Archive for the ‘Cobalt Strike’ Category


Why is rundll32.exe connecting to the internet?

July 22, 2016

Previously, I wrote a blog post to answer the question: why is notepad.exe connecting to the internet? This post was written in response to a generation of defenders zeroing in on the notepad.exe malware epidemic that was plaguing them. Many offensive actions require spawning a new process to inject something into. In the Metasploit Framework (and ancient versions of Cobalt Strike), notepad.exe was the default process to spawn for these actions.

Today, rundll32.exe is the process Cobalt Strike will spawn when it needs a one-off process to inject something into. I’ve had many people write and ask: “Raphael, why rundll32.exe?” Others ask, “how do I switch from rundll32.exe to something else?” This blog post aims to answer these questions.

User-driven Attacks

Several of Cobalt Strike’s user-driven attacks automatically migrate the payload stager to a new process and then run it. I do this for two reasons:

First, the user-driven attack might land code execution in an x64 process. We can’t run an x86 payload in an x64 process. The solution here is to migrate. Cobalt Strike’s Java Applet attacks and the Microsoft Office macro attacks both migrate to rundll32.exe (by default).

Cobalt Strike’s user-driven attacks migrate for another good reason. What happens if the user closes the application we used to get code execution? If our payload ran within that application, our access would go away with it. If our payload lives elsewhere, our access is safe. This is another reason Cobalt Strike’s attacks migrate.

So, why rundll32.exe? Why not something else? Honestly, it doesn’t matter what I pick. Anything I pick is now the default. Because people rarely change defaults, it will show up enough that someone will notice. The right thing here, for all parties, is to know how to change the defaults. Fortunately, this isn’t too hard to do.

Cobalt Strike does not provide a way to override the default macro attack. Fortunately, its choice of rundll32.exe is a string inside of the macro that you can edit. If this choice does not work for you, change this to another process. Many times, I have edited Cobalt Strike’s VBA macro to spawn Internet Explorer and inject my stager into it. I found this was necessary for security postures that restricted which applications could make outbound connections.

The Java Applet is also easy to fix. If you’re using the Java Signed Applet attack with Cobalt Strike, chances are you’re familiar with the Applet Kit. This is the source code to Cobalt Strike’s Java Applet attack and the scripts necessary to build it. You’ve probably downloaded this kit to sign Cobalt Strike’s Applet with your code signing certificate. If you want the Java Applet to migrate elsewhere, edit src/injector.c, change rundll32.exe to something else, and rebuild the Applet Kit. This will require that you have the mingw-w64 package installed.

Executable and DLL Artifacts

Cobalt Strike’s options to export an x64 DLL to deliver an x86 Beacon also migrate to rundll32.exe. I do this for good reason. I can’t host the x86 Beacon inside of an x64 process! Again, the answer here is to migrate and I migrate to a default: rundll32.exe.

Cobalt Strike also generates executables that respond to commands from the Windows Service Control Manager. Cobalt Strike uses these executables with its psexec command and it lets you export them as well. These service executables automatically migrate your payload or stager. Why? I do this to make the service easier to cleanup. In the case of psexec, I can’t get rid of the executable until it stops running. If the service executable didn’t migrate, Cobalt Strike’s psexec command would have to wait until your session stopped to clean up the executable it put on target. That’s no good! This is why the service executables migrate.

Fortunately, changing the rundll32.exe indicator is pretty easy to do as well. Cobalt Strike allows users to change it process to generate executables and DLLs. This is possible through the Artifact Kit. The Artifact Kit is source code to Cobalt Strike’s executable/DLL templates and it’s a script to override Cobalt Strike’s internal process to patch shellcode into these templates.

If you edit src-common/patch.c, you can change the migrate process from rundll32.exe to something else. Rebuild the artifact kit, load its script into your Cobalt Strike client, and from that point on—you’re free of rundll32.exe in your service executable and x64 DLL artifacts.

Spawning Sessions

rundll32.exe rears its ugly head in other places too. A favorite workflow in Cobalt Strike is the ability to right-click a session, select Spawn, and send a session to another listener. This command spawns a process and injects a payload stager for the chosen listener into it. I spawn a process because stagers do crash from time to time. Injecting the stager into another process protects your access from that crash.

When Beacon spawns an executable for session passing, which one does it spawn? Why our friend, rundll32.exe. Of course!

You may ask, how do I change this? There are a few answers to this question. The first answer is to reconsider your use of the spawn command. The spawn command creates a child process off of your Beacon process. This child process makes outbound network connections. If a hunt team is watching process creates and network connections, your access will stand out like a sore thumb. I recommend using the inject command to pass sessions instead.

That aside, let’s say you want to continue to use the spawn command. Your choice! Here’s how to move away from rundll32.exe: First, you may change which command Beacon spawns with the built-in spawnto command. This command will change the spawn process for that Beacon instance to something else.

You may also change the default for all of your Beacon sessions with a Malleable C2 profile. Malleable C2 is Cobalt Strike’s technology to allow you to change indicators and behaviors in the Beacon payload. It’s quite handy if you want to make Beacon look like other malware or blend-in to look like something totally innocuous. Malleable C2 has an option, spawnto, that changes this default to something else.

