Cobalt Strike Capabilities Mapped to TLCTC Framework (Comprehensive)
- This table maps each Cobalt Strike feature or technique to the primary TLCTC cluster, i.e. the generic vulnerability exploited at the moment that specific action is initiated.
- Cobalt Strike is heavily reliant on sequences. Many actions require prerequisites (e.g., credentials from #4, existing access via #7) and enable subsequent actions (e.g., lateral movement using #1 enables running #7 on a new host).
- The Data Risk Event column lists the potential direct consequences of the action (LoC = Loss of Confidentiality, LoI = Loss of Integrity, LoA = Loss of Availability); a risk event is distinct from the threat cluster that produces it.
- #7 Malware specifically refers to running foreign/untrusted code via a system's designed execution capabilities. The Beacon agent itself falls under #7 once it is running.
Reconnaissance & Staging

| Cobalt Strike Capability/Technique | Primary TLCTC Cluster | Generic Vulnerability Exploited (TLCTC Context) | Description/Context/Sequence Notes | Potential Direct Data Risk Event |
| --- | --- | --- | --- | --- |
| System Profiler (Pre-Compromise Use) | (Supports #9, #3) | N/A (Reconnaissance Tool) | Gathers client info to inform attacks. Not a threat itself, enables #3/#9. | N/A |
| System Profiler (Post-Compromise Use) | #1 Abuse of Functions | Legitimate system/browser APIs for information query | Initiated via Beacon (#7), uses legitimate APIs (#1) to gather system details. Intelligence enables further attacks. | LoC |
| Clone a Site | (Supports #9) | N/A (Support Tool) | Creates replica sites for #9 Social Engineering (e.g., credential harvesting -> #4). Can host exploits (#3) or keyloggers (#7 executed via #1 browser API abuse). | (LoC if keylogger hosted) |
| Host File | (Supports #9, #3, #7) | N/A (Support Tool) | Hosts files for delivery via other clusters. | N/A |

Initial Access & Delivery

| Cobalt Strike Capability/Technique | Primary TLCTC Cluster | Generic Vulnerability Exploited (TLCTC Context) | Description/Context/Sequence Notes | Potential Direct Data Risk Event |
| --- | --- | --- | --- | --- |
| Spear Phishing Tool | #9 Social Engineering | Human psychological factors | Crafts/sends emails to manipulate users (#9). Leads to #3, #4, #7. | N/A |
| HTML Application / MS Office Macro (Generation & Delivery) | #7 Malware | Environment's designed capability to execute scripts/macros | Generates HTA/Macro (#7 artifact). Delivery usually via #9. User interaction enables execution (#7). | Leads to #7 Execution |
| Payload Generator (Stagers/Stageless Artifacts) | (Supports #7, #3, #2) | N/A (Tool Feature) | Creates malware (#7) or exploit code (#2/#3) artifacts for delivery. | N/A |
| Client-Side Exploits (Delivery & Execution via CS) | #3 Exploiting Client | Exploitable flaws in client-side software source code | Delivers/triggers exploits targeting client software (#3). Usually requires a #9 lure. Successful exploitation leads to payload execution (#7). | Leads to #7 Execution |

Beacon C2 & Core Operations

| Cobalt Strike Capability/Technique | Primary TLCTC Cluster | Generic Vulnerability Exploited (TLCTC Context) | Description/Context/Sequence Notes | Potential Direct Data Risk Event |
| --- | --- | --- | --- | --- |
| Beacon Payload Execution (Initial & Ongoing) | #7 Malware | Environment's designed capability to execute foreign code/binaries | The running Beacon agent. Its presence signifies successful exploitation of the #7 vulnerability, enabled by a prior step. | Enables C2 |
| Beacon C2 Communication (All Channels) | #7 Malware | Malware requiring C2 communication | The inherent command/control function of the running malware (#7). Uses various protocols. | N/A |
| Inline Execute (BOF Execution) | #7 Malware | Environment's designed capability to execute code within a process | Executes compiled C code (BOF) within the running Beacon (#7) process. | Enables specific actions |
| Internal Beacon Commands (sleep, checkin, mode, etc.) | #7 Malware | Malware requiring C2 commands | Commands controlling the state/behavior of the running malware agent (#7). | N/A |

Credential Access & Theft

| Cobalt Strike Capability/Technique | Primary TLCTC Cluster | Generic Vulnerability Exploited (TLCTC Context) | Description/Context/Sequence Notes | Potential Direct Data Risk Event |
| --- | --- | --- | --- | --- |
| Hashdump / LogonPasswords | #4 Identity Theft | Weak Identity Management / Inadequate Credential Protection (OS storage) | Techniques initiated via Beacon (#7) to directly target/extract OS-stored credentials (#4). Requires privileges (obtained via #1, #2, #4). | LoC |
| Mimikatz Integration (Credential Dumping) | #4 Identity Theft | Weak Identity Management / Inadequate Credential Protection (Memory/OS features) | Runs Mimikatz code (via #7 or #1) specifically to dump credentials from memory or abuse auth features (#4). | LoC |
| DCSync (via Mimikatz) | #4 Identity Theft | Weak Identity Management / Inadequate Credential Protection (Domain Replication Privs) | Abuses domain replication privileges (usually requires prior #4) to request credential data (#4). | LoC |
| Kerberos Ticket Use/Purge (kerberos_ticket_use/purge) | #4 Identity Theft | Weak Identity Management / Inadequate Credential Protection (Kerberos Tickets) | Manipulating/using Kerberos tickets affects the authentication state (#4). | Enables Impersonation |
| Token Manipulation (steal_token, make_token, rev2self, getsystem) | #4 Identity Theft | Weak Identity Management / Inadequate Credential Protection (Access Tokens) | Stealing, creating, using, or reverting access tokens to impersonate or elevate (#4). getsystem aims specifically for a SYSTEM token. | Enables Impersonation/PrivEsc |
| Keystroke Logging (keylogger) | #1 Abuse of Functions | Legitimate OS input monitoring APIs | Injects code (via #1 or #7) that then abuses legitimate OS APIs (#1) to capture keystrokes. | LoC |
| Screenshotting (screenshot, screenwatch) | #1 Abuse of Functions | Legitimate OS display capture APIs | Injects code (via #1 or #7) that then abuses legitimate OS APIs (#1) to capture screen content. | LoC |

Execution & Injection

| Cobalt Strike Capability/Technique | Primary TLCTC Cluster | Generic Vulnerability Exploited (TLCTC Context) | Description/Context/Sequence Notes | Potential Direct Data Risk Event |
| --- | --- | --- | --- | --- |
| shell / run / execute | #1 Abuse of Functions | Legitimate OS command/process execution capabilities | Uses cmd.exe or the CreateProcess API (#1) to run commands/programs. | Enables further actions |
| powershell / powerpick | #1 Abuse of Functions | Legitimate scripting engine (PowerShell) | Leverages the PowerShell engine (#1) to execute scripts/commands; powerpick does so without launching powershell.exe. | Enables further actions |
| psinject | #1 Abuse of Functions | Legitimate OS process interaction APIs + PowerShell engine | Injects into an existing process (#1) and then uses the PowerShell engine (#1) inside it. | Enables further actions |
| execute-assembly | #7 Malware | Environment's designed capability to execute foreign code (.NET Runtime) | Spawns a sacrificial process, loads the .NET runtime into it and runs the supplied assembly from memory (#7). | Enables further actions |
| dllinject / shinject / shspawn | #1 Abuse of Functions | Legitimate OS process interaction APIs (code/DLL injection) | Uses OS APIs such as WriteProcessMemory and CreateRemoteThread (#1) to inject shellcode/DLL (#7) into a remote or newly spawned process. | Leads to #7 execution |
| dllload | #1 Abuse of Functions | Legitimate OS process interaction APIs (DLL loading from disk) | Uses OS APIs (#1) to force a process to load a DLL from disk. | Enables further actions |

Defense Evasion

| Cobalt Strike Capability/Technique | Primary TLCTC Cluster | Generic Vulnerability Exploited (TLCTC Context) | Description/Context/Sequence Notes | Potential Direct Data Risk Event |
| --- | --- | --- | --- | --- |
| Malleable C2 / Artifact Kit / Resource Kit / Sleep Mask | (Configures/Modifies #7, #1, #3) | N/A (Configuration/Tool Feature) | These modify the appearance or artifacts of other threat clusters (#7, #1, #3) to evade detection. Not primary threats themselves. | N/A |
| Alternate Parent Processes (ppid, runu) | #1 Abuse of Functions | Legitimate OS process creation/relationship APIs | Manipulates process parentage using OS APIs (#1) for evasion. | N/A |
| Process Argument Spoofing (argue) | #1 Abuse of Functions | Legitimate OS process memory manipulation APIs | Modifies arguments in memory using OS APIs (#1) for evasion. | N/A |
| Block DLLs (blockdlls) | #1 Abuse of Functions | Legitimate process security features (Mitigation Policies) | Configures process mitigation policies using OS APIs (#1) for evasion/disruption. | N/A |
| timestomp | #1 Abuse of Functions | Legitimate file system metadata APIs | Modifies file timestamps using OS APIs (#1) for evasion. | N/A |

Discovery

| Cobalt Strike Capability/Technique | Primary TLCTC Cluster | Generic Vulnerability Exploited (TLCTC Context) | Description/Context/Sequence Notes | Potential Direct Data Risk Event |
| --- | --- | --- | --- | --- |
| Port Scanning (portscan) | #1 Abuse of Functions | Legitimate network communication capabilities (socket APIs) | Uses standard socket functions (#1) for unauthorized scanning. | N/A |
| Network/Host/Domain Enumeration (net cmds, ipconfig, etc.) | #1 Abuse of Functions | Legitimate system/network query APIs & commands | Uses built-in tools and APIs (#1) for reconnaissance. | LoC (Potentially) |
| File System Ops (ls, cd, pwd, drives, cp, mv, mkdir, rm, file_browser) | #1 Abuse of Functions | Legitimate file system access APIs | Uses standard file system APIs (#1) for interaction. Unauthorized access/modification is abuse. | LoC, LoI, LoA (Potentially) |
| Registry Query (reg query) | #1 Abuse of Functions | Legitimate registry access APIs | Uses standard registry APIs (#1) for discovery. | LoC (Potentially) |

Lateral Movement

| Cobalt Strike Capability/Technique | Primary TLCTC Cluster | Generic Vulnerability Exploited (TLCTC Context) | Description/Context/Sequence Notes | Potential Direct Data Risk Event |
| --- | --- | --- | --- | --- |
| jump / remote-exec (psexec, winrm, wmi variants) | #1 Abuse of Functions | Legitimate administrative protocols/services (SMB, WinRM, WMI) | Uses legitimate remote admin protocols/services (#1). Requires credentials/tokens (from prior #4). Often delivers #7. | Leads to further compromise |
| Pass-the-Hash / Pass-the-Ticket (pth, Kerberos ticket use) | #4 Identity Theft | Weak Identity Management / Inadequate Credential Protection | Uses stolen hashes/tickets (#4) to authenticate for lateral movement, typically enabling #1. | Leads to further compromise |
| SMB/TCP Beacon Peer-to-Peer (link, unlink) | #7 Malware | Malware requiring C2 communication | Establishes internal C2 channels between Beacons (#7) using legitimate protocols (SMB/TCP). | N/A (Internal C2) |

Collection & Exfiltration

| Cobalt Strike Capability/Technique | Primary TLCTC Cluster | Generic Vulnerability Exploited (TLCTC Context) | Description/Context/Sequence Notes | Potential Direct Data Risk Event |
| --- | --- | --- | --- | --- |
| File Download (download) | #1 Abuse of Functions | Legitimate file system access APIs & network protocols | Reads files via OS APIs (#1), transfers them over the C2 channel (#7). | LoC |

Pivoting

| Cobalt Strike Capability/Technique | Primary TLCTC Cluster | Generic Vulnerability Exploited (TLCTC Context) | Description/Context/Sequence Notes | Potential Direct Data Risk Event |
| --- | --- | --- | --- | --- |
| SOCKS Proxy / Reverse Port Forward (socks, rportfwd) | #1 Abuse of Functions | Legitimate networking capabilities (sockets, port binding) | Beacon (#7) opens outbound connections (socks) or binds listening ports (rportfwd) on the host via OS socket APIs (#1) to relay traffic; the SOCKS server itself listens on the team server. | N/A (Enables network access) |
| Browser Pivoting | #1 Abuse of Functions | Legitimate browser process APIs & Inter-Process Communication (IPC) | Injects code (via #1 or #7) into the user's Internet Explorer process and abuses its WinINet-based APIs/IPC (#1) to reuse existing authenticated web sessions (implicitly using authentication state from #4). | LoC, LoI (via web sessions) |
| Covert VPN | #1 Abuse of Functions | Legitimate network interface/tunneling APIs | Uses Beacon (#7) to interact with OS networking/driver APIs (#1) to create a layer-2 tunnel interface on the compromised host. | N/A (Enables network access) |

Conclusion
This mapping reinforces that Cobalt Strike's power comes from chaining techniques across multiple TLCTC clusters into complex attack sequences. Attacks typically start with #9 or #3, establish a foothold with #7, steal credentials via #4, and then move laterally or execute further actions using #1. Understanding these sequences, and the generic vulnerability behind each step, is essential for effective defense.
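The sequence dependencies described in the notes above (an action's prerequisites are clusters that must already have succeeded; each action in turn contributes its own cluster) can be checked mechanically. The following is an added example, not part of the original mapping: it encodes a constructed subset of the table rows with the prerequisites the notes state for them (the short labels, the `requires` sets and the chain-check logic are this example's own assumptions, not Cobalt Strike or TLCTC artifacts) and reports where an observed chain of actions skips a step, collapses a chain to the cluster path it exercises, and aggregates the direct data risk events.

```python
from dataclasses import dataclass

# TLCTC cluster labels exactly as used in the table above.
ABUSE_OF_FUNCTIONS = "#1"
EXPLOITING_CLIENT = "#3"
IDENTITY_THEFT = "#4"
MALWARE = "#7"
SOCIAL_ENGINEERING = "#9"


@dataclass(frozen=True)
class Capability:
    name: str              # row name from the table
    cluster: str           # primary TLCTC cluster at initiation
    requires: frozenset    # clusters that must already have succeeded (assumption from the notes)
    risk: frozenset = frozenset()   # direct data risk events (LoC / LoI / LoA)


# Constructed subset of the table. Labels are this example's own shorthand.
CAPABILITIES = {
    "spearphish":  Capability("Spear Phishing Tool", SOCIAL_ENGINEERING, frozenset()),
    "macro":       Capability("MS Office Macro", MALWARE, frozenset({SOCIAL_ENGINEERING})),
    "hashdump":    Capability("Hashdump / LogonPasswords", IDENTITY_THEFT,
                              frozenset({MALWARE}), frozenset({"LoC"})),
    "dcsync":      Capability("DCSync (via Mimikatz)", IDENTITY_THEFT,
                              frozenset({MALWARE, IDENTITY_THEFT}), frozenset({"LoC"})),
    "jump_psexec": Capability("jump psexec", ABUSE_OF_FUNCTIONS,
                              frozenset({MALWARE, IDENTITY_THEFT})),
    "download":    Capability("File Download", ABUSE_OF_FUNCTIONS,
                              frozenset({MALWARE}), frozenset({"LoC"})),
}


def check_chain(labels):
    """Return violations: actions whose prerequisite clusters were not
    established by an earlier action in the chain. Empty list means the
    chain is consistent with the sequence notes."""
    established = set()
    problems = []
    for label in labels:
        cap = CAPABILITIES[label]
        missing = sorted(cap.requires - established)
        if missing:
            problems.append(f"{label}: missing {', '.join(missing)}")
        # Whether or not prerequisites were met, the action now contributes
        # its own cluster to what later actions may rely on.
        established.add(cap.cluster)
    return problems


def cluster_path(labels):
    """Collapse a chain to the ordered clusters it exercises, dropping
    consecutive repeats (e.g. two #4 actions in a row count once)."""
    path = []
    for label in labels:
        cluster = CAPABILITIES[label].cluster
        if not path or path[-1] != cluster:
            path.append(cluster)
    return path


def risk_events(labels):
    """Union of the direct data risk events of every action in the chain."""
    events = set()
    for label in labels:
        events |= CAPABILITIES[label].risk
    return sorted(events)


if __name__ == "__main__":
    # Constructed operator sequence following the #9 -> #7 -> #4 -> #1 pattern.
    chain = ["spearphish", "macro", "hashdump", "dcsync", "jump_psexec", "download"]
    print("violations:", check_chain(chain))
    print("cluster path:", cluster_path(chain))
    print("risk events:", risk_events(chain))
    # A chain that tries DCSync straight after the lure skips #7 and #4.
    print("violations:", check_chain(["spearphish", "dcsync"]))
```

A real deployment would populate `CAPABILITIES` from the full table and feed `check_chain` with the command sequence recovered from a team server log or an incident timeline; a non-empty result points either at a step the analyst has not yet found or at a capability whose prerequisites in the table are modelled too strictly.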