May 4, 2019 - Cobalt Strike 3.14
+ Updated blockdlls to call SetErrorMode when enabled to hide/skip Bad Image errors
+ Fixed External C2 error that occurs when started before an HTTP/DNS listener
+ External C2 reports Beacon metadata periodically (Remove no longer loses session)
May 2, 2019 - Cobalt Strike 3.14
+ Added blockdlls command; blocks non-Microsoft DLLs from Beacon's child processes
+ Added python option to &artifact_stageless.
- Deprecated the process-inject -> disable "*" options from Cobalt Strike 3.12
+ Added process-inject -> execute to control thread creation functions used + order
+ Revised RtlCreateUserThread injection path to work x86 -> x86.
+ Overhauled injection path w/ NtQueueApcThread into existing processes
+ Added fake start addr Create[Remote]Thread variants to process-inject -> execute
+ Added process-inject option to push data to remote process with NtMapViewOfSection
+ .stage.cleanup now detects if memory is mapped and uses UnMapViewOfFile
+ Moved spawnto_x86, spawnto_x64, and amsi_disable to Malleable C2 post-ex block
+ Added post-ex.obfuscate to enable content and permission changes to post-ex DLLs
+ Added post-ex.smartinject; passes key function ptrs from Beacon to post-ex DLLs
+ Added NtQueueApcThread-s (for suspended processes) to process-inject -> execute
+ Added MITRE ATT&CK Tactic ID(s) to [task] entries in logs
+ Standardized time/date format in logs/; all times/dates are now UTC as well.
+ Added &brun Aggressor Script function (equivalent to the run command).
+ Hardened web server against spoofing of remote address value.
+ Added http-config -> trust_x_forwarded_for header. Forces web server to use the
X-Forwarded-For header value (when present, when valid) as HTTP external address.
+ Hardened Beacon C2's open local port callback primitive against rogue sessions.
+ HTTP/S stagers now set INTERNET_FLAG_NO_COOKIES, when a Cookie header is specified
(the effect here is to ignore the local cookie jar and use the specified value).
+ Beacon does not set INTERNET_FLAG_NO_COOKIES if profile doesn't use Cookie header
+ Removed INTERNET_FLAG_NO_AUTO_REDIRECT flag from HTTP/S stagers and Beacon.
+ Added credentials popup hook for credential manager.
+ Process Browser (single host) now displays a process tree for easier navigation
+ File browser now caches listings; added a tree to navigate/populate this cache
+ Added Copy option to get full file path in file browser right-click menu
+ Added Set as PPID option to process browser right-click menu
+ Updated to Mimikatz 2.2.0 20190414
+ Fixed an API use error (inconsequential?) in the parent process spoofing code
+ steal_token delays dropping current token (to use its rights stealing the token)
+ Updated "this session already has a browser pivot" error message with a remedy.
+ Failure to bind the DNS Beacon's port 53 is now more clear in the error message.
+ Fixed potential truncation of execute-assembly output.
+ Added &listeners_stageless function to get &artifact_stageless compat listeners
+ Fixed another drives bug that popped up on some JVMs.
+ Fixed x64 pointer truncation in VNC server DLL.
+ Credential Add/Edit dialog can now edit the Host field.
+ Added Ctrl+R to quickly rename the current tab in Cobalt Strike.
+ Web server now reports error if an exception occurs when accepting new client.
+ File Browser's Delete popup item now asks for confirmation of the action.
+ Browser Pivot is now case-agnostic looking for Content-Length, Host, etc.
+ Browser Pivot strips Strict-Transport-Security, Expect-CT, and Alt-Svc headers
January 2, 2019 - Cobalt Strike 3.13
+ CS now prints console warnings, on payload staging, when kill date is past.
+ dcsync [FQDN] now runs mimikatz's dcsync with options to export all hashes
+ Added a parser to add dcsync [FQDN] hashes to credential store.
- Removed the 'mode smb' option to turn an arbitrary Beacon into an SMB Beacon
+ Refactored Beacon HTTP/HTTPS/DNS and Beacon SMB into separate binaries
+ Reworked the link management and link client for Beacon
+ Added stageless windows/beacon_reverse_tcp as a Beacon pivot listener option.
+ Removed extraneous space from HTTP status responses.
+ Implemented fail-safe timeout to release Beacon chain if read blocks for 5 mins
+ Added command-line argument spoofing for matching processes with argue command.
+ Added &str_xor to XOR mask a string with a specified key.
+ Ctrl+F search in console is now case insensitive.
+ Added windows/beacon_tcp/bind_tcp listener for peer-to-peer comms.
+ stage.sleep_mask is now set to false by default
+ SSH client is now much smaller after switch to mbed TLS and newer LibSSH2 version
+ Added x64 SSH client. x64 Beacon uses the x64 client, x86 Beacon uses x86 client
+ Brought the new/reworked link client backend from Beacon to the SSH client.
+ SSH sessions can now control bind and reverse TCP Beacons.
+ Added x64 portscanner and net module builds for use by x64 Beacon.
+ Removed PDB string and assembly manifest from post-ex job DLLs
+ In-memory obfuscation of Beacon now works with TCP and SMB Beacons. Both obfuscate
while waiting for a connection and during reads. Enable with stage.sleep_mask
+ Updated &bdllspawn with option to use impersonated/created token in child process
+ execute-assembly, net, portscan, and powerpick now use impersonated/created token
+ steal_token drops current token before attempt. This prevents a handle leak.
+ make_token creds now used with CreateProcessWithLogonW if execute w/ token fails
+ Beacon does better job of clearing memory content before freeing it.
