Cobalt Strike in 2013 – Closing the Gap Between Pen Testers and Advanced Threats

December 30, 2013

2013 was a good year for Cobalt Strike. From a business perspective, I notice that the understanding of the product is much different from when I put it on the market in June 2012. That’s very helpful. 🙂 From a technical perspective, great strides were made closing the gap between penetration testing tools and advanced threat malware.

This year, I pushed twelve Cobalt Strike releases. Here are some of the highlights:

In February 2013, Cobalt Strike introduced a distributed red team operations capability. This feature allows one Cobalt Strike client to connect to multiple team servers and coordinate their actions in an attack. Other penetration testing tools are still single-server focused. This was an important move to bring our tools closer to how real threats operate.

Through most of this year, there was a lot of work on Cobalt Strike’s Beacon. This feature really evolved in a big way. It started out as a lifeline to request a Meterpreter session as needed. This year, Beacon has evolved into a multi-protocol communication layer for Meterpreter and the Metasploit Framework. It’s also functional as a remote administration tool. I’ve enhanced Beacon’s ability to stay low and slow, but also added the flexibility to use it interactively and tunnel traffic through it. This year, I also added the ability for Beacon to communicate over DNS and SMB.

In October 2013, I introduced browser pivoting. This is a man-in-the-browser attack to hijack authenticated HTTP sessions and use them in an attacker’s browser. This has a lot of implications for government and financial institutions as it demonstrates how a motivated attacker defeats strong two-factor authentication. Conceptually, a lot of us are comfortable with the idea that once the end-point is owned, an attacker can do anything. When it comes to the prove-it phase, we sometimes come up short on capability (fixing this is why I’m in business). Browser Pivoting is a risk demonstration tool to show that, without a doubt, once an attacker owns a system, they can access anything else that user has access to.

And, while it’s not a technical change, I cut Tradecraft, a free 9-part online course on red team operations. I took Strategic Cyber’s two-day Advanced Threat Tactics course and cut a video for each lecture. I didn’t hold anything back. I see documentation and code as equally important in a product. Cool insights and new features do no good if they’re not communicated. Cobalt Strike’s freely available educational materials and documentation are one of its great strengths. Tradecraft replaced the Penetration Testing with Cobalt Strike course from January 2012.

Overall, 2013 was a pretty rocking year. I expect more of the same in 2014.
