Cobalt Strike

July 2024

Version: 4.10

July 16,. 2024

New Features
  • Overhauled Sleepmask to support the new BeaconGate feature:

    • Added "stage.beacon_gate" Malleable C2 options to configure which APIs will be proxied through the BeaconGate.

    • Added "beacon_gate" command and "bbeacon_gate" aggressor function to enable and disable BeaconGate.

    • Increased sleepmask size from 16K to 32K.

    • Added sleepmask cleanup function to clean Beacon memory on exit.

    • Changed to default sleepmask to mask the .text section.

    • Allow users to give location of Sleepmask BOF memory with a UDRL and ALLOCATED_MEMORY structure.

  • Added support for executing DLL post-ex payloads with the "execute-dll" command and "beacon_execute_postex_job" aggressor function:

    • Added the "bjob_send_data" aggressor function will send data to the post-ex job during execution.

    • Added The "bjoblog" and "bjoberror" aggressor functions to log job output to the beacon console.

  • Added Job Browser and Job Console to client for viewing and managing jobs and job output.

  • Added "http_beacon.data_required" and "http_beacon.data_required_length" Malleable C2 options for web/proxy servers that return a empty 200 (OK) when blocking requests which beacon interprets as a valid connection.

    • Added "beacon_config failover_notification" command and "bbeacon_config" aggressor function to optionally log callback host connection failover information.

    • Added "beacon_config host" command and "bbeacon_config" aggressor function to add/update/remove hosts, list host info, list Host Profiles, reset hosts, and hold/release hosts.

    • Updated beacon random and round-robin rotation modes to hold hosts that have failed until all hosts have failed to stabilize connections.

  • Added Beacon APIs to expose system call functionality for use in BOFs:

    • Allow users to give location of BOF memory with a UDRL and ALLOCATED_MEMORY structure.

    • Added BeaconGetSyscallInformation API.

    • Expanded BOF API limit to 128.

  • Added CreateFile, ReadFile, and WriteFile system calls in beacon.

  • Changed tab management for Listeners, Sites, etc.. to activate already open tabs, when available.

  • Changed layout manager to improve dialog component layout when resizing dialogs.

  • Added preferences option for opening main frame maximized. Also saves last size/position for restarting main frame.

  • Added support for user defined tab auto-completion of user defined commands on Beacon Console.

  • Updated tab auto-complete for Windows file system to be case insensitive.

  • Added reverse tab auto-completion with Shift+TAB.

  • Changed stage.compile_time setting to be interpretted as UTC time.

  • Allow client to prompt for a different connection when attempting to connect with a username that is already connected to the server.

  • Changed Payload Generator dialog default to 'Raw' output type.

  • Added "Use PTH" option to Make Token dialog to indicate the password field is a hash or a potential 32 character password.

  • Added a check to the ExecuteAssemblyJob.spawn function to only generate the data store item if the data store has stored .NET assemblies.

  • Add customizable logging date format with "logfile.timestamp.pattern" and "logfile.timezone" in TeamServer.prop.

  • Added passthrough mode to external C2 to use embedded payload rather than getting it from server [payload=false option]

  • Added CSS MIME type to supported hosted file types on Host File dialog and automatic support.

  • Minimum java version has been updated to Java 11.

  • The team server and client have been split into separate installs to allow "client only" installation for Linux platforms.

    • Changed the Mac Client installer to install as a zip rather than as a dmg.

Fixes
  • Fixed sleep import command when importing from a jar file using Java 9 or later.

  • Fixed Windows/Mac client issue in Beacon Console not positioning/activating cursor on command input line.

  • Fixed amsi_disable setting on windows 11 systems.

  • Fixed error with Screenshot and Keystrokes browsers causing disconnect from the teamserver.

  • Changed WinHTTP based HTTP beacon to preload "OnDemandConnRouteHelper.dll" to prevent it from repeated reloading.

October 2023

Version: 4.9.1

October 10, 2023

Enhancements
  • Updated the console help for the execute-assembly, inline-execute, and data-store commands.
Fixes
  • Fixed issue where the Post-Ex obfuscate and cleanup settings were not applied correctly.

  • Fixed issue where the .NET assemblies stored in the Data Store were not used when Post-Ex obfuscate setting is true.

  • Fixed issue when applying UDRLs to Post-Ex DLLs (POSTEX_RDLL_GENERATE) would cause the dll to not initialize and fail.

