The licensed version of Cobalt Strike requires a valid authorization file to start. An authorization file is an encrypted blob that provides information about your license to the Cobalt Strike product. This information includes: your license key, your license expiration date, and an ID number that is tied to your license key.
The built-in update program requests an authorization file from Cobalt Strike's update server when it's run. The update program downloads a new authorization file, even if your Cobalt Strike version is up to date. This allows the authorization file to stay current with the license dates in HelpSystems records.
Cobalt Strike will refuse to start when its authorization file expires. There is no impact if an authorization file expires while Cobalt Strike is running. The licensed Cobalt Strike product only checks authorization files when it starts.
Your authorization file expires when your Cobalt Strike license expires. If you renew your Cobalt Strike license, run the built-in update program to refresh the authorization file with the latest information.
Go to Help -> System Information to find out when your authorization file expires. Look for the "valid to" value under the Other section. Remember, the Client Information and Team Server Information may have different values (depending on which license key was used and when the authorization file was last refreshed).
Cobalt Strike will also warn you when its authorization file is within 30 days of its "valid to" date.
The authorization file is cobaltstrike.auth. The update program always co-locates this file with cobaltstrike.jar. To use Cobalt Strike in a closed environment:
Beyond the update process, Cobalt Strike does not "phone home" to HelpSystems. The authorization file is generated by the update process.
Cobalt Strike 3.8 and below do not check for or require an authorization file.
Cobalt Strike 3.9 and later check for a cobaltstrike.auth file co-located with the cobaltstrike.jar file. Update Cobalt Strike from another folder and copy the new cobaltstrike.auth file to the folder that contains your old version of Cobalt Strike. The authorization file is not tied to a specific version of the product.
The Customer ID is a 4-byte number associated with a Cobalt Strike license key. Cobalt Strike 3.9 and later embed this information into the payload stagers and stages generated by Cobalt Strike.
The Customer ID value is the last 4 bytes of a Cobalt Strike payload stager in Cobalt Strike 3.9 and later.
This screenshot is the HTTP stager from the trial. The trial has a Customer ID value of 0. The last 4 bytes of this stager (0x0, 0x0, 0x0, 0x0) reflect this.
The Customer ID value also exists in the payload stage, but it takes more steps to recover. Cobalt Strike does not use the Customer ID value in its network traffic or other parts of the tool.
If you have a unique authorization file on each team server, then each team server and the artifacts that originate from it will have a different ID.
Cobalt Strike's update server generates a new authorization file each time the update program is run. Each authorization file has a unique ID. Cobalt Strike only propagates the team server's ID. It does not propagate the ID from the GUI or headless client's authorization file.
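For responders triaging captured stagers, the trailing 4-byte Customer ID described above can be used to group artifacts that came from the same team server authorization file. The following is an added example, not code from Cobalt Strike or its vendor; the function names and sample blobs are constructed for illustration, and the ID is compared as raw hex bytes because the page does not state a byte order.

```python
from collections import defaultdict

# The page states the trial's Customer ID is 0 (0x0, 0x0, 0x0, 0x0).
TRIAL_ID = bytes(4)


def customer_id_bytes(stager: bytes) -> bytes:
    """Return the trailing 4 bytes of a stager (Cobalt Strike 3.9 and later)."""
    if len(stager) < 4:
        raise ValueError("sample is shorter than 4 bytes; no Customer ID field")
    return stager[-4:]


def is_trial(stager: bytes) -> bool:
    """True when the trailing 4 bytes are all zero, as in the trial stager."""
    return customer_id_bytes(stager) == TRIAL_ID


def cluster_by_customer_id(samples: dict) -> dict:
    """Group sample names by the hex form of their trailing 4 bytes.

    Samples too short to hold the field are collected under "too-short"
    so that a truncated capture does not abort the whole triage run.
    """
    clusters = defaultdict(list)
    for name, blob in sorted(samples.items()):
        try:
            key = customer_id_bytes(blob).hex()
        except ValueError:
            key = "too-short"
        clusters[key].append(name)
    return dict(clusters)


# Constructed sample data: placeholder bodies, not real stager bytes.
SAMPLES = {
    "case1-host-a.bin": b"\xaa" * 32 + bytes.fromhex("00000000"),
    "case1-host-b.bin": b"\xaa" * 40 + bytes.fromhex("1a2b3c4d"),
    "case2-host-c.bin": b"\xaa" * 36 + bytes.fromhex("1a2b3c4d"),
    "truncated.bin": b"\xaa\xaa",
}

if __name__ == "__main__":
    for cid, names in cluster_by_customer_id(SAMPLES).items():
        note = " (trial, ID 0)" if cid == TRIAL_ID.hex() else ""
        print(f"{cid}{note}: {', '.join(names)}")
```

Stagers from Cobalt Strike 3.8 and below carry no Customer ID, so their trailing bytes should not be read as one.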