Core Security

Cobalt Strike

Solution Overview

To analaysis a platform for adversary simulations and red team operations, which to execute targeted attacks and emulate the post-exploitation actions

Cobalt Strike

Cobalt Strike is an operating system for Adversary Simulations and Red Team Operations.

Adversary Simulations and Red Team Operations are security appraisal that clone the tactics and capability of an advanced adversary in a network. In the same moment, penetration tests focus on unpatched vulnerabilities and misconfigurations, these assessments benefit security operations and incident response.

The device is created to behead targeted attacks and emulate the post-exploitation actions of advanced threat
actors in customer's network. This sector describes the attack process supported by Cobalt Strike’s feature set. This is not compliance testing.

Cobalt Strike is a very common second-stage payload for many malware campaigns across many malware families, typically use case linked to campaigns ranging from ransomware deployment to surveillance and data exfiltration, but as the tool allows users to create malleable C2 architectures. Since 2020 Core Security acquired the product, it is now under the Core Security ownership of the product. Latest enhancements include integration Cobalt Strike with Core Security Core Impact Pentesting tool, and can be subscribed as the bundled for the end to end pentesting workflow for red team operations.

Reconnaissance

Discovers the reconnaissance

Attack Packages

Web drive-by attack packages

Spear phishing

Spear phishing a message

Collaboration

Collaboration system

Post Exploitation

Executes post exploitation

Covert Communication

Network indicators to covert communication

Browser Pivoting

Authentication browser pivoting

Reporting and Logging

Allows reporting and logging

Features Overview

Reconnaissance - The system profiler discovers which client-side applications your target uses, with version information.

Attack Packages - Use its to host a web drive-by attack or transform an innocent file into a trojan horse.

Java Applet Attacks
Microsoft Office Documents
Microsoft Windows Programs
Website Clone Tool

Spear phishing - Import a message and let device replace links and text to build a convincing phish for you. Cobalt Strike sends email and tracks who clicks.

Collaboration - Connect to a its team server to share data, communicate in real-time, and control systems compromised during the engagement.

Post Exploitation - Beacon is Cobalt Strike's payload to model an advanced actor. Beacon executes PowerShell scripts, logs keystrokes, takes screenshots, downloads files, and spawns other payloads.

Covert Communication - Beacon's network indicators are malleable. Load a C2 profile to look like another actor. Use HTTP, HTTPS, and DNS to egress a network. Use named pipes to control Beacons, peer-to-peer, over the SMB protocol.

Browser Pivoting - Use a Browser Pivot to go around two-factor authentication and access sites as your target.

Reporting and Logging - System is reports provide a timeline and a list of indicators from red team activity. These reports are made to benefit our peers in security operations. Cobalt Strike exports reports as both PDF and MS Word documents.

Benefits

Weaponization is pairing a post-exploitation payload with a document or exploit that will execute it on target. System has options to turn common documents into weaponized artifacts.

Its also has options to export its post-exploitation payload, Beacon, in a variety of formats for pairing with artifacts outside of this tool set.

Control your target’s network with Cobalt Strike’s Beacon. This post-exploitation payload uses an asynchronous “low and slow” communication pattern that’s common with advanced threat malware. Beacon will phone home over DNS, HTTP, or HTTPS. Beacon walks through common proxy configurations and calls home to multiple hosts to resist blocking.

Exercise your target’s attack attribution and analysis capability with Beacon’s Malleable Command and Control language. Reprogram Beacon to use network indicators that look like known malware or blend in with existing traffic.

Pivot into the compromised network, discover hosts, and move laterally with Beacon’s helpful automation and peer-to-peer communication over named pipes and TCP sockets. Its is optimized to capture trust relationships and enable lateral movement with captured credentials, password hashes, access tokens, and Kerberos tickets.

Demonstrate meaningful business risk with the device user-exploitation tools. Its is workflows make it easy to deploy keystroke loggers and screenshot capture tools on compromised systems. Use browser pivoting to gain access to websites that your compromised target is logged onto with Internet Explorer. This Cobalt Strike-only technique works with most sites and bypasses two-factor authentication.

The Team Server

Cobalt Strike is split into a client and a server component. The server, referred to as the team server, is the controller for the Beacon payload and the host for Cobalt Strike’s social engineering features. The team server also stores data collected by Cobalt Strike and it manages logging.

The Cobalt Strike team server must run on a supported Linux system. To start a Cobalt Strike team server, use the team server script included with the Cobalt Strike Linux package.

The team server has two mandatory parameters and two optional parameters. The first is the externally reachable IP address of the team server. Cobalt Strike uses this value as a default host for its features. The second is the password your team members will use to connect the Cobalt Strike client to the team server.

The third parameter is optional. This parameter specifies a Malleable C2 Profile. Chapters 11 and 12 discuss this feature.

The fourth parameter is also optional. This parameter specifies a kill date in YYYY-MM-DD format. The team server will embed this kill date into each Beacon stage it generates. The Beacon payload will refuse to run on or after this date. The Beacon payload will also exit if it wakes up on or after this date as well.

When the team server starts, it will publish the SHA256 hash of the team server’s SSL certificate. Distribute this hash to your team members. When your team members connect, their Cobalt Strike client will ask if they recognize this hash before it authenticates to the team server. This is an important protection against man-in-the-middle attacks.

Cobalt Strike Client

The Cobalt Strike client connects to the team server. To start the Cobalt Strike client, use the launcher included with your platform’s package.

You will see a connect dialog when the Cobalt Strike client starts.

Specify your team server’s address in the Host field. The default Port for the team server is 50050. There’s rarely a reason to change this. The User field is your nickname on the team server. Change this to your call sign, handle, or made-up hacker fantasy name. The Password field is the shared password for the team server.

Press Connect to connect to the Cobalt Strike team server.

If this is your first connection to this team server, Cobalt Strike will ask if you recognize the SHA256 hash of this team server. If you do, press OK, and the Cobalt Strike client will connect to the server. Cobalt Strike will also remember this SHA256 hash for future connections. You may manage these hashes through Cobalt Strike -> Preferences -> Fingerprints.

Cobalt Strike keeps track of the team servers you connect to and remembers your information. Select one of these team server profiles from the left-hand-side of the connect dialog to populate the connect dialog with its information. You may also prune this list through Cobalt Strike -> Preferences -> Team Servers.

Distributed and Team Operations

Use Cobalt Strike to coordinate a distributed red team effort. Stage Cobalt Strike on one or more remote hosts. Start your team servers and have your team connect.

Once connected to a team server, your team will:

Use the same sessions
Share hosts, captured data, and downloaded files
Communicate through a shared event log.

The Cobalt Strike client may connect to multiple team servers. Go to Cobalt Strike -> New Connection to initiate a new connection. When connected to multiple servers, a switch bar will show up at the bottom of your Cobalt Strike window.

This switchbar allows you to switch between active Cobalt Strike server instances. Each server has its own button. Right-click a button and select Rename to make the button’s text reflect the role of the server during your engagement. This button name will also identify the server in the Cobalt Strike Activity Report..

When connected to multiple servers, Cobalt Strike aggregates listeners from all of the servers it’s connected to. This aggregation allows you to send a phishing email from one server that references a malicious website hosted on another server. At the end of your engagement, Cobalt Strike’s reporting feature will query all of the servers you’re connected to and merge the data to tell one story.

Scripting Cobalt Strike

Cobalt Strike is scriptable through its Aggressor Script language. Aggressor Script is the spiritual successor to Armitage’s Cortana scripting language. The two are not compatible though. To manage scripts, go to Cobalt Strike -> Script Manager.

A default script inside of Cobalt Strike defines all of Cobalt Strike’s popup menus and formats information displayed in Cobalt Strike’s consoles. Through the Aggressor Script engine, you may override these defaults and customize Cobalt Strike to your preferences.

You may also use Aggressor Script to add new features to Cobalt Strike’s Beacon and to automate certain tasks.

March 17, 2021 - Cobalt Strike 4.3
-------------
+ Fix NullPointerException starting profiler (missing resources).
+ Fix DNS Resolver appearing as null string for legacy listener definition.

March 3, 2021 - Cobalt Strike 4.3
-------------
+ Added support for dns-beacon Malleable C2 group.
  Added options for DNS Host Indicators:
  beacon,get_A,get_AAAA,get_TXT,put_metadata,put_output
  Malleable C2 Lint changes to support dns-beacon group.
+ Allow DNS Beacons to egress directly through a specified DNS Resolver,
  rather than using the default resolver from the target server.
+ Host Rotation Strategy for customizing host selection for DNS/HTTP/HTTPS beacons.
+ Allow HTTP/HTTPS configuration of blocked useragent (previously curl/lynx/wget).
  Added .http-config.block_useragents to Malleable C2.
+ Add support for responding to NS request from specific DNS resolvers.
  Added .dns-beacon.ns_response Malleable C2 option.
+ Add timestamp to beacon console messages.
  The timestamp option can be enabled/disabled in Preferences (Console tab).
  The timestamp format can be modified with aggressor script.
  See BEACON_CONSOLE_TIMESTAMP and SSH_CONSOLE_TIMESTAMP in default.cna.
+ Add a PowerShell IEX option in Scripted Web Delivery
+ Fixed sleep command after exit causing beacons not to exit.
+ Malleable C2 lint was incorrectly showing jitter data in staging preview.
+ Fixed invalid help link (attacks->packages->Windows Executable)
+ Setting sleep to 0 in Malleable C2 caused beacons to fail.
  Add C2 Lint range for sleep values.
+ Fix data_jitter issue not using any jitter when it was longer than limit (921600).
  Added minimum data_jitter (10) and performance warning for over 10000.
  Show data_jitter marker in C2 Lint preview data rather than actual jitter data.

November 6, 2020 - Cobalt Strike 4.2
----------------
+ Refactored Beacon Reflective Loader and added mechanism to patch rDLL loader into
  Beacon (vs. shipping a static loader with the agent).
+ Added stage -> allocator (VirtualAlloc, HeapAlloc, or MapViewOfFile) to set
  which allocator Beacon's RDLL loader will use for the Beacon stage.
+ stage -> obfuscate now obfuscates .text section in rDLL package
+ Fixed client NPE triggered by missing download start metadata
+ Added Cobalt Strike client IP address to join message in events.log
+ Added -Dcobaltstrike.server_bindto=address (in teamserver script, java command) 
  to change the address the team server will bind to. Default is 0.0.0.0.
+ Team server now uses a more resilient process to write its data model
+ Screenshot tool now reports user, session, and active window title.
+ Updated View -> Screenshots and other UX to use screenshot context info
+ Added color highlighting to View -> Screenshots
+ http-post C2 handler now detects another type of corruption.
+ Added color highlighting to View -> Downloads
+ Added color highlighting to View -> Keystrokes
+ Keystroke logger now reports user and session information
+ Updated View -> Keystrokes and other UX to use keylogger context info
+ Added option to "remove" screenshot or keystrokes from interface via menu
+ Added screenshots.log to logs/[date]/[target]/ folder with screenshot meta-data
+ Stripped color codes from keystroke logs and added desktop session/user context
+ Added Save option to keystroke and screenshot browser right-click menu.
+ Split screenshot into two commands: screenshot and screenwatch. screenshot takes 
  a single screenshot. screenwatch takes periodic screenshots until terminated 
  with jobkill command.
+ Added printscreen command to take screenshot by forcing PrintScr keypress and 
  grabbing contents from the keyboard.
+ Added post-ex -> thread_hint to spawn threads with specified module!func+offset
  start address. Affects the browserpivot, keylogger, net, portscan, and 
  powerpick/psinject post-ex DLLs.
+ Added post-ex -> keylogger to set keystroke logging method. Current options are
  SetWindowsHookEx and GetAsyncKeyState.
+ post-ex -> obfuscate now enables behavior to mask DLL strings, when not needed, 
  in execute-assembly, keystroke logger, screenshot, and SSH client DLLs.
+ Added stage -> magic_mz_[arch] and magic_pe to set the MZ and PE header values to
  something else in Beacon's DLL package. Read the docs on this one as the MZ 
  values have to be valid executable instructions that [should] repair any changes 
+ Added a c2lint warning for operation-impacting high dns_ttl values.
+ HTTP and DNS C2 specific configs no longer show up outside of their payloads
+ Beacon now detects http-post block request failures and tries requests again.
+ Rewrote how DNS C2 caches and clears cache of conversations and entries. This 
  fixes DNS C2 stability/performance for servers that send parent domain before 
  each FQDN request. It looked like a checkin to Beacon and was wreaking havoc.
+ Implemented remote-exec wmi as a BOF.
+ Max length of useragent field in Malleable C2 profile is now 255 characters.
+ Fixed bug with [possible] domain truncation in DNS/HTTP Beacon config if the total
  length of the specified domains exceeded 255 characters.
+ 8+ years in and I think y'all deserve some generosity from the Cobalt Strike 
  product. As my kind act, I have doubled the max size of the http-get.client and 
  http-post.client programs in your profile.
+ Added headers_remove global option to force Beacon's WinINet to remove specified
  headers late in the HTTP/S transaction process.
+ Added a "this goes into your config" notice to the HTTP Beacon proxy config dialog
+ Added an empty BOF content sanity check to &beacon_inline_execute
+ Added rportfwd_local to create a port forward that initiates connection and routes
  from Beacon to team server onwards through the requester's Cobalt Strike client.
+ Implemented spunnel and spunnel_local commands to spawn shellcode and tunnel 
  connection to specified controller. spunnel_local forwards via Cobalt Strike client
  and spunnel forwards via the team server.
+ Added pivot socket read governor to limit read loop to max ~4s per Beacon checkin.
+ Bug fixto link module read functions
+ Multiple improvements to existing rportfwd implementation.
+ rportfwd (and spunnel) are now friendly to having the rportfwd for a session/port
  redefined without the need to release the bound port and rebind it.
+ Pivot socket writes now happen on a connection specific thread to prevent session
  deadlock if the team server-side relayed connection becomes unresponsive or blocked.
+ Fixed a handle leak in socks pivoting sub-system
+ DNS Beacon C2 now drops requests that are not A, AAAA, or TXT.
+ Added post-ex -> pipename Malleable C2 option to change post-ex job output pipename
+ Added set ssh_pipename to set the named pipe used by Cobalt Strike's SSH sessions
+ Proxy server config parser now strips trailing / (which impacted the port value).
+ Any # in Malleable C2 pipename options is now replaced with a random hex digit.
+ Fixed BeaconUseToken BOF API to return a BOOL as documented
+ Added BeaconSpawnTemporaryProcess BOF API. 
+ Fixed parser to extract creds from dcsync [domain] output
+ Made changes to avoid unneeded VirtualProtect when startrwx/userwx in process-inject
  block are both true.
+ BOF executable memory now honors startrwx/userwx hints from process-inject block
+ Added script hook to enable use of alt. mimikatz, provided by us, between releases
+ Updated to Mimikatz 2.2.0-20200918-fix
+ Greatly reduced the size of mimikatz-min and mimikatz-chrome DLLs.
+ Added chromedump alias to run dpapi::chrome in mimikatz.
+ Improved recoverability of parent Beacon if a child TCP Beacon process "fails"
+ Added Vista+ check to getsystem in Beacon console.
+ Browser Pivot HTTP Proxy is now manageable via View -> Proxy Pivots
+ Added &bmimikatz_small to Aggressor Script.
+ Moved capability to query network interfaces to a BOF and out of core Beacon
+ Added some ptr cleanup to post-ex RDLL loaders.
+ Fixed SSH agent bug where session was sometimes incorrectly reported as elevated
+ Added set data_jitter "X" to add noise to Beacon's HTTP/S beaconing by adding
  up to X (random each time) random bytes to the output of each http-get and 
  http-post response 
+ c2lint warns for a bad process-inject -> execute config for Windows XP-era systems.
+ execute-assembly now stomps DOS header when post-ex -> obfuscate is true
+ Added c2lint check for dangerous headers to overwrite with http-config.