September 2023

Version: 4.9

September 19, 2023

New Features
  • Authorization files are no longer backwards compatible.

  • Changed Post-Ex DLL's to use prepended loaders (sRDI/Double Pulsar).

    • Implemented in browserpivot, hashdump, invokeassembly, keylogger, mimikatz, netview, portscan, powershell, screenshot, and sshagent.

    • Added Aggressor hooks for applying UDRLs to post-ex DLLs (POSTEX_RDLL_GENERATE).

    • Added support for transform.strrep to post-ex DLL Processing.

    • Added post-ex.cleanup malleable C2 profile property.

    • Added smart-inject pointers to the POSTEX_RDLL_GENERATE hook.

  • Added Beacon without the exported ReflectiveLoader function to support the prepended UDRLs (sRDI/Double Pulsar).

    • The BEACON_RDLL_SIZE function default changed from 0 to 5k.

    • When the BEACON_RDLL_SIZE returns 0, then a Beacon without the reflective loader is passed to BEACON_RDLL_GENERATE and BEACON_RDLL_GENERATE_LOCAL hooks.

  • Added Beacon User Data to pass user specified information via UDRL.

    • Added support for syscall functions addresses/numbers.

    • Added a user specified field to Beacon User Data.

    • Added BOF API function to get the pointer to the user data.

  • Added data-store command to store BOFs and .NET assemblies in the beacon Data Store.

    • Added the aggressor script functions for supporting the beacon Data Store.

    • Added BOF API functions to access and protect stored items in the beacon Data Store.

  • Support spawning processes under the impersonated user security context.

  • Added DuplicateHandle, ReadProcessMemory, and WriteProcessMemory system calls in beacon.

  • Added Malleable C2 Profile definition of Host Profiles to customize the uri, header, and parameter attributes of the HTTP(S) get/post to be host specific and dynamic.

  • Added callback support to aggressor script functions: bnet, beacon_inline_execute, binline_execute, bdllspawn, bexecute_assembly, bhashdump, bmimikatz, bmimikatz_small, bportscan, bpowerpick, bpowershell, and bpsinject

  • Added support for a HTTP(S) beacon based on the WinHTTP library.

    • Added .http-beacon.library Malleable C2 setting to specify the default beacon http library type (wininet|winhttp).

  • Added aggressor script support for sending/receiving data between clients.

  • Added BOF APIs to access the key/value store in beacon.

  • Added BOF API to retrieve the sleep mask information.

  • Added Malleable C2 sleep setting to match the sleep command syntax.

Fixes
  • Fixed Malleable C2 strrep setting issues with sleep mask BOF.

  • Fixed Malleable C2 headers_remove setting.

  • Fixed Malleable C2 http-config.headers setting with Content-Type option adds "Content-Type: null" header.

  • Fixed c2lint syntax highlighting when data jitter and append are used.

  • Fixed steal_token command to open a process that is protected.

March 2023

Version: 4.8

March 7, 2023

New Features
  • Added support for beacon to use system calls.

  • Added new Malleable C2 profile setting stage.syscall_method to set the default system calls method.

  • Added support for picking the system call method at payload generation time.

  • Added support for system calls within sleepmask kit.

  • Added beacon command (syscall-method) to change the syscall method used at runtime.

  • Added patching support to powerpick (bpowerpick) and execute-assembly (bexecute-assembly) for ETW blinding, etc...

  • Added support for beacon guardrails (IP address, user name, server, and domain).

  • Added token store to allow token hot swapping of tokens.

  • Added script ('clearteamserverdata') to help reset team server.

  • Added exit function support to Windows Executable Stageless dialog.

  • Added support to chain multiple commands in a single Mimikatz call.

  • Added support to copy/paste from beacon output pane.

  • Added warning dialog to Spear-Phishing process.

Enhancements
  • Updated Sleep Mask size limit from 8192 to 16384 bytes.

  • Updated 'pth' command to accept a username with spaces in it.

  • Updated teamserver to check authorization expiration daily.

  • Updated stage.obfuscate malleable C2 option to use more robust encryption.

  • Display current token in the UI.

  • Make setting sleeptime more flexible (support seconds, minutes, hours, and days).

  • Sychronize teamserver data during startup (screenshots, keylogs, downloads, and hosted items).

