Here is a professionally structured skill.md for Cobalt Strike, tailored to your background in Windows reverse engineering and security research.
Cobalt Strike Core Competencies (skill.md)
- Architecture & Command & Control (C2) Infrastructure Setup: Deploying and securing the Teamserver on Linux instances using customized ports and valid SSL certificates.
Malleable C2 Profiles: Expertly configuring .profile files to modify Beacon's network traffic patterns, successfully impersonating legitimate services (e.g., Cloudflare, jQuery, or Amazon) to evade Deep Packet Inspection (DPI) and EDR heuristics.
Beacon Communication: Deep understanding of egress protocols including HTTP/HTTPS, DNS (A/TXT records), and staged vs. stageless payloads.
- Advanced Post-Exploitation Process Injection: Leveraging Windows API knowledge to customize process injection techniques (e.g., CreateRemoteThread, NtCreateThreadEx) for better OpSec.
Memory Analysis: Using obfuscate-and-sleep and cleanup settings to minimize the Beacon's footprint in memory and bypass scanners like Moneta or PE-Sieve.
Privilege Escalation: Utilizing built-in modules (elevate) and integrating custom Aggressor Scripts to exploit local vulnerabilities (LPE).
- Defensive Evasion & Antivirus (AV) Bypass Artifact Kit Customization: Modifying the C source code of the Artifact Kit to bypass signature-based detection by altering the way the Beacon is loaded into memory.
Shellcode Obfuscation: Applying encryption and encoding techniques (XOR, AES, or custom ROR/ROL rotations) to raw shellcode before delivery.
User-Defined Reflective Loader (UDRL): Implementing custom reflective loaders to gain control over how the Beacon DLL is mapped into memory, a critical skill for bypassing modern EDR memory hooks.
- Lateral Movement & Pivoting Credential Harvesting: Executing hashdump and logonpasswords via Mimikatz integration while managing risk through selective memory access.
Pivoting: Establishing multi-hop C2 chains using SMB and TCP Beacons to navigate through isolated network segments (intranets) without direct internet access.
SOCKS Proxying: Setting up reverse SOCKS proxies to tunnel external tools (like Proxychains or Impacket) through the Beacon.
- Automation with Aggressor Script (CNA) UI Customization: Extending the Cobalt Strike GUI by adding custom popup menus and aliases for frequently used terminal commands.
Event Hooks: Scripting automated actions upon new Beacon check-ins, such as automatic system reconnaissance or persistent backdoor installation.
Bof Integration: Developing and executing Beacon Object Files (BOF)—small, C-compiled programs that run inside the Beacon process without spawning a new process (sacrificial process), significantly reducing the chance of detection.
Scan to join WeChat group