Post Exploitation Jobs

Let’s cover the last place rundll32.exe likes to show itself, post-exploitation jobs. Beacon is a very small payload. It’s single threaded. It’s designed to do a few very simple things. It calls home, it executes a few base things, and it monitors jobs.

Post-exploitation features such as hashdump, mimikatz, screenshots, keystroke loggers, and others run as jobs. In Beacon parlance, a job is a post-exploitation task that lives in another process. This design serves a few purposes. First, it makes it possible for you to inject a capability (e.g., the screenshot tool) into a process of your choosing. This allows you to get results from the right place without migrating your access. That’s nice! Second, some post-exploitation tasks absolutely must run from a process that matches the operating system’s architecture. This scheme allows an x86 Beacon to seamlessly run x64 post-exploitation jobs without any bother to the operator. Things just work! Third, this scheme protects your access. If, for some reason (heaven forbid!) a post-exploitation task were to crash, this scheme isolates your access from that failure.

Anyways, you have the option to inject some jobs into a process of your choosing. Others jobs just kick off a process, inject the capability, let it run, get results, and tear the process down. These jobs that kick off a process happen to spawn, our old friend, rundll32.exe.

You may ask, how do I change this? Fortunately, there’s not a lot of new advice to offer here. Post-exploitation jobs use the same spawnto process that the spawn command uses. If you edit your Malleable C2 profile to ask that Beacon spawn another placeholder, your post-exploitation jobs will use this placeholder as well.

There is one caveat here. The spawnto command only affects which x86 process the x86 Beacon kicks off. If x86 Beacon has to kick off an x64 process, it doesn’t change this. I do not have a means to change the x64 spawnto process, yet. I’ll take care of this.

And, for the sake of completeness: the spawnto command does not affect which x86 process the x64 Beacon kicks off, when it needs to run an x86 job. If x64 Beacon has to kick off an x86 process, it will use rundll32.exe. I do not have a means to change this yet either. Again, this is one of those todo items.

Update 13 December 2016: Cobalt Strike 3.6 allows you to set the x86 and x64 spawnto value via the spawnto command and Malleable C2.

You’re now empowered!

This post was a lovely stroll through the migrate and spawning behavior of Cobalt Strike 3.0 and later. There are three take-aways for this post:

1. Cobalt Strike migrates stagers and tasks to other processes. It does this a lot. Usually for good reasons!

2. The default process Cobalt Strike migrates to is rundll32.exe.

3. You have the power to change this behavior in most cases.


HOWTO: Reset Your Cobalt Strike License Key

July 15, 2016

Time to time, I hand out Cobalt Strike license keys to non-customers. Sometimes these are to support an event (e.g., the National CCDC Red Team). Other times, these license keys allow a potential customer to evaluate Cobalt Strike without the deliberate tells present in the trial.

Cobalt Strike’s license key is primarily used with the built-in update program. My server uses this key to verify that you’re still licensed to use the Cobalt Strike product and receive updates for it.

The built-in update program asks for this key once. Afterwards, it does not ask for this key again.

This presents a small problem. ☺ When you go from evaluator to customer, you’ll want to remove your evaluation key. If you don’t, Cobalt Strike will continue to use this key instead of the one tied to your license. Once that key expires, you can’t update Cobalt Strike or access the Cobalt Strike Arsenal.

With all that out of the way, let’s get to the question that prompted this post. How do you reset your Cobalt Strike License Key? Easy.

Cobalt Strike stores your license key in the .cobaltstrike.license file in your home directory. Simply remove this file and the update program will ask you for a new key when you run it next.

rm –f ~/.cobaltstrike.license

That’s it!


Who let the logs out? Woof.

June 29, 2016

Logging is an important feature in any red team operations platform. Logs serve multiple purposes. Good logs aid reporting. If an operator needs output for some action or forgot what they did and when, logs help refresh the operator’s memory. Good logs also help with ground truth. Anyone who has worked red operations long enough knows that red teams get accused of all kinds of things. Good logs help put these matters to rest. Finally, good logs help with deconfliction. You want to know which activities are attributable to your operators and which ones are not theirs. Heaven forbid an adversary is already present in your customer’s network. Deconfliction matters.

With these points in mind, I put a great deal of effort to re-design Cobalt Strike’s logging in the 3.0 release. This blog post will take you through the information you need to get the most from these changes.

Where do the logs live?

Cobalt Strike 3.0 and later log everything on the team server. This is a departure from previous releases where logs lived with the client. The advantage to this scheme is twofold: (1) Cobalt Strike logs, whether a client is connected or not, and (2) the ground truth activity for a team server lives in one place.

Cobalt Strike’s logs are in the logs/ folder co-located with your team server’s current working directory. If your team server was run from /root/cobaltstrike, then the logs are in /root/cobaltstrike/logs.

Cobalt Strike organizes all of its logs by date. In the logs/ folder you’ll see folders with a YYMMDD format. For example, the folder logs/160629/ contains the logs from June 29, 2016.

Cobalt Strike has multiple types of logs to capture the different types of activity in the tool. Let’s go through these.


Beacon Session Transcripts

Cobalt Strike logs Beacon sessions to [target]/beacon_[session ID].log within the logs folder. These logs capture everything that occurred during a Beacon session. Each item in the log includes a date and timestamp, an entry type, and the information Cobalt Strike knows about the item.