  • Store screenshot and keylogging data on teamserver for subsequent syncing.

  • Allow deleting of downloaded files.

  • Updated Mimikatz to version 2.2.0 20220919.

  • Rebranded Cobalt Strike parent company from HelpSystems to Fortra.

  • Change default naming convention on payload generation dialogs to include bitness (_x86/_x64).

  • Miscellaneous java dependency updates for security.

Fixes
  • Fixed typo in Generate All Payloads dialog.

  • Fixed Pivot beacons not showing as connected after reconnecting.

  • Fixed unresponsive DNS beacons after a teamserver restart.

October 2022

Version: 4.7.2

October 17, 2022

Fixes
  • Hardening of the client against a RCE security issue within the Java Swing framework's support for HTML in components.

  • Fixed an issue with the example text in the font selection dialog.

  • Added a confirmation dialog for the Spear Phish preview dialog to confirm the user trusts the data used for the Spear Phish.

September 2022

Version: 4.7.1

September 20, 2022

Fixes
  • Fixed an issue when stage.sleep_mask is set to false beacon would still allocate memory for the sleep mask BOF.

  • Fixed an issue with the sleep mask size limit for the pivot type not supporting 8192 bytes.

  • Fixed an issue with background color not working correctly for console windows.

  • Fixed a typo in the Windows Executable (Stageless) Variants dialog.

  • Fixed an issue where text can be entered into the beacon console status bar.

  • Fixed an issue with beacon colors not working correctly.

  • Restricted valid characters allowed in beacon metadata.

  • Added ability to limit the maximum beacons allowed via "limits.beacons_max" attribue in "TeamServer.prop" team server file.

August 2022

Version: 4.7

August 17, 2022

New Features
  • Added new memory options to the Malleable C2 Profile for BOF execution, allowing users to define how BOFs live in memory.
  • Added SOCKS5 proxy server support, including DNS resolution and UDP support.
  • Added an option to import credentials on the View -> Credentials list. Added an additional export option to facilitate this.
  • Added a stageless payload generator dialog that allows you to set either "thread" or "process" as the exit option.
  • Added a new command clipboard to steal the contents of the Windows clipboard.
    • Also added an Aggressor Script function bclipboard to steal the contents of the Windows clipboard.
  • Added a preference to set whether to display the teamserver tab bar at all times (unchecked by default).
  • Added a new menu item to allow the user to generate x86 and x64 stageless payloads for all available payload variants at once.
    • Also added a new Aggressor Script function all_payloads to do this without showing the dialog.
  • Added a sleep time tracking feature.
    • The sleep time for each Beacon is recorded and displayed in a new column in the Beacon table view
    • Sleep time is persisted between teamserver restarts.
  • Added a Beacon Health feature that uses the sleep time and last checkin time for each Beacon to indicate whether the Beacon is active, disconnected or dead.
  • Added a dark mode option to the UI.
  • Added two new Beacon console commands.
    • file_browser opens the File Browser.
    • process_browser opens the Process Browser.
  • Added automatic parsing and resolution of Windows error codes.
    • Added a new Beacon console command windows_error_code that can be independently used to convert a Windows error code to a message.
    • Added a new Aggressor Script function windows_error_code that can be used to convert a Windows error code to a message.
Enhancements
  • Updated how Beacon processes BOFs.
  • BOF memory sections are now located together, this resolves issues where BOFs may not run because the address offset is > 4GB.
    • Added support for additional relocation types.
    • Increased the number of available dynamic functions from 32 to 64.
  • Updated File Browser processing to ensure that actions are displayed on the Beacon console and logged in the activity report in the same way as when the "ls" command is run.
  • Updated Beacon interactions in the UI. Double-clicking a Beacon now open the Beacon console (i.e. interact with the Beacon).
  • Updated Process Browser processing to ensure that actions are dispalyed on the Beacon console and logged in the activity report in the same way as when the "ps" command is run.
  • Updated the main menu to flatten out and reorganize some of the menus.
  • Updated the icons used in the UI and simplified the toolbar, removing buttons for some of the less popular functions.
  • Added a new dialog that displays default shortcut keys (Help -> Default Shortcut Keys).
  • Updated Beacon and SSH console timestamps. They are both now on by default.
  • Updated the Beacon status bar to display more information including hostname, host OS bitness (x86 or x64), username, process ID, process bitness (x86 or x64), parent process ID (linked Beacons only), Beacon note (truncated if > 50 characters) and last connection time.
  • Updated the event status bar to include the teamserver local IP and number of Beacons.
  • Updated Sleep mask to be executed as a BOF.
    • Sleep mask size limit increased from 769 to 8192 bytes.
  • Updated module stomping to support the ability to specify the starting ordinal when searching for exported functions.
  • Updated steal_token to enable it to steal tokens from processes that it previously couldn't get to, by making the access mask customizable.
    • Also updated the steal_token dialog in the UI to make it easier to set the access mask.
  • Updated the Beacon right-click menu. Changes made to Beacon, SSH, Graph and Targets options.
  • Updated the "ps" command output.
    • Parent/child process relationships are resolved and displayed in a tree.
  • Updated the images used for Beacons, sessions and targets in the pivot chart and table views.
  • Updated the Aggressor Script function setup_reflective_loader to output the ReflectiveLoader function offset to the script console.
Fixes
  • Fixed reliability issues around how copy/paste works. Text is now reliably copied to the clipboard.

