Miscellaneous: Why Cobalt Strike?

Hi!
There is not much difference, but there is some.
1) As far as I know, the purchased version contains its own encoder with Artifact Kit, which greatly simplifies the bypass of many antiviruses (with exe/dll). (I may be mistaken here, I never dealt with official cobalt, but I had experience with obfuscating powershell payload, but it was also detected by antiviruses on a paid product without third-party modification.)
2) Cobalt allows multiple operators to work conveniently at once, allows you to regulate their access, leave comments. Very cool when working in a team. msf (not pro) and empire don't have this cool feature.
3) Convenient and simple GUI. You can add third-party aggressor scripts and they will be displayed in the GUI. For example, you can generate a payload in a couple of mouse clicks. Compare this with writing several commands in msf. The GUI has logs for every target and listener and displays them in tabs.
4) Malleable C2 profiles. You can easily configure and write your own C2 profile for your target. Very quickly you can make a new way of server-client communication. This is extremely useful for large networks (which, for example, have traffic analysis systems or SIEM).
5) Extensibility. There are a lot of aggressor scripts for cobalt on GitHub (for new vulnerabilities, for privilege escalation, for network analysis). They appear very quickly, often even faster than for msf. And empire is no longer being developed at all.
6) By default it contains a mountain of delivery methods: exe/dll/shellcode/c#/powershell/jscript/vbs.
7) Easy to modify. In order to modify empire you need to know both python (this is usually not a problem) and powershell (but this is a big problem; as far as I know, it's very difficult to find a good powershell developer). Cobalt is very easily and quickly modified to the needs of the team, because learning how to write Aggressors is very easy. You can turn a 1-day vuln into aggressor scripts fast. You can write an aggressor to automate your attack. Need a new channel for C2 - just write a new Malleable profile. It's fast and easy. For example, on MSF and empire it takes quite a long time to do a simple thing - to make sure that a specific action is launched on each target (for example, we collect information about user rights), and then, depending on the result, the desired action is performed (for example, bypassing the UAC or adding us to persistence).
8) Updates. Empire is not updated anymore. msf in updates most often gets simply the integration of new vulnerabilities. In cobalt, updates contain a variety of improvements - stability, convenience, speed. Sometimes brand new tasty things are added.
Sorry for bad Eng :)
 
Wow, thanks. I didn't know there was a fork under active development; I stopped following it once I moved from it to https://github.com/cobbr/Covenant for good.
I made a mistake saying that empire doesn't have multiuser and access control. I read the new changelog, now it's in empire. So I could be mistaken on other points; unfortunately my knowledge about this framework is outdated.
 
Thank you for this easy to swallow explanation! It is much more clear now :)