Module 4

Question 1

What is the primary function of the Cobalt Strike framework?

Answer 1

It provides a post-exploitation agent to simulate stealthy, long-term embedded actors in a network.

Question 2

What are the three main components of the Cobalt Strike framework?

Answer 2

Beacon, Team Server, and Client.

Question 3

In Cobalt Strike, what is the ‘Beacon’ component?

Answer 3

Beacon is the post-exploitation agent that runs on a compromised endpoint, communicating with a team server to execute jobs.

Question 4

The Beacon agent is implemented as a Windows DLL but can be packaged into various formats, including executables, PowerShell scripts, and _____.

Answer 4

position independent shellcode

Question 5

What is the role of the ‘Team Server’ in Cobalt Strike?

Answer 5

The team server is the central control and logging system that stores engagement information and manages Beacon communications.

Question 6

What component do red team operators use to connect to team servers and interact with Beacon payloads?

Answer 6

The Client.

Question 7

What is the recommended design pattern for distributed operations in Cobalt Strike?

Answer 7

To stand up dedicated team servers for each phase of an engagement (e.g., initial access, post-exploitation, persistence).

Question 8

Why does Cobalt Strike recommend using separate team servers for different engagement phases?

Answer 8

If one part of an operation is discovered and blocked, other channels can be used to maintain access.

Question 9

In Cobalt Strike, what is a ‘listener’?

Answer 9

A listener defines the protocol and parameters by which a Beacon payload will communicate with the team server.

Question 10

What are the five out-of-the-box communication protocols provided by Cobalt Strike listeners?

Answer 10

DNS, HTTP, HTTPS, SMB, and TCP.

Question 11

Listeners that communicate directly from the target environment to a team server are known as _____ listeners.

Answer 11

Egress

Question 12

Which two Cobalt Strike protocols are examples of Egress listeners?

Answer 12

DNS and HTTP/S.

Question 13

A Beacon that does not communicate directly with the team server but routes traffic through another Beacon is called a _____ Beacon.

Answer 13

Peer-to-Peer (P2P)

Question 14

Which two Cobalt Strike protocols are examples of Peer-to-Peer (P2P) listeners?

Answer 14

SMB and TCP.

Question 15

How does an HTTP listener in Cobalt Strike typically communicate with the team server by default?

Answer 15

It uses HTTP GET requests to fetch tasks and HTTP POST requests to send back results.

Question 16

What is a ‘redirector’ in the context of Cobalt Strike’s HTTP listeners?

Answer 16

An intermediary host that sits between a Beacon and a team server, proxying traffic between them.

Question 17

Name two popular software choices that can act as redirectors for Cobalt Strike.

Answer 17

iptables, socat, Apache, or NGINX.

Question 18

In an HTTP listener with multiple hosts, which rotation strategy involves looping through the list, using each host for one request before moving to the next?

Answer 18

Round robin.

Question 19

What is the ‘failover’ host rotation strategy for an HTTP listener?

Answer 19

Beacon uses the same host until a specified failure condition (e.g., number of failed attempts) is met, then moves to the next.

Question 20

What is the ‘rotate’ host rotation strategy for an HTTP listener?

Answer 20

Similar to round-robin, but each host is used for a specified time period before moving to the next.

Question 21

What does the ‘Max retry strategy’ configure for a Beacon payload?

Answer 21

It configures Beacon’s self-destruct strategy if it completely loses its ability to communicate with all configured hosts.

Question 22

In the max retry strategy ‘exit-50-25-1h’, what does the number ‘25’ signify?

Answer 22

After 25 consecutive failed attempts, Beacon increases its sleep time to 1 hour.

Question 23

What is the purpose of the ‘HTTP host (stager)’ setting in a listener configuration?

Answer 23

It specifies the single host that a stager payload will use to fetch the full Beacon stage.

Question 24

When would you set the ‘HTTP port (bind)’ to a different value than the ‘HTTP port (C2)’?

Answer 24

To perform port bending, where a redirector listens on the C2 port and forwards traffic to the team server on a different bind port.

Question 25

Setting the 'HTTP host header' in a listener configuration is a convenient way to leverage what technique without hardcoding it in a profile?

Answer 25

Domain fronting.

Question 26

What is the purpose of the 'Guardrails' feature in Cobalt Strike payload generation?

Answer 26

It prevents stageless Beacon payloads from running unless specified criteria (e.g., IP address, username, hostname) have been met.

Question 27

A DNS listener directs a Beacon to communicate with a team server via which types of DNS record lookups?

Answer 27

A, AAAA, or TXT record lookups.

Question 28

What happens to the metadata of a new DNS Beacon when it first checks in?

Answer 28

The metadata is not sent until the Beacon is tasked with a job, causing it to initially appear as an 'empty' session.

Question 29

What is the primary characteristic of an SMB listener regarding the team server?

Answer 29

It does not bind or listen on the team server; it only serves as a template for payload generation.

Question 30

When an SMB Beacon payload is executed, what does it create on the compromised host?

Answer 30

It creates an SMB named pipe using the 'pipename' specified in the listener configuration.

Question 31

By default, Cobalt Strike uses the pipe name _____ for SMB listeners, where ## are random hex values.

Answer 31

msagent_##

Question 32

Like an SMB listener, a TCP listener does not direct the team server to listen on any ports; instead, it provides _____ for generating TCP Beacon payloads.

