Cobalt Strike 3.5.1 – Important Security Update
Cobalt Strike 3.5.1 is now available. This release addresses a remote code execution vulnerability in Cobalt Strike. This vulnerability was discovered after a report of in-the-wild exploitation by a...
What is a stageless payload artifact?
I’ve had a few questions about Cobalt Strike’s stageless payloads and how these compare to other payload varieties. In this blog post, I’ll explain stageless payloads and why you might prefer stageless...
Cobalt Strike 3.6 – A Path for Privilege Escalation
Cobalt Strike 3.6 is now available. This release adds an API to use third-party privilege escalation exploits with Beacon and extends Malleable C2 to allow HTTP C&C without HTTP POST. This release...
Scripting Matt Nelson’s MMC20.Application Lateral Movement Technique
This is a short blog post with a long title. A few weeks ago, Matt Nelson published Lateral Movement Using the MMC20.APPLICATION COM Object (there’s a Part 2 as well!). The post documents an option,...
Cobalt Strike 3.7 – Cat, Meet Mouse
The 8th release of the Cobalt Strike 3.0 series is now available. The release extends Malleable C2 to influence how Beacon lives in memory, adds code-signing for executables, and gives operators...
Java Startup Bug in Java 1.8u131
If you recently updated your penetration testing environment, it’s possible you were greeted with a special surprise. Cobalt Strike and its team server will no longer start. Instead of Cobalt Strike,...
Cobalt Strike 3.8 – Who’s Your Daddy?
Cobalt Strike 3.8 is now available. This release adds features to spawn processes with an alternate parent process. This release also gives the operator control over the script templates Cobalt Strike...
Cobalt Strike 3.9 – Livin’ in a Stager’s Paradise
Cobalt Strike 3.9 is now available. This release brings several additions to Malleable C2 with an emphasis on staging flexibility. Malleable HTTP/S Staging: Stagers are tiny programs that download the...
Kits, Profiles, and Scripts… Oh my!
If I had to describe Cobalt Strike in one word, I’d say ‘flexible’. There are a lot of options to control Cobalt Strike’s features and indicators. In this post, I’ll introduce these options, explain...
Cobalt Strike 3.10 – Хакер vs. 肉雞
Cobalt Strike 3.10 is now available. This release adds Unicode support to the Beacon payload, introduces a built-in report based on MITRE’s ATT&CK matrix, and performs endodontics on the Beacon...
Beware of Slow Downloads
I often receive emails that ask about slow file downloads with the Beacon payload. Here are the symptoms: It takes multiple hours to grab a few megabytes. The sleep time makes no difference. File uploads...
Cobalt Strike 3.11 – The snake that eats its tail
Cobalt Strike 3.11 is now available. This release adds to Cobalt Strike’s in-memory threat emulation and evasion capabilities, adds a means to run .NET executable assemblies without touching disk, and...
PowerShell Shellcode Injection on Win 10 (v1803)
Cobalt Strike’s process to inject shellcode, via PowerShell, does not work with the latest Windows 10 update (v1803). While it’s possible to work without this capability, a lot of CS automation uses...
Cobalt Strike 3.12 – Blink and you’ll miss it
Cobalt Strike 3.12 is now available. This release adds an “obfuscate and sleep” in-memory evasion feature, gives operators [some] control over process injection, and introduces hooks to shape how...
Cobalt Strike 3.13 – Why do we argue?
Cobalt Strike 3.13 is now available. This release adds a TCP Beacon, process argument spoofing, and extends the Obfuscate and Sleep capability to the SMB and TCP Beacons. TCP Beacon: Cobalt Strike has...
Cobalt Strike Team Server Population Study
From February 4, 2019 to February 15, 2019 Strategic Cyber LLC connected to several live Cobalt Strike team servers to download Beacon payloads, analyze them, and study the information within these...
Cobalt Strike 3.14 – Post-Ex Omakase Shimasu
Cobalt Strike 3.14 is now available. This release benefits the OPSEC of Beacon’s post-exploitation jobs. To take a screenshot, log keystrokes, dump credentials, or scan for targets: Beacon often spawns...
Cobalt Strike’s Process Injection: The Details
Cobalt Strike 3.14 finally delivered some of the process injection flexibility I’ve long wanted to see in the product. In this post, I’d like to write about my thoughts on process injection, and share...
Cobalt Strike 4.0 – Bring Your Own Weaponization
Cobalt Strike 4.0 is now available. This release improves Cobalt Strike’s distributed operations model, revises post-exploitation workflows to drop some historical baggage, and adds “Bring Your Own...
SSL certificate verification for failed
TL;DR a certificate for part of the Cobalt Strike update infrastructure changed. Download the 20200511 distribution package to avoid certificate verification errors. If you recently ran the Cobalt...