h1

The Aggressor Project (Preview)

September 2, 2015

If you’ve run into me at a conference during the 2015 calendar year, there’s a strong chance you’ve heard about or saw the Aggressor project. Aggressor is a ground-up rewrite of Cobalt Strike’s team server and client to better serve its Red Team Operations and Adversary Simulation use cases. I expect to ship this work as Cobalt Strike 3.0. It’s due for release at DerbyCon 2015 (September 2015).

At first glance, Cobalt Strike 3.0’s biggest change is the absence of the Metasploit Framework. Cobalt Strike 3.0 doesn’t depend on it. Instead, Cobalt Strike 3.0 builds its process and workflows on the Beacon post-exploitation agent. Many of my customers have moved their offensive process to the Beacon payload. Cobalt Strike 3.0 caters to this shift. Cobalt Strike 3.0 is also a fresh look at reporting and logging to aid accountability, deconfliction, and training.

If you want to know what Cobalt Strike 3.0 will look like, here’s a partial preview:

To some, this may sound very foreign. What’s the point of a penetration test without scans and exploits? Not all security assessments look like this. Adversary Simulations and Red Team Operations are security assessments that replicate the tactics and techniques of an advanced adversary in a network. While penetration tests tend to focus on unpatched vulnerabilities and misconfigurations, adversary simulations benefit security operations and incident response. There are different models/best practices for these engagements. I started this company and built this product to push these practice areas forward.

I’ve had several folks ask questions about Cobalt Strike 3.0. I wanted to take a few moments to answer them:

1) Is Cobalt Strike 3.0 available to existing customers or will I need to buy new licenses?

Cobalt Strike 3.0 is the anticipated successor to Cobalt Strike 2.5. As with other Cobalt Strike updates, Cobalt Strike 3.0 will be available to those with active Cobalt Strike licenses.

2) Will the price of Cobalt Strike go up when 3.0 hits?

The price of Cobalt Strike will not change as a result of the 3.0 release. Could the price go up in the future? Absolutely. Will it go up in the next month or two? No.

3) What will happen to browser pivoting in Cobalt Strike 3.0?

Browser Pivoting is present in Cobalt Strike 3.0.

4) How will you replace all the great things in Metasploit?

Cobalt Strike 3.0 does not replace the Metasploit Framework. Cobalt Strike 3.0 complements the Metasploit Framework as a separate platform. You can fire the Beacon payload with a Metasploit Framework exploit [demo]. You can pass accesses between the Metasploit Framework and Beacon [demo]. You can also pivot Metasploit Framework attacks [demo] and Meterpreter sessions through Beacon [demo].

5) Is Cobalt Strike’s name changing?

No. Aggressor is a codename. Cobalt Strike will still be called Cobalt Strike.

6) What will happen to Cobalt Strike 2.x and Armitage?

Armitage is its own project and will continue to stay much as it is now. I consider Armitage a mature product, but will maintain it as necessary. Cobalt Strike 2.x will be replaced by Cobalt Strike 3.0. I do not plan to maintain two lines of the Cobalt Strike product.

If you’d like to learn more about Cobalt Strike 3.0, hang tight, we only have a few weeks until DerbyCon. So far, we’re on track for a release at that time.

3 comments

  1. Can’t wait looking forward to all the great things 3.0 will bring.


  2. It would be good to overlap 2.5 and 3.0 for at least a month in order not to shoot in the foot in case 3.0 experiences some nasty bugs during a live engagement (hopefully not).


    • I agree. Here’s my “plan” for that [subject to change]:

      1. For folks who currently have a CS license: I’m going to keep the CS 2.5 packages available for download as either an arsenal item or something they can grab with their key.

      2. The current site for CS 2.5 with its documentation and references will continue to stay available in some sort of archive mode. I’m building CS 3.0’s site and documentation [same template] onto another server.

      3. The update program in the CS 2.5 trial will continue to pull the registered version of 2.5 as well. Those who want to use CS 3.0 will have to download its trial and use its update program to get the licensed version of 3.0. These updates will pull from different infrastructure as well.

      4. The above will apply to those who currently have licenses. After 3.0 drops, I no longer plan to sell or make a trial of 2.x available to the general public.

      The above will make it easy to play with 3.0 and become familiar with it, but to also allow 2.5 to function as a safety net for those who currently have licenses.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s