Here are the types of session events Cobalt Strike logs:

The metadata entry provides information about the session. This information is usually found at the top of a Beacon log file. Consult this entry to see who the session ran as, which process it lived in, the computer name, and IP address of the target.

The input entry indicates that a command was issued. The log includes the command, its arguments, and the operator that issued the command.

The task entry is Cobalt Strike’s acknowledgement of input. This information shows you how Cobalt Strike interpreted the command given to it. These entries make a great running narrative of what happened in a Beacon session. In fact, I use this information quite heavily in Cobalt Strike’s reports.

The checkin entry documents when Beacon called home to grab tasks that were in its queue. This is helpful if you need to approximate when a queued command was run.

The output entry is the output of a command or action taken with Beacon.

Finally, Cobalt Strike tracks indicators made by some of it commands. For example, if you upload a file, Cobalt Strike will generate the MD5 hash of the file, and store this in its data model. Cobalt Strike also tracks these indicators as indicator entries in its log file. This information is helpful if you need to quickly de-conflict whether or not a file was put on target by one of your red team members.

Beacon’s logs surround the entry type with square brackets. This makes it easy to grep for different types of log entries. For example, if you want to find all of the indicators in your logs, use grep –r “\[indicator\]”. from the logs folder.



The events.log file documents activity from Cobalt Strike’s event log. The event log is essentially an operator chat and a central place to push notices to members of your team.

Keystrokes (Session Specific)

Keystrokes captured by Beacon are stored in the [target]/keystrokes/ folder within that day’s logs folder. Cobalt Strike stores these in keystrokes_[Session ID].txt. The Session ID is the Beacon’s session ID. The contents of these files is the same information you see when you go to View -> Keystrokes in Cobalt Strike.

Phishing Information

Cobalt Strike also tracks information about each of your phishing engagements too. These are located in phishes/campaign_[unique ID].log. Each phishing salvo from Cobalt Strike is assigned a unique campaign ID and each salvo gets its own log file. This file documents meta-information about the campaign, who you sent the phish to, when, and whether or not the message was accepted by the mail server.


Screenshots (Session Specific)

Screenshots taken with Beacon are stored with the logs as well. Cobalt Strike stores these in the [target]/screenshots folder. The naming convention of these files is screen_HHMMSS_SessionID.jpg. The HHMMSS represents the time the screenshot was reported by your Beacon. The Session ID part of the filename is the Beacon session the screenshot came from.

Screenshots (Global)

Cobalt Strike has several keyboard shortcuts to take screenshots while you use Cobalt Strike. Ctrl+P takes a screenshot of the current active visualization. Ctrl+T takes a screenshot of the current tab. Ctrl+Shift+T takes a screenshot of the entire Cobalt Strike window.

Cobalt Strike pushes these screenshots to the team server and they live in the screenshots/[operator name] folder within the logs directory. The screenshots are named HHMMSS_[screenshot title].png. The HHMMSS part is the time the screenshot was taken. The title is dependent on the type of screenshot taken and where. For example, in the case of Ctrl+T, the title part of the filename is the tab’s title.

Website Hits

The weblog.log file tracks hits on Cobalt Strike’s web server. This file follows Apache’s logging conventions.

Website Keystrokes

Cobalt Strike’s Website Clone Tool has an option to log keystrokes on the cloned website. These keystrokes show up under View -> Web Log in Cobalt Strike’s user interface. The webkeystrokes.log file captures these keystrokes in a central place for review after the engagement.


The logs in Cobalt Strike 3.0 and later are a vast improvement over the tool’s previous logging implementation. The new logs make it easier to get ground truth on red team activity, to perform deconfliction, and to revisit key information from your engagement (commands, keystrokes, screenshots, output) to make better reports. I hope this post helps you get the most from this very important feature.


Talk to your children about Payload Staging

June 22, 2016

Time to time, I find myself in an email exchange about payload security and payload staging. The payload security discussion revolves around Beacon’s security features. Once it is running on target, Beacon takes steps to authenticate its controller and establish a session-specific key to decrypt tasks and encrypt output. I discuss these security features at the end of the Infrastructure lecture in Advanced Threat Tactics. Questions on this topic are usually easy to field.

Payload Staging is a different animal though. Payload Stagers are tiny programs that connect to a controller, download a payload, and run it. Payload Staging is helpful to pair large payloads (e.g., Beacon, Meterpreter, etc.) with attacks that have size constraints. The payload stagers in Cobalt Strike do not authenticate the controller or verify the payload they download. Questions on this topic usually spawn discussion.

In this post, I’ll explain why Cobalt Strike’s stagers are the way they are. I’ll also discuss ways you can adapt your use of Cobalt Strike to limit payload staging over a hostile network.

The Threat Model

People who ask questions about staging and payload security have a threat model in mind. They assume that there is an actor present in the communication path between their targets and their Cobalt Strike controller. They also assume that this actor has the ability to observe and manipulate data that traverses this communication path.

This is a fair assumption. A traceroute between a target system and an externally hosted Cobalt Strike team server will yield many systems that you and your customer do not control.

A malicious actor, present in your payload communication path, could man-in-the-middle the staging process and deliver their payload stage to your target. This would give the malicious actor access to your target. That’s no good!