June 25, 2020 - Cobalt Strike 4.1
-------------
+ Fixed &listener_delete
+ Implemented sub-system to run Beacon Object Files. A BOF is a compiled C
  program that executes within Beacon and can call Win32 and Beacon APIs
+ Ported 4.0's inline-execute capabilities to BOFs
+ Fixed logic flaw in getsystem
+ Added inline-execute command to run arbitrary BOFs
+ Moved dllload, reg query/queryv, and timestomp to BOFs
+ Added option to bootstrap Beacon in-memory without walking kernel32 EAT
	- Artifact Kit and PowerShell (Resource Kit) artifacts use this option
	- Added &payload_bootstrap_hint to apply this option to other artifacts
	- Added -hasbootstraphint to check if this option applies to a payload
	- set stage -> smartinject to true to enable this behavior.
- Removed option to generate x64 DLL that spawns an x86 payload in new process
+ Simplified the Artifact Kit by removing artifacts for deprecated features
+ Extended Beacon metadata with more info such as Windows build number and key 
  function pointers used to bootstrap agent.
+ spawn, spawnas, spawnu, inject, and elevate uac-token-duplication now inherit 
  pointers from same-arch target Beacon session metadata when stage -> 
  smartinject is enabled.
+ Added &payload_local to generate shellcode with key bootstrap function
  pointers inherited from a parent Beacon session.
+ Added set ssh_banner "..." to change SSH client info for Beacon's SSH command
+ Simplifed the heartbeat portion of SMB and TCP Beacon protocols
+ Added smb_frame_header and tcp_frame_header Malleable C2 options to shape the
  content and size of the length frames in these communication protocols
+ Fixed bug that has localhost-only TCP Beacon bind to 0.0.0.0 after first unlink.
+ Multiple updates to SSH agent to keep pace with Beacon protocol changes
+ Split extc2 Beacon into its own DLL (as extc2 protocol is now diverged from 
  the SMB Beacon protocol due to changes made in this release).
+ Several security descriptor changes in ExtC2, SMB Beacon, and SSH agent
+ jump psexec* now uses UNC path with target instead of 127.0.0.1 to reference
  uploaded file on target.
+ Added right-click menu to show/hide unlinked nodes in pivot graph.
+ Added &unbind to unbind keyboard shortcuts (to include Cobalt Strike built-ins)
+ Added exe option to Scripted Web Delivery. Generates and hosts EXE at URL.
+ Added [note] field to logs to call out note changes made to session
+ Added scriptable popup hook for 'listeners' (View -> Listeners table)
+ Added "*" meta-column to table Ctrl+F feature. Searches all columns at once
+ Removed a few (not searchable) columns from table Ctrl+F feature
+ Added web server port to View -> Web Log output
+ Fixed a PE parser bug
+ execute-assembly's "are you an assembly" check uses a better check.
+ Updated to Mimikatz 2.2.0 20200519
+ Editing listener no longer removes its color accent.
+ Fixed off-by-1 error in c2lint's useragent length check.
+ sleep_mask now uses a slightly larger mask
+ Fixed DNS staging regression when dns_stager_subhost is set.
+ Fixed inconsistent stager pipe bug in &stager_bind_pipe and &beacon_stage_pipe.
+ Made getuid a little bit more robust
+ Console directed messages now scrub ESC character.
+ Added an exit hint parameter to &payload function (thread or process)

Feb 22, 2020 - Cobalt Strike 4.0
------------
+ Fixed binding for &listener_create_ext
+ Fixed argument order for &artifact_stager to match the documentation.
+ &bdllspawn truncates descriptions that are too long
+ Fixed x64 stager generation bug in Attacks -> Packages -> Windows Executable
+ Added additional checks to discern Beacon DNS C2 from drive-by DNS queries
+ Changed SO_TIMEOUT for web server socket to avoid excessive handle accumulation
  betweeen rounds of garbage collection.
+ Split mimikatz into mimikatz-min, mimikatz-full, and mimikatz-chrome. The latter
  is for dpapi::chrome which is such a huge monster it gets its own DLL. The
  mimikatz command in Beacon will choose between mimikatz-full and mimikatz-chrome
+ Added clock change detection/resilience to internal timed task management code.
+ Fixed &externalc2_start function.
+ Updated to Mimikatz 2.2.0 20200208
+ Slight fix to some of the Aggressor Script &artifact_* error messages
+ Added a banner to the top of the payload stager chooser dialog to make clear that the
  feature requires a payload stager and not all payloads have a remote staging option

Dec 5, 2019 - Cobalt Strike 4.0
-----------
+ Rewrote the code for listener management and payload controller setup. Benefits:
	- Improved user experience to add/edit payload listeners
	- Cobalt Strike can now bind multiple egress Beacons to one team server
	- Multiple TCP/SMB Beacons with alt. ports and pipes are now possible too.
	- Added multiple payload-specific options to tweak (e.g., port bending)	
+ Post-ex workflows updated to deliver stageless payloads (or to tightly couple the
  stager with the action). x64 payloads are now options (sometimes, implicit and
  other times, explicit) in these workflows.
+ Scripted Web Delivery is now stageless with an option for x64 payloads. The
  regsvr32 built-in option is gone though. (Can't jam a full payload into it).
+ Changed post-ex.amsi_disable to avoid a crash on latest Windows 10/.NET versions
+ connect [host] [port] and link [host] [pipe] links to an alt. TCP port or pipe
+ unlink now accepts [host] [pid] to identify a specific session to unlink from.
+ split the DNS Beacon and HTTP/S Beacons into separate agents. dns-txt is now the
  default mode and there is no mode http in the DNS Beacon. The DNS Beacon also 
  sends output for jobs when it has it; regardless of whether or not there are
  pending tasks.
+ Added payload arch to sessions table.
+ inject now passes a "exit thread" hint to Beacon payload stage.
+ Eliminated unneeded OpenProcess call in spawn+inject code paths.
+ Added [session] -> Access -> One-liner to host a one-use PowerShell script that 
  runs a payload
+ spawnas command now spawns temp process and inject into it. No powershell!
+ ps primitive uses PROCESS_QUERY_LIMITED_INFORMATION on Vista+
+ updated process dialog to grey out no-info processes in its process tree.
+ uac-token-duplication now executes inline w/i current Beacon. elevate 
  uac-token-duplication will inject payload into elevated process. No PowerShell.
+ getsystem now searches handles for system tokens and attempts to impersonate them
+ runu no longer steals parent process token
+ spawnu command now spawns temp process and injects into it. Also, no PowerShell.
+ kerberos_ticket_purge and kerberos_ticket_use are now inline-exec modules.
+ the &bipconfig primitive in Beacon now dynamically loads iphlpapi when used.
+ Added Beacon process name to sessions table, metadata, and reports
+ Added option to start External C2 via the listener management interface.
+ Expanded the size of the Beacon ID values.
+ Updated DNS server to prevent malformed response when sending empty TXT reply
+ Fixes to DNS TXT mode to better cope with (and limit) out of sync transactions
+ Added color row highlighting for creds, targets, services, applications, listeners,
  and beacon session tables. Right-click and find the Color menu.
+ Removed SSH and reverse TCP sessions from unlink tab completion.
+ Pivot graph no longer reports the firewall node as a selected session.
+ Listener Manager now annotates pivot listeners with error if pivot is dead/missing
+ Added variant http-get, http-post, http-stager, and https-certificate blocks to 
  Malleable C2. A variant is an alternate configuration of your current profile that 
  is selectable when configuring an HTTP or HTTPS Beacon listener.
+ (Egress) listener name now shows up in sessions table.
+ Pivot graph now uses firewall icon as root node for all sessions. A yellow dashed
  line indicates egress via the DNS Beacon. Green dashed line is the HTTP/S Beacon.
+ CS does a better job cleaning up closed dialog resources.
+ CS's open or activate console logic now goes by Beacon ID and not tab title.
+ Beacon tab title dynamically updates when session metadata becomes available.
+ Added 'jump' command to spawn a session on a remote target. Built-in options are
  psexec, psexec64, psexec_psh, winrm, and winrm64. All are stageless except for
  psexec_psh which implicitly uses the bind_pipe stager every time.
+ Added an Aggressor Script API to add remote exploits to Beacon's jump command
+ [host] -> Login menu is now [host] -> Jump and shows each available jump option.
- Removed bypassuac, psexec, psexec_psh, wdigest, winrm, and wmi commands.
+ Added svc-exe as a built-in elevate option (basically jump psexec to localhost)
+ Added set PSEXEC_SERVICE hook to control the service name used by psexec variants
+ Updated to mimikatz 2.2.0 20190813
+ IPv6 address checks now allow for embedded IPv4 addresses.
+ Screenshot filenames now use UTC times for hhmmss
+ weblog.log is now weblog_##.log where ## is the port number of the web server
+ View -> Targets -> Import Hosts can now pull multiple files in at one time.
+ Updated sleep.jar to build that fixes &&/|| code generation issues.
+ Added 'added' column to credential browser (date cred first added to model)
+ Fixed potential infinite loop caused by file read error during download.
+ Beacon controller now detects and notifies operator of incomplete/failed downloads.
+ connect and link primitives will now re-try for up to 15s to connect 
+ help net [command] now tab completes properly.
+ Fixed null pointer exception when trying to do some actions on an empty DNS Beacon
+ Removed Ctrl+Alt+Del button from VNC viewer since it doesn't quite... work :)
+ Beacon closes some process/thread handles that were left about.
+ Minor change to settings representation and updates to profile memory management.
+ Added several functions to Aggressor Script and revised some APIs as well. See the
  compatability chapter in the Aggressor Script docs for a list of changes that may 
  affect your existing scripts.
+ Replaced MacOS X Java App stub with a script that uses java from $PATH
+ Encrypted several internal resources (this makes the CS .jar file much bigger).
+ runasadmin now runs a command in an elevated context using a command elevator
  exploit registered with CS. uac-token-duplication and uac-cmstp are built-in.
+ Updated foreign listener URI length to match MSF staging URI length requirements
- Moved elevate ms14-058 out of CS and into the Elevate Kit
+ Added remote-exec to run command on remote target using a remote execute method
  registered with CS. psexec, winrm, and wmi are built-in.
+ Added 'domain' verb to net module to get current host's domain
+ Added 'net domain_controllers' to query Domain Controllers group to discover
  domain controllers and populate Cobalt Strike's data model.
+ Beacon tab completion for link and connect include 127.0.0.1 by default
+ Added c2lint OPSEC warning for .host_stage=true
+ Setting up a reverse TCP pivot sets session interacted with flag internally
+ Fixed a disconnect bug in file browser when providing malformed UNC path.
+ Fixed crash with x64 net group/localgroup listings
+ SpawnAs dialog shows listener name in "faked" input
+ Desktop tab title is now consistent with other Beacon features (IP@PID)
+ Added c2lint check for maximum prepend length in http-stager block
+ Empty DNS Beacons are now shown in the pivot graph
+ Added -isactive [bid] predicate to Aggressor Script. Returns false if session is
  not linked or if it's acknowledged an exit message. True otherwise.
+ Targets view now uses active criteria to show host as compromised and to include
  a menu for that session.
+ Listener ERROR! is now more obvious in the Listeners browser
+ Added a browser pivot client socket timeout to browser pivot proxy.
- Removed elevate uac-dll option.
- Removed Attacks -> Packages -> Windows Dropper and USB/CD Autoplay.
+ The trial package to distribute the trial product and its supporting files is now 
  replaced with a stub application and an updated updater application.
+ Fixed a bug with stage -> string/stringw where a string present in x86 Beacon DLL
  would not be populated into other Beacon DLLs (whether present or not)
+ Added a filter to make random DNS queries less likely to be interpreted as a new
  session.
+ Eep! Copied VNC DLLs from fix made for 3.14 (but not pushed to distribution). Me
  in the debugger tonight: "WTH, I thought I fixed this six months ago?!?".

May 4, 2019 - Cobalt Strike 3.14
-----------
+ Updated blockdlls to call SetErrorMode when enabled to hide/skip Bad Image errors
+ Fixed External C2 error that occurs when started before an HTTP/DNS listener
+ External C2 reports Beacon metadata periodically (Remove no longer loses session)

May 2, 2019 - Cobalt Strike 3.14
-----------
+ Added blockdlls command; blocks non-Microsoft DLLs from Beacon's child processes
+ Added python option to &artifact_stageless.
- Deprecated the process-inject -> disable "*" options from Cobalt Strike 3.12
+ Added process-inject -> execute to control thread creation functions used + order
+ Revised RtlCreateUserThread injection path to work x86 -> x86.
+ Overhauled injection path w/ NtQueueApcThread into existing processes
+ Added fake start addr Create[Remote]Thread variants to process-inject -> execute
+ Added process-inject option to push data to remote process with NtMapViewOfSection
+ .stage.cleanup now detects if memory is mapped and uses UnMapViewOfFile
+ Moved spawnto_x86, spawnto_x64, and amsi_disable to Malleable C2 post-ex block
+ Added post-ex.obfuscate to enable content and permission changes to post-ex DLLs
+ Added post-ex.smartinject; passes key function ptrs from Beacon to post-ex DLLs
+ Added NtQueueApcThread-s (for suspended processes) to process-inject -> execute
+ Added MITRE ATT&CK Tactic ID(s) to [task] entries in logs
+ Standardized time/date format in logs/; all times/dates are now UTC as well.
+ Added &brun Aggressor Script function (equivalent to the run command).
+ Hardened web server against spoofing of remote address value.
+ Added http-config -> trust_x_forwarded_for header. Forces web server to use the
  X-Forwarded-For header value (when present, when valid) as HTTP external address.
+ Hardened Beacon C2's open local port callback primitive against rogue sessions.
+ HTTP/S stagers now set INTERNET_FLAG_NO_COOKIES, when a Cookie header is specified
  (the effect here is to ignore the local cookie jar and use the specified value).
+ Beacon does not set INTERNET_FLAG_NO_COOKIES if profile doesn't use Cookie header
+ Removed INTERNET_FLAG_NO_AUTO_REDIRECT flag from HTTP/s stagers and Beacon.
+ Added credentials popup hook for credential manager.
+ Process Browser (single host) now displays a process tree for easier navigation
+ File browser now caches listings; added a tree to navigate/populate this cache
+ Added Copy option to get full file path in file browser right-click menu
+ Added Set as PPID option to process browser right-click menu
+ Updated to Mimikatz 2.2.0 20190414
+ Fixed an API use error (inconsequential?) in the parent process spoofing code
+ steal_token delays dropping current token (to use its rights stealing the token)
+ Updated "this session already has a browser pivot" error message with a remedy.
+ Failure to bind the DNS Beacon's port 53 is now more clear in the error message.
+ Fixed potential truncation of execute-assembly output.
+ Added &listeners_stageless function to get &artifact_stageless compat listeners
+ Fixed another drives bug that popped up on some JVMs.
+ Fixed x64 pointer truncation in VNC server DLL.
+ Credential Add/Edit dialog can now edit the Host field.
+ Added Ctrl+R to quickly rename the current tab in Cobalt Strike.
+ Web server now reports error if an exception occurs when accepting new client.
+ File Browser's Delete popup item now asks for confirmation of the action.
+ Browser Pivot is now case-agnostic looking for Content-Length, Host, etc.
+ Browser Pivot strips Strict-Transport-Security, Expect-CT, and Alt-Svc headers

January 2, 2019 - Cobalt Strike 3.13
---------------
+ CS now prints console warnings, on payload staging, when kill date is past.
+ dcsync [FQDN] now runs mimikatz's dcsync with options to export all hashes 
+ Added a parser to add dcsync [FQDN] hashes to credential store.
- Removed the 'mode smb' option to turn an arbitrary Beacon into an SMB Beacon
+ Refactored Beacon HTTP/HTTPS/DNS and Beacon SMB into separate binaries
+ Reworked the link management and link client for Beacon
+ Added stageless windows/beacon_reverse_tcp as a Beacon pivot listener option.
+ Removed extraneous space from HTTP status responses.
+ Implemented fail-safe timeout to release Beacon chain if read blocks for 5 mins
+ Added command-line argument spoofing for matching processes with argue command.
+ Added &str_xor to XOR mask a string with a specified key.
+ Ctrl+F search in console is now case insensitive.
+ Added windows/beacon_tcp/bind_tcp listener for peer-to-peer comms.
+ stage.sleep_mask is now set to false by default
+ SSH client is now much smaller after switch to mbed TLS and newer LibSSH2 version
+ Added x64 SSH client. x64 Beacon uses the x64 client, x86 Beacon uses x86 client
+ Brought the new/reworked link client backend from Beacon to the SSH client.
+ SSH sessions can now control bind and reverse TCP Beacons. 
+ Added x64 portscanner and net module builds for use by x64 Beacon.
+ Removed PDB string and assembly manifest from post-ex job DLLs
+ In-memory obfuscation of Beacon now works with TCP and SMB Beacons. Both obfuscate
  while waiting for a connection and during reads. Enable with stage.sleep_mask 
+ Updated &bdllspawn with option to use impersonated/created token in child process
+ execute-assembly, net, portscan, and powerpick now use impersonated/created token
+ steal_token drops current token before attempt. This prevents a handle leak.
+ make_token creds now used with CreateProcessWithLogonW if execute w/ token fails
+ Beacon does better job of clearing memory content before freeing it.
+ Resource Kit+defaults now XOR mask stager prior to embed in PowerShell scripts
+ named pipe string is now embedded with or sent to Beacons only when needed.
+ desktop post-ex job, spawned from x64 Beacon, will launch x64 VNC server.
+ Updated to mimikatz 2.1.1 20181209
+ Added http-config Malleable C2 block to influence all HTTP server responses
+ Added MITRE ATT&CK Tactic ID to activity.tsv/activity.xml in data export.
+ Removed an extra comma when combining ATT&CK tactics for post-ex job launches
+ VPN pivot server now checks for /dev/net/tun before doing anything else.
+ Added a list of used MITRE ATT&CK tactics to Indicators of Compromise report
+ screenshot module now degrades SS quality when SS size is over transmit limit
+ Re-synced built-in MITRE ATT&CK matrix (April 2018) to add missed entries
+ Tagged a few mimikatz commands with more specific ATT&CK tactics.
+ cobaltstrike.exe launcher on Windows will run java.exe from %PATH%
+ Added a hard startup deny for OpenJDK "8" (too many problems w/ it on Kali)
+ Dialog to present a URL when browser can't/won't open now works on Kali 2018.4
+ bind_tcp x86/x64 stagers now exit on recv() failure.
+ Beacon console now checks Vista+ for target when using ppid, runu, or argue
+ Fixed the drives bug that popped up on some JVMs.
+ Default GUI font is now Dialog-PLAIN-12
+ c2lint now warns when the rundll32.exe default is not overriden/replaced
+ Added amsi_disable Malleable C2 option. Attempts to disable AMSI for psinject,
  powerpick, and execute-assembly
+ Updated update program with faster routine to write out cobaltstrike.jar file.

