Abstract
This document maps Cobalt Strike features and techniques to the primary TLCTC cluster representing the generic vulnerability exploited at the initiation of that specific action. Classification follows TLCTC v2.0 normative rules (R-ROLE, R-CRED, R-EXEC, R-ABUSE). This update corrects credential dumping classifications per R-CRED (acquisition ≠ application) and adds explicit #7 recording per R-EXEC for LOLBAS-style execution patterns.
Introduction & Methodology
Cobalt Strike operations are heavily sequence-dependent: many actions require prerequisites (e.g., credentials from #4, existing access via #7) and in turn enable subsequent actions.
- R-CRED Application: Credential acquisition maps to the enabling cluster; credential application (use/presentation) maps to #4. Dumping credentials is acquisition via #7 (FEC execution); using them is #4.
- R-EXEC Application: Whenever FEC executes, #7 must be recorded. LOLBAS invocation (#1) followed by attacker command execution = #1 → #7.
- Data Risk Events: The Data Risk Event column indicates potential direct consequences (LoC = Loss of Confidentiality, LoI = Loss of Integrity, LoA = Loss of Availability) resulting from the action, distinct from the threat cluster itself.
V2.0 Revision Note
This update corrects credential dumping classifications per R-CRED (acquisition ≠ application) and adds explicit #7 recording per R-EXEC for LOLBAS-style execution patterns.
Reconnaissance & Staging
| Capability | Cluster | Generic Vulnerability | Context/Sequence | Data Risk |
|---|---|---|---|---|
| System Profiler (Pre-Compromise) | N/A | Reconnaissance tool | Gathers client info to inform attacks. Not a threat itself; enables #3/#9. | N/A |
| System Profiler (Post-Compromise) | #1 | Legitimate system/browser APIs for information query | Initiated via Beacon (#7), uses legitimate APIs (#1) to gather system details. | LoC |
| Clone a Site | N/A | Support tool for #9 | Creates replica sites for social engineering. Can host exploits (#3) or keyloggers (#7 via #1). | (LoC) |
| Host File | N/A | Support tool | Hosts files for delivery via other clusters. | N/A |
Initial Access & Delivery
| Capability | Cluster | Generic Vulnerability | Context/Sequence | Data Risk |
|---|---|---|---|---|
| Spear Phishing Tool | #9 | Human psychological factors | Crafts/sends emails to manipulate users. Leads to #3, #4, #7. | N/A |
| HTML Application / MS Office Macro | #7 | Environment's designed capability to execute scripts/macros | Generates HTA/Macro (#7 artifact). Delivery usually via #9. User interaction enables execution. | → #7 |
| Payload Generator | N/A | Tool feature | Creates malware (#7) or exploit code (#2/#3) artifacts for delivery. | N/A |
| Client-Side Exploits | #3 | Exploitable flaws in client-side software source code | Delivers/triggers exploits targeting client software. Usually requires a #9 lure. Successful exploit leads to #7. | → #7 |
Beacon C2 & Core Operations
| Capability | Cluster | Generic Vulnerability | Context/Sequence | Data Risk |
|---|---|---|---|---|
| Beacon Payload Execution | #7 | Environment's designed capability to execute foreign code/binaries | The running Beacon agent. Its presence signifies successful exploitation of the #7 vulnerability. | Enables C2 |
| Beacon C2 Communication | #7 | Malware requiring C2 communication | The inherent command/control function of running malware (#7). Uses various protocols. | N/A |
| Inline Execute (BOF) | #7 | Environment's designed capability to execute code within a process | Executes compiled C code (BOF) within the running Beacon (#7) process. | Enables actions |
| Internal Commands (sleep, checkin, mode) | #7 | Malware requiring C2 commands | Commands controlling state/behavior of the running malware agent (#7). | N/A |
Credential Access & Theft
CORRECTED per R-CRED: Credential acquisition (dumping, capture) maps to the enabling cluster. Credential application (use, presentation) maps to #4. This section distinguishes acquisition vs. application.
| Capability | Cluster | Generic Vulnerability | Context/Sequence | Data Risk |
|---|---|---|---|---|
| Hashdump / LogonPasswords | #7 | FEC execution to extract OS-stored credentials (acquisition) | Beacon runs FEC to dump credentials. Requires privileges. Acquisition, not application. | LoC |
| Mimikatz (Credential Dumping) | #7 | FEC execution via Mimikatz to dump credentials from memory (acquisition) | Runs Mimikatz code (FEC) to dump credentials from memory or abuse auth features. Acquisition step. | LoC |
| DCSync (via Mimikatz) | #1 | Legitimate domain replication protocol abuse (acquisition) | Abuses domain replication privileges via a legitimate protocol. No FEC required for the replication itself. | LoC |
| Token Manipulation (steal_token, make_token, rev2self, getsystem) | #4 | Weak Identity Management / Access Tokens (application) | Stealing, creating, using, or reverting access tokens to impersonate or elevate. This IS credential application. | Enables impersonation |
| Kerberos Ticket Use/Purge | #4 | Weak Identity Management / Kerberos Tickets (application) | Manipulating/using Kerberos tickets affects authentication state. Ticket USE is application. | Enables impersonation |
| Keystroke Logging | #1 | Legitimate OS input monitoring APIs | Injects code (via #1 or #7) that abuses legitimate OS APIs (#1) to capture keystrokes. Credential acquisition. | LoC |
| Screenshotting | #1 | Legitimate OS display capture APIs | Injects code (via #1 or #7) that abuses legitimate OS APIs (#1) to capture screen content. | LoC |
Execution & Injection
CORRECTED per R-EXEC: LOLBAS-style execution must record #7 whenever attacker-controlled commands execute. Invocation of the legitimate binary is #1; execution of attacker content is #7. Sequence: #1 → #7.
| Capability | Cluster | Generic Vulnerability | Context/Sequence | Data Risk |
|---|---|---|---|---|
| shell / run / execute | #1 → #7 | Legitimate OS command execution → FEC execution | Uses cmd.exe or CreateProcess (#1) to run attacker commands (#7). Both must be recorded. | Enables actions |
| powershell / powerpick | #1 → #7 | Legitimate PowerShell engine → FEC execution | Leverages the PowerShell engine (#1) to execute attacker scripts/commands (#7). | Enables actions |
| psinject | #1 → #7 | Legitimate OS process APIs + PowerShell → FEC | Injects into a process (#1), then uses PowerShell to execute attacker content (#7). | Enables actions |
| execute-assembly | #7 | Environment's designed capability to execute foreign code (.NET) | Leverages the .NET runtime (#7) to load and run assemblies. Direct FEC execution. | Enables actions |
| dllinject / shinject / shspawn | #1 → #7 | Legitimate OS process APIs → shellcode/DLL execution | Uses OS APIs (#1) to inject shellcode/DLL (#7) into a remote/new process. | → #7 |
| dllload | #1 → #7 | Legitimate OS DLL loading APIs → foreign DLL execution | Uses OS APIs (#1) to force loading of an attacker DLL (#7) from disk. | Enables actions |
Defense Evasion
| Capability | Cluster | Generic Vulnerability | Context/Sequence | Data Risk |
|---|---|---|---|---|
| Malleable C2 / Artifact Kit / Resource Kit / Sleep Mask | N/A | Configuration/Tool Feature | Modifies the appearance or artifacts of other clusters (#7, #1, #3) to evade detection. Not primary threats. | N/A |
| Alternate Parent Processes (ppid, runu) | #1 | Legitimate OS process creation/relationship APIs | Manipulates process parentage using OS APIs (#1) for evasion. | N/A |
| Process Argument Spoofing (argue) | #1 | Legitimate OS process memory manipulation APIs | Modifies arguments in memory using OS APIs (#1) for evasion. | N/A |
| Block DLLs (blockdlls) | #1 | Legitimate process security features (Mitigation Policies) | Configures process mitigation policies using OS APIs (#1) for evasion/disruption. | N/A |
| timestomp | #1 | Legitimate file system metadata APIs | Modifies file timestamps using OS APIs (#1) for evasion. | N/A |
Discovery
| Capability | Cluster | Generic Vulnerability | Context/Sequence | Data Risk |
|---|---|---|---|---|
| Port Scanning (portscan) | #1 | Legitimate network socket APIs | Uses standard socket functions (#1) for unauthorized scanning. | N/A |
| Network/Host/Domain Enumeration | #1 | Legitimate system/network query APIs & commands | Uses built-in tools and APIs (#1) for reconnaissance. | (LoC) |
| File System Ops (ls, cd, pwd, drives, etc.) | #1 | Legitimate file system access APIs | Uses standard file system APIs (#1) for interaction. Unauthorized access/modification is abuse. | LoC/LoI/LoA |
| Registry Query (reg query) | #1 | Legitimate registry access APIs | Uses standard registry APIs (#1) for discovery. | (LoC) |
Lateral Movement
| Capability | Cluster | Generic Vulnerability | Context/Sequence | Data Risk |
|---|---|---|---|---|
| jump / remote-exec (psexec, winrm, wmi) | #1 | Legitimate administrative protocols/services (SMB, WinRM, WMI) | Uses legitimate remote admin protocols (#1). Requires credentials/tokens (prior #4). Often delivers #7. | → compromise |
| Pass-the-Hash / Pass-the-Ticket | #4 | Weak Identity Management / Credential Protection (application) | Uses stolen hashes/tickets (#4) to authenticate for lateral movement. This is credential APPLICATION. | → compromise |
| SMB/TCP Beacon Peer-to-Peer (link, unlink) | #7 | Malware requiring C2 communication | Establishes internal C2 channels for Beacon (#7) using legitimate protocols. | N/A (Internal C2) |
Collection & Exfiltration
| Capability | Cluster | Generic Vulnerability | Context/Sequence | Data Risk |
|---|---|---|---|---|
| File Download (download) | #1 | Legitimate file system access APIs & network protocols | Reads files via OS APIs (#1), transfers them over C2 (#7). | LoC |
Pivoting
| Capability | Cluster | Generic Vulnerability | Context/Sequence | Data Risk |
|---|---|---|---|---|
| SOCKS Proxy / Reverse Port Forward | #1 | Legitimate networking capabilities (sockets, port binding) | Uses Beacon (#7) to manipulate the host's networking stack via OS APIs (#1) to relay traffic. | Enables access |
| Browser Pivoting | #1 | Legitimate browser process APIs & IPC | Injects code (via #1 or #7) which abuses browser IPC/APIs (#1) to leverage existing web sessions. | LoC, LoI |
| Covert VPN | #1 | Legitimate network interface/tunneling APIs | Uses Beacon (#7) to interact with OS networking APIs (#1) to create a tunnel interface. | Enables access |
Conclusion
This detailed mapping reinforces that Cobalt Strike's power comes from its ability to seamlessly combine techniques across multiple TLCTC clusters, executing complex attack sequences.
Typical Attack Sequence Pattern
#9 or #3 → #7 (foothold) → #4 (credential use) → #1 (lateral movement/actions)
Understanding these sequences and the generic vulnerabilities exploited at each step is essential for effective defense. Control strategies should address the full attack path, not just individual techniques.
Key V2.0 Corrections Applied
- Credential Dumping (R-CRED): Hashdump, LogonPasswords, Mimikatz credential dumping reclassified from #4 to #7 — these are credential acquisition via FEC execution, not credential application.
- DCSync (R-CRED): Reclassified from #4 to #1 — DCSync abuses legitimate domain replication protocol without requiring FEC for the replication itself.
- LOLBAS Execution (R-EXEC): shell/run/execute, powershell/powerpick, psinject changed from #1 to #1 → #7 — legitimate binary invocation plus FEC execution must both be recorded.
- Token/Ticket USE (R-CRED): Correctly remains #4 — steal_token, make_token, Kerberos ticket use are credential APPLICATION (presenting identity artifacts).
- Keystroke Logging: Correctly #1 — abuses legitimate OS APIs; captured credentials would be used in a subsequent #4 step.
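As an added example (not code from the TLCTC white paper or the Cobalt Strike manual), the following Python encodes the R-EXEC and R-CRED rules listed above so that a row's cluster record is derived from what an action does rather than looked up by name; the `Action` fields and the sample rows are constructed for illustration and cover only these two rules, not #3 or #9 classification.

```python
# Added example (not from the TLCTC white paper or the Cobalt Strike manual):
# derives the cluster record for an action from the R-EXEC and R-CRED rules
# instead of looking it up by name. Field names are constructed for this example.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Action:
    name: str
    legit_invocation: bool = False       # legitimate OS binary, API or protocol used
    foreign_code_executed: bool = False  # attacker-controlled code (FEC) runs
    credential_action: Optional[str] = None  # "acquire", "apply" or None

def classify(action: Action) -> List[str]:
    """Return the ordered TLCTC clusters to record for one action."""
    if action.credential_action not in (None, "acquire", "apply"):
        raise ValueError(f"unknown credential_action: {action.credential_action}")
    # R-CRED: presenting an identity artifact is #4 regardless of how it was obtained.
    if action.credential_action == "apply":
        return ["#4"]
    # R-EXEC: record the legitimate invocation (#1) first, then the foreign
    # code it enables (#7); both when both occur (LOLBAS-style execution).
    clusters = []
    if action.legit_invocation:
        clusters.append("#1")
    if action.foreign_code_executed:
        clusters.append("#7")
    # R-CRED: acquisition borrows the enabling cluster. Falling back to #4
    # here was the v1 error the revision note corrects, so refuse instead.
    if action.credential_action == "acquire" and not clusters:
        raise ValueError(f"{action.name}: acquisition needs an enabling cluster")
    return clusters

def sequence(action: Action) -> str:
    """Render the cluster list the way the mapping tables write it."""
    return " → ".join(classify(action)) or "N/A"

# Constructed rows mirroring the tables above.
SAMPLE_ACTIONS = [
    Action("shell / run / execute", legit_invocation=True, foreign_code_executed=True),
    Action("execute-assembly", foreign_code_executed=True),
    Action("hashdump", foreign_code_executed=True, credential_action="acquire"),
    Action("DCSync", legit_invocation=True, credential_action="acquire"),
    Action("pass-the-hash", credential_action="apply"),
    Action("Malleable C2 profile"),  # tool feature: no cluster of its own
]

if __name__ == "__main__":
    for a in SAMPLE_ACTIONS:
        print(f"{a.name:24s} {sequence(a)}")
```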
Framework Reference: TLCTC v2.0 White Paper — tlctc.net
Classification Rules Applied: R-ROLE, R-CRED, R-EXEC, R-ABUSE, R-FLOOD, R-MITM, R-SUPPLY
References
- Cobalt Strike Manual (Help Systems)
- Kreinz, B. Top Level Cyber Threat Clusters (TLCTC), White Paper V2.0
- TLCTC Implementation Guide — Cobalt Strike Mapping v2.0