Expert in deploying and securing Cobalt Strike C2, customizing Malleable C2 profiles, advanced post-exploitation, AV bypass, lateral movement, and Aggressor...
Here is a professionally structured skill.md for Cobalt Strike, tailored to your background in Windows reverse engineering and security research.

# Cobalt Strike Core Competencies (skill.md)

## 1. Architecture & Command & Control (C2)

- **Infrastructure Setup:** Deploying and securing the Teamserver on Linux instances using customized ports and valid SSL certificates.
- **Malleable C2 Profiles:** Expertly configuring `.profile` files to modify Beacon's network traffic patterns, successfully impersonating legitimate services (e.g., Cloudflare, jQuery, or Amazon) to evade Deep Packet Inspection (DPI) and EDR heuristics.
- **Beacon Communication:** Deep understanding of egress protocols including HTTP/HTTPS, DNS (A/TXT records), and staged vs. stageless payloads.

## 2. Advanced Post-Exploitation

- **Process Injection:** Leveraging Windows API knowledge to customize process injection techniques (e.g., `CreateRemoteThread`, `NtCreateThreadEx`) for better OpSec.
- **Memory Analysis:** Using obfuscate-and-sleep and cleanup settings to minimize the Beacon's footprint in memory and bypass scanners like Moneta or PE-Sieve.
- **Privilege Escalation:** Utilizing built-in modules (`elevate`) and integrating custom Aggressor Scripts to exploit local privilege escalation (LPE) vulnerabilities.

## 3. Defensive Evasion & Antivirus (AV) Bypass

- **Artifact Kit Customization:** Modifying the C source code of the Artifact Kit to bypass signature-based detection by altering the way the Beacon is loaded into memory.
- **Shellcode Obfuscation:** Applying encryption and encoding techniques (XOR, AES, or custom ROR/ROL rotations) to raw shellcode before delivery.
- **User-Defined Reflective Loader (UDRL):** Implementing custom reflective loaders to gain control over how the Beacon DLL is mapped into memory, a critical skill for bypassing modern EDR memory hooks.

## 4. Lateral Movement & Pivoting

- **Credential Harvesting:** Executing `hashdump` and `logonpasswords` via Mimikatz integration while managing risk through selective memory access.
- **Pivoting:** Establishing multi-hop C2 chains using SMB and TCP Beacons to navigate through isolated network segments (intranets) without direct internet access.
- **SOCKS Proxying:** Setting up reverse SOCKS proxies to tunnel external tools (like Proxychains or Impacket) through the Beacon.

## 5. Automation with Aggressor Script (CNA)

- **UI Customization:** Extending the Cobalt Strike GUI by adding custom popup menus and aliases for frequently used terminal commands.
- **Event Hooks:** Scripting automated actions upon new Beacon check-ins, such as automatic system reconnaissance or persistent backdoor installation.
- **BOF Integration:** Developing and executing Beacon Object Files (BOFs): small, C-compiled programs that run inside the Beacon process without spawning a new (sacrificial) process, significantly reducing the chance of detection.