September 6, 2018 - Cobalt Strike 3.12
-----------------
+ Fixed targets_other popup hook. Now it passes the target info as an argument.
+ Fixed logic flaw in the kill date check.
+ Hardened reporting engine against unexpected characters in bookmark text.
+ configured MIME parser (used for phishing emails) to have fewer restrictions
+ Fixed bug ignoring the Name field in the Add Target dialog.
+ Updated target import codepaths to remove unexpected whitespace from addresses.
+ Added POWERSHELL_DOWNLOAD_CRADLE option to Resource Kit. Controls form of download
  cradle used by powershell-import, spawnu, spawnas, and uac-token-bypass
+ powershell-import with empty file resets hints related to script hosting.
+ Added POWERSHELL_COMMAND option to Resource Kit. Controls form of [most] powershell 
  commands used throughout Cobalt Strike.
+ Added &sync_download to grab a downloaded file from the team server.
+ Added stage.sleep_mask Malleable PE option. When enabled, obfuscates Beacon in 
  memory before each Sleep() call. De-obfuscates Beacon prior to resuming execution
+ Added run command. Runs a program (+ shows output) without cmd.exe or powershell.exe
+ ssh-key command now accepts much larger key sizes (and warns when that's exceeded)
+ Process injection path now allows argument via SetThreadContext when x64 -> x64
+ keylogger command, with no args, now spawns a temporary process and injects into it
+ screenshot+keylogger commands, spawn mode, now match Beacon's arch for temp process
- Removed .create_remote_thread and .hijack_remote_thread options in Malleable C2
+ Added Malleable C2 options to modify Beacon's process injection behaviors
+ Synced built-in MITRE ATT&CK matrix to the April 2018 release.
+ Updated to Mimikatz 2.1.1 20180820
+ DNS Beacon signaling now combines dns_idle profile value with signal values. A good
  dns_idle value helps avoid IPv4 bogon responses in dns6 and dns-txt transfers.
+ DNS listener now sanity checks dns_idle value vs. Team Server IP.
+ Added &str_chunk to easily chunk a string into multiple same-size chunks.
+ Updated exe/dll checksum update process to leave artifact alone if there's an error
+ Removed the OpenJDK checks/warnings from startup.
+ Updated the updater with new cert information. (Redownload the trial to get it)

May 24, 2018 - Cobalt Strike 3.11
------------
+ Hardened Beacon against possible crashes on Win 10 when module stomping is setup.
+ Change size of Host column in IOCs report.
+ Updated the Malleable C2 'mask' decoder to fail in a more graceful way.
+ Beacon HTTP controller now outputs much more detail when it can't retrieve an id,
  metadata, or process output from a Beacon HTTP request w/ the current profile.
+ Updated PowerShell injection templates to address issue w/ Windows 10.0.17134
+ Updated to Mimikatz 2.1.1 20180502
+ DNS Beacon now recovers from a failed AAAA download more gracefully.
+ Hardened DNS Beacon against an edge case for repeated/out-of-order requests

April 9, 2018 - Cobalt Strike 3.11
-------------
+ Added dllload command to Beacon. Calls LoadLibrary() w/ parameter in remote process.
+ Mitigated crash for Artifact Kit generated DLLs on certain loading conditions.
+ Added module stomping to Malleable PE options. Configures Beacon's loader to load 
  an unneeded library and overwrite its space instead of using VirtualAlloc.
+ Synced built-in MITRE ATT&CK matrix to the January 2018 release.
+ Beacon downloads smaller file pieces per check-in when HTTP chunking is in use
+ stomppe Malleable PE option stomps MZ, PE, and e_lfanew values once Beacon is loaded
+ Extended Malleable PE obfuscate option to obfuscate Beacon's DLL headers and header 
  slack space. This option also LoBoToMiZeS the DLL header once Beacon is loaded.
+ Added dns_max_txt and dns_ttl Malleable C2 options to tweak Beacon DNS C2 further.
+ &bdllspawn now accepts arguments larger than the previous 16KB limit.
+ Added execute-assembly to run a .NET executable on target without touching disk
+ Added Malleable PE options to change these fields of Beacon's Reflective DLL:
	- checksum:    CheckSum value
	- entry_point: AddressOfEntryPoint (Cosmetic. Does not affect execution)
	- name:        the Exported name (e.g., beacon.dll)
	- rich_header: replace the Rich Header with some other rich header
+ Added Malleable C2 sample_name option to name your "payload" in the IOCs report.
+ Cobalt Strike now aggregates more info about your profile to the reporting engine
+ Updated the IOCs report to show PE info, contacted hosts, a traffic sample, and
  interesting strings for the Malleable C2 profile associated with each server.
+ Added peclone utility to Cobalt Strike Linux package. This utility parses a PE
  file and prints a Malleable PE stage block with extracted values.
+ Artifact Kit now pushes decoded payload directly into alloc'd memory.
+ Added cleanup option to Malleable PE. This asks Beacon to attempt to free the 
  memory associated with the self-bootstrapping package that loaded it. 
+ Added reg query|queryv to Beacon to query the registry
+ Added setenv command to Beacon
+ Updated getsystem/pth to use %COMSPEC% instead of cmd.exe.
+ Updated to Mimikatz 2.1.1 20180325
+ Hardened SSH sessions against infinite blocking situations.
+ Changed quoting convention in PowerShell scripts.
+ Added functions: &breg_query, &breg_queryv, &bdllload, and &bexecute_assembly
+ Added hex and vbs options to &transform
+ Extended Resource Kit to control CS's VBS and HTML Application output.
+ Added &transform_vbs to offer additional control over the VBS transform.
+ Added uac-token-duplication option to built-in privilege elevation options.
+ Added runasadmin to run a command in a high integrity context. This uses the UAC
  Token Duplication attack. &brunasadmin gives scripts access to this too.
+ Rebuilt x86 VNC server DLL with v90 toolchain for maximum Windows 2000 fun.
+ Hardened the default (dist-pipe) Artifact Kit against rare error conditions.
+ Fixed a Beacon crash on Windows XP when CreateProcessWithTokenW is not present.
+ ReflectiveLoader now zeroes out its entire VirtualAlloc'd space
+ Made changes to the updater program for Java 9 compat and prep for cert changes
+ Internal script console implementation no longer uses $x and $error
+ Metadata verification now allows "unknown" as an internal IP value.

11 Dec 17 - Cobalt Strike 3.10
---------
+ Added a ~1s delay to team server's authentication answer to mitigate brute force
+ x86 HTTP staging protocol server check now requires right x86 stager URI checksum
+ Randomized the unused host padding inside of the DNS TXT record stager.
+ Made changes to x86 XOR stage encoder stub
+ Added SSL support to Cobalt Strike's web-based social engineering features
+ Infused MITRE's ATT&CK matrix into Cobalt Strike:
	- &attack_* functions provide access to ATT&CK data for custom reports
	- Added Tactics, Techniques, and Procedures report: maps activity to ATT&CK
	- &btask now accepts a comma separated list of ATT&CK tactics as an argument
+ Fixed: short title in report export dialog now affects the generated report
+ Added &h4, &list_unordered, and &p_formatted functions for custom reports
+ File browser right-click popups now announce "input" for actions taken.
+ Updated Synthetica L&F to version that is compatible with Java 1.9
+ CS now uses session-specific ANSI/OEM codepages to encode input and decode output
+ Beacon logs now normalize output to UTF-8 encoding.
+ Added "GUI Font" to Cobalt Strike preferences. Changes the font used by the UI
+ cobaltstrike.exe launcher on Windows now searches for Java 1.9 in registry
+ Changed how Beacon sends routine error messages back to Cobalt Strike
+ Added getprivs command to Beacon. (The ps command no longer gets privs for you.)
+ Refactored shell and powershell commands to transfer logic from Beacon to CS
+ Added &beacon_execute_job to run a command as a post-ex job and report output to CS
+ Added &str_encode and &str_decode to encode and decode a string with specified charset
+ Added &beacon_host_imported_script to host previously imported script and return a
  one-liner to download and evaluate it. Returns nothing if no imported script exists
+ Added Malleable PE options string, stringw, and data to populate the .rdata section
  of Beacon's rDLL with the specified strings.
+ Updated to mimikatz 2.1.1 20171106
+ HTTP server drops requests with malformed headers.
+ Proxy Server dialog is now friendly to @ in proxy username and password.
+ Fixed &format_size with larger file sizes
+ download now works with files >2GB. Reports an error if file is >4GB.
+ Minor syntax fix to C# shellcode output in Payload Generator
+ Fixed a Java 1.9 warning in the updater program.
+ Removed dependence on Java EE API (for 1.9 compatability. Ugh).
+ Added an admin check to [beacon] -> Access -> Dump Hashes
+ Added safety check to prevent SMB Beacon localhost staging failure when there's a name 
  conflict with this listener between multiple servers.
+ Export Data now uses UTF-8 encoding for its output

NOTE: An in-place update of Cobalt Strike with live sessions is never recommended. With
Cobalt Strike 3.10, this is especially true. Cobalt Strike 3.10 cannot control sessions 
from previous versions of Cobalt Strike.

26 Sept 17 - Cobalt Strike 3.9
----------
+ Updated VBA and VBS shellcode embedding to accommodate 3.9's larger stagers.

21 Sept 17 - Cobalt Strike 3.9
----------
+ x86 HTTPS stager now (correctly) uses profile-specified URI
+ c2lint now flags absence of uri_x86 and uri_x64 as errors when a transform on the
  stager output is present.

20 Sept 17 - Cobalt Strike 3.9
----------
+ Added a startup check to verify -XX:+AggressiveHeap and -XX:+UseParallelGC are set.
+ Added a dialog to present a URL when the browser open action is not supported
+ powershell-import now uses a broader regex to find function names for tab completion
+ Changed the applet attack's memory allocation/process injection characteristics
+ Limited the team server file sync primitives to the downloads/ folder only.
+ Malleable C2 now prints a console error when POST'd session ID is empty
+ Artifact Kit uses SetThreadContext/ResumeThread for same-arch cross-process injection
+ Added Malleable client parameters/headers and server transforms to HTTP/HTTPS staging
+ Added a startup check + warning for Wayland desktops. (Not supported with CS)
+ c2lint now checks syswow64/sysnative case for spawnto_x86/spawnto_x64. It's important
+ &beacon_host_script now compresses imported PowerShell script (like powershell-import)
+ Made changes to the local staging process for the named pipe Beacon
! Removed windows/foreign/reverse_dns_txt as a listener (needed for the next change...)
+ Added dns_stager_prepend Malleable C2 option to offset DNS stage value in TXT records
+ Updated VNC server to remove unneeded "stuff" and improve reliability.
+ Restricted the team server file upload primitive to the uploads/ folder only.
+ Help -> System Information now includes environment variables
+ Licensed CS now requires a valid + non-expired authorization file to start. This file
  is generated and refreshed by the update program in 3.9+
+ Licensed CS now embeds a 4-byte customer ID (from auth file) into stages and stagers
+ Added obfuscate Malleable PE option to mask import table strings
+ Updated to mimikatz 2.1.1 20170813
+ Added &gunzip function to Aggressor Script.
+ &closeClient now works when called from headless Agressor Script client.
+ &add_to_clipboard puts text into the clipboard and prompts the user.
+ headless Aggressor Script client now waits on global data before firing on ready event
+ Added light obfuscation to the System Profiler.
+ Added &encode function to obfuscate shellcode/stages with a CS encoder
+ Added &range and &iprange to generate a list of numbers/IPs from a string description
+ Added mask data transform to Malleable C2. Masks data with a random 4-byte value.
+ DNS Beacon accounts for in-progress HTTP GET-transfers when asked for IP address

23 May 17 - Cobalt Strike 3.8
---------
+ Attacks -> Web Drive-by -> Host File maps .ps1 to text/plain (auto mime-type)
+ Host File dialog now checks that URI begins with a /
+ Fixed a bug with Malleable C2's base64url encoder 
+ Exceptions thrown by Aggressor Script function calls are sent to the Script Console
+ Added [beacon] -> Access -> Elevate to pick a registered priv escalation to launch.
+ &bmode can now accept a dns6 argument.
+ Beacon DNS processor now lowercases all requests. (This was a 3.0 regression)
+ Web server now prints information & errors the same way other CS features do
+ Added ppid command to set parent process for processes Beacon launches
+ Added runu to run an arbitrary program under a specific process ID.
+ Added spawnu to spawn a session under a specific process ID (uses powershell.exe)
+ Updated web server to drop non-HTTP requests with no response.
+ Reporting now shows DNS Beacon mode changes in session transcripts
+ Artifact Kit's non-migrating artifacts start threads with memory backed by module 
+ Improved c2lint's SSL keystore checks.
+ Cobalt Strike now updates PE CheckSum field for its executables and DLLs
+ Beacon now uses SetThreadContext/ResumeThread to start jobs in patsy processes
+ Beacon process injection now uses CreateThread for injecting into self
+ Added shspawn command to spawn shellcode file as Beacon post-ex job.
+ The updater program now verifies downloads via https://verify.cobaltstrike.com
  Download the latest trial package to get the updated updater.
+ Updated to Mimikatz 2.1.1-20170508
+ Added scripting hooks to grant users control over PowerShell, Python, and VBA
  templates used throughout Cobalt Strike. See the "Resource Kit" in the Arsenal.
+ Added Malleable C2 options: hijack_remote_thread, create_remote_thread to tweak
  Beacon's process injection codepaths. Both are true/false options.
+ Added work-around for "Parallel GC" Java bug (Java 1.8u131) that prevents Cobalt
  Strike from running. Download the latest trial package to benefit from this.

15 Mar 17 - Cobalt Strike 3.7
---------
+ Added "set pipename_stager" Malleable C2 option to change named pipe stager pipe
+ Added manual proxy options to stageless Beacon artifacts
+ Attacks -> Packages -> Windows EXE (S) now shows listener names
+ Added &artifact_stageless function to generate stageless artifacts from scripts
+ &brm now rejects an empty argument
+ Added cp (copy) and mv (move) commands to Beacon. Added &bcp, &bmv for scripts
+ Added EXE and DLL code-signing capability to Cobalt Strike
	- Malleable C2's code-signer block specifies the keystore and attributes
	- Attacks -> Packages -> Windows EXE  and Windows EXE (S) have a checkbox
	  to request a signed EXE or DLL
	- The &artifact_sign function signs its argument (presumably a PE file)
+ Malleable C2 is now tolerant of case-transformed headers
+ Added Aggressor Script APIs to create simple dialogs
+ Added a parser to add mimikatz lsadump::sam results to credential model.
+ Team server now uses SHA256 hash for its SSL-cert fingerprint
+ Added Malleable C2 options to modify Beacon's payload stage/Reflective Loader
+ Reduced Beacon's use of RWX permissions in its process injection code path
+ Reduced use of RWX permissions in non-trial Artifact Kit.
+ Fixed bug with SSH agent not always resolving path for file downloads
+ Added API for Cobalt Strike's web server: &site_host, &site_kill.
+ Enhanced the error reporting for client/server disconnections
+ Updated DNS stager to not modify itself.
+ Added an x64 stage encoder for Beacon stages delivered over SMB and HTTP/S
+ Added dns_stager_subhost Malleable C2 option to change DNS TXT stager indicator
+ Updated to mimikatz 2.1.0-20170305

8 Dec 16   - Cobalt Strike 3.6
--------
+ Added sanity check to HTTP header length.
+ Added script constants \c, \U, and \o to agscript client.
+ Beacon drops token when connecting to capability pipe anonymously. This should 
  mitigate some error 5s (permission denied) when using jobs after stealing a token
+ VNC client and Proxy Pivots -> Tunnel now use the IP address the CS client 
  connected to as the team server IP and not the value used when starting the
  team server.
+ Added Preferences -> Cobalt Strike -> VNC Ports option. This configures the range
  of ports CS should use for VNC client connections between the client and the
  team server.
+ Added &layout to custom reports. It's &table but without a border and col headers
+ Expanded Malleable C2 to allow additional flexibility with HTTP requests:
	- Use 'set verb' to change the default HTTP verb for http-get/http-post 
	- http-get.client.metadata can now print if http-get's verb is POST.
	- http-post.client.output can now use uri-append, parameter, and header
	  Beacon will chunk output into small blocks when these options are used.
	- http-post.client.id can now use print if http-post's verb is POST.
	- c2lint checks for possible mistakes/issues with the above.
+ c2lint now checks for assignment collissions.
+ c2lint now shows a preview of both http-get AND http-post.
+ added base64url encoding to Malleable C2. (This is a URL-safe encoding option).
+ SSH client now reports output sent to STDERR.
+ Added sanity check to HTTP POST Content-Length (max allowed is 10MB. Still big.)
+ SSH client now combines consecutive reads for a channel into one output blob.
+ Added entries to the Host File feature's automatic mime-type assignment table.
+ Reworked spawnto to allow operator control over x86 and x64 behavior.
	- Deprecated Malleable C2 set spawnto option (it's ambiguous)
	- Added set spawnto_x86 and set spawnto_x64 to Malleable C2.
	- Beacon's spawnto command now expects arch value to target right setting
+ Expanded spawn command to accept arch parameter (e.g., spawn x64 <listener>)
+ x64 Beacon falls back to RtlCreateUserThread when CreateRemoteThread fails.
+ Updated Beacon Job IDs to stick with job throughout its life
+ Added an Aggressor Script API to add exploits to Beacon's elevate command
+ Added &powershell_encode_oneliner to Aggressor Script. This function base64 
  encodes a PowerShell expression and returns a one-liner to run it.
+ Added quiet variants of many session tasking Aggressor Script functions. These 
  functions task a session without an acknowledgement. [e.g., bshell!("arp -a")]
+ Added &bdllspawn. This function launches a Reflective DLL as a Beacon post-ex job.
  This rDLL job can send output to Beacon by writing to STDOUT. This rDLL can also
  receive an argument from &bdllspawn. Check out the Aggressor Script docs for info.
+ Added arch parameter to &bstage (to allow staging x64 SMB Beacon locally)
+ hashdump now does a better job with larger sets of users.
+ DNS C2 applies tighter criteria to determine if a request is a "beacon" or not.
+ CS client filters listeners w/o stages when Malleable C2 host_stage is false
+ Addressed a potential thread-conflict with a shared buffer in an encryption routine
+ Cobalt Strike Trial no longer encrypts Beacon tasks and responses. *pHEAR*
+ Re-revised foreign listeners to return x86 shellcode only.
+ Updated to Mimikatz 2.1 20161126.
+ Added &bsetenv to set an environment variable within Beacon.
+ Added &bpsexec_command to run a command on a target via the service control manager
+ Keystroke logger is now better about non-US keyboard layouts.
+ Team server now properly releases resources from non-CS client connections
+ Removed keylogger start|stop from tab completion [these options no longer exist]
+ CS's web server returns 404 for HTTP proxy attempts when no proxy handler is setup
+ Fixed occasional x64 HTTP/HTTPS stager crash on Windows 10-era systems

3 Oct 16   - Cobalt Strike 3.5.1
--------
This release implements measures to harden Cobalt Strike against malicious sessions.

