Cobalt Strike
What is Cobalt Strike?
A commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control.
Cobalt Strike is a commercial threat-emulation tool originally written by Raphael Mudge and now sold by Fortra. It provides a team server, the Beacon implant, Malleable C2 profiles that reshape Beacon's network traffic, and tooling for phishing, lateral movement, pivoting, and privilege escalation, allowing red teams to credibly simulate sophisticated intrusions. Cracked and leaked versions have been heavily adopted by ransomware affiliates and nation-state actors, making it one of the most observed offensive frameworks in real-world breaches. Defenders fingerprint it through Beacon's check-in traffic (a fixed sleep interval with a bounded random jitter), the default named-pipe names used by SMB Beacons and post-exploitation jobs, and YARA rules for Beacon payloads, using EDR telemetry and network analytics. Lawful use requires a paid license and engagement authorization.
● Examples
- A red team running a malleable C2 profile that mimics a Microsoft update server.
- An incident responder pivoting on a Beacon named pipe to identify infected hosts.
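The two defender activities above, hunting default Beacon named pipes and profiling check-in intervals, worked through in Python as an added example; this is not code from the page, from Fortra, or from any detection product. The default pipe names (msagent_##, MSSE-####-server, postex_####, with each # expanding to a random character) are those of the stock Malleable C2 profile; the Sysmon-style and proxy-style log formats, host names, process images and addresses are assumptions constructed for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Default pipe names from the stock Malleable C2 profile. Each '#' in the
# profile expands to a random character at run time, hence the wildcards.
# Operators can rename them, so a miss proves nothing; a hit deserves a look.
DEFAULT_BEACON_PIPES = (
    re.compile(r"\\msagent_[0-9a-f]{2}$", re.I),      # SMB Beacon "pipename"
    re.compile(r"\\MSSE-[0-9a-f]{4}-server$", re.I),  # SMB stager "pipename_stager"
    re.compile(r"\\postex_[0-9a-f]{4}$", re.I),       # post-exploitation job pipe
)

# Constructed Sysmon-style pipe-creation (Event ID 17) records. Host names,
# images and the random pipe suffixes are invented for this example.
PIPE_LOG = """\
2024-05-02T10:11:12Z host=WS01 eid=17 image=C:\\Windows\\System32\\rundll32.exe pipe=\\msagent_3f
2024-05-02T10:11:40Z host=WS01 eid=17 image=C:\\Windows\\System32\\svchost.exe pipe=\\ntsvcs
2024-05-02T10:12:05Z host=WS07 eid=17 image=C:\\Windows\\System32\\rundll32.exe pipe=\\msagent_3f
2024-05-02T10:13:09Z host=WS07 eid=17 image=C:\\Windows\\System32\\rundll32.exe pipe=\\postex_a1c9
2024-05-02T10:15:22Z host=FS02 eid=17 image=C:\\Windows\\explorer.exe pipe=\\lsass
2024-05-02T10:16:01Z host=FS02 eid=17 image=C:\\Users\\Public\\update.exe pipe=\\MSSE-4170-server
"""
PIPE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) eid=(?P<eid>\d+) image=(?P<image>\S+) pipe=(?P<pipe>\S+)$")


def parse_pipe_events(text):
    """Parse the constructed pipe-creation lines into dicts (Event ID 17 only)."""
    return [m.groupdict() for m in map(PIPE_RE.match, text.splitlines())
            if m and m["eid"] == "17"]


def hunt_default_pipes(text):
    """Return every pipe-creation event whose pipe name matches a default Beacon pipe."""
    return [e for e in parse_pipe_events(text)
            if any(p.search(e["pipe"]) for p in DEFAULT_BEACON_PIPES)]


def hosts_with_pipe(text, pipe_name):
    """Pivot from one hit: all hosts on which this exact pipe name was created."""
    return sorted({e["host"] for e in parse_pipe_events(text)
                   if e["pipe"].lower() == pipe_name.lower()})


PROXY_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) uri=(?P<uri>\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _proxy_lines(src, dst, start, gaps, uri):
    """Build constructed proxy log lines with the given inter-request gaps (seconds)."""
    t = datetime.strptime(start, TS_FMT)
    lines = [f"{t:{TS_FMT}} src={src} dst={dst} uri={uri}"]
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t:{TS_FMT}} src={src} dst={dst} uri={uri}")
    return lines


# Constructed traffic: one host checking in with sleeptime 60 s and jitter 20
# (Beacon then sleeps a random value in [48, 60] s), one host browsing normally.
# Addresses come from the documentation ranges; the update URI is invented.
PROXY_LOG = "\n".join(
    _proxy_lines("10.0.0.5", "203.0.113.10", "2024-05-02T10:00:00Z",
                 [60, 54, 58, 49, 60, 52, 57, 55], "/c/msdownload/update/others/2024/05/")
    + _proxy_lines("10.0.0.9", "198.51.100.7", "2024-05-02T10:00:00Z",
                   [5, 300, 12, 900, 3, 40, 600, 8], "/news/"))


def beacon_candidates(text, min_hits=6, max_cv=0.3):
    """Flag (src, dst) pairs whose inter-request gaps are tightly clustered.

    Beacon sleeps `sleeptime` minus a random share of up to `jitter` percent, so
    the gaps fall in [sleeptime*(1-jitter), sleeptime]; for jitter 20 that gives
    a coefficient of variation (stdev/mean) near 0.06. Human browsing is far noisier.
    """
    stamps = defaultdict(list)
    for m in map(PROXY_RE.match, text.splitlines()):
        if m:
            stamps[(m["src"], m["dst"])].append(datetime.strptime(m["ts"], TS_FMT))
    flagged = {}
    for pair, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            flagged[pair] = {"hits": len(times), "mean_gap": mean, "cv": cv}
    return flagged


if __name__ == "__main__":
    for e in hunt_default_pipes(PIPE_LOG):
        print(f"pipe hit: {e['host']} {e['image']} {e['pipe']}")
    print("hosts with \\msagent_3f:", hosts_with_pipe(PIPE_LOG, "\\msagent_3f"))
    for pair, info in beacon_candidates(PROXY_LOG).items():
        print(f"beacon candidate: {pair} hits={info['hits']} "
              f"mean_gap={info['mean_gap']:.1f}s cv={info['cv']:.3f}")
```

The pipe check is only a first pass: a renamed pipe (the operator sets `pipename` in the profile) slips through it, so treat it as a cheap hunt, not a complete detection. The interval check is profile-independent because jitter is bounded by design, but a long sleep time means few samples per day; lower `min_hits` only with a correspondingly tighter `max_cv`.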
● Frequently asked questions
What is Cobalt Strike?
A commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control. It belongs to the Defense & Operations category of cybersecurity.
What does Cobalt Strike mean?
A commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control.
How does Cobalt Strike work?
Cobalt Strike is a commercial threat-emulation tool originally written by Raphael Mudge and now sold by Fortra. It provides a team server, the Beacon implant, Malleable C2 profiles that reshape Beacon's network traffic, and tooling for phishing, lateral movement, pivoting, and privilege escalation, allowing red teams to credibly simulate sophisticated intrusions. Cracked and leaked versions have been heavily adopted by ransomware affiliates and nation-state actors, making it one of the most observed offensive frameworks in real-world breaches. Defenders fingerprint it through Beacon's check-in traffic (a fixed sleep interval with a bounded random jitter), the default named-pipe names used by SMB Beacons and post-exploitation jobs, and YARA rules for Beacon payloads, using EDR telemetry and network analytics. Lawful use requires a paid license and engagement authorization.
How do you defend against Cobalt Strike?
Defences against Cobalt Strike combine technical controls with operational practice: EDR telemetry that alerts on Beacon's default named pipes, network analytics that flag its regular, low-jitter check-in traffic even when a Malleable C2 profile disguises the HTTP content, YARA rules for Beacon payloads, and, once one artifact such as a named pipe is found, pivoting across hosts to scope the intrusion. Because operators can change the defaults in a profile, a detection that matches only the stock pipe names or URIs should be treated as a starting point rather than complete coverage.
What are other names for Cobalt Strike?
Common alternative names include: Cobalt Strike Beacon, CS.
● Related terms
- Command and Control (C2): The infrastructure and channels attackers use to maintain communication with compromised systems and send them instructions.
- Red Team: An offensive security group that emulates real adversaries end-to-end to test how an organization detects, contains, and responds to attacks.
- Metasploit: An open-source exploitation framework that bundles exploits, payloads, and post-exploitation modules into a single platform for penetration testers and researchers.
- Lateral Movement: The MITRE ATT&CK tactic (TA0008) covering techniques that let an attacker pivot from one compromised host to others across the environment.
- Post-Quantum Cryptography: Classical cryptographic algorithms designed to remain secure against attacks by both classical and large-scale quantum computers.
- Ransomware-as-a-Service (RaaS): A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.
● See also
- SolarWinds Sunburst
- QakBot / QBot
- IcedID / BokBot
- Carbanak
- Maze Ransomware
- Ryuk Ransomware