A payload stager could mitigate this problem in one of two ways. The stager could authenticate the server that hosts the stage. Or, the stager might take steps to verify that the stage it receives is the one you intended to send.

Simple enough. Why don’t Cobalt Strike’s stagers authenticate their controllers or verify the payload stage after staging completes? Let’s discuss that.

Size Matters

My first excuse to deflect this discussion is size. The larger a payload stager becomes, the fewer attacks you can use it with. This limits our ability to stick security features into a payload stager.

The above statement is true, but the excuse is somewhat thin with my product. Why? Cobalt Strike isn’t an exploit development framework. Cobalt Strike does have size constrained attack vectors, but the size constraints I deal with are nothing like what you’d see in an unforgiving memory corruption exploit.

Ok, if that’s all true, then why does Cobalt Strike use small stagers with no security features? Cobalt Strike uses these stagers to stay compatible with the Metasploit Framework. Remember, until 3.0, Cobalt Strike was a collection of features built on top of the Metasploit Framework. The easiest way to make Beacon work with the Metasploit Framework’s exploits and modules was to stay compatible with the Metasploit Framework’s staging process.

Even with Cobalt Strike as a separate platform, this compatibility with the Metasploit Framework has its benefits. For example, it’s quite easy to use a Metasploit Framework exploit to deliver a Cobalt Strike Beacon payload. Just set PAYLOAD to a Meterpreter payload that uses the same stager, point LHOST/LPORT at Cobalt Strike, and fire away!

The Chicken and the Egg

You may not buy the size excuse, that’s fine. Earlier, I mentioned that the purpose of payload staging is to pair a large payload with a size-constrained attack. Let’s assume that we have a stager with amazing security features. Let’s also assume that this attack is a file that the target downloads from your controller.

To reach your target, the attack with your secure stager must travel over a potentially hostile network. If we apply the same threat model to the attack delivery process, we find ourselves in a hopeless position. The attacker might choose to replace our secure stager in the attack with another stager that acts according to their wishes. We lose anyways.

This is the chicken and the egg problem. If we can’t securely deliver the stager that securely downloads our payload, then how can we trust the stager?

Sometimes there’s a Chicken. Let’s protect the Egg.

If you’ve read this far, you might feel the discussion is getting a little academic. Sure, if an attacker is at the vantage point where they can manipulate the stager, then all bets are off. There are situations where the “chicken and the egg” assumptions don’t apply.

Many of my customers work assume breach engagements. These engagements focus on the target’s detection and response capability, not their patch management or phishing awareness. In an assume breach engagement, the red team is often given a foothold to work from. It’s quite feasible to deliver an attack package over a channel that bypasses our hostile network described above.

If the red team’s foothold was setup in a secure way AND the red team’s payload is up to the task, then we can assume the red team has a safe channel to work with. In this case, the chicken and the egg problem doesn’t apply. The open question is, if these assumptions are in play, what are the best ways to operate with less staging risk? Let’s dig into that.

HOWTO: Reduce Network Staging in Your Operations

Last week, I wrote a blog post about stageless payloads and discussed why you might find this feature valuable. I mentioned that stageless payloads are attractive when the risks of payload staging are not acceptable to your organization. Here’s why: A stageless payload artifact contains Cobalt Strike’s Beacon payload and its configuration in one file. Stageless payloads don’t use stagers. If you can securely deliver and run a stageless payload artifact on your target, you benefit from Beacon’s security features right away.


In assume breach engagements, use a stageless payload artifact to seed your foothold. Attacks -> Packages -> Windows EXE (S) exports a stageless payload artifact. Cobalt Strike has several stageless payload artifact options. You can export Beacon as an executable, a DLL, a service executable, a PowerShell script, or shellcode. One of these options is bound to work for your target. Once a stageless Beacon is on target, you have a (presumably) secure channel to work with.

Staging isn’t just initial access though. Staging is a very convenient tactic and it’s present in many post-exploitation workflows. Multiple toolsets use staging in their session passing, privilege escalation, and lateral movement workflows. With some adjustments, it’s possible to perform these actions without staging a payload over a hostile network.

Session Passing

Let’s start with session passing. This tactic is a way to use an active payload to spawn another payload. Beacon’s spawn and inject commands are designed to pass sessions via stagers. It’s possible to pass sessions in Cobalt Strike without staging. Go to Attacks -> Packages -> Windows EXE (S) and export a raw stageless payload artifact. This file is essentially a large-blob of shellcode that contains the Beacon payload. Use the shinject command in Beacon to inject this shellcode into a process and run it. You can export and use shinject with the x86 and x64 raw stageless payload output.

Privilege Escalation

What about privilege escalation? Beacon’s elevate, spawnas, and bypassuac commands target a listener. These commands do not have alternatives to work with a stageless payload artifact. How do we avoid the risks of staging an elevated payload over a hostile network? Create a listener for Cobalt Strike’s SMB Beacon payload. For actions on the local target, this payload will use a stager that sets up a listening socket bound to localhost. The Beacon, running on the target, will then connect to that stager’s listening socket, send the payload stage, and the stager will clean itself up and run the stage. The stager and the stage communicate through Beacon’s existing communication channel. If you’re worried about the risks of staging an elevated payload over a hostile network, this is one way to work. Bonus: the SMB Beacon is the preferred payload to use with Beacon’s privilege escalation features anyways.

