Navigating the Cobalt Strike Universe
Learn about various components that make up Cobalt Strike.
This post is more like a self-note or a quick reference cheat-sheet to remember various components that make up Cobalt Strike (so not a sponsored post). All of the information in this post can also be found in Cobalt Strike’s official documentation.
On a side note, if you need a primer on the basics of Command and Control, check out my earlier post It’s all about Command and Control.
Teamserver – The backend server that acts as the command-and-control (C2) hub for Cobalt Strike operations. It handles all beacon communications, logs events, and facilitates collaboration among red team operators. The teamserver is typically hosted on a remote system.
Client – The graphical user interface (GUI) that operators use to interact with the teamserver. The client allows users to manage beacons, issue commands, launch attacks, and perform post-exploitation activities. It provides visualization tools, reporting features, and scripting support via Aggressor Scripts.
Beacon – The primary implant (payload) used in Cobalt Strike. Beacons support a variety of communication channels (HTTP, HTTPS, DNS, SMB, and TCP), execute post-exploitation commands, escalate privileges, and pivot within networks. Beacons operate in two modes: interactive (low-latency command execution) and sleeping (low-noise operations to evade detection).
Beacon Object File (BOF) – A lightweight, in-memory execution format that enables direct execution of C code inside a running beacon process. BOFs are preferred over traditional PowerShell or shellcode execution because they do not create new processes, reducing detection by security tools. BOFs can be used for reconnaissance, credential theft, and privilege escalation.
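A BOF is a plain COFF object file, so a defender triaging a suspicious .o can read its symbol table: Cobalt Strike documents that BOFs reach Win32 APIs through undefined symbols of the form MODULE$Function and call into the beacon through Beacon* functions, so a file showing both is a strong candidate. The parser below is an added example, not code from this post or from Cobalt Strike; the sample object it inspects is constructed inline and is not a real BOF.

```python
import re
import struct

SYM_SIZE = 18  # IMAGE_SYMBOL is 18 bytes; the string table follows the symbol table

def build_sample_coff(symbols):
    """Constructed sample: minimal x64 COFF with only a symbol table (no sections)."""
    entries, strtab = b"", b""
    for name, section in symbols:
        raw = name.encode()
        if len(raw) <= 8:
            field = raw.ljust(8, b"\0")
        else:  # long names live in the string table; offsets include its 4-byte length prefix
            field = struct.pack("<II", 0, 4 + len(strtab))
            strtab += raw + b"\0"
        entries += field + struct.pack("<IhHBB", 0, section, 0x20, 2, 0)  # external function
    header = struct.pack("<HHIIIHH", 0x8664, 0, 0, 20, len(symbols), 0, 0)
    return header + entries + struct.pack("<I", 4 + len(strtab)) + strtab

def coff_symbols(data):
    """Yield (name, section_number, storage_class) for every symbol in a COFF object."""
    _, _, _, symoff, nsyms, _, _ = struct.unpack_from("<HHIIIHH", data, 0)
    strtab = symoff + nsyms * SYM_SIZE
    i = 0
    while i < nsyms:
        off = symoff + i * SYM_SIZE
        if data[off:off + 4] == b"\0\0\0\0":  # long name: offset into the string table
            start = strtab + struct.unpack_from("<I", data, off + 4)[0]
            name = data[start:data.index(b"\0", start)].decode(errors="replace")
        else:
            name = data[off:off + 8].rstrip(b"\0").decode(errors="replace")
        _, section, _, sclass, naux = struct.unpack_from("<IhHBB", data, off + 8)
        yield name, section, sclass
        i += 1 + naux  # skip auxiliary symbol records

# Accepts x86 leading underscores and the __imp_ prefix that __declspec(dllimport) produces
IMPORT_RE = re.compile(r"^_*(?:imp_)?_*([A-Za-z0-9]+)\$(\w+)$")

def bof_indicators(data):
    """Split undefined externals into MODULE$Function imports and Beacon API calls."""
    imports, beacon_api = [], []
    for name, section, sclass in coff_symbols(data):
        if section != 0 or sclass != 2:  # only undefined (IMAGE_SYM_UNDEFINED) externals
            continue
        m = IMPORT_RE.match(name)
        if m:
            imports.append((m.group(1).upper(), m.group(2)))
        elif name.lstrip("_").startswith("Beacon"):
            beacon_api.append(name.lstrip("_"))
    return {"imports": imports, "beacon_api": beacon_api,
            "likely_bof": bool(imports) and bool(beacon_api)}

SAMPLE = build_sample_coff([("go", 1), ("__imp_KERNEL32$GetProcAddress", 0),
                            ("__imp_ADVAPI32$OpenProcessToken", 0), ("BeaconPrintf", 0)])
```

Run `bof_indicators(open(path, "rb").read())` on a real object file; the combination of `$`-style imports and `Beacon*` calls is the signal, since either alone also occurs in ordinary MinGW or MSVC objects.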
Aggressor Scripts – A scripting framework based on JavaScript-like syntax that allows operators to automate tasks, modify UI elements, and create custom workflows. Aggressor scripts are used to extend Cobalt Strike’s functionality.
Malleable C2 – A C2 profile customization framework that allows red team operators to modify HTTP request structures, response patterns, and communication indicators to blend beacon traffic with normal network activity. Malleable C2 profiles can simulate legitimate web services (e.g., mimicking Microsoft updates) to evade detection.
The Arsenal Kit – A collection of customizable tools that allows red team operators to extend Cobalt Strike’s capabilities by developing custom features. This kit provides an open framework for building new functionalities that can be integrated into Cobalt Strike, allowing red teamers to create bespoke payloads, modify existing components, or develop entirely new post-exploitation techniques. The Arsenal Kit includes:
User-Defined Reflective Loaders (UDRLs) – Custom DLL loaders that replace the default reflective loading mechanism used by Cobalt Strike beacons. UDRLs help evade security detections by incorporating unique injection techniques and obfuscation strategies tailored to bypass Endpoint Detection and Response (EDR) solutions.
Mutator Kit – Helps in obfuscating Beacon’s sleep mask to evade memory-based detection. It leverages LLVM-based transformations such as bogus control flow, instruction substitution, and basic block splitting to generate unique variations (i.e. to mutate) of the sleep mask on each compilation. This prevents static signature detection by security tools like YARA.
Artifact Kit – Helps in generating executables and DLLs that evade anti-virus detection. It employs techniques that exploit limitations in anti-virus emulation, such as using named pipes to deliver shellcode to the payload, thereby bypassing signature-based and sandbox analyses. Red team operators can customize the Artifact Kit's source code to create unique artifacts, enhancing their ability to circumvent security measures.
Resource Kit – Helps in modifying built-in resources, such as HTA, PowerShell, Python, VBA, and VBS script templates. This enables red team operators to create payloads that do not match known Cobalt Strike indicators, improving evasion techniques.
Sleep Mask Kit – A customization kit designed to modify how a beacon appears in memory while it is in a sleep state. It allows operators to obfuscate memory patterns, making it more difficult for security tools to detect and analyze beacons during memory forensic analysis.
PostEx Kit – Enables users to develop custom post-exploitation tasks. It provides a Visual Studio project with a library of functions allowing developers to focus on creating tailored tooling. The kit supports bi-directional communication between Beacon and the custom DLLs via named pipes. Additionally, it integrates with Aggressor Script, enabling the execution of these custom tasks and the passing of arguments using functions like beacon_execute_postex_job().
Veil Evasion Framework – A separate but widely used tool that generates obfuscated payloads to bypass AV and EDR solutions. Veil is often used alongside Cobalt Strike to generate shellcode or executable payloads that can be delivered through phishing or initial access exploits.
Red Team Notes
- All of the information in this post can also be found in Cobalt Strike’s official documentation.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.