Cobalt Strike 4.9.1 is now available. This is an out of band update to fix an issue that was discovered in the 4.9 release that we felt would negatively impact customers as they start to roll out the release and for which there is no straightforward workaround. We also took the opportunity to address a couple of other issues that were slated to be addressed in the 4.10 release. This update does not affect the 4.10 release which is underway and due to ship in early 2024.
Post-Ex Loader Obfuscate and Cleanup Settings
We have fixed an issue whereby the default post-ex reflective loader was unable to apply the postex.obfuscate and postex.cleanup Malleable C2 options correctly. We also fixed a related issue that impacted UDRL developers due to the post-ex DLL’s CrtStartup routines. As a result of the above, we are also making a minor update to the UDRL-VS library available in the Arsenal kit.
Data Store
The data store was not able to identify .NET assemblies when the post-ex.obfuscate Malleable C2 profile option was set to “true.” This issue has now been fixed. We also took the opportunity to update the console help for the data store command. This now provides more information on how to run BOFs and .NET assemblies from the data store.
We apologise for any problems that these issues may have caused and we hope that we have addressed these issues before the majority of our users have put the 4.9 release into play on active engagements. If you notice any other issues with Cobalt Strike, please refer to the online support page, or report them to our support email address. Licensed users can download version 4.9.1 from the website. To purchase Cobalt Strike or learn more, please contact us.