Rachit Arora

Cobalt Strike - Operations

Mar 31, 2024

Notes from “Red Team Operations with Cobalt Strike (2019)” by Raphael Mudge on Youtube here


General Overview of a Red Team Operation

There are four goals of a typical attack


The screenshot provided outlines the four objectives and the difficulties associated with each of them.

Challenges in Email Delivery:

  1. We face obstacles when sending emails, such as antivirus gateways or sandbox technology that dynamically inspect attachments to check for malicious content.
  2. Dealing with various anti-spam and filtering mechanisms.
  3. Implementing security protocols like SPF, DKIM, and DMARC can make it more challenging to ensure the email successfully reaches its destination.

Challenges Before Code Execution:

  1. Endpoint security products can interfere before the malicious code is executed.
  2. Both static and dynamic analysis are conducted on our content and payload to determine potential threats.
  3. Everything in our environment is monitored, including antivirus software and EDR (Endpoint Detection and Response) systems.
  4. Events generate telemetry, which is then sent to the Security Operations Center (SOC) for analysis by individuals looking for signs of security breaches.

Challenges Before Establishing Command and Control (C2):

  1. Communicating with a domain that is not categorized, making it difficult to establish a connection.
  2. Coping with network security monitoring, like detecting unusual user agents, which could trigger investigations.

Challenges in Post-Exploitation:

  1. Evaluating the risk versus reward for each action taken.
  2. Every action generates observable events that are monitored by a local agent or produce telemetry data sent to the SOC for analysis.

Cobalt Strike and its functionalities

Mission: Minimize the gap between penetration testing and advanced threat malware. Vision: Attain adversary simulation that is pertinent and trustworthy.


Malleable C2


Aggressor Script

  1. Customization: It’s possible to incorporate pop-up menus, introduce additional commands, and enable scripts to react to emerging events within the tool.
  2. Enhanced Privilege Escalation and Lateral Movement: We can implement new methods for privilege escalation and lateral movement automation.
  3. Versatile Scripting: These scripts have the capability to modify the tool’s behavior, resulting in the creation of various file types, including executables (exe), dynamic link libraries (DLLs), and even PowerShell scripts.

Collaboration Features in Cobalt Strike


The “team server” functions as the command center for the tool, coordinating offensive actions. It serves as the controller, hosts a web server, and is instrumental in facilitating spear phishing. The Cobalt Strike graphical user interface (GUI) client connects to this server.

Starting a Team Server


Starting a team server screenshot


Connecting to a team Server


username: leet hacker nickname

we can match the sha256 hash


Basic Interface of Cobalt Strike


Three elements of a collaborative red team tool include:

  1. Sharing Sessions: Collaborators can jointly access and control sessions.
  2. Data Collaboration: Both parties have access to the same data model for shared information.
  3. Instant Communication: Real-time communication akin to an event log, functioning similar to an internet relay chat.

/sc to show channel

/me to display an action

/msg to message our teammates


Distributed Operations


Employing distributed operations to prevent dependence on a single vulnerable point.


Team Infrastructure:

Team Roles:

Logging & Reporting








More information about Cobalt Strike in the upcoming blogs.

Have any questions

Do you have any questions? Feel free to reach out to me on twitter or on LinkedIn.