Wanted

Cobalt Strike is a penetration testing platform whose tools have been repurposed by threat actors to facilitate cyber attacks. Cobalt Strike's built-in features include malicious command execution, key logging, file transfer, SOCKS proxying and privilege escalation.

Cobalt Strike

Rap Sheet

Basic Threat Type
Penetration testing platform leveraged by threat actors to facilitate cyber attacks

First Seen
2012

Alliances
N/A

Origin
Created by Raphael Mudge

Targeted Industries
N/A

Notable Attacks
SolarWinds - December 2020

Villain Synopsis:

Released in 2012, Cobalt Strike is a penetration testing, adversary simulation, and red team operations framework featuring a number of built-in offensive modules. Though CS itself is a legitimate platform, its tools are frequently repurposed by threat actors to facilitate cyberattacks. Actors use CS for the delivery, exploitation, control, execution and maintenance stages of an attack, leveraging the platform to load and execute their own malware. CS consists of two main packages: the team server and the client. The team server is a C2 server, and the client is an application used to connect to a team server. CS also contains a default malware payload, BEACON, which establishes C2 with an infected machine. BEACON can be staged in order to conduct reconnaissance on a target machine before loading the full BEACON backdoor from the C2 server. When conducting an attack with Cobalt Strike, actors deploy a staged BEACON payload, then attempt lateral movement from their entry point in order to achieve privilege escalation. The actors then take over the victim's network, where they may exfiltrate data, install other backdoors, etc. Finally, threat actors use C2 to drop their custom malware payload and proceed to the final stage(s) of their attack. Because of its advanced feature set and capability to load a variety of follow-on malware, Cobalt Strike is frequently used by ransomware threat groups or RaaS providers to facilitate large-scale attacks. In 2020, CS, along with the Metasploit framework, was used to host over 25% of all malicious C2 servers.