Be aware, there is a potential race if an adversary is co-habitating with you. An adversary, on the same system, might connect to the stager socket first and elevate their payload instead of yours. This isn’t part of the original threat model that provoked this discussion. 🙂

What about privilege escalation based on misconfigurations? For example, you might find that you have an opportunity to elevate via a service with weak permissions. One way to take advantage of this is to drop a service executable to disk, reconfigure the service, and start it with your executable. How do you avoid staging in this case? Use a stageless windows service exe artifact.

Lateral Movement

How about lateral movement? You have options here too. Cobalt Strike’s psexec, psexec_psh, winrm, and wmi commands each depend on payload stagers. That said, you do not have to use this built-in automation for lateral movement. I do most of my lateral movement by exporting a stageless payload artifact, dropping it to an intermediate session, and using built-in Windows capability to copy the artifact to my target and run it. This plays very well with Cobalt Strike’s ability to steal tokens and create tokens from various types of credential material.

What are options to run a payload on a remote system? Look at PowerShell’s Invoke-Command, wmic, sc, schtasks, and at. There’s more, but this is a good starter set of options. I wrote a blog post with various lateral movement recipes a few years ago. The material is still relevant. If you use stageless payload artifacts for lateral movement, you can avoid staging a payload over a hostile network.

Update 8 December 2016

Cobalt Strike 3.5.1 added a host_stage option to Malleable C2. Set this option to false and Cobalt Strike will not host a public HTTP/HTTPS/DNS stage. This option will also remove HTTP/HTTPS/DNS stagers from Cobalt Strike’s workflows.

The Talk

Some of you will read this post and scratch your head. “What is Raphael talking about? I stage payloads all day long, and I like it”. The point of this post is twofold.

First, I hope to get you thinking about your tools, how they work, and the potential risk associated with that. This will allow you to evaluate the risk and make the best decision for your situation. You may decide that the one-off risks of payload staging are worth the benefits. That’s fine.

You may decide otherwise though. This gets to the second point. I have customers who care a great deal about this particular risk. They adjust their operations to work without it. This post is my opportunity to disseminate best practices for future and existing customers with this particular need. If this is you, I hope you found this post useful.

Epilogue: What about TLS Certificate Pinning?

This section doesn’t fit into the narrative of this post, but I field questions on this too:

Earlier, I mentioned that one way to add protection to the staging process is to authenticate the staging server. Last year, the Metasploit Framework gained an optional HTTPS stager that does this. This stager ships with the expected hash of the staging server’s SSL certificate. When the stager connects to the staging server, it checks the server’s SSL cert hash against the value it expects. If they don’t match, it doesn’t download and act on the payload. If they do, it assumes things are good. Pretty neat, right? Ignoring the chicken and the egg problem, this is a way to solve this problem for one protocol.

Occasionally, I get asked, “Raphael, why don’t you add this to Cobalt Strike?” While I think this technique is interesting, I don’t feel this is the right approach for Cobalt Strike. Here’s why:

This technique applies to only one protocol: HTTPS. The HTTPS Beacon isn’t as heavily used as other Beacon options. The HTTPS Beacon’s default self-signed certificate is likely to stick out like a sore thumb. It’s possible to bring a valid certificate into Cobalt Strike, but this is a barrier to fully benefiting from the HTTPS Beacon payload. My customers tend to rely on the HTTP Beacon much more. Thanks to Malleable C2 it’s easy to disguise your Cobalt Strike HTTP traffic to look like something innocuous. The HTTP Beacon isn’t “less secure” than the HTTPS Beacon either. After staging, Beacon’s payload security features are in effect, no matter which data transport you use. If I were to tackle the problem of secure staging, I’d rather focus on an implementation that is transport agnostic.

This verification technique relies on an API specific to WinHTTP. Windows has two APIs for easily making HTTP requests: WinHTTP and WinINet. The Beacon payload and its stagers use WinINet for communication. This is the preferred option for desktop applications. The Metasploit Framework offers the WinHTTP stager (with the verification option) and WinINet stagers with no verification built-in. The Metasploit Framework offers both options because there are certain types of proxy servers that the WinHTTP APIs don’t do well with. Consult The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers for more on this. I don’t believe the benefits of this choose-the-right-stager-API approach outweigh the complexity it would add to Cobalt Strike. Again, this is an opinion specific to my product and user community.


What is a stageless payload artifact?

June 15, 2016

I’ve had a few questions about Cobalt Strike’s stageless payloads and how these compare to other payload varieties. In this blog post, I’ll explain stageless payloads and why you might prefer stageless payload artifacts in different situations.

What is payload staging?

A stageless payload artifact is an artifact [think executable, DLL, etc.] that runs a payload without staging. To understand stageless payloads, it helps to understand payload staging first.

Many of Cobalt Strike’s attacks and workflows deliver a payload as multiple stages. The first stage is called a stager. The stager is a very tiny program, often written in hand-optimized assembly, that: connects to Cobalt Strike, downloads the Beacon payload (also called the stage), and executes it.