+ Re-worked file download feature. Cobalt Strike continues to store downloaded files 
  in the downloads/ folder, but this time with a random name and no sub-folders. The
  View -> Downloads and Sync Files user experience is restored to the behavior prior
  to 3.5-hf1 and 3.5-hf2. The logs/[date]/downloads.log file contains a manifest of
  downloaded files and maps known information about the file download to the random
  names in the downloads/ folder.
+ Team server now uses a safe path concatenation function that compares canonical 
  paths of the parent and result concatenated path to make sure the result doesn't 
  break out of its parent.
+ Added host_stage = true/false option to Malleable C2. This options allows you to
  disable the public hosting of a payload stage over HTTP, HTTPS, and DNS.
+ Beacon controller now refuses to process most session responses if a session is
  new and has not had a task yet. Some responses are still allowed prior to tasking.
+ Beacon controller drops sessions whose session metadata didn't validate.
+ Beacon's upload command with path no longer checks for 1MB limit
+ Added 0.0.0.0 to team server's list of hosts it won't accept.

29 Sept 16 - Cobalt Strike 3.5-hf2 
---------- 
+ Broader hardening of the Beacon controller against the RCE security issue.

28 Sept 16 - Cobalt Strike 3.5-hf1
----------
+ Hot fix for a security issue. See Cobalt Strike blog: 
  Cobalt Strike RCE. Active Exploitation Reported.

22 Sept 16 - Cobalt Strike 3.5
----------
+ Fixed sanity checks when adding a listener.
+ Lateral Movement & Make Token dialogs use a . if user leaves Domain field blank
+ Beacon socks command now asks Beacon to checkin interactively (sleep 0)
+ Added ssh and ssh-key commands to Beacon to create an SSH session with a target.
  These sessions allow you to run commands, upload/download files, and pivot 
  through targets over SSH.
+ Took steps to reduce likelihood of Beacon ID collissions
+ &bmimikatz function will now dispatch multiple commands separated by newlines.
+ SMB Beacon download feature now pulls bigger file chunks (~256KB) per checkin
+ Fixed double unlink notices for named pipe sessions.
+ Added several Aggressor Script enhancements:
	- ssh_alias keyword to add commands to SSH sessions
	- ssh_initial event to respond to new SSH events
	- ssh popup hook
	- &ssh_command_register to register SSH aliases with SSH help command
	- &bssh, &bssh_key to launch an SSH session from a Beacon
	- &bsudo to run the SSH session's sudo alias
	- &ssh_commands, &ssh_command_describe, &ssh_command_detail to grab help
	  information for SSH session commands.
	- -issh $id, -isbeacon $id predicates to test whether an ID is a specific
	  type of session
	- -isadmin $id predicate to check if a session is admin-level
	- -is64 $id predicate to check if target is an x64 system.
	- &sbrowser function to create a session browser GUI object
	- SSH sessions have their own sets/events that are similar to the ones
	  that exist for Beacon sessions.
+ View -> Proxy Pivots now posts input for rportfwd stop/socks stop
+ Added sanity check for team server <host> parameter to avoid common mistakes
+ x86 stager generation code now always use x86-specific URI checksum.

29 Jul 16 - Cobalt Strike 3.4
---------
+ Save dialog now defaults to the last saved file's location
+ Cleaned up several strings in Beacon's stage.
+ Added Malleable C2 option to set name of SMB Beacon's named pipe name
+ Added command-line help options for team server startup.
+ Added a kill date parameter to team server. This will embed a drop dead date
  into each Beacon stage generated by this team server.
+ Archiver on team server now truncates its entries to a set size. This prevents 
  a slow memory leak on the team server.
+ Fixed bug that capped Beacon's jitter variance to 32s, regardless of sleep time
+ Added a cobaltstrike.server_port property to change team server's default port
+ Fixed bug processing HTTP GET Malleable C2 recovery programs > 128 bytes.
+ Hardened Beacon's Malleable C2 recover code against corrupted/unexpected data.
+ Added Beacon's architecture (x86, x64) to session metadata as barch key. Also
  added an (x64) indicator to statusbar in x64 Beacon consoles.
+ 'mode dns' now restricts DNS host length (for puts) to 25% of maxdns value.
  The 'mode dns-txt' option is 100% of the maxdns value. 'mode dns6' is 50%
+ Beacon's upload command now supports files larger than 1MB.
+ Fixed a bug in task queue chunker that could affect order of task execution
+ Cobalt Strike -> Listeners shows last listener error in red, if there is one.
+ Added option to export COM Scriptlet (.sct) to Payload Generator dialog
+ Spear Phishing tool now allows Windows-style line endings for targets file
+ Added dns_idle setting to Malleable C2. Changes DNS C&C idle IP from 0.0.0.0
+ Added dns_sleep Malleable C2 setting. Forces a sleep before all DNS requests
+ Added 'mode dns6' to use DNS AAAA records as a data channel for DNS Beacon.
+ maxdns is now interpreted as maximum length of hostname to send data back
+ Improved DNS data channel throughput when using hostnames to send data back.
+ Updated to mimikatz build (Jan 31, 2016) to address golden ticket indicator
+ Spear Phish mail server setup now adds option to force STARTTLS
+ Fixed a bug with STARTTLS upgrade (introduced in 3.0)
+ Added &bnet function to call Beacon's net module.
+ Added &beacon_host_script function to (locally) host a PowerShell script and 
  return a one-liner to grab it/run it.
+ Fixed exception caused when hand-editing targets field in Spear Phish dialog
+ Fixed a potential exception caused by a race when removing a listener

18 May 16 - Cobalt Strike 3.3
---------
+ Added krbtgt helper to Golden Ticket dialog.
+ Added filter feature (Ctrl+F) to most of Cobalt Strike's tables.
+ Raised data model retention limits again.
+ cobaltstrike.exe on x64 Windows now looks for x86 Java if x64 Java is not found
+ Removed remnants of non-existant task command.
+ Aliased ? to help in Beacon console.
+ Mitigated DOS condition that could stop Team Server from accepting new clients
+ Fixed conflict between Malleable C2 partial URIs (uri-append) and HTTP/S 
  staging protocol. Malleable C2 partial URIs requests match to handler first.
+ Added c2profile info to Help -> System Information
+ Made keystroke logger loop tighter.
+ Added powerpick command to run PowerShell via Unmanaged PowerShell technique
+ Added psinject command to inject Unmanaged PowerShell into a specific process
+ Added 3389 to default portscan port list.
+ Made multiple error checking enhancements to c2lint.
+ Added Reload button to Script Manager dialog.
+ Added ready column to Script Manager to indicate if script is loaded or not.
+ Ctrl+Shift+D closes all tabs except the active one.
+ note[space]
	
		Tab
	
 now completes the current Beacon note.
+ Added net time to Beacon's net module.
+ powershell-import size check occurs *after* compressing the script.
+ DNS server responds to (unexpected) AAAA requests with an empty answer section
+ Mimikatz parser now preserves passwords with spaces.
+ Beacon now uses encrypt-then-MAC to verify task/response message integrity
+ Updated web server to have enough Range request support to satisfy bitsadmin
+ Replaced PowerShell Web Delivery with Scripted Web Delivery. This dialog
  generates artifacts and one-liners to deliver payloads with: bitsadmin, 
  powershell, python, and regsrv32.
+ Added VBA shellcode injection option to the HTML Application Attack.
+ Added an option to use x64 stagers/stages to:
  - Attacks -> Packages -> Payload Generator
  - Attacks -> Packages -> Windows Executable
  - Attacks -> Packages -> Windows Executable (S)
+ Added x64 artifacts to the Artifact Kit 
+ Added shinject command to inject shellcode into a process
+ Made the following updates to Aggressor Script:
  - &binject now accepts an arch (x86, x64) parameter.
  - Added &beacon_ids function to get all Beacon IDs
  - Added &bpowerpick / &bpsinject functions to go with the above.
  - Added &openScriptedWebDialog for Scripted Web Delivery
  - Added &bshinject to go with shinject command
  - Extended &shellcode with an x86/x64 architecture parameter
  - Extended &artifact with an x86/x64 architecture parameter
  - Extended &artifact types with powershell, vbscript, and python
  - Extended &powershell with an x86/x64 architecture parameter
  - &agServices now limits its results to hosts in targets model only.
+ The make_token command now accepts passwords with spaces.
+ Improved Bypass UAC attack's reliability. It also gives feedback now.

4 April 16 - Cobalt Strike 3.2
----------
+ Removed errant date parsing code from Mimikatz output scraper.

22 Mar 16 - Cobalt Strike 3.2
---------
+ Fixed potential null pointer exception in multi-Beacon Process Browser
+ Fixed a type-issue that could cause client disconnect when editing credentials
+ Text displays show horizontal scrollbar if a text token is longer than display
+ Hardened report generator against empty bookmarks.

10 Mar 16 - Cobalt Strike 3.2
---------
+ Standard dialogs (messages, prompts) are now created in Swing's EDT
+ Merged client data sync process to one mechanism
+ Made slight change to bind TCP staging protocool.
+ Fixed bug with Beacon desktop command running twice when three args specified
+ Scrollbar now appears in connection list (when one is warranted).
+ Fixed VPN pivoting deployment error caused by internal API changes.
+ Added a startup warning for OpenJDK users. OpenJDK is not recommended for use
  with Cobalt Strike. It has occasional bugs that severely impact CS users.
+ Bind TCP staging process now encodes x86 payloads
+ Raised the max entry limits in Cobalt Strike's data model.
+ Port Scanner now properly ids Ubuntu OpenSSH banner as a Linux system
+ Added an x64 Beacon agent. You can now inject Beacon into x64 processes.
+ Added a timeout to VNC session handshake. If the timeout expires, you're asked
  to try the VNC process again.
+ [beacon] -> Explore -> Desktop announces desktop command to the beacon console
+ [beacon] -> Interact now activates Beacon's existing tab, if one is open.
+ Fixed a bug downloading 0 byte files.
+ Raised max number of linked beacons from 15 to 40.
+ Added 'net computers' to query Domain Computers/Domain Controllers groups to
  discover targets and populate Cobalt Strike's data model.
+ VPN Pivot now filters the VPN client's host and hosts in client's pivot chain.
+ Added Reporting -> Reset Data to reset Cobalt Strike's data model.
+ Modified teamserver script to avoid re-generating SSL cert if keystore exists
+ Website Keystroke Logger tool now logs to webkeystrokes.log on team server.
+ NMap import does not import hosts with no open services.
+ text prompts no longer fire their callback if dialog is cancelled.
+ Consoles now display a horizontal scrollbar when there is a text token longer
  than the console can display.
+ PowerShell Web Delivery and powershell-import now compress hosted scripts.
+ Added warning to prevent deploying CovertVPN on Windows 10.
+ Hardened recursive task building logic against potential loops.
+ Changed screenshot publish/read protocol to avoid incomplete screenshots
+ Added processbrowser and processbrowser_multi popup hooks to Aggressor Script
+ upload and powershell-import report errors if content is too big.
+ Ctrl+Shift+T takes screenshot of entire CS window and pushes it to team server
+ Reporting engine frees up memory after report is generated.
+ Hardened report generator against empty pages and empty tables.
 
8 Dec 15 - Cobalt Strike 3.1
--------
+ Fixed report generation bug when masking long email addresses
+ Fixed race that made metadata unavailable to beacon_initial event 
+ &binfo("id") now returns all metadata for the specified beacon id
+ Screenshots in memory no longer cache their ready-to-render form. This prevents
  out of memory exceptions for those of you watching busy desktops.

4 Dec 15 - Cobalt Strike 3.1
--------
+ Fixed report generation issue with UTF-8 encoded characters.
+ SE Report now excludes campaigns with no delivered messages.
+ Spear Phishing tool now preserves base64 encoded parts with a Content-ID
+ Script Console e, x, and ? commands present errors in friendlier way.

2 Dec 15 - Cobalt Strike 3.1
--------
+ Beacon help command complains when asked about a command that doesn't exist
+ VNC server stage is now encoded 
+ Bypass UAC on Windows 10 now takes steps to use an artifact that's OK with
  blocking DLL_PROCESS_ATTACH [not all techniques are OK with this].
+ Updated integrated mimikatz to 2.0 alpha 20151008
+ Added dcsync command to Beacon. Uses mimikatz to pull a hash from a DC. CS
  parses its output and adds the credential to the creds model too.
+ Fixed null pointer exception when trying to save an edited listener.
+ mimikatz @module::command will force mimikatz to use beacon's thread token
+ Download cancel now properly releases file handle in Beacon.
+ client now trims large data structures in the same way the team server does
+ Screenshot tool is now smarter. If user is idle, it returns one screenshot
  every three minutes. If user is active, it will return one each check-in.
+ Session metadata is now in the Beacon logs on the team server.
+ CS now offers to direct user to team server documentation when they get a
  Connection refused error.
+ Added headless option to run Aggressor Scripts. Use the agscript launcher
  included with the Linux package.
+ Obfuscated Artifact Kit's service entry point slightly.
+ DNS Beacon export option was not showing up in the stageless payload export
  dialog if windows/beacon_dns/reverse_dns_txt was set as the listener. Fixed.
+ Scan dialog now complains if a Beacon session wasn't selected.
+ Export Data and Sync Files features now mkdir folders that don't exist.
+ Added check to prevent you from using CS with Java 1.6.
+ %TOKEN% is now replaced everywhere in phishing template, not just URL.
+ Added Export button to View -> Credentials. Exports creds in PWDump format
+ Fixed stager crash on exit after failure; caused by wrong byte order exitfunk
+ Added a sanity check for phishing target files w/ reversed email/name info
+ View -> Targets now has an import button. Imports: NMap XML & flat host files
+ IoC Report now only shows each hash once.
+ Fixed several bugs that could affect report generation.
+ Spear Phishing tool no longer strips attachments with a Content-ID header.
+ Added several APIs to Aggressor Script
+ DNS Stager now exits after all attempts exhausted (better than crashing)

24 Sept 15 - Cobalt Strike 3.0
----------
+ Switched to the Aggressor project's team server and client. Aggressor
  was a long effort to rewrite Cobalt Strike's team server and client without 
  the Armitage codebase and dependency on the Metasploit Framework. The 
  Aggressor project expanded Beacon's post-exploitation capability and
  re-aligns Cobalt Strike's workflows around the Beacon payload. 
+ psexec commands now query service before they shut it down. This fixes a
  race condition that affected psexec's success in some situations.
+ Beacon now acknowledges the exit command and a message is shown.
+ Team server now delivers very large Beacon taskings in chunks. Beacon has a
  hard limit on taskings and this prevents large taskings (e.g., mimikatz sent
  to 5+ different hosts) from crashing Beacon.
+ The sleep command in an SMB Beacon now sends the command up to the egress
  Beacon to take effect.
+ psexec and friends tab complete target NetBIOS names from CS's data model
+ Added port scanner and net [view] modules to Beacon.
+ Named pipe staging now aborts after 60s of attempts or an error 53.
+ Bypass UAC now works on Windows 10
+ Added a profile preview to the c2lint utility.
+ Updated Artifact Kit and Applet Kit to use Aggressor Script APIs to hook
  into attack generation process.

