License Authorization Files

The licensed version of Cobalt Strike requires a valid authorization file to start. An authorization file is an encrypted blob that provides information about your license to the Cobalt Strike product.

Authorization files are now associated to a specific release. Authorization files for 4.8 and earlier will continue to be backward compatible. Authorization files for 4.9 and later will only be valid for the specific version.

How do I get an authorization file?

The built-in update program requests an authorization file from Cobalt Strike's update server when it's run. The update program downloads a new authorization file for the current released version, even if your Cobalt Strike version is up to date. This allows the authorization file to stay current with the license dates in Fortra records.

In order to get an authorization file for a previous version use the Cobalt Strike Auth File Generator site. This site will generate an authorization file for the version and license key you enter on the page. Use the download link to retrieve the authorization file or use the instructions on the page to convert the base64 encoded string to an authorization file. Then copy the authorization file to your Cobalt Strike installation directory.

What happens when my license expires?

Cobalt Strike will refuse to start when its authorization file expires. Additionally, the licensed Cobalt Strike product checks authorization files daily. If the authorization file expires while Cobalt Strike is running, the teamserver keeps running for an additional 14 days grace period. The teamserver will shut down if the authorization file is not replaced during that period.

Details:

  • Teamserver checks the license at startup and at 10 AM everyday.
  • The teamserver license expiration is logged in the event log when the team server starts.
  • Clients connected to a teamserver will display a license warning ribbon starting 45 days prior to license expiration.
  • Running teamservers will have a 14 day grace period before the server is shutdown during the daily license check.
  • If you need to extend the license for a running teamserver, you can install/update CobaltStrike in a different location and copy/replace the “cobaltstrike.auth” file from the new install into the running instance. If the teamserver version is prior to the current released version then use the Cobalt Strike Auth File Generator site instead.

When does my authorization file expire?

Your authorization file expires when your Cobalt Strike license expires. If you renew your Cobalt Strike license, run the built-in update program to refresh the authorization file for the current released version with the latest information. For previous versions use the Cobalt Strike Auth File Generator site to refresh the authorization file with the latest information.

Go to Help -> System Information to find out when your authorization file expires. Look for the "valid to" value under the Other section. Remember, the Client Information and Team Server Information may have different values (depending on which license key was used and when the authorization file was last refreshed).

Cobalt Strike will also warn you when its authorization file is within 45 days of its valid to date.

How do I bring an authorization file into a closed environment?

The authorization file is cobaltstrike.auth. The update program always co-locates this file with cobaltstrike.jar. To use Cobalt Strike in a closed environment:

  1. Download the Cobalt Strike package at https://www.cobaltstrike.com/download
  2. Update the Cobalt Strike package from an internet connected system
  3. Copy the contents of the updated cobaltstrike/ folder into your environment. The most important files are cobaltstrike.jar and cobaltstrike.auth.

Does Cobalt Strike phone home to Fortra?

Beyond the update process, Cobalt Strike does not "phone home" to Fortra. The authorization file is generated by the update process.

How do I use an older version of Cobalt Strike with a refreshed authorization file?

In order to get an authorization file for a previous version use the Cobalt Strike Auth File Generator site. This site will generate an authorization file for the version and license key you enter on the page. Use the download link to retrieve the authorization file or use the instructions on the page to convert the base64 encoded string to an authorization file. Then copy the authorization file to your Cobalt Strike installation directory.

What is the Customer ID value?

The Customer ID is a 4-byte number associated with a Cobalt Strike license key. Cobalt Strike 3.9 and later embed this information into the payload stagers and stages generated by Cobalt Strike.

How do I find the Customer ID value in a Cobalt Strike artifact?

The Customer ID value is the last 4-bytes of a Cobalt Strike payload stager in Cobalt Strike 3.9 and later.

This screenshot is the HTTP stager from the trial. The trial has a Customer ID value of 0. The last 4-bytes of this stager (0x0, 0x0, 0x0, 0x0) reflect this.

figure 2 - HTTP Payload Stager (Cobalt Strike Trial)

The Customer ID value also exists in the payload stage, but it's more steps to recover. Cobalt Strike does not use the Customer ID value in its network traffic or other parts of the tool.

How do I protect disparate red team infrastructure from cross-identification with this ID?

If you have a unique authorization file on each team server, then each team server and the artifacts that originate from it will have a different ID.

Cobalt Strike's update server generates a new authorization file each time the update program is run. Each authorization file has a unique ID. Cobalt Strike only propagates the team server's ID. It does not propagate the ID from the GUI or headless client's authorization file.