April 2022

Version: 4.6

April 20, 2022

New Features
  • Combined all kits in the Cobalt Strike arsenal into a single kit. Available via the Cobalt Strike -> Help -> Arsenal menu option.
Enhancements
  • Improved product security:

    • The Cobalt Strike teamserver now runs from a Executable image (TeamServerImage), rather than a standard Java application.

    • The Cobalt Strike client now runs from a new jar file ('cobaltstrike-client.jar' rather than 'cobaltstrike.jar').

    • The 'TeamServerImage' and 'cobaltstrike-client.jar' files are extracted from the 'cobaltstrike.jar' as needed.

  • Increased 1MB size limit for execute-assembly (also used by dllinject and other tasks). The maximum size can now be controlled via three new Malleable C2 profile settings.

Fixes
  • Added a warning message if the host parameter to the teamserver is not a known network interface on the server when connecting.

  • Fixed an issue that caused service binaries to use rundll32 rather than the spawnto value. Note that the fix for this is located in the new arsenal kit rather than the core product.

  • Fixed an issue that caused Cobalt Strike's http listener to be vulnerable when URLs start with "/" as outlined in CVE-2022-23317.

  • Fixed an issue that caused metadata of a .NET assembly load to be generated when running the powerpick command.

  • Fixed an issue that was preventing an x86 foreign listener from being spawned.

  • Fixed an issue that was preventing Beacon from cleaning up the loader when the cleanup flag is used on Windows 7 SP1.

  • Fixed an issue that erroneously required an address for the string length to be passed when calling BeaconFormatToString in a BOF.

  • Fixed an issue that was causing "Net View" in the GUI to return an error while the command line "net view" worked fine.

  • Fixed an issue where a Beacon would not properly clean up memory for the loader in some cases.

December 2021

Version: 4.5

December 14, 2021

New Features
  • Added a new Aggressor script hook to allow users to define how fork&run process injection is implemented.

  • Added a new Aggressor script hook to allow users to define how explicit process injection is implemented.

  • Added support for explicit process injection to post-exploitation jobs.

  • Added a "max retry" option which allows a Beacon to exit or increase sleep time after a specified failure count. This applies to HTTP, HTTPS and DNS Beacons.

  • Added a console history command to display a list of commands. Display the entire command history, or specify how many items to display.

  • Added support for the bang (!) character to run a command from the command history list.

  • Added support to the sleep_mask kit for masking heap memory.

Enhancements
  • Increased available space in the sleep_mask kit from 289 to 769 bytes.

  • Increased reserved size in Beacon for a larger User Defined Reflective Loader. A new hook adds an override with a 100kb upper limit (5kb default).

  • x64 checkbox is now checked by default in all dialogs related to payload generation.

  • Made changes to product security and licensing.

  • Improved command history behavior. Commands are now appended to the history in the correct order.

Fixes
  • Fixed an issue where the user defined reflective loader was not being cleaned up in some circumstances. The bootstrap code now supports the stage.cleanup setting.

  • Fixed issue that caused a warning to appear if TeamServer.prop was missing at teamserver startup.

  • Fixed a validation issue on the HTML Attack dialog where the dialog could be submitted without a listener value.

  • Fixed an issue in c2lint where a space at the end of the metadata/prepend transformation caused an error to be reported.