12 Aug 15 - Cobalt Strike 2.5
---------
+ Beacon's lateral movement commands now show listener dialog when no 
  listener is specified.
+ Took steps to combat against Read Timeout errors during authentication
  to team server.
- Updated YAML parser and other code to become compatible with Kali 2.0
- Console Queue now sets some options (e.g., TARGET) before it sets others    
  to avoid errors 

29 Jul 15 - Cobalt Strike 2.5
---------
+ Removed [beacon] -> Log Keystrokes menu. These options don't make sense
  now that keystroke logger injects into specific processes
+ Added make_token command to Beacon. Clones current access token to pass
  username/password to remote systems. Requires admin access.
+ Added rm and mkdir commands to Beacon.
+ Added lateral movement commands to Beacon: psexec, psexec_psh, winrm, 
  and wmi. The psexec command uses a Service EXE from Artifact Kit. The 
  other options bootstrap a payload with PowerShell.
+ Replaced windows/beacon_smb/reverse_tcp with windows/beacon_smb/bind_pipe.
  You may use this listener with Beacon's lateral movement options. It will
  stage the SMB Beacon over a named pipe (quite slick!). This listener is
  also usable with other Beacon features (e.g., spawn, bypassuac, etc.)
+ Beacon now polls each SMB Beacon for data on checkin.
+ Backported Cobalt Strike 3.0's SOCKS backend to 2.5.
+ Added rportfwd command to Beacon. This creates a reverse port forward (on
  target) to catch connections and forward them to a host/server of your
  choosing. The forwarded traffic/connections are tunneled through Beacon.
+ Added hta-psh to Attacks -> Packages -> Payload Generator. Uses MSF to
  generate an HTML Application that bootstraps your payload with PowerShell
+ Browser Pivot dialog now shows processes on newer versions of Metasploit.
  Newer versions of MSF omit the PPID column in Meterpreter's ps output.
+ The PowerShell output for Windows Executable (S) is now much smaller!
+ Malleable C2 now allows escaping of quotes inside of strings #CommonSense
+ Added Malleable C2 options to import an SSL certificate for Beacon's use
+ Added spawnas to Beacon to run a payload with the specified creds.
+ Beacon now uses CREATE_NEW_CONSOLE with cmd.exe/powershell.exe. This 
  fixes some weird situations where Beacon could not consume output from a
  process created with a stolen token.
- Updated MsgPack library and code that uses it.
- Team server now authenticates client before exchanging serialized objects

21 May 15 - Cobalt Strike 2.4 
---------
+ Fixed a conflict with SMB Beacon pipenames due to random seed choice.
+ Added date stamp to View -> Web Log entries
+ Re-generated default Beacon HTTPS certificate with different parameters
+ Malleable C2 HTTPS certificate generation now uses different parameters
+ Slight refresh to the default artifact kit for executables and DLLs

10 Apr 15 - Cobalt Strike 2.4
--------
+ Fixed 'meterpreter' command to tunnel Meterpreter through Beacon
+ Pressing cancel on the Set Note dialog for Beacon no longer clears note
+ Fixed mimikatz command with really long commands + arguments.

8 Apr 15 - Cobalt Strike 2.4
--------
+ Added dllinject to Beacon. Injects a Reflective DLL into a process
- Sped up rendering of graph view on Windows and MacOS X.
+ Beacon now has a concept for long-running post exploitation jobs.
  Use the jobs command to list jobs. Use the jobkill command to kill
  a job. The keystroke logger, PowerShell tasks, and Command Shell tasks
  now use this mechanism.
+ Keystroke logger now injects into an x86 or x64 process of your 
  choosing and reports keystrokes back to you.
+ Added hashdump command to Beacon
+ Integrated mimikatz into Beacon. Use wdigest to dump plaintext creds.
  Use mimikatz [command] [args] to run an arbitrary mimikatz command.
+ Fixed Beacon's internal types to allow working with large PIDs.
+ Revised VNC client -> server staging and connection process to 
  eliminate a layer of unnecessary tunneling and improve reliability.
+ Payload names in Listener dialog are now in alphabetical order. This
  will mess with muscle memory for some of us. It's for the best though
+ Added foreign listeners. These listeners are aliases for Meterpreter
  or Beacon handlers managed elsewhere. 
+ Added a sanity check for when an Applet Kit script can't find its
  jar resource.
+ Added PowerApplet to the Cobalt Strike Arsenal. This alternate 
  implementation of the Cobalt Strike Applet Attacks uses PowerShell 
  to inject a payload into memory. 
- Made YAML parser more liberal with punctuation characters.
+ Fixed a malleable c2 bug that affected safebrowsing.profile
+ Improved c2lint utility with a few new checks and enhanced checks
+ Added another A/V bypass technique to the Artifact Kit.
+ Tweaked artifacts Cobalt Strike generates
+ Performed normal client-side database maintenance

22 Jan 15 - Cobalt Strike 2.3
---------
+ Cobalt Strike now encodes Beacon's DNS stage with a custom encoder.
+ kerberos_ticket_use with no arguments now prompts for file.
+ Staged Beacon's PowerShell output is now x86/x64 PowerShell agnostic
+ Added Attacks -> Web Drive-by -> PowerShell Web Delivery. 
- Fixed a repaint bug when removing last server button.
+ added runas command to Beacon.
+ Fix bug when prepend/append were used before base64/netbios encode in
  Malleable C2 profiles.
+ Beacon now dynamically calls Wow64 disable/revert. This prevents a 
  crash when user tries to run powershell command on older XP systems.
+ c2lint now checks for a ? in URIs and warns user.
+ Beacon's download command now gives feedback when it can't open a file
+ Added pwd command to Beacon

20 Nov 14 - Cobalt Strike 2.2
---------
- team server startup verifies default host is an IPv4 address.
- Prompt for default address is now more aggressive and continues to
  ask until an address is put in. If a user hit cancel on this dialog,
  threads to poll the database never get started. Bad day, for sure.
+ Rebuilt process to inject and connect to VNC server on target system.
  New process is more likely to be ignored by host-based firewalls.
+ VNC client now uses a better visual cue for view-only, ctrl/alt lock
+ Vulnerability report now shows URLs for references from ZDI, MSB, 
  US-CERT-VU and WPVDB.
- Cobalt Strike now sends a keep-alive every 1-2mins over an idle team 
  server connection to combat disconnection by a NAT device
+ Beacon re-adds host to db if you remove its Beacon and it comes back.
+ Fixed Beacon replay attack counter 50-day roll over cycle. 
+ c2lint now simulates impact of URL encode on parameters and mangled
  binary data in headers when unit testing profiles. 
+ Applet Kit shellcode injector now spawns a suspended process to 
  inject into.
+ Spear Phishing tool is better with more complicated message templates
+ Phishing preview no longer replaces links in plaintext preview that
  would not be replaced in actual phish.
+ c2lint now checks length of useragent value
+ You may now tab complete file with kerberos_ticket_use in Beacon
+ Fixed (potential) deadlock with listener tab complete in Beacon
- Cobalt Strike client now shows disconnect message if it loses any
  of its connections to the team server.
+ Added an ICMP channel to Covert VPN feature.
+ Fixed Covert VPN issue with encryption keys that contain null bytes
+ More small tweaks to the VBA macro.

Cortana Updates (for scripters)
--------
- name field for hosts is now available.

30 Sept 14 - Cobalt Strike 2.1
----------
+ Beacon's powershell command always launches native arch PowerShell
+ powershell tab completion now tracks completeable cmdlets on a 
  beacon-by-beacon basis.

23 Sept 14 - Cobalt Strike 2.1
----------
+ Beacons now use asymmetric cryptography to negotiate a unique 
  session key and authenticate with your Cobalt Strike instance.
- Added helper for SCRIPT option.
+ Added Malleable C2 options to customize SSL cert for HTTPS Beacon
+ You may now use PowerShell through Beacon. Use the powershell 
  command to evaluate a PowerShell expression. Use powershell-import
  to import a script and make it available to the powershell command.
- Right-click a tab's X button and use "Send to bottom" or Ctrl+B to 
  dock a tab to the bottom of the Cobalt Strike window. Use Ctrl+E to
  to get rid of the docked tab.
+ Cobalt Strike's web server now sends Content-Length when it's known
+ Added file tab completion for some of Beacon's commands.
+ Upload command now reports an error if Beacon can't write the file
+ Rebuilt CovertVPN client as a Reflective DLL. This will make client 
  deployment more reliable.
+ Cobalt Strike -> Interfaces now auto-refreshes itself every second
+ Split Covert VPN TCP channel into Bind and Reverse options. Reverse
  works as before and makes a connection to you. Bind uses a portfwd
  to connect to VPN client through Meterpreter [in effect tunneling
  frames through Meterpreter].
+ HTTP channel in Covert VPN now uses User-Agent from Malleable C2
- Added more YAML warnings to save heartache for custom installs
+ Added a user-driven attack: Attacks -> Packages -> HTML Application
+ Performed normal client-side database maintenance
- Database layer now uses core.version results to decide which MSF
  data model to use.
- File tab completion (Beacon, Cortana console) better handles ~
+ Made a small tweak to the VBA macro.
+ Updated Firefox Add-on Attack launcher to work with MSF updates
+ Updated artifact kit build.sh to account for increased beacon size

Cortana Updates (for scripters)
--------
- &credential_add, &credential_delete now take into account Metasloit
  version (pre 4.10, post 4.10) and do the right thing.

18 Aug 14 - Cobalt Strike 2.0.4.10
---------
- Added hard-coded database.yml path as fallback for Kali users
- Updated internal db.creds/db.creds2 calls to pull from new creds
  model in database.
- [meterpreter] -> Access -> Dump Hashes -> wdigest uses sso post
  module now. New creds model makes this better.
- Import option in View -> Credentials now works with new data model

16 Jul 14 - Cobalt Strike 2.0.49
---------
+ Fixed SE PDF report generation bug when masked emails collided
- Command Shell experience on Windows Meterpreter is much better now
- Java Meterpreter may now interact with a bash shell
! Removed [host] -> Meterpreter -> Access -> Migrate Now! menu item
- Ctrl+Escape temporarily drops the timeout times for Meterpreter
  commands to 5s, across the board. If a Meterpreter session appears
  unresponsive, try this to force any hung commands to timeout
+ Listener dialog now complains if user leaves host field blank
+ Added 'veil' option to Payload Generator. Outputs shellcode in a 
  format suitable for use with Veil [as custom shellcode].
+ Added Malleable C&C - a domain specific language to re-define 
  indicators in Beacon. Now you can make Beacon look like whatever 
  you need for your mission needs. *pHEAR*
+ Add windows/beacon_https/reverse_https which is an HTTPS Beacon.
+ Added [host] -> Meterpreter -> Access -> Bypass UAC. Launches the
  bypassuac_inject module w/ an Artifact Kit-made DLL for AV evasion
+ Fixed unicode issue with Website Clone Tool
- Cobalt Strike now warns when a team server is non-responsive by 
  making its server button purple. When the server is responsive again, 
  the button will turn back to its normal color. This requires that 
  you're connected to multiple team servers.
+ Added kill and ps commands to Beacon
+ Listener dialog now complains if user tries to use multiple hosts in
  host field.
+ Added kerberos_ticket_use and kerberos_ticket_purge commands to Beacon.
  These commands allow you to inject a Kerberos ticket into the session
  and purge it. Use with a Golden Ticket generated by Mimikatz 2.0.
+ Beacon's inject, spawn, and bypassuac commands pop up a listener dialog
  if no listener is specified.
- Windows EXE launcher for Cobalt Strike now finds 64-bit Java.

15 May 14 - Cobalt Strike 1.49
---------
- Worked around invisible text selection bug with latest Java on Kali

13 May 14 - Cobalt Strike 1.49
---------
+ Fixed Beacon HTTP Stager bug on Windows XP
+ Worked around VBA syntax error caused by stagers that are too long.

23 Apr 14 - Cobalt Strike 1.49 (NCCDC Edition)
---------
- Keyboard shortcuts to change text size now work in table view
+ Browser Pivoting now uses a self-signed cert that expires in 10 years
+ Added ability to assign a non-persistent note to a Beacon
- Added Copy button to View -> Creds
+ Beacon's process injection now falls back to APC Queue process injection
  technique when CreateRemoteThread fails.
+ Listeners dialog now complains if you try to use an out-of-range port
+ Beacon DNS processor now lowercases all requests. 
+ Beacon's HTTP stager now prompts user for proxy creds when proxy 
  authentication fails. This prompt is the same one Internet Explorer uses.
- Services tab right-click menu now has options to edit a service's info
- YAML parser now gives better errors and forgives errant whitespace
- CS now intercepts shell command with arguments and spawns a command shell.
+ Beacon socks command prints an error if it can't bind the requested port
+ [beacon] -> Sleep menu now lets you specify a jitter factor.
+ Beacon's 'meterpreter' command now automatically changes the sleep time to
  something interactive.
+ Windows Executable (S) Package now has raw and PowerShell output
+ Fixed a bug that broke features when a custom Artifact Kit is loaded
- Logging now deals with IPv6 addresses better for Windows users
- Launching psexec at 4+ hosts will no longer open a tab for each host
- Cobalt Strike no longer allows two buttons with the same name in its team
  server button bar.
+ Listeners dialog now warns when Beacon hosts/domains list is too long
+ Beacon's spawn and meterpreter commands now create processes in a 
  suspended state and inject into rundll32.exe by default.
+ Beacon's spawn and meterpreter commands no longer use the impersonated 
  token to create the process to inject code into. This change reduces 
  "surprises" for you and gives you the flexibility to steal a token or 
  getsystem from the new session 

Cortana Updates (for scripters)
--------
- Added &script_load to load a script (as if the user did this)
- Added &script_unload to unload a script

13 Mar 14 - Cobalt Strike 1.48 (NECCDC Edition)
---------
+ PsExec now waits longer for a session
+ Added timestomp command to Beacon
+ Beacon's bypassuac now waits up to 10s for privileged file copy to complete
+ Beacon's 'meterpreter' command now checks for a pivot that could interfere
  with staging meterpreter through Beacon and presents a warning about it.
- Added Ctrl+L to quickly add an entry to timeline.[xml|tsv] (exported 
  through View -> Reporting -> Export Data)
+ Added Attacks -> Packages -> Windows Executable (S) to export a staged
  Beacon as a DLL or executable.
- Added osx-app to Output: type for payloads. Outputs a zipped MacOS X
  app archive.
+ Auto-Exploit Server now uses MSF's HTTP stager for Beacons. The custom stager
  is too big for most of MSF's client-side attacks.
- Scrubbed Cobalt Strike to eliminate unnecessary blocking calls from Sleep
  source code. This improves Cobalt Strike's responsiveness and takes away
  many opportunities for deadlock.
- Sync Files for Loot and Downloads is now much better with large files
+ Beacon now warns you when you try to upload a file bigger than its 1MB limit
- Cobalt Strike now properly notifies you when you lose a connection to a 
  team server. This was probably a long time coming.

27 Feb 14 - Cobalt Strike 1.48
---------
+ Beacon now reports Windows 8.1 correctly.
+ Beacon's interactive mode (sleep 0) is now 10-100ms delay between requests
+ Windows Dropper attack now uses a language-neutral method to determine
  Documents folder to write dropped file to.
+ Beacon's Task URL command now uses EXITFUNC of process to prevent metasploit
  generated shellcode from crashing after executed program closes.
+ Worked around known Java bug that prevents Spear Phishing HTML Preview from
  displaying text when a META tag is present.
+ Added Pivot Listeners--a listener that calls home through an existing 
  Meterpreter session. Go to [host] -> Meterpreter -> Pivoting -> Listener...
+ Added WebRTC IP address decloak to System Profiler. Based on technique at:
  https://github.com/natevw/ipcalf
+ Beacon's 'meterpreter' command now uses bind_tcp shellcode that binds to 
  127.0.0.1 explicitly. This will prevent some host firewall warnings.
+ Modified MSF's HTTP stager to specify a User-Agent. This is necessary to
  get through proxies that whitelist browsers. This modified stager is used
  to stage Beacon via Social Engineering Packages and when you task a Beacon
  to spawn a new Beacon for you.
+ Added Attacks -> Packages -> Payload Generator to output sourcecode or an
  artifact to deliver a Cobalt Strike payload to a host.
+ Added windows/beacon_smb/reverse_tcp payload to listeners dialog. This 
  will deliver a Beacon peer to a host (staged over a reverse TCP connection).
  You must have an HTTP or DNS Beacon setup before you create this listener.
+ Beacon SMB (reverse_tcp/bind_tcp) now kills the socket used to stage it.
+ Beacon now obfuscates session metadata better.
+ Added several commands for privilege escalation and token stealing to
  Beacon: steal_token, getuid, rev2self, getsystem, and bypassuac. This change
  gets one entry in this log but it was a lot of added grey hair to pull off
+ Beacons tab now shows a * next to user to indicate Beacon is run as admin
+ Type upload[enter] in a Beacon to immediately see a file chooser dialog
- Windows opened by Ctrl+W now show the proper application icon.
- Cobalt Strike now uses a JFrame to display its dialogs. This will give each
  window its own button in the taskbar regardless of window manager.
+ Beacon's inject and spawn commands will now deliver a DNS Beacon over DNS
  [just use spawn [listener] (DNS)]
+ Took steps to suppress "host called home" messages in Beacon console for
  data relayed through a P2P link/SOCKS pivot. 
+ Beacon auto-migrate now spawns a process that isn't notepad.exe ;)