The payload staging process exists for a reason. Staging makes it possible to deliver Beacon [or another payload] in an attack or artifact that has a size constraint. For example, several of Beacon’s lateral movement commands run a PowerShell one-liner to kick off the payload you specify. This PowerShell one-liner is limited to the maximum length of a Windows command + arguments. I can’t stuff a ~200KB payload stage into this space. A payload stager that is a few hundred bytes works just fine though.

What is a stageless payload artifact?

A stageless payload artifact is an artifact that contains the payload stage and its configuration in a self-contained package. Cobalt Strike has had the option to export stageless Beacon artifacts since its March 2014 release. I used to call these “staged” artifacts, but I adopted Metasploit’s nomenclature when the framework gained this capability. Stageless Beacon artifacts include: an executable, a service executable, DLLs, PowerShell, and a blob of shellcode that initializes and runs the Beacon payload.

Why would I use stageless payload artifacts?

Stageless payloads are beneficial in many circumstances. Stageless payloads are a way to work without the staging process. Payload staging is a fragile process and some defenses mitigate it. Stageless payloads allow you to benefit from Beacon’s security features, right away. Beacon authenticates its team server and encrypts communication to and from the team server. Beacon can do this because it does not have the same size constraints a stager has. Cobalt Strike’s stagers do not have any security features. If an attacker can intercept and manipulate the staging process, they can replace your stage with theirs. This is a concern in some situations.

What’s inside of a stageless payload artifact?

Cobalt Strike’s stageless payload executables and DLLs are not much different from its stager-delivering counterparts. Cobalt Strike’s Artifact Kit builds artifacts for stageless payloads and payload stagers from the same source code. The difference is the executables and DLL templates for stageless payloads have more space to hold the entire Beacon payload.

The common denominator for Cobalt Strike’s stageless payload artifacts is the raw output. Think of this as a big blob of shellcode that contains and runs Beacon. When you export a stageless payload artifact, Cobalt Strike patches this big blob of shellcode into the desired artifact template (PowerShell, executable, DLL, etc.).

What’s inside of the raw stageless payload artifact?

The raw stageless artifact is a self-bootstrapping Reflective DLL. A Reflective DLL is a Windows DLL compiled with a Reflective Loader function. The Reflective Loader function is like LoadLibrary, except it can load a DLL that resides somewhere in memory. Stephen Fewer developed the Reflective DLL loader that Cobalt Strike and other toolsets use.

Cobalt Strike’s Beacon is compiled as a Reflective DLL. This allows various payload stagers and the stageless artifacts to inject Beacon into memory.

Now, let’s discuss the self-bootstrapping part. If you’re with me so far, you understand that a Reflective DLL is a DLL with this loader function built into it. This does not make the Reflective DLL self-bootstrapping.

The way the Reflective DLL becomes self-bootstrapping is to overwrite the beginning of the DLL with a valid program that does the following things:

(1) Resolve the memory address where the (currently running) bootstrap program/Reflective DLL resides

(2) Call the Reflective Loader with (1) as an argument. The Reflective Loader lives at a predictable offset from (1). When you see “Offset is: 4432” in the Cobalt Strike console, that’s Cobalt Strike resolving the offset to the Reflective Loader within a DLL.

(3) After the Reflective Loader initializes a DLL, it calls the DLL’s DllMain function. This is when control is passed to Beacon.

In summary, the raw output of Cobalt Strike’s stageless payload is a Reflective DLL with a valid program patched in over the PE header. The patched in program performs steps (1), (2), and (3). This valid program is what makes the Reflective DLL blob self-bootstrapping.  This self-bootstrapping blob is a stageless Cobalt Strike payload.


Session Passing from Cobalt Strike

June 8, 2016

Session passing is using one payload to spawn another payload. Sometimes, the payloads are from the same toolset. Other times, they’re not. Session passing options allow you to hand-off accesses between toolkits and infrastructure.

In this blog post, I’ll take you through the session passing options in Cobalt Strike.

Multi-server Cobalt Strike (Beacon)

If you want to pass access from one Cobalt Strike instance to another, the best option is to connect your Cobalt Strike client to both servers. Go to Cobalt Strike –> New Connection. Once you connect, Cobalt Strike will show a server switchbar at the bottom of the Cobalt Strike window. This allows you to choose which Cobalt Strike server to work with.

When Cobalt Strike connects to multiple servers in this way, listeners from all servers are available in Cobalt Strike’s workflows. To pass a session from a Beacon on one server to a Beacon on another server, go to [beacon] -> Spawn and choose the listener on the other server. That’s it.

This form of session passing works with Cobalt Strike’s x86 and x64 Beacon. It also takes advantage of any Malleable C2 configuration associated with the payload stager (e.g., the User-Agent).

Foreign Listeners (Meterpreter)

Foreign Listeners are Cobalt Strike’s way to define a listener for a payload handler that is not in your immediate control. The foreign listener generates a stager that downloads and runs a payload from the host and port you specify. Cobalt Strike’s foreign listeners are compatible with the Metasploit Framework’s staging process. This means you can use a foreign listener to easily pass Meterpreter sessions to Metasploit Framework users.

You may use a foreign listener throughout Cobalt Strike’s workflows. To quickly pass a session, try the spawn command in Beacon. I also recommend that you look at the inject command too. The inject command will let you inject a payload listener (foreign or not) into a specific process.