  • Fixed an issue in c2lint where an error was reported if allow_useragents was set but block_useragents wasn't.

  • Fixed an issue where the cp command was mishandling spaces in the path. Spaces are now supported when the path is enclosed with single or double quotes.

  • Fixed an issue where the mv command was mishandling spaces in the path.Spaces are now supported when the path is enclosed with single or double quotes.

  • Fixed an issue where the timestomp command was mishandling spaces in the path. Spaces are now supported when the path is enclosed with single or double quotes.

  • Fixed an error in the phishing dialog where email addresses in the Bounce To field were not being correctly validated.

  • Fixed an issue where reading job output from multiple reads was returning the last read size instead of the total size.

August 2021

Version: 4.4

August 4, 2021

New Features
  • Add support for User Defined reflective loaders.

    https://www.cobaltstrike.com/help-user-defined-reflective-loader

  • Add support for User Defined sleep masking.

    https://www.cobaltstrike.com/help-sleep-mask-kit

  • Product licensing and Security enhancements.

  • Avoid localhost Sysmon event 22 for Beacon meta-data resolution.

  • Validate beacons with sleep_mask set have enough code cave space.

  • Add client reconnection option.

  • Add buffering when sending data via NanoHTTPD.

  • Add new dialog to the UI to view the Malleable C2 profile.

  • Add an "allow" option to useragents filter; complements the block added in 4.3.

  • Add alias field for server to login dialog+ Add alias to connection dialog.

  • Add alias on connection tabs on main Cobalt Strike screen.

  • Add spear phishing email template parsing validation to Send client action.

  • Add better C2 linting for code signing configuration.

Enhancements
  • Update Mimikatz (2.2.0 20210724).

  • Update Cobalt Strike updater with cert/subdomain info.

  • Update beacon help for link command.

  • Update c2lint to return a result code.

  • Enhance c2lint and UI handling of coding signing functionality.

  • Enhance failover host rotation strategy(http/s 200 response with invalid data is a failure).

  • UI: enhancement request for Connect dialog to remember last connected teamserver.

Fixes
  • Checksum failure when building beacon using compiled Artifact kit.

  • Vulnerability report: Team server crashes when bombarded with too large screenshots. (added TeamServer.prop config).

  • Fix error in arsenal build scripts (add bin/bash directive).

  • Fix various places in the UI where required table row selection was not edited.

  • Fix beacon error when a host entry of a listener contains a space at the end (trim host entry strings).

  • Clicking into the screenshots/keystrokes tabs doesn't immediately focus the list.

  • Fix host rotation 'strategy' option documentation missing from 'listener_create_ext' aggressor function.

March 2021

Version: 4.3

March 2, 2021

Enhancements
  • Added support for dns-beacon Malleable C2 group. Added options for DNS Host Indicators: beacon, get_A, get_AAAA, get_TXT, put_metadata, put_output including Malleable C2 Lint changes to support dns-beacon group.

  • Allow DNS Beacons to egress directly through a specified DNS Resolver, rather than using the default resolver from the target server.

  • Host Rotation Strategy for customizing host selection for DNS/HTTP/HTTPS beacons.

  • Allow HTTP/HTTPS configuration of blocked useragent (previously curl/lynx/wget). Added .http-config.block_useragents to Malleable C2.

  • Add support for responding to NS request from specific DNS resolvers including the additional .dns-beacon.ns_response Malleable C2 option.

  • Add timestamp to beacon console messages. The timestamp option can be enabled/disabled in Preferences (Console tab). The timestamp format can be modified with aggressor script. See BEACON_CONSOLE_TIMESTAMP and SSH_CONSOLE_TIMESTAMP in default.cna.

  • Add a PowerShell IEX option in Scripted Web Delivery

Fixes
  • Fixed sleep command after exit causing beacons not to exit.
  • Malleable C2 lint was incorrectly showing jitter data in staging preview.
  • Fixed invalid help link (attacks->packages->Windows Executable)
  • Setting sleep to 0 in Malleable C2 caused beacons to fail. Add C2 Lint range for sleep values.
  • Fix data_jitter issue not using any jitter when it was longer than limit (921600). Added minimum data_jitter (10) and performance warning for over 10000. Show data_jitter marker in C2 Lint preview data rather than actual jitter data.

 

Back to Cobalt Strike Products