8 Jan 14 - Cobalt Strike 1.48
--------
+ You may now assign a host on a per listener basis. Useful if you'd like a 
  listener to call home to a FQDN, an IPv6 host, or a hop point.
+ Added "shell (connect to target)" to PsExec dialogs.
+ Spear Phishing Preview now renders HTML and Plain Text previews of message
+ System Profiler is now compatible with IE11 and it detects Windows 8.1
+ Added an option to disable Java Applet with System Profiler. This will pull
  less information, but it also prevents click-to-run raising suspicion
+ Attacks -> Packages -> Windows EXE now generates an x86 EXE, x86 DLL, 
  x86 Service EXE, and an x64 DLL. These artifacts are generated by Cobalt
  Strike. Source code to this Artifact Kit is in the Cobalt Strike arsenal.
+ Added Attacks -> Packages -> Windows Dropper. This package drops a document
  to disk and opens it, while silently executing a payload.
+ Ported MSF's MS Office Macro Attack to Cobalt Strike with a few enhancements.
  Updated Office Macro now intelligently spawns payload into an x86 process--
  allowing the same macro to work when run on x86 or x64 Office. This also
  keeps your session safe if the user closes Office before you can migrate.
! Removed Attacks -> Packages -> Adobe PDF. This feature references a 
  Metasploit Framework module that is no longer very useful.
! Removed Attacks -> Packages -> MacOS X Trojan. This one was my fault.
+ Cobalt Strike now uses Artifact Kit to generate executables for its lateral
  movement dialogs. [host] -> Login -> psexec and psexec (token)
- Cobalt Strike.app for MacOS X now works with Oracle's Java 1.7
+ Added Microsoft Silverlight detection to the System Profiler
+ Updated client-side attack database with the latest and greatest
- Cobalt Strike console is now a mouse hot spot. Right-click a host in the
  console to see its menu. Click a module to open the module's launcher
- Cobalt Strike module launch console ignores false meterpreter prompt from
  msfrpcd after a successful exploit job is run. This work-around isn't
  perfect but it's much better than doing nothing.
- hashdump and wdigest menus now add usernames with spaces to creds table
+ Attacks -> Web Drive-by -> Firefox Add-on now uses Artifact Kit to generate
  an executable for its payload.
- IPv6 reverse sessions now associate with their host properly.
+ Added [listener] -> Debug... to restart a listener in a console where you
  can directly observe its output (and error messages)
+ Removed Set LHOST from View -> Beacons. Since LHOST no longer affects
  the listener callback address--it made sense to do this.
+ Cobalt Strike web server now uses proper MIME types for MS Office 2007 docs

21 Nov 13 - Cobalt Strike 1.48
---------
- Missing MSF_DATABASE_CONFIG error now gives troubleshooting steps too
- Added another check to detect and correct a corrupt module cache
- [host] -> Operating System -> Firewall works again.
+ Browser Pivoting now supports 64-bit Internet Explorer
+ Added peer-to-peer communication to Beacon. Use 'mode smb' to put turn a
  Beacon into a peer node. Use 'link [ip address]' to link a Beacon to a 
  peer. You may recursively link peers as well.
+ Beacon DNS C2 is now more robust.
+ Default port for MSF exploits in auto-exploit server is now 8080
+ Reporting Engine now links ZDI advisories
- You can now set PAYLOAD for windows/local/wmi exploit
+ Added [host] -> Login -> psexec (token+psh) to run current_user_psexec with
  the PowerShell injection technique.
+ Added [host] -> Login -> wmi (token+psh) to run windows/local/wmi with the
  PowerShell injection techniques. WMI is another option for lateral movement
+ Beacon checkin command now displays output stating the task was added
+ Beacon console now logs to a separate file for each beacon
+ Browser Pivoting now shows output/errors from reflective DLL injection step
+ Updated client-side attack database
+ Listener "sanity check" feature now gives the old non-HTTP listener more time 
  to close before warning that the listener may fail.
+ PsExec windows/meterpreter/bind_tcp payload option now encodes second stage
- Default meterpreter/reverse_tcp listener now encodes its second stage
+ Browser Pivoting can now connect to sites on non-standard ports
+ Added a check to prevent user from creating multiple beacon listeners on one
  Cobalt Strike instance.
+ Added Permissions and Application-Name to Signed Java Applet manifest. This
  supresses a big warning on the latest version of Java 1.7
+ Some PsExec options show 'beacon (connect to target)' as a listener option. 
  This will deliver Beacon setup as a peer. Link to it from another Beacon.
+ Beacon now times out WinINet requests after 4 minutes. If something traumatic
  happens to your poor Beacon, you'll get it back in 4 minutes. This is better
  than the WinINet default of 60 minutes.
+ Beacon now automatically checks in when a file download is in progress.

26 Sept 13 - Cobalt Strike 1.47
----------
- Fixed webcam selection logic that I broke last update.
+ Adjusted max RPC messages/second to 200 (from 20). This mitigates a message
  backlog from multiple interactive beacons.
+ Beacon's 'meterpreter' command now initiates a connection to localhost
  (tunneled through Beacon, of course) instead of the host's known external 
  address. This makes a session more likely to happen in most cases.
- Added a helper for PATH option
+ System Profiler now translates internal host 127.0.0.1 -> unknown. If you
  use this information to determine if an applet ran, look in the web log.
  The System Profiler will report a note to state that this change happened.
+ Added CVE-2013-2465 to Smart Applet Attack. This expands the Smart Applet
  Attack coverage to users with Java 1.6.0_45 or earlier.
- Java 1.6 is no longer a supported environment to run Cobalt Strike. Added
  a warning message to indicate as much.
+ Added Browser Pivoting to Cobalt Strike. A Browser Pivot is a proxy server 
  that fulfills requests with a target's browser (Internet Explorer 32-bit 
  only). This setup convienently inherits the user's cookies, HTTP
  authenticated sites, and client-SSL certificates too. To set it up:

	[host] -> Meterpreter -> Explore -> Browser Pivot

+ System Profiler now detects MS Office in some cases.
- Connect dialog now masks the password field.
+ Updated client-side attack database with new additions
- Cobalt Strike no longer allows you to start msfrpcd on Windows. It shows an
  error stating that you need to connect to a team server on Linux.
- Fixed a potential deadlock when opening a module launcher dialog.
+ Small changes to make the applet kit more robust.
+ Cobalt Strike now performs sanity checks when starting a listener. If a port
  is bound, Cobalt Strike will notify you.

21 Aug 13 - Cobalt Strike 1.47
---------
- Fixed a potential deadlock when updating the host display
- Updated multiplexing code to be compatible with enumdesktops command
- Updated multiplexing code to be compatible with webcam_list command
- You may now choose which camera to take a Webcam Shot from
- Close button now shows w/ Cobalt Strike dialogs on Kali Linux.
- Module Launcher dialog is now always active when opened.
- EXE::Custom is no longer treated as an advanced option. When available it's 
  always present for you to modify in a module.
- Meterpreter -> Access -> Persistence now uses the local exploit module
  (default settings now work without tweaks too)
- Meterpreter -> Access -> Pass Session and Process -> Inject now use the
  payload_inject local exploit module.
- Added Meterpreter -> Access -> Dump Hashes -> wdigest to run mimikatz's
  wdigest command, to retrieve plaintext creds.
- Cobalt Strike now uses a better method to shuttle files to team server and
  notify you of the progress of this action.
+ Added [host] -> Login -> psexec (psh) to run PsExec with PowerShell module
+ Added a Help button to psexec dialogs.
+ Added 'meterpreter' command to Beacon--spawns a Meterpreter session that
  tunnels through Beacon's C2 channel.
- Made multiplexing code smarter about load and use commands.
+ Beacon stage encoding process now has a much higher timeout. On slower
  systems, the encoding process could exceed this timeout.
+ Added ability to specify a jitter factor with Beacon's sleep command. The
  jitter factor is a random percentage for Beacon to vary its sleep time with
+ Beacon download command now sends files, one piece with each checkin
- Added a check to detect a corrupt module cache and clean it. If you see a 
  message asking you to restart the Metasploit Framework... please heed it.
- Added ANSI color markup to Cobalt Strike's console output. It's less scary
  than the default messages and it's nicer to look at.
- Added cmd/unix/reverse to payload selection logic.
+ Java Applet attacks now take steps to prevent loading injector DLL twice.
+ Java Applet attacks now inject shellcode on Windows 64bit JVMs too.
+ Added CVE-2013-2460 to Cobalt Strike's Smart Applet Attack
+ Auto-exploit server eliminates "smart applet" attack if system profiler did
  not IP address through Java applet (indicating that applets don't auto run)
+ System Profiler now annotates 64-bit Windows and Internet Explorer
+ Added an option to mask email addresses in the social engineering report
+ Added an option to mask passwords in the hosts report
- Updated the payload output formats to match what's now possible in MSF
+ Fixed bug that sometimes prevented profiler associating info w/ phished user
+ Renamed Beacon -> Download to Beacon -> Task URL
+ Beacon's DNS C2 now recovers from a failed conversation more quickly
+ Beacon SOCKS Proxy capability is now faster and more robust
+ Cobalt Strike Listeners feature now uses a different encoder for the second
  stage of Meterpreter.
- [host] -> Login options set DB_ALL_CREDS to false.

9 Jul 13 - Cobalt Strike 1.46
--------
+ System profiler now uses a fallback measure to detect Java and report its
  version information to you. Necessary for latest IE10 update.
+ Beacon will no longer attempt to report keystrokes if it could not make a
  GET request to checkin. This prevents logged keystrokes from getting lost
  if one of your checkin domains is blocked or otherwise unavailable.
+ Added pivoting capability to Beacon. Use "socks [port]" to start a SOCKS4a
  proxy server that relays traffic through the Beacon instance. This works
  regardless of the type of Beacon or communication strategy in use. Use
  "socks stop" to stop the proxy server for that Beacon. 
+ Added checkin command to ask Beacon to connect to you and dump keystrokes.
  This command is necessary as the DNS Beacon does not connect to you unless 
  one or more tasks are waiting for it.
+ HTTP Beacon now sends output after task execution as a single POST request.
+ Added 'mode dns-txt' to Beacon. This sets the Beacon data channel to use 
  DNS TXT records. This mode transmits ~189 bytes per request versus 4 bytes 
  per request with 'mode dns' which uses DNS A records.
+ Increased Beacon DNS data channel output throughput to 84 bytes/request. Up
  from 28 bytes/request. This output method is used with both DNS channels.
+ Fixed a race that could prevent generation of Beacon stage when setting up
  the listener.
+ Fixed Beacon key generation bug. Some bytes in the key could end up null.
  When this happened, you'd get a non-responsive Beacon (e.g., it will always
  seem to "die" after a task). This is fixed. If you've see this behavior, 
  you'll need to force Cobalt Strike to generate a new key. To do so, stop 
  Cobalt Strike and change to the folder you normally start Cobalt Strike 
  from and type:

	rm -f .cobaltstrike.beacon
+ Updated client-side attack database with new additions
+ Website Clone Tool now follows 301 (permanent) redirects
- Removed sunrpc and dcerpc modules from MSF Scans feature
+ quick-msf-setup's Git option is now based on DarkOperator's msf_install.sh
  script. The updater script now updates quick-msf-setup as well.

6 Jun 13 - Cobalt Strike 1.46
--------
+ Added Login -> ssh (key) to let you login to a host with an SSH key file
  or select from a key that worked previously.
+ Added a helper to KEY_FILE to let you select from a known-working SSH key
  or specify one to upload.
- Added vmauthd to the Login menu
+ Fixed Beacon's "automatically migrate option"
+ Spear Phish dialog now warns on missing or incomplete parameters again.
- Increased the number of modules run in response to services found during
  a sweep with the MSF Scans feature.
- Attack menu attached to host now splits menus up if there are more than
  10 items. This will help with the webapp and http menus.
+ Beacon no longer gets confused when a hostname or username contain
  whitespace. I'm now using a better separator for metadata sent to it.
+ Fixed bug preventing Beacon upload from triggering a task request
+ Added DNS as a data channel to Beacon. This option is designed as a way
  to control Beacon when it can't communicate with you over HTTP. Deploy
  the DNS Beacon like normal. Type 'mode dns' in the Beacon console to 
  switch its communication scheme to use DNS. This mode can both transmit 
  and receive data.
+ Cobalt Strike now enables second stage encoding for Windows listeners it
  manages through Cobalt Strike -> Listeners.
+ Added option to stage DNS Beacon over DNS. This option is available with
  certain Cobalt Strike attack packages. Select "listener name (DNS)" to
  have Cobalt Strike stage the listener over DNS. 
+ Added random send delay option to the spear phishing tool. Click ... next 
  to the Mail Server field. Specify the number of seconds to delay to.
+ Spear phishing tool now ignores extra whitespace in targets file
- Added a menu to mark a host as a firewall
+ slight tweak to the Smart Applet attack (arsenal source updated too)
- Added a type-fix hack for MsgPack Long types

Cortana Updates (for scripters)
--------
- Updated &log_resource to account for new log folder layout scheme that
  involves a description of the current Armitage server
- Fixed a potential argument corruption bug with filters

9 May 13 - Cobalt Strike 1.46
--------
+ Fixed data correction issue that could prevent reports from generating
+ Improved formatting of vulnerability description information in reports
- Attacks -> Hail Mary now asks you to confirm the action.
- Fixed a potential table view sorting issue.
+ Added a check to auto-ex server to make sure a listener is defined
+ Updated client-side attack database
- Changed how some tables are updated to minimize blocking of other tasks. 
  This should make UI feel snappier in many cases.
- Credential helper now shows credentials from all servers that you're 
  connected to.
- Updated multiplexing code to be compatible with mimikatz extension's 
  output scheme.
- Meterpreter upload command (with no arguments) now prompts for a file.
  This file will be bounced to team server (if one is present) and
  uploaded to the target for you.
+ Auto-exploit Server now works with listeners defined on another Cobalt
  Strike team server.
- Cred tables no longer show SSH keys (since they're not actionable in
  these contexts yet...)

10 Apr 13 - Cobalt Strike 1.45
---------
+ Beacon now uses a random filename for files to download/execute. This
  works around a problem where subsequent download/execute taskings fail
  because the first downloaded file (with the same name) is still running
- The correct OS icon is now shown for Windows 2012 Server.
- Added an Inject button to the Process Explorer
+ VNC Viewer starts view-only by default. Untoggle the spy button to 
  assume control of the target's desktop
+ Added 'spawnto' command to Beacon. This command gives you control over
  which program Beacon will spawn to inject shellcode inside of.
+ Added checks to prevent a user from defining a listener with incomplete
  information.
- Event log now shows date with timestamp
+ Many fixes to report generation when connected to multiple team servers.
- Messages to your nick in the event log are now highlighted

20 Mar 13 - Cobalt Strike 1.45
---------
- Jobs dialog now queries job info in a separate thread context,
  stopping it from locking up your Cobalt Strike instance.
- Fixed console queue display bug when a required option has no setting
- Hashdump -> lsass method now pops open a Meterpreter tab and shows
  its progress. Should help when there's a lot of hashes coming back.
- Hail Mary attack now gives better feedback about what it's doing
+ Beacon now has a 1MB limit on its output.
+ Fixed a potential memory leak in Beacon (in the output posting)
+ Beacon now uses a different User-Agent string each run
+ Added an upload command to Beacon (to upload files).
+ Added a download command to Beacon. [And renamed the download+exec
  command to task].
- Fixed blank line showing when a host label exists and a session w/o
  any information is associated with the host.
+ Listener dialog now refreshes when updating LHOST
+ Added an execute command to Beacon. This will run a program without 
  posting output back to you.

Cortana Updates (for scripters)
--------
- Added work-around to prevent &psexec failing due to Ruby complaining
  about incompatible encodings.

6 Mar 13 - Cobalt Strike 1.45
--------
+ Updated quick-msf-setup script to pull framework source code via Git.
+ Spear phishing Preview button works in team server mode again.
+ Updated Beacon to auto-dump keystrokes with each beacon home.
+ Updated HTTP Beacon to change its signature profile.
+ Beacon domains now show in Cobalt Strike -> Listeners table.
- Active console now gets higher priority when polling msf for output
- Improved team server responsiveness in high latency situations by
  creating additional connections to server to balance messages over
+ Updated Web Drive-by -> Manage to allow stopping multiple sites at once
+ Performed client-side db maintenance
+ Added a helper to set URL option from Cobalt Strike hosted stuff.
- Preferences are now shared among each Cobalt Strike connection.
+ Website clone tool no longer validates SSL cert for HTTPs cloned sites

6 Mar 13 (2000h)
--------
+ Fixed a null pointer warning when starting the team server.

Cortana Updates (for scripters)
--------
- Added a &publish, &query, &subscribe API to allow inter-script
  communication across the team server.
- Added &table_update to set the contents of a table tab without
  disturbing the highlighted rows.
- Added an exec_error event. Fired when &m_exec or &m_exec_local fail
  due to an error reported by meterpreter.
- Fixed a bug that sometimes caused session_sync to fire twice (boo!)
- Added a 60s timeout to &s_cmd commands. Cortana will give a shell
  command 60s to execute. If it doesn't finish in that time, Cortana
  will release the lock on the shell so the user can control it.
  (ideally, this shouldn't happen... this is a safety mechanism)
- Changed Meterpreter command timeout to 2m from 12s. This is because
  https meterpreter might not checkin for up to 60s, if it's been
  idle for a long time. This will make &m_cmd less likely to timeout

12 Feb 13 - Cobalt Strike 1.45
---------
- Fixed RPC call cache corruption in team server mode. This bug could lead
  to some exploits defaulting to a shell payload when meterpreter was
  a possibility.
- Slight optimization to some DB queries. I no longer pull unused   
  fields making the query marginally faster. Team server is more 
  efficient too as changes to unused fields won't force data (re)sync.
- Hosts -> Clear Database now clears host labels.
- Cobalt Strike listener dialogs now size columns properly. 
- Added the ability to manage multiple team server instances through
  Cobalt Strike. Go to Cobalt Strike -> New Connection to connect to 
  another server. A button bar will appear that allows you to switch 
  active Cobalt Strike connections.     
        - Credentials available across instances are pooled when using
          the [host] -> Login menu and the credential helper.
	+ Listeners across instances are pooled in the listener select
	  dialogs. You may seamlessly launch exploits from one instance
	  and have sessions show up in another instance. It's also easy
	  to pass sessions between instances and task beacons to send
	  active sessions to other instances.
	+ Cobalt Strike hosted sites are pooled across instances too.
	+ Cobalt Strike's reporting engine merges data across instances
	  before generating a report for you. 