Unmanaged PowerShell Injection (PowerShell Empire)

Beacon’s powerpick command runs a process and injects a DLL that runs PowerShell scripts via a .NET API, no powershell.exe needed. This command is one way to run a loader for a PowerShell agent (e.g., PowerShell Empire). Another option is the psinject command. The psinject command is like powerpick, except it injects into a process you specify. This is a way to spawn a PowerShell agent without creating a new process.

Shellcode Injection (Session Passing without Stagers)

Finally, there’s the shinject command. This command injects a local file containing shellcode into a process of your choosing. Use this to run payloads that have stages or stagers available as a binary blob of position-independent code.

The shinject command is also a way to pass Cobalt Strike sessions without a stager. Go to Attacks -> Packages -> Windows Executable (S) and export a stageless Beacon with raw output. This file is a position-independent blob of code that loads the Beacon stage and runs it. This file is ready-to-use with shinject. This method is the only way to pass SMB Beacon sessions between team servers.

Reflective DLL Injection

Beacon’s dllinject command will inject a Reflective DLL into a process of your choosing. Cobalt Strike is smart enough to pull the architecture from the DLL’s PE header. If you try to inject an x86 DLL into an x64 process it will complain. The dllinject command is a great way to spawn payloads compiled as a Reflective DLL.

Whatever your needs, Cobalt Strike has many options to spawn a payload into another process.


Raffi’s Abridged Guide to Cobalt Strike

May 25, 2016

This blog post is a fast overview of Cobalt Strike. I assume that you are familiar with Meterpreter, Mimikatz, and make use of Offensive PowerShell in your work. This post does not replace the documentation or videos, but it’s a quick way to become familiar with Cobalt Strike concepts that are not immediately obvious.

Starting Cobalt Strike

Cobalt Strike ships as a client program and a server program. The server is the team server. The team server must run on Linux with Java installed. To start it:

$ ./teamserver [your IP address] [team password]

The Windows, Linux, and MacOS X packages for Cobalt Strike include a launcher to start the client. Launch the client, put your name in the user field, set everything else properly and press Connect. You’re up and running.

Malleable Profiles

Cobalt Strike supports a concept of user-defined network indicators in its Beacon payload. This feature is Malleable C2. I do not recommend that you use Cobalt Strike with the default profile. Several example profiles are on Github. Use something from the normal folder. Specify the profile you want to use when you run your team server:

$ ./teamserver [your IP address] [team password] [/path/to/profile]


Cobalt Strike refers to its payload handlers as listeners. Go to Cobalt Strike -> Listeners. Press Add. Fill in the information for your team server host. The HTTP and HTTPS Beacon are straight forward to configure. You will want to read the documentation before you try out the DNS Beacon. Once a listener is setup, Cobalt Strike’s team server is listening for connections.

The First Foothold

“where are the exploits?” “how do I scan targets?” “how do I get that first Beacon on target?” Cobalt Strike is designed for engagements where you work as an external actor. It’s my assumption that you either have a foothold, through another means, or that you will gain one through a targeted attack. Cobalt Strike has tools to help with the targeted attack process.

User-driven Attacks

Cobalt Strike has several user-driven attack options to get a foothold in a target
network. These options exist under Attacks -> Packages and Attacks -> Web Drive-by. Each of these features ask you to choose a listener. This is the payload the attack will deliver.

Metasploit Framework Exploits

Optionally, you may use a Metasploit Framework exploit to deliver Beacon. Pick a Windows exploit, point LHOST and LPORT at your listener, and set PAYLOAD to windows/meterpreter/[type of stager]. Cobalt Strike is compatible with Metasploit’s staging protocol. So long as you match stagers, this process should work. I recommend setting PrependMigrate to True as well.

The Beacon Console

When you get an access, right-click on it and press Interact. This will open the Beacon console. You will spend most of your time here.

Asynchronous Post Exploitation

Beacon is an asynchronous agent. This means commands you type will not execute right away. Instead, they go into a queue. When the agent checks in, Beacon downloads them, and executes them [mostly] in order. Beacon then presents output to you. In between check-ins, Beacon goes to sleep. Your Malleable C2 profile sets the default sleep time. The sleep command changes it.

Beacon Help

Meterpreter users will feel at home with Beacon. The two have many commands in common. Type help to see a list of commands. Type help and a command name to get more information on a command.

Running Commands

The cd command changes Beacon’s current working directory. Don’t put quotes around the folder name (even if there are spaces). The shell command will run the command you specify with cmd.exe and present its output to you. The powershell-import command imports a local PowerShell script into Beacon. This command does not execute or check the script. Use the powershell command to evaluate your imported script and run the cmdlet and arguments you specify. The powerpick command does the same thing, but without powershell.exe.


Beacon does not have a migrate command. In general, you should not need this. Many post-exploitation tasks (e.g., screenshot, keylog) will inject into a process you specify and feed results back to your Beacon. Use the inject command to inject a Beacon into an x86 or x64 process.


Use the download command to download files. Downloaded files are stored on the team server. Go to View -> Downloads to see downloaded files. Highlight one or more files in this dialog and press Sync Files to bring files to your local system.

If you take screenshots or log keystrokes, be aware that Cobalt Strike presents these under View -> Screenshots and View -> Keystrokes. These windows will auto-update when there is new data.

