{"description": "Enterprise techniques used by Cobalt Strike, ATT&CK software S0154 (v1.13)", "name": "Cobalt Strike (S0154)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use a number of known techniques to bypass Windows UAC.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1548.003", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use sudo to run a command.(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can steal access tokens from existing processes.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134.003", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can make tokens from known credentials.(Citation: cobaltstrike manual)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134.004", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can spawn processes with alternate PPIDs.(Citation: CobaltStrike Daddy May 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can determine if the user on an infected machine is in the admin or domain admin group.(Citation: Cyberreason Anchor December 2019)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: Securelist APT10 March 2021)(Citation: Kaspersky ToddyCat Check Logs October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can conduct peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.004", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use a custom command and control protocol that can be encapsulated in DNS. 
All protocols use their standard assigned ports.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1197", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can download a hosted \"beacon\" payload using [BITSAdmin](https://attack.mitre.org/software/S0190).(Citation: CobaltStrike Scripted Web Delivery)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1185", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can execute a payload on a remote host with PowerShell. 
This technique does not write any data to disk.(Citation: cobaltstrike manual)(Citation: Cyberreason Anchor December 2019) [Cobalt Strike](https://attack.mitre.org/software/S0154) can also use [PowerSploit](https://attack.mitre.org/software/S0194) and other scripting frameworks to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) uses a command-line interface to interact with systems.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use VBA to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)(Citation: Talos Cobalt Strike September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use Python to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "The [Cobalt Strike](https://attack.mitre.org/software/S0154) System Profiler can use JavaScript to perform reconnaissance actions.(Citation: Talos Cobalt Strike September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": 
"[Cobalt Strike](https://attack.mitre.org/software/S0154) can install a new service.(Citation: Cobalt Strike TTPs Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use Base64, URL-safe Base64, or NetBIOS encoding in its C2 traffic.(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can collect data from a local system.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.003", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can leverage the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI.(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1030", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) will break large data sets into smaller chunks for exfiltration.(Citation: cobaltstrike manual)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) has the 
ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shell code and configuration data.(Citation: Talos Cobalt Strike September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server.(Citation: Talos Cobalt Strike September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1203", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can exploit Oracle Java vulnerabilities for execution, including CVE-2011-3544, CVE-2013-2465, CVE-2012-4681, and CVE-2013-2460.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1068", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can exploit vulnerabilities such as MS14-058.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can explore files on a compromised system.(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.010", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can spoof arguments in spawned processes that execute beacon commands.(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) has the ability to use 
Smart Applet attacks to disable the Java SecurityManager sandbox.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can timestomp any files or payloads placed on a target machine to help them blend in.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can deliver additional payloads to victim machines.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can track key presses with a keylogger module.(Citation: cobaltstrike manual)(Citation: Amnesty Intl. 
Ocean Lotus February 2021)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can modify Registry values within HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Excel\\Security\\AccessVBOM\\ to enable the execution of additional code.(Citation: Talos Cobalt Strike September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154)'s Beacon payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can perform port scans from an infected host.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can query shared drives on the local system.(Citation: Cobalt Strike TTPs Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can be configured to use TCP, ICMP, and UDP for C2 communications.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon 
session metadata.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.005", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) includes a capability to modify the Beacon payload to eliminate known signatures or unpacking methods.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1137", "showSubtechniques": true}, {"techniqueID": "T1137.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) has the ability to use an Excel Workbook to execute additional code by enabling Office to trust macros and execute code without user permission.(Citation: Talos Cobalt Strike September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can spawn a job to inject into LSASS memory and dump password hashes.(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can recover hashed passwords.(Citation: cobaltstrike manual)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use net localgroup to list local groups on a system.(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069.002", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can identify targets by querying account groups on a domain controller.(Citation: Cobalt Strike Manual 4.3 November 2020)", 
"score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154)'s Beacon payload can collect information on process details.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can inject a variety of payloads into processes dynamically chosen by the adversary.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) has the ability to load DLLs via reflective injection.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use process hollowing for execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1572", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. 
All protocols use their standard assigned ports.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090.004", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) has the ability to accept a value for HTTP Host Header to enable domain fronting.(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can query HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Excel\\Security\\AccessVBOM\\  to determine if the security setting for restricting default programmatic access is enabled.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1620", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154)'s execute-assembly command can run a .NET executable within the memory of a sacrificial process by loading the CLR.(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can start a VNC-based remote desktop server and tunnel the connection through the already established C2 
channel.(Citation: cobaltstrike manual)(Citation: Cybereason Bumblebee August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use Windows admin shares (C$ and ADMIN$) for lateral movement.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.003", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can deliver Beacon payloads for lateral movement by leveraging remote COM execution.(Citation: Cobalt Strike DCOM Jan 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.004", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can SSH to a remote service.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.006", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use WinRM to execute a payload on a remote host.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1029", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval.(Citation: cobaltstrike manual)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
false}, {"techniqueID": "T1113", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154)'s Beacon payload is capable of capturing screenshots.(Citation: cobaltstrike manual)(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "The [Cobalt Strike](https://attack.mitre.org/software/S0154) System Profiler can discover applications through the browser and identify the version of Java the target has.(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use self-signed Java applets to execute signed applet attacks.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use `rundll32.exe` to load a DLL from the command line.(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: DFIR Conti Bazar Nov 2021)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can determine the NetBIOS name and the IP addresses of target machines including domain controllers.(Citation: Cyberreason Anchor December 2019)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can produce a sessions report from compromised hosts.(Citation: Talos Cobalt Strike September 
2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can enumerate services on compromised hosts.(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use [PsExec](https://attack.mitre.org/software/S0029) to execute a payload on a remote host. It can also use Service Control Manager to start new services.(Citation: cobaltstrike manual)(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.002", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can perform pass the hash.(Citation: Cobalt Strike TTPs Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.002", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use known credentials to run commands and spawn processes as a domain user account.(Citation: cobaltstrike manual)(Citation: CobaltStrike Daddy May 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078.003", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use known credentials to run commands and spawn processes as a local user account.(Citation: cobaltstrike manual)(Citation: CobaltStrike Daddy May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use WMI to deliver a payload to a remote host.(Citation: cobaltstrike 
manual)(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Cobalt Strike", "color": "#66b1ff"}]}