but it takes considerable effort.
What needs improvement?
Probably its delivery methods could be improved. It might need some improvements on its spear phishing module. You can clone a web page, and then you can spear phish a target, and the target connects to your beacon. I believe that it needs to be more modernized to the current standards of multi-factor authentication bypass.
Although there are already tools that actually do that, like Evilginx that’s been used as a proxy server, I truly believe Cobalt Strike could do something like that.
I believe if Cobalt modernizes this specific feature to try to bypass multi-factor authentication, it’s gonna be something. I’m not aware if it’s actually a feature in the latest Cobalt Strike updates, but from my version, I don’t see that it’s possible right now.
I don’t think AI is at the stage where it can conduct such complex operations. AI is mostly being used to create phishing templates, very simple stuff. AI is not mature enough to do something more complex, although I truly believe that in a few years, it might have such capabilities.
What do I think about the stability of the solution?
I did not have any issues or hiccups with its performance. It works like a charm.
What do I think about the scalability of the solution?
The specific lab that I compromised was estimated to have about ten to twelve endpoints. It was quite a small network. It was just a lab, but it included two workstations, one VPN appliance that had access inside the network (a VPN gateway essentially), a couple of important servers of the Active Directory environment, a domain controller, a root domain controller, and another domain that contained two servers, a couple of workstations, and an important application. Essentially, it was the Red Team Capstone from TryHackMe that I’m describing. It had challenges, but Cobalt Strike certainly made it easier.
Cobalt Strike is extremely scalable, and that’s one of the big reasons that Cobalt Strike is the best C2 on the market, in my honest opinion. Because of its customizability and scalability, you can adapt it to any environment you want as soon as you have the know-how to program some beacon object files in C or Aggressor Script language.
There are a lot of open-source modules for Cobalt Strike that many researchers share, and they are very interesting. I have not tested them all yet, but I see the concept, and it’s really interesting that Cobalt Strike is so scalable and modifiable that you can adapt it to almost any situation.
Which solution did I use previously and why did I switch?
I was working a bit with Sliver, PowerShell Empire, and a little bit with Covenant, but I did not delve as deep as with Cobalt Strike. Maybe a bit with PowerShell Empire, which is open source. It’s not bad.
Cobalt Strike is the most widely known C2 framework in the market; it has a lot of threat intelligence being fed to SIEMs, XDR solutions, and firewalls based on Cobalt Strike IP addresses, beacons, etc., which means that it’s going to be harder to successfully deploy and connect a beacon with your server.
Other competitors might not have that much threat intelligence, which means that you might have an easier time deploying the specific implants or beacons to the C2 server. You might have to work harder to successfully deploy a Cobalt Strike instance, and you have to customize it a lot to deploy it successfully into a corporate environment. That’s my honest opinion on that.
How was the initial setup?
I don’t host it anywhere in a cloud environment; I use my own VM to host the C2 server because it’s a CTF environment after all. It’s very easy. You run the server file, and it launches the server. It opens the port, and then you run the client. You verify the SHA-256 checksum to verify the integrity of the server and the certificate that you’re running. And that’s it. You set the IP, set a username and a password for anyone that might want to sign in if you want to give them access, and that’s it. You have already deployed the GUI and the server.
Each time you create a beacon to connect to your server, if you successfully exploit it, you already have the connections back to your machine. So, it’s pretty easy to set up.
But I don’t maintain it. I have used Cobalt Strike for a couple of months lately, but I’m on a break right now. So, I have not tried to maintain it or anything like that yet.
What was our ROI?
ROI depends on the clientele of the organization. If the clientele is big corporations that have to be audited in a specific security framework for compliance issues, then even with the pricing of Cobalt Strike, you can get a decent return on investment over time.
What's my experience with pricing, setup cost, and licensing?
As far as I know, at my previous job, our Red Teamers were using Cobalt Strike. It was heavily customized for their own engagement.
The license is about €6,000 per year or maybe more. It’s very expensive.
If you want to deploy a Cobalt Strike solution for a team engagement, you must have a lot of money as a corporation. You have to pay your red teamers decent salaries, pay for infrastructure, and also pay for the Cobalt Strike license. The money is insane.
What other advice do I have?
I would recommend Cobalt Strike to other organizations for advanced threat simulation.
The tool does everything excellently. The learning curve is very steep.
It has huge potential. You can do so many things with Cobalt Strike that it’s going to take a while to actually become a master of the tool. So, I recommend it one hundred percent.
Overall, I would rate it a nine out of ten because it has its own problems.