A complementary strategy to the Host Rotation Strategy was introduced to Cobalt Strike 4.5. The max retry strategy was added to HTTP, HTTPS, and DNS beacon listeners. A max retry strategy allows a beacon to exit after a specified failure count. As the failure count increases, sleep is adjusted to a specified value. By default, […]
Read More… from A Deeper Look Into the Max Retry Strategy Option
Following the 4.4 release, you may have noticed a warning message when starting your teamserver: The missing file is optional and its absence does not break the teamserver. It contains a number of optional parameters that can be used to customize the settings used to validate screenshot and keylog callback data, which allows you to […]
Cobalt Strike 4.4 is now available. This release puts more control into your hands, improves Cobalt Strike’s evasive qualities and addresses a number of smaller changes requested by our users… and yes! We’ve added a reconnect button! User Defined Reflective DLL Loader Cobalt Strike has a lot of flexibility in its Reflective Loading foundation but […]
Read More… from Cobalt Strike 4.4: The One with the Reconnect Button
SentinelOne discovered a denial of service (DoS) vulnerability in Cobalt Strike. The bug (aka Hotcobalt) can cause a denial of service on a teamserver by using a fake beacon sending abnormally large screenshots. This bug has been fixed in Cobalt Strike 4.4 Consider mitigating this risk to a teamserver by hardening your C2 infrastructure. Thank you, […]
Read More… from Cobalt Strike DoS Vulnerability (CVE-2021-36798)
UPDATE: This has now been fixed. I’ve amended this post to reflect that. If you ran the Cobalt Strike update program today, you may have seen an error message about the failed SSL certificate verification for www.cobaltstrike.com: The update program pins the certificate for this server. When the certificate does not match what the update […]
Cobalt Strike 4.3 is now available. The bulk of the release involves updates to DNS processing but there are some other, smaller changes in there too. DNS updates We have added options to Malleable C2 to allow DNS traffic to be masked. A new dns-beacon block allows you to specify options to override the DNS […]
Cobalt Strike 4.2 is now available. This release overhauls our user exploitation features, adds more memory flexibility options to Beacon, adds more behavior flexibility to our post-exploitation features, and makes some nice changes to Malleable C2 too. User Exploitation Redux Cobalt Strike’s screenshot tool and keystroke logger are examples of user exploitation tools. These capabilities are […]
Read More… from Cobalt Strike 4.2 – Everything but the kitchen sink
Cobalt Strike 4.1 is now available. This release introduces a new way to build post-ex tools that work with Beacon, pushes back on a generic shellcode detection strategy, and grants added protocol flexibility to the TCP and named pipe Beacons. Beacon Object Files Cobalt Strike has weaponization options for PowerShell, .NET, and Reflective DLLs. These […]
TL;DR a certificate for part of the Cobalt Strike update infrastructure changed. Download the 20200511 distribution package to avoid certificate verification errors. If you recently ran the Cobalt Strike update program (version 20191204); you may see a nice message about the failed SSL certificate verification for verify.cobaltstrike.com: verify.cobaltstrike.com hosts a text file with SHA256 hashes […]
Cobalt Strike 4.0 is now available. This release improves Cobalt Strike’s distributed operations model, revises post-exploitation workflows to drop some historical baggage, and adds “Bring Your Own Weaponization” workflows for privilege escalation and lateral movement. A Vision for Red Team Server Consolidation Cobalt Strike’s model for distributed operations (2013!) is to stand up a new server for […]
Read More… from Cobalt Strike 4.0 – Bring Your Own Weaponization