	You may now pen test through many points of presence and use 
	Cobalt Strike's reports to help tell the full story.

+ Pressing Cancel on a Save dialog will now cancel the action.
+ Performed regular maintenance of client-side attack database.
- Rewrote the event log management code in the team server
- Added nickname tab completion to event log window
+ Spear phishing tool now sends phishes from the team server. Now that you
  can connect to multiple Cobalt Strike servers, it makes sense to do this.
+ Revamped spear phishing tool output
- Hosts -> Clear Database now asks you to confirm the action.
+ Hosts -> Clear Database stops all listeners before dropping the database
- Hosts -> Import Hosts announces successful import to event log again.
+ Obfuscated Smart Applet attack
+ Beacon staging no longer shows in Social Engineering report
+ Updated hosts report generation process to use all possible host icons

28 Jan 13 - Cobalt Strike 1.45
---------
- Added helpers to set EXE::Custom and EXE::Template options.
- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
- Cleaned up Cobalt Strike -> SOCKS Proxy job management code. The code 
  to check if a proxy server is up was deadlock prone. Removed it.
- Starting SOCKS Proxy module now opens a tab displaying the module
  start process. An event is posted to the event log too.
- Created an option helper to select credentials for SMBUser, SMBPass,
  USERNAME, and PASSWORD.
- Added a feature to label hosts. A label will show up in its own column
  in table view or below all info in graph view. Any team member may
  change a label through [host] -> host -> Set Label. You may also use
  dynamic workspaces to show hosts with certain labels attached.
- Fixed bad things happening when connecting Cobalt Strike to 'localhost' 
  and not '127.0.0.1'.
+ System profiler now auto-redirects a visitor after 20s if no profile
  is returned. Moved up from 5s.
+ Fixed a bad merge that took away the Login -> psexec (token) menu
+ File hosting feature now works in teamserver mode again. Moved file
  verification logic to the server where it belongs.
+ Ported the CVE-2013-0422 (java_jre17_jmxbean) exploit to the Smart 
  Applet attack. This attack is also available to the auto-exploit server.
+ Fixed a potential deadlock condition with the Beacon viewer.
- Cobalt Strike now centers screenshots/webcam shots in their tab
+ Added a VNC Viewer to Cobalt Strike. [host] -> Meterpreter -> Interact
  -> Desktop (VNC) will now open a tab with the user's desktop.
- Added an alternate .bat file to start msfrpcd on Windows in the
  Metasploit 4.5 installer's environment. *cough* Remember using Cobalt
  Strike to connect to the Framework on Windows is not supported. *cough*
- Added a color-style for [!] warning messages
+ Mitigated race condition that stopped Beacon listeners from restarting
  when connected to a team server.
+ Fixed Beacon -> Download menu. It now properly tasks highlighted items.

Cortana Updates (for scripters)
--------
- &handler function now works as advertised.
- Cortana functions now avoid core.setg

2 Jan 13 - Cobalt Strike 1.45
--------
- Set postgres_payload exploits to use a reverse payload by default
+ Updated JavaScript keystroke logger to work with IE9 and later. Also
  fixed a regression preventing it from working in IE in general.
+ Added Cobalt Strike Java Attacks. The Signed Applet Attack option is a
  simple self-signed applet. The Smart Applet Attack attempts to disable the
  Java Security Sandbox using an exploit. Both options are available under
  the Attacks -> Web Drive-by menu.

  These Java Attacks use a Cobalt Strike Java Injector Payload. This payload
  accepts both a Windows and Java listener. You don't want to lose a shell
  when a MacOS X user visits your Windows attack, right? The payload injects 
  shellcode into memory on Windows and dynamically links Java meterpreter for 
  other operating systems.

  Source code, build files, and a Cortana script to integrate changes to the
  applet attacks are available in the Cobalt Strike Arsenal. Help -> Arsenal
+ Major overhaul to the Cobalt Strike Auto Exploit feature. This went from 
  being a neglected feature to the most cutting edge exploit guidance system
  outside of the crime kit universe. The Auto Exploit feature now shares 
  code with the system profiler and uses this information to zap visitors
  with the right exploit. The new Auto Exploit feature also takes advantage of 
  the Cobalt Strike-hosted Java attacks.
+ Added a data sanitization pass to the reporting engine. Prevents 
  non-printable characters from disrupting the report generation process.
+ The Applications portion of the Social Engineering reports now sorts the
  applications and removes duplicate entries.
+ The SE report now puts a page break between the end of the Campaigns section
  and the beginning of the Users section.
+ Fixed "incompatible character encodings: ASCII-8BIT and UTF-8" exceptions
  caused by my use of the core.setg RPC-call in Beacon's UI. This RPC call 
  leaks improperly encoded stuff into Metasploit's global datastore.
 
12 Dec 12 - Cobalt Strike 1.45
---------
+ Beacon's spawn command now creates a separate process to inject 
  shellcode into. This way a failure in the shellcode will not cause 
  Beacon process to exit.
+ Beacon download command now uses payload/windows/download_exec module
+ Added a keystroke logger to Beacon. Use:

	keylogger start - to start the keylogger
	keylogger       - to dump collected keystrokes
	keylogger stop  - to stop the keylogger and dump keystrokes.

  Beacon must live inside of a process associated with the desktop and 
  user you want to log keystrokes for.
+ Added inject command to Beacon. Use this to spawn a session by injecting
  shellcode into a specific process id.
+ View -> Beacons table now properly sorts its columns when you ask it to
- Added a helper to set REXE option
+ Web Drive-by -> Host File now complains if file does not exist
+ Performed normal client-side database maintenance
+ Website clone tool now uses an MSIE user agent, instead of the Java one.
+ Website clone tool detects empty cloned site results and shows an error.
  It then instructs you to try the HTTPS version of the URL. Java's URL 
  library will not follow a redirect from one protocol to another.
+ System Profiler now detects and reports Windows 8
+ System Profiler's local IP address detection is much more reliable now
- Added Windows 8 icon
+ Cobalt Strike now starts persistent listers *after* it determines local
  IP address. This is important as the meterpreter reverse_http[s] payloads
  need to be bound to a specific LHOST to work.
- [host] -> Login menu is now built using open services for all highlighted
  hosts, not just the first one.
- [host] -> Login items now escape punctuation characters in passwords 
  before passing them to a framework module.
+ PDF reports properly wordwrap password hashes and other long strings again

Cortana Updates (for scripters)
--------
- &credential_add and &credential_delete no longer break when a password has 
  creative punctuation in it.

26 Nov 12 - Cobalt Strike 1.44
---------
+ Added support for some SMTP authentication schemes to Cobalt Strike's
  spear phishing tool. You may also connect to an SSL enabled SMTP
  server too. Special thanks to Allen Harper who provided infrastructure
  to test all of this against.
+ Spear phishing tool now strips more headers from template messages
+ Editing Targets field in spear phish dialog no longer locks up for 
  several seconds when the value of the field is a folder.
+ Updated client-side attack database (regular maintenance...)
+ You may now export Cobalt Strike reports as MS Word documents. *pHEAR*
- add_user and add_[local]group_user now show all of their output when
  the -h flag is used to operate on a remote host.
- added a Delete menu to creds table. Right-click a cred to delete it
+ Added an import button to the creds viewer to quickly add credentials
+ Fixed a bug that caused Vulnerability report export to fail when a 
  vuln had no associated references.
+ Hosts report no longer shows vulnerability description twice (this 
  would happen when the same vulnerability was exploited against two
  or more ports listening with the vulnerable service).
+ Multiple cosmetic improvements to the display of vulnerabilities in
  hosts and vulnerability reports.

Cortana Updates (for scripters)
--------
- aliased &data_delete to &data_clear to match the documentation.
- &file_get, &loot_get, and &file_content no longer delete the remote
  file when connected to a teamserver.

8 Nov 12 - Cobalt Strike 1.44
--------
- Windows command shell tab is now friendlier to commands that prompt
  for input (e.g., time command)
- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
  the framework's new exploit/windows/local modules too
- [host] -> Shell -> Post Modules now shows the framework's unix/local
  and exploit/linux/local modules
- Added Ctrl+I shortcut. Lets you choose a session to interact with.
- Added Steal Token button to Processes dialog.
- Cobalt Strike now requests a non-expiring token after connecting to 
  msfrpcd. This makes your connection to msfrpcd more robust.
+ Cobalt Strike psexec dialog now lets you choose one of your configured
  Cobalt Strike reverse listeners
+ You may now select a custom executable in both psexec dialogs
+ Added Help -> Arsenal which will take you to the Cobalt Strike arsenal.
  The Cobalt Strike arsenal will contain scripts to aid your penetration
  testing process. These features will only be available to licensed
  Cobalt Strike users (usually with full source code too). 

  The first arsenal item is topaz, a script to embed shellcode into an 
  anti-virus bypass executable. Topaz will intercept module launches (such as
  psexec and current_user_psexec), generate a new executable, and use the
  new executable with the module. 

  Full source code to topaz is available. You may use it as-is, modify
  it to pass other products, or use it as a template to make your AV 
  bypass executable work with Cobalt Strike.
  
16 Oct 12 - Cobalt Strike 1.44
---------
- Added port 5985 to Scan feature port list.
- Meterpreter -> Access -> Persistence sets ACTION option for you
- Changed how LHOST and LPORT are set globally to prevent Ruby 
  character encoding conversion error in the framework.
+ Fixed a potential deadlock in the listener management dialogs
+ You can now use Beacon to spawn a Beacon.
- Log Keystrokes, Persist, and Pass Session now use a new thread to
  query module information.
+ Beacon last callback time is now computed on team server. Prevents
  whackiness when client's have different time value from server.
- Cobalt Strike now shows URL/folder in a popup dialog when trying to
  open a file/URL on a desktop where Java's JDesktop is not supported
- Check all credentials option now filters duplicate entries.
- Exploit payload selection now selects cmd/unix/interact when required
- Explore -> Processes works with Java Meterpreter again.
+ Beacon callback events are now suppressed from reports and logs
- MSF Scans feature now runs http_version against port 443

27 Sept 12 - Cobalt Strike 1.44
----------
+ Added Beacon management feature. Beacon is a Cobalt Strike payload 
  that periodically phones home to request taskings. Beacon will check 
  task availability over HTTP or DNS.

  To start Beacon listener, go to Cobalt Strike -> Listeners.

  Go to View -> Beacons to see activity and task beacons.

  Use Beacon like any other reverse listener. Embed it in social 
  engineering packages, use it with client-side attacks, etc.
+ Updated client-side database
+ Cobalt Strike only shows token passing dialog if current_user_psexec
  module exists (for 4.4-release compatability)

5 Sept 12 - Cobalt Strike 1.44
---------
+ Added CovertVPN feature. CovertVPN is a Windows client that provides
  the Cobalt Strike host with a virtual interface on a target's network.
  CovertVPN is able to relay raw frames over a TCP, UDP, or HTTP channel.

  To use it:

  [host] -> Meterpreter -> Pivoting -> Deploy VPN

+ Added a helper for INTERFACE option to select a CovertVPN interface
- Setup dialog now trims host, port, user, and pass fields.
- Cobalt Strike now complains when it can't write to your preferences file 
  (versus just hanging without a real error message)
- View -> Jobs now queries jobs in a thread outside of UI thread
- Tab completion now uses a separate thread to call into the RPC server. 
  This prevents a deadlock if server is not responding.
- Login -> psexec now shows when 445 is open on a Windows machine. The old 
  criteria was too restrictive.
- Added a helper to set Wordlist option
+ Updated client-side exploit database with two new exploits
+ Added help button to Cobalt Strike -> Scripts
- Cobalt Strike now sets a random LPORT for non-exploit modules with an
  LPORT option (e.g., post modules that do priv escalation)
- Cobalt Strike now shows an error if it can't open a Windows command shell
- Steal Token dialog now uses incognito module to get token data instead of 
  the MSF post module. This is more reliable.
- current_user_psexec module now allows you to set the payload options
+ Added [host] -> Login -> psexec (token) to use a stolen token to psexec
  into all highlighted hosts.

Cortana Updates (for scripters)
--------
- added an eventlog popup hook

16 Aug 12 - Cobalt Strike 1.44
---------
- Dynamic workspaces now removes closed services from its set of
  hosts matching certain open ports.
- Cortana console now reports a clear error message a built-in
  command is executed without the right number of arguments.
- Added host icons for Android and iOS. You may now set these
  operating systems by going to [host] -> Host -> Operating System
- Cobalt Strike now shows the client-side exploit dialog for exploits
  that do not target an RHOST (for example, windows/smb/smb_relay)
- Added support for remote exploits that use RHOSTS over RHOST
  (this includes the new windows/local/current_user_psexec)
- Added a helper for setting the SESSION option
+ Added preferences for customizing Cobalt Strike reports:
  * reporting.accent.color
	the color of links and the solid bar below the header image
  * reporting.header_image.file
	an 1192x257px/300dpi header image for your reports
+ Added a helper to set file preferences
+ System Profiler now reports Apple iOS and Android operating systems
+ System Profiler now reports host with OS it could not determine

Cortana Updates (for scripters)
--------
- s_cmd no longer times out after 60s. It will wait forever for a 
  command to complete now.
- added shell_read event which fires when a shell s_cmd comes back 
  with intermediate output.
- fixed a potential deadlock with &open_console_tab
- scripts now have the ability to redefine the max size of a workspace: 
  db_workspace(%(size => #####));

08.05.12 - Cobalt Strike 1.44
--------
- Rebuilt the 08.02.12 release with missing internal files used by 
  Cortana. Sorry about this!

08.02.12 - Cobalt Strike 1.44
--------
- Team server now buffers all of its output. SO_NODELAY is no longer
  used. This will improves team performance on a congested network 
  without a hit to responsiveness otherwise.
+ Spear phishing tool now strips CC field from template messages
- Added Cortana, a DARPA funded scripting technology, into Armitage.
  There's a lot of fun to be had here.
- Cobalt Strike now queues messages to destroy a console rather than
  spinning up a new thread for each closed console.
- Rendering of icons for hosts now happens outside of UI thread.
+ Fixed highlight rendering issue in spearphish message preview.
+ Spear phishing tool more aggressively replaces links in template
  messages.
+ Spear phishing tool now displays a message when something goes
  wrong while processing a template file.
- Increased timeout for meterpreter read command
- Cobalt Strike now detects a corrupt module cache and attempts to 
  clear it so it can be rebuilt.

07.19.12 - Cobalt Strike 1.44
--------
+ Updated client-side vulns database (a typical maintenance action)
+ Fixed host report generation failure when there are two hosts with
  the same IP address in the hosts database. 
+ Vulnerability Report and Hosts Report vulnerability descriptions
  are now compatible with the latest Metasploit Framework database
  schema changes.
- Pass-the-Hash and Login dialogs now honor the shift+Launch convention
  which keeps the dialog open after launching the action.
+ Cobalt Strike now binds reverse_http/reverse_https listeners to the
  LHOST value for the host. Previously, they bound to 0.0.0.0 to accept
  connections on any interface. This no longer works though and established
  http/https sessions hang. This change fixes this problem.
+ Added set LHOST button to Cobalt Strike -> Listeners. This button will 
  update the global LHOST option in MSF, update the value saved in Cobalt
  Strike and it will restart all listeners to take advantage of the change
+ Added Attacks -> Packages -> USB/CD AutoPlay feature. This package turns
  a USB stick or CD into an attack vector against Windows XP/Vista

07.05.12 - Cobalt Strike 1.43 
--------
- Login -> psexec now sets a different LPORT for each host it's
  launched against when using a reverse payload. Fixes a bug where
  using a reverse connect payload against X hosts didn't work.
- Progressbar Cancel button now works with the Sync Files button
  in View -> Downloads and View -> Loot
- Fixed a potential deadlock with the Sync Files feature
- Clicking the Size column in View -> Downloads now sorts properly
+ Fixed a race condition that sometimes prevented the display of 
  the old data in View -> Web Log

06.23.12 - Cobalt Strike 1.43
--------
+ Updated client-side database with latest changes.
- Added View item to File Browser popup menu. Views and logs text files.
+ Added Attacks -> Web Drive-by -> Host File. This feature hosts a file 
  using the Cobalt Strike web server.
+ Web Drive-by options that start a Cobalt Strike server now have blue-ish
  labels.