Privilege Escalation

Cobalt Strike has a few options to aid privilege escalation. The bypassuac command runs the Bypass UAC attack. Use this if your user is a local admin, but you’re in a medium integrity context. The spawnas command will let you use known credentials to spawn a session as another user. PowerUp works well with Beacon’s powershell and powerpick commands.

Credential Harvesting

Once you elevate, use hashdump to recover local account password hashes. Type logonpasswords to harvest credentials with mimikatz. The mimikatz command will run arbitrary mimikatz commands. Credentials are available under View -> Credentials.

x64 vs. x86

It helps to match Meterpreter’s architecture to the native architecture of your Windows target. Many post-exploitation actions fail otherwise. This is not necessary with Cobalt Strike. Beacon executes some of its post-exploitation tasks in new processes. If a task is architecture sensitive, Beacon will spawn a process that matches the native architecture and inject the post-exploitation capability into it.


Cobalt Strike supports SOCKS proxy pivoting. Type socks [port] to create a SOCKS server tied you to your Beacon. Use sleep 0 to ask Beacon to speed up its communication. The SOCKS server runs on your Cobalt Strike team server. Connection requests and traffic sent through this SOCKS server are passed to the associated Beacon to take action on.

Network Reconnaissance

The portscan command runs Beacon’s built-in port scanner. Beacon’s net computers command maps computer accounts in the domain’s Domain Computers group to IP addresses. PowerView works well with Beacon’s powershell and powerpick commands too. Known host and service information is available under View -> Targets.

Access Token Manipulation

When you interact with a remote target through Beacon, Windows will use the credentials from your access token’s Logon Session or the contents of your Kerberos Tray to authenticate you. Cobalt Strike has commands to manipulate these items.

The steal_token command impersonates a token from another process. The make_token command creates an access token to pass the plaintext credentials you provide. The pth command creates an access token to pass the domain, username, and password hash you provide.

Confusingly, the make_token and pth commands will report your current username, regardless of the user you specify. This is not a bug in Cobalt Strike. This is a by-product of how Windows creates tokens to pass unverified credentials. The make_token and pth commands create a new Logon Session to pass the credential material you specify. They then attach the Logon Session to a copy of your current token. The Logon Session’s contents only affect interactions with remote targets. Your identity on the current system is still the same. This is why your token’s username does not change.

Cobalt Strike relies heavily on token manipulation for lateral movement and interactions with remote targets. These commands allow you to execute manual or automated lateral movement actions with a different identity.

Lateral Movement

Beacon commands for lateral movement include: psexec, psexec_psh, winrm, and wmi. Each command accepts a target and a listener name. The psexec command requires that you specify a share (it drops an executable to that share).

While these commands are nice, I tend to execute lateral movement steps by hand. I feel this gives more flexibility. Here’s my process: (1) Go to Attacks -> Packages -> Windows Executable (S) to export a stageless Beacon payload. Choose the right artifact for your lateral movement method. (2) Use the upload command to upload that artifact to Beacon. (3) Use shell copy artifact \\target\C$\whatever to copy the lateral movement artifact to your target. (4) Use at, schtasks, sc, or wmic through Beacon’s shell command to start the artifact on the remote target. (5) If you ran an SMB Beacon this way, use link [target] to assume control of it.

Named pipe Pivoting

The SMB Beacon uses named pipes to receive commands and route output through another Beacon. Named pipes are a Windows method for inter-process communication. Processes may communicate with other processes on the same system or on remote systems. Windows encapsulates remote process-to-process communication in the SMB protocol. This is why I call the Beacon that communicates over named pipes the SMB Beacon.

One Beacon may control multiple Beacons over named pipes. You may also use an SMB Beacon to control other SMB Beacons. Cobalt Strike users often chain Beacons together, multiple levels deep. Beacon’s SOCKS pivoting and other features work well, even through a deep chain.

The SMB Beacon is ideal for privilege escalation. Target an SMB Beacon listener with bypassuac, elevate, or spawnas and your new access will stage and communicate through your current Beacon.

This feature is also nice for lateral movement. It allows you to control systems that can’t or shouldn’t egress through an existing access in the target’s network.

Cobalt Strike -> Set Target View -> Pivot Graph draws a nice picture that depicts your named pipe pivot chain. This will help you understand which Beacons are linked to each other. This feature is indispensable for complex pivoting situations.

Agentless Post-Exploitation

I’m a fan of agentless post-exploitation techniques to control hard targets (e.g., Invoke-Command, Invoke-WMICommand, and others). Cobalt Strike’s Access Token Manipulation capability and PowerShell integration makes Beacon a nice platform for these techniques. As you use Cobalt Strike, think beyond the commands built into Beacon. Native tools are a big part of Cobalt Strike’s offensive process.


Cobalt Strike logs everything on the team server. This logging happens regardless of whether a client is connected or not. To find the logs, go to the folder you ran the team server from. The logs live in a folder called logs. The logs folder is organized by date and then target. There are individual files for each Beacon session. Cobalt Strike saves screenshots and keystrokes here too.

Where to go from here…

This blog post is a quick orientation to Cobalt Strike. If you’d like to learn more, there are other resources. The product manual is kept up to date with each release. The 9-part Advanced Threat Tactics course is six hours of material on the concepts in this post. The Cobalt Strike Support page also documents individual features with most having a short demo video.