Answer 32

configuration information

Question 33

In a TCP listener, what is the difference in binding if 'Bind to localhost only' is checked versus unchecked?

Answer 33

If unchecked, the Beacon binds to 0.0.0.0; if checked, it binds to 127.0.0.1.

Question 34

A TCP listener that binds to 0.0.0.0 would typically be used for _____, while one that binds to 127.0.0.1 would be used for _____.

Answer 34

lateral movement; privilege escalation

Question 35

Fundamentally, what type of file is a Cobalt Strike Beacon?

Answer 35

A Windows DLL.

Question 36

Beacon is implemented as a _____ DLL, which allows it to be loaded into a process purely from memory rather than from disk.

Answer 36

reflective

Question 37

The original Beacon reflective loader exports a function called _____ which, when called, maps a new copy of the DLL into memory.

Answer 37

ReflectiveLoader

Question 38

In older Beacon versions, a small shellcode stub is written over the _____ to jump code execution to the exported ReflectiveLoader function.

Answer 38

DOS Header

Question 39

Since Cobalt Strike 4.11, Beacon has used a new 'prepended' loader based on the one used by _____.

Answer 39

DoublePulsar

Question 40

What is a key advantage of a 'prepended' loader over a 'stomped' loader?

Answer 40

It is more stealthy and flexible, can load any PE, and does not require the PE to export any specific functions for loading.

Question 41

What is the purpose of 'payload staging' in attack frameworks?

Answer 41

To use a small program (stager) to fetch a larger, full payload (stage) over a different channel, bypassing exploit size limitations.

Question 42

What security mechanism is embedded in every stageless payload to encrypt its metadata?

Answer 42

The team server's public key.

Question 43

Why are stager payloads susceptible to hijacking when they are first executed?

Answer 43

They perform no validation to ensure they are communicating with a legitimate team server.

Question 44

From an OPSEC perspective, why are stageless payloads considered better than stagers regarding memory allocation?

Answer 44

Stageless payloads avoid using RWX memory, allocating memory as RW first and then flipping it to RX before execution.

Question 45

The HTML Application (.hta) payload generator can deliver a Beacon using which three methods?

Answer 45

Executable (on disk), PowerShell (in memory), and VBA (in memory via Office).

Question 46

What type of Beacon architecture is always delivered by the HTML Application and MS Office macro payload generators?

Answer 46

An x86 Beacon payload.

Question 47

The _____ payload generators in Cobalt Strike produce source code files, equivalent to Metasploit's msfvenom utility.

Answer 47

Stager/stageless

Question 48

In a stageless payload configuration, what is the difference between the 'Process' and 'Thread' exit functions?

Answer 48

'Process' calls ExitProcess to terminate the entire process, while 'Thread' calls ExitThread to terminate only the Beacon's thread.

Question 49

When should you use the 'xthread' (ExitThread) exit function for a Beacon payload?

Answer 49

When Beacon is injected into a process that is already running on a target system.

Question 50

What are the two 'System Call' options for a stageless Beacon payload?

Answer 50

'Direct' (uses the Nt* version of a function) and 'Indirect' (jumps to an instruction within the Nt* version).

Question 51

Besides a standard EXE, what are two other pre-built executable output options for Windows stageless payloads?

Answer 51

Windows Service EXE and Windows DLL.

Question 52

In the Cobalt Strike session view, what does the 'external' IP address column represent?

Answer 52

The external IP address of the target, as resolved by the Cobalt Strike web server.

Question 53

What does a red monitor icon with an asterisk next to the username signify in the Beacon session view?

Answer 53

The Beacon is running in high-integrity (local administrator or SYSTEM privileges).

Question 54

A blue monitor icon in the Cobalt Strike session view indicates that the Beacon is running in _____ integrity.

Answer 54

medium

Question 55

How does a Beacon prevent itself from being tasked by a different team server?

Answer 55

Its metadata is encrypted using the public key of the team server from which it was generated.

Question 56

How do you open an interactive tab for a specific Beacon session?

Answer 56

Double-click on its row in the session view or right-click and select 'Interact'.

Question 57

What command would you type in a Beacon console to see a list of available commands?

Answer 57

help

Question 58

In the Beacon console, how do you get more detailed help for a specific command like 'getuid'?

Answer 58

help getuid

Question 59

What does the log message '[+] host called home, sent: 8 bytes' indicate?

Answer 59

The Beacon has checked in, and the team server has sent it queued jobs to execute.

Question 60

What is the main advantage of using the session graph view over the table view?

Answer 60

It makes the relationship between egress and P2P Beacons immediately obvious.

Question 61

In the Cobalt Strike graph view, what does a dashed line represent?

Answer 61

An egress Beacon communicating directly with the team server.

Question 62

What does a solid line between two Beacons in the graph view represent?

Answer 62

A Peer-to-Peer (P2P) connection.

Question 63

In the session graph view, what color is used for HTTP/S egress traffic?

Answer 63

Dashed green.

Question 64

In the session graph view, what does a solid yellow line indicate?

Answer 64

An SMB peer-to-peer connection.

Question 65

What protocol is represented by a dashed yellow line in the session graph view?

Answer 65

DNS.

Question 66

What does a solid green line between two Beacons in the graph view represent?

Answer 66

A TCP peer-to-peer connection.