06.14.12 - Cobalt Strike 1.43
--------
- Meterpreter -> Kill now uses session.stop RPC call
- Cleaned up code to kill jobs acting as a service
- Added an option to disable TCP_NODELAY from the comamnd line:

        java -Darmitage.enable_nagle=true -jar armitage.jar

  Use this if you see "bad mac" SSL errors when connected to a
  team server.
- Log Keystrokes tab now changes color when there is activity
- Randomized filename for USERPASS_FILE to allow multiple brute
  forces to happen at once.
+ Updated client-side database with ms12-037 information

06.07.12 - Cobalt Strike v1.43
--------
- Fixed an exception when killing a session or removing a route
- ps command added a new column to its output. Updated ps parser
- Hosts -> Import Hosts now works under Windows again
- Hail Mary now sets LHOST option. This is necessary for some attacks to 
  work properly
- Tweaked console create code in beginning of Cobalt Strike setup to avoid
  aggravating a deadlock condition
- Disabled Nagles Algorithm for team server and client SSL sockets. This 
  drastically improves responsiveness for Windows 7 clients.
- Starting jobs like the SOCKS Proxy server now shows the Service Started
  message again.
- Fixed a highlighting bug with the find feature in the View tab

05.21.12 - Cobalt Strike v1.43
--------
- Fixed a bug that triggered when resizing text in a Loot/Download View tab.
+ Updated IE date guessing database for more accuracy. This makes the system
  profiler better.
- Cobalt Strike's console now uses color to highlight information and make
  it clearer. This applies to all consoles. Set console.show_colors.boolean to
  false to disable this behavior.
- Default console font color is now grey.
+ Cobalt Strike now catches internal errors related to phishing messages (e.g.,
  a poorly formed template/address) and displays these in the phishing console.
- Fixed a bug preventing input field from getting focus when using Ctrl+W to
  open a console in its own window.
+ Updated entries in client-side attack database that have changed.
- Improved performance of module launches (through a console) when in team mode.
- Improved performance of msf scans feature when in team mode.
+ Spear phishing window no longer piggy backs off of a normal console tab.
- Improved perceived performance of posting chat messages
- Fixed text search feature (Ctrl+F) on Windows
- Fixed View -> Downloads -> Sync Files feature on Windows

05.14.12 - Cobalt Strike v1.43
--------
- Dynamic workspace keyboard shortcuts are now always bound (previously
  you had to visit workspaces menu before they'd bind)
- Improved console pool's ability to detect dead consoles
- Bound Ctrl+Backspace to show all hosts (without a workspace)
- Added Ctrl+T to quickly take a screenshot of the active tab and save it
- Added Ctrl+W to open the active tab in its own window
- Cobalt Strike team server is now SSL enabled. The server will present the
  SHA1 hash of its certificate on startup. When connecting, Cobalt Strike 
  will present the SHA1 hash of the certificate presented to it. You'll have
  the opportunity to trust it or reject it.
+ Updated entries in client-side attack database that have changed.
- Added Ctrl+Left / Ctrl+Right to navigate tabs with the keyboard
+ quick-msf-setup script now downloads 64-bit msf installer on 64-bit systems
- Fixed a bug that prevented command shells from opening on some sessions
+ Web log messages are now delivered in batches (vs. one at a time)
- Team server client now caches some calls to RPC server
- Reworked View button in Download and Loot tabs. The button now displays the
  contents of all the highlighted rows in one tab. Further, I've added a 
  Sync Files button to download the highlighted loot or download files when
  in a team situation.

05.07.12 - Cobalt Strike v1.43
--------
- Cobalt Strike's team server is now compatible with the latest changes to
  Metasploit 4.3.0. 
- Added Ctrl+D keyboard shortcut to close the active tab
- Module description in module launcher dialog is now resizable.
- Cobalt Strike now uses (more robust) console queue for launching post
  modules, handlers, brute force attacks, and other things.
- Fixed a race condition in the Jobs tab refresh after killing a job
- Cobalt Strike now filters smb hashes from non-psexec/smb login dialogs.
+ Dumped the "capture form data" in favor of a Javascript key logger. Logged
  keystrokes show up in the web log (View -> Web Log) and in the social
  engineering report.
+ System Profiler now reports applications grabbed to weblog and not the raw
  stuff posted back. This is a move to make the web log a generic console to
  view Cobalt Strike web activity in.
- Added armitage.log_data_here.folder setting. This setting lets you
  specify where Cobalt Strike will save its logs, downloaded files, and
  screenshots.
+ Cobalt Strike now properly reports "web server" errors when in team mode.
  Previously these weren't making it back to the user.
+ Cobalt Strike web apps (system profiler, cloned site, etc.) now work with or
  without the ending /.

04.17.12
--------
- Update console reading code to make Cobalt Strike compatible with latest
  Metasploit changes.
- Console commands are now queued. Hopefully they'll execute in order now
  when launched in consoles automagically..
+ Added Refresh button to Listeners dialog
+ Cobalt Strike now runs in Metasploit 4.3.0* (before it'd only run in
  4.3.0-dev)

04.15.12
--------
+ Added support for EDB (Exploit DB) references in vulnerability reports
+ Added multi/browser/java_setdifficm_bof to client-side database.
+ Added multi/browser/java_atomicreferencearray to client-side database.
- Module browser search now filters modules as you type.
- Added keyboard shortcuts to switch dynamic workspaces.
	Ctrl+1 = first workspace
	Ctrl+2 = second workspace
	...
	Ctrl+0 = show all hosts
+ Added generic/shell/reverse_tcp to listener options. Use this for Linux
  and OS X reverse shells (or even as a netcat listener).
- Cobalt Strike now uses a more aggressive read strategy for hashdump lsass
  method. You should now see the entire output added to the creds table 
  more often. :)
+ Updated Internet Explorer version data with hints from MS12-010 and MS12-023.
+ Fixed a typo in the MacOS X update command script.
- Added Ctrl+N to open a new Metasploit(r) console and Ctrl+O to open the 
  preferences dialog.
- You may now use Ctrl+Alt to deselect a row in the Jobs and Workspaces tables.
- Added Shell -> Pass Session to *NIX shell sessions. Allows you to duplicate
  a *NIX access or pass it to another Cobalt Strike instance.
+ Updated auto-exploit server to use multi/browser/java_atomicreferencearray
+ Added Attacks -> Packages -> Web Drive-by -> Firefox Addon dialog. This is a
  new social engineering attack module in Metasploit that prompts the user to
  install a Firefox addon. This is a very cool option against Firefox users.

03.28.12
--------
Note: This release contains changes that will require redownloading Cobalt
Strike. It's not a requirement, but if you want to take advantage of some of
these changes, you'll need to get the whole package.

+ Updated the updater program to not rely on the cache when pulling down a 
  Cobalt Strike update. You will need to redownload Cobalt Strike to get the
  latest updater program though. http://www.advancedpentest.com/download
- Cobalt Strike team server now uses a batch method to send chat messages to 
  clients. This should be much better.
- Cobalt Strike now minimizes the number of messages it sends to the collab
  server during a team engagement. The goal is to make the system less likely
  to back up on messages when there's a lot of latency in the environment. 
- Added an optimization to make command shell feel more responsive in team mode
- Hosts -> DNS Enumerate now populates the NS field with the current highlighted
  host.
+ Tweaked Java parameters for Cobalt Strike to prevent it from "giving up" when
  attempting to do something requiring a lot of memory (like generate a huge PDF
  report). You will need to redownload Cobalt Strike to get the updated CS
  launchers with these tweaked parameters.
- Improved tab management:
	-- Shift+click to close like tabs now ignores the session id when 
	   deciding if a tab is alike. So Shift+Click on a Screenshot tab will
           close *all* Screenshot tabs.
	-- Added a tooltip to session related tabs to indicate the host associated
           with the session.
+ Hosts listed in Vulnerability Report are now sorted.
+ Added Restart button to Cobalt Strike -> Listeners. Use this to quickly stop/restart
  listeners if a handler becomes non-responsive.
+ Cobalt Strike now queues certain Metasploit commands and executes them in turn. This
  will make the system feel more responsive over all. Cobalt Strike features that log
  activity (e.g., spear phishing, hosted attacks, etc.) will respond faster too.
- Added a List Drives button to File Browser for Windows meterpreter sessions.
- File Browser can now navigate to folders with apostrophes in their names.
+ System profiler now reports external IP as a firewall if it's able to get the internal
  IP and the internal IP does not match the external IP.

22 Mar 12
---------
- Cobalt Strike NMap profiles are now improved with the following options:
	-n [do not attempt to resolve reverse hosts for IPs]
	-T4 [wait longer to determine whether a service is alive or not]
	--min-hostgroup 96 [scan more hosts in parallel]
- Cobalt Strike now intercepts webcam_snap and screenshot meterpreter commands
  and performs the appropriate actions.
- View -> Creds -> Export now works in team mode.
+ Cobalt Strike web server now returns a 404 to visitors with curl, wget, or
  lynx user agents. This is an easy measure to defeat, but we're all about 
  offense in depth with this project.
- VMware icon now shows when a VMware ESXi host is identified by Metasploit
- Fixed a bug preventing commands like del /S (which prompts for Y/N) from
  working from a command shell tab.
- Added a check to prevent old Cobalt Strike and Armitage clients from connecting
  to the team server. In the future, I may restrict the Cobalt Strike team server
  to Cobalt Strike clients only.
- Added a * indicator to active workspace in Workspaces menu
+ Added a check to prevent user from defining a persistent listener to a port
  that already has a persistent listener bound to it.
- Added Hosts -> DNS Enumerate to discover hosts through a name server.
- Cobalt Strike now displays a pivot relationship between a host and the NAT 
  device it is communicating through when there is an active session.
+ Added windows/browser/adobe_flash_mp4_cprt to client-side database
- Added Copy button to Services tab. Copies highlighted hosts to clipboard.
+ Added windows/browser/ms10_002_ie_object to client-side database
- Improved reverse payload selection logic. Cobalt Strike now chooses php
  meterpreter when it makes sense.
- Cobalt Strike now assigns a random LPORT for each exploit module launched with
  a reverse payload.

7 Mar 12
--------
- Cobalt Strike now uses an IPv6 bind payload when exploting an IPv6 host
- Cobalt Strike now displays a firewall icon for hosts marked as a firewall
  with no associated operating system. This marking is something done by
  Metasploit.
- Cobalt Strike is now explicitly sets RPORT for psexec and msf scan modules

2 Mar 12
--------
- Meterpreter now reports the IP of the owned system in a consistent way.
  Cobalt Strike now places the session info and lightning bolts on this
  owned system. No longer will you have X session menus attached to a 
  firewall / NAT device. This is good news.
- Cobalt Strike now uses a random payload listener for any client side
  attack by default (previously--it used a default reverse listener for
  windows client attacks--lost benefit of automigrating)
- Token stealing dialog now disables Refresh button while grabbing tokens
  and enables it when tokens are grabbed. Now you kind of know what it's 
  doing.
- Updated Topaz to improve its stability.

1 Mar 12
--------
- Doh! Trial license code was messed up. Fixed how I calculate the 
  difference between dates.
- Fixed Topaz EXITFUNC so Topaz binary does not crash when exiting meterp
  session or migrating.
- Fixed bug with "check all credentials" feature not working in team mode
  when server and client run from the same folder.
- Added a rename tab feature. Right-click the tab X and select rename tab
- Cobalt Strike now displays an XP/2003 era logo for hosts self reporting
  as .NET server.
- Added a minimum amount of version checking to Cobalt Strike startup.
  This version now requires Metasploit 4.3.0-dev
- Updated ARP Scan and Pivoting dialogs to parse the new route output in
  Metasploit 4.3.0-dev
- Cobalt Strike now deletes notes.* for a host when you manually set its
  OS. This is done to allow a future scan to set the host's OS to 
  something else. 
- Cloned websites now use the favicon of the cloned site. *pHEAR*

26 Feb 12
---------
- Fixed a system profiler bug caused when profiled client with IE does
  not have Windows Media Player installed.
- Added a slight delay between commands issued to a console to prevent
  them from executing out of order.
- Adjusted graph view scrolling increments to something sane.
- Fixed keyboard accelerators when right-clicking in the graph view.
- Made the file browser directory up button more obvious.
- Team server now returns the last-100 events (instead of all of the
  engagement events) when connecting.
- Improved Host -> Remove feature when removing many hosts.
- Dynamic workspaces feature now allows to comma separated entries
  with no spaces between them.
- Table view now allows rows to be deselected in an interval (they
  won't become reselected automatically like before).

24 Feb 12
---------
- Added quick-msf-setup script to the Linux package. This script will
  download and install Metasploit, setup the postgres db to start on
  boot, and set the system to point to the Java included with Metasploit
  if necessary.
- Cobalt Strike doesn't write to /Applications any more...
- Added a VMWare icon for hosts whose OS is reported as ESX or ESXi
- Greatly improved token stealing user experience. It's awesome now.
- Greatly improved the responsiveness of the file browser. 

20 Feb 12
---------
- A space inside of a module search is now treated as a wildcard. This
  means you can type: win meterp and it will be treated as win*meterp
- Removed Host option from Adobe PDF dialog (not needed since we're
  embedding an EXE that already knows the host it wants to connect to)
- Modified listener stop/start code so that actions happen asynchronous
  to the UI (meaning working with listeners won't block the UI)
- Social Engineering report now rounds summary stats to two decimal places. 
  I was recording a screencast and generated a report--imagine my surprise
  when a bunch of sixes were going across the cover page.
- Hovering over an edge in graph view no longer shows a "null" tooltip
- Completely fixed parsing of ps output. The process dialog through 
  meterpreter will now be accurate regardless of OS :) [Caveat: so long as
  the meterpreter session reports processes-Java meterp on OS X f/e does
  not].

19 Feb 12
---------
- Made a change to how some commands are synchronized... this should
  have no negative effects, but only testing will tell.
- Command sync change fixes a bug preventing system profiler from 
  adding hosts to display in a team situation.
- Fixed a bug in export data with client-side report data
- Fixed "No client vulns" always showing up at the bottom of the client
  side vulnerability report
- Client-side Vuln. reported and exported client vulns now treats
  hosts external/internal combinations as unique hosts.

18 Feb 12
---------
- Added windows/browser/java_mixer_sequencer to client-side vuln db
- Fixed a bug in the teamserver start script for Linux (you'll need to
  redownload the package to get this updated script)
- Adobe PDF package now prompts you where to save PDF file whether
  MSF is local or remote to Cobalt Strike.
- Added Cut/Copy/Paste/Clear menu to table cell editor
- Started work modifying the about dialog so I can provide proper
  attribution of the various open source projects used by Cobalt Strike

16 Feb 12
---------
- Client-side vulnerability report was producing duplicate entries for 
  vulnerabilities with both a fileformat and browser exploit. Fixed.
- System profiler was accidentally reporting some Windows hosts as
  Windows Media Center edition. Fixed.
- Cobalt Strike reports now have the Cobalt Strike logo
- Updated Help menu with Cobalt Strike stuff.
- Help button in Connect dialog now points to advancedpentest.com/start
  so does the "hey msfrpcd crashed from underneath me" dialog.
- Released "helper" indicator with a thick square (vs. the thick cross
  in Armitage).
- Added a teamserver script to UNIX distribution of Cobalt Strike. This
  script will check the environment to make sure everything is in place.
- Cobalt Strike was saving preferences to wrong file.

14 Feb 12
---------
- Added Cobalt Strike update tool
- Created packages for Windows, MacOS X, and Linux

Legend
--------
- = a change made in Armitage and Cobalt Strike
+ = a Cobalt Strike specific change
! = a removed feature

Documentation

System Requirements

The minimum system requirements for Cobalt Strike are:

2 GHz+ processor
2 GB RAM
500MB+ available disk space

On Amazon's EC2, use at least a High-CPU Medium (c1.medium, 1.7 GB) instance.

Supported Operating Systems

The Cobalt Strike Team Server is supported on the following systems:

Kali Linux 2018.4 - AMD64
Ubuntu Linux 16.04, 18.04 - x86_64

The Cobalt Strike clients run on the following systems:

Windows 7 and above
MacOS X 10.13 and above
Kali Linux 2018.4 - AMD64
Ubuntu Linux 16.04, 18.04 - x86_64

E-SPIN Value Proposition

E-SPIN have actively in promoting Core Security full range of products and technologies as part of the company Vulnerability Management and Penetration Testing solution portfolio. E-SPIN is active in provide consulting, suppply, training, and maintaining Core Security products for the enterprise, government and military customers (or distribute and resell as part of the compete package) on the region E-SPIN do business. The enterprise range from telecommunications, corporate, government agencies to IT Security Share Service Outsourcing (SSO) service providers on vulnerability management, penetration testing, cyber security/cyber warfare for unified Vulnerability Management, Penetration Testing and Exploitation Management.

Please feel free to contact E-SPIN for your inquiry and requirement, so we can assist you on the exact requirement in the packaged solutions that you may required for your operation or project needs.

CORPORATE

SOLUTIONS & PRODUCTS

STORE & SUPPORT

PRODUCTS & SERVICES

© 2005 - 2023 E-SPIN Group of Companies | All rights reserved.
E-SPIN refers to the global organisation, and may refer to one or more of the member firms of E-SPIN Group of Companies, each of which is a separate legal entity.

SIGN IN YOUR ACCOUNT TO HAVE ACCESS TO DIFFERENT FEATURES

FORGOT YOUR DETAILS?

Cobalt Strike

Solution Overview

To analaysis a platform for adversary simulations and red team operations, which to execute targeted attacks and emulate the post-exploitation actions

Cobalt Strike

Reconnaissance

Attack Packages

Spear phishing

Collaboration

Post Exploitation

Covert Communication

Browser Pivoting

Reporting and Logging

Features Overview

Benefits

The Team Server

Cobalt Strike Client

Distributed and Team Operations

Scripting Cobalt Strike

Documentation

System Requirements

Supported Operating Systems

E-SPIN Value Proposition

CORPORATE

SOLUTIONS & PRODUCTS

STORE & SUPPORT

PRODUCTS & SERVICES

FOLLOW US