Cobalt Strike is a tool for adversary simulations and Red Team operations, as described on its website. Infosec teams use it to replicate the tactics and techniques of an adversary in their network. Recently, threat actors have been getting hold of the tool and using it in their ransomware operations. Once inside a network, they install Cobalt Strike on a host system. From that system the attackers call home to a command and control server and then have full control over the victim's network to install malware, exfiltrate data and trigger ransomware. You should be explicitly blocking all outbound traffic that is detected as Cobalt Strike activity on your networks unless you have a very specific reason not to.