+ Resource Kit+defaults now XOR mask stager prior to embed in PowerShell scripts
+ named pipe string is now embedded with or sent to Beacons only when needed.
+ desktop post-ex job, spawned from x64 Beacon, will launch x64 VNC server.
+ Updated to mimikatz 2.1.1 20181209
+ Added http-config Malleable C2 block to influence all HTTP server responses
+ Added MITRE ATT&CK Tactic ID to activity.tsv/activity.xml in data export.
+ Removed an extra comma when combining ATT&CK tactics for post-ex job launches
+ VPN pivot server now checks for /dev/net/tun before doing anything else.
+ Added a list of used MITRE ATT&CK tactics to Indicators of Compromise report
+ screenshot module now degrades SS quality when SS size is over transmit limit
+ Re-synced built-in MITRE ATT&CK matrix (April 2018) to add missed entries
+ Tagged a few mimikatz commands with more specific ATT&CK tactics.
+ cobaltstrike.exe launcher on Windows will run java.exe from %PATH%
+ Added a hard startup deny for OpenJDK "8" (too many problems w/ it on Kali)
+ Dialog to present a URL when browser can't/won't open now works on Kali 2018.4
+ bind_tcp x86/x64 stagers now exit on recv() failure.
+ Beacon console now checks Vista+ for target when using ppid, runu, or argue
+ Fixed the drives bug that popped up on some JVMs.
+ Default GUI font is now Dialog-PLAIN-12
+ c2lint now warns when the rundll32.exe default is not overridden/replaced
+ Added amsi_disable Malleable C2 option. Attempts to disable AMSI for psinject,
powerpick, and execute-assembly
+ Updated update program with faster routine to write out cobaltstrike.jar file.
September 6, 2018 - Cobalt Strike 3.12
+ Fixed targets_other popup hook. Now it passes the target info as an argument.
+ Fixed logic flaw in the kill date check.
+ Hardened reporting engine against unexpected characters in bookmark text.
+ Configured MIME parser (used for phishing emails) to have fewer restrictions
+ Fixed bug ignoring the Name field in the Add Target dialog.
+ Updated target import codepaths to remove unexpected whitespace from addresses.
+ Added POWERSHELL_DOWNLOAD_CRADLE option to Resource Kit. Controls form of download
cradle used by powershell-import, spawnu, spawnas, and uac-token-bypass
+ powershell-import with empty file resets hints related to script hosting.
+ Added POWERSHELL_COMMAND option to Resource Kit. Controls form of [most] powershell
commands used throughout Cobalt Strike.
+ Added &sync_download to grab a downloaded file from the team server.
+ Added stage.sleep_mask Malleable PE option. When enabled, obfuscates Beacon in
memory before each Sleep() call. De-obfuscates Beacon prior to resuming execution
+ Added run command. Runs a program (+ shows output) without cmd.exe or powershell.exe
+ ssh-key command now accepts much larger key sizes (and warns when that's exceeded)
+ Process injection path now allows argument via SetThreadContext when x64 -> x64
+ keylogger command, with no args, now spawns a temporary process and injects into it
+ screenshot+keylogger commands, spawn mode, now match Beacon's arch for temp process
- Removed .create_remote_thread and .hijack_remote_thread options in Malleable C2
+ Added Malleable C2 options to modify Beacon's process injection behaviors
+ Synced built-in MITRE ATT&CK matrix to the April 2018 release.
+ Updated to Mimikatz 2.1.1 20180820
+ DNS Beacon signaling now combines dns_idle profile value with signal values. A good
dns_idle value helps avoid IPv4 bogon responses in dns6 and dns-txt transfers.
+ DNS listener now sanity checks dns_idle value vs. Team Server IP.
+ Added &str_chunk to easily chunk a string into multiple same-size chunks.
+ Updated exe/dll checksum update process to leave artifact alone if there's an error
+ Removed the OpenJDK checks/warnings from startup.
+ Updated the updater with new cert information. (Redownload the trial to get it)
May 24, 2018 - Cobalt Strike 3.11
+ Hardened Beacon against possible crashes on Win 10 when module stomping is setup.
+ Change size of Host column in IOCs report.
+ Updated the Malleable C2 'mask' decoder to fail in a more graceful way.
+ Beacon HTTP controller now outputs much more detail when it can't retrieve an id,
metadata, or process output from a Beacon HTTP request w/ the current profile.
+ Updated PowerShell injection templates to address issue w/ Windows 10.0.17134
+ Updated to Mimikatz 2.1.1 20180502
+ DNS Beacon now recovers from a failed AAAA download more gracefully.
+ Hardened DNS Beacon against an edge case for repeated/out-of-order requests
April 9, 2018 - Cobalt Strike 3.11
+ Added dllload command to Beacon. Calls LoadLibrary() w/ parameter in remote process.
+ Mitigated crash for Artifact Kit generated DLLs on certain loading conditions.
+ Added module stomping to Malleable PE options. Configures Beacon's loader to load
an unneeded library and overwrite its space instead of using VirtualAlloc.
+ Synced built-in MITRE ATT&CK matrix to the January 2018 release.
+ Beacon downloads smaller file pieces per check-in when HTTP chunking is in use
+ stomppe Malleable PE option stomps MZ, PE, and e_lfanew values once Beacon is loaded
+ Extended Malleable PE obfuscate option to obfuscate Beacon's DLL headers and header
slack space. This option also LoBoToMiZeS the DLL header once Beacon is loaded.
+ Added dns_max_txt and dns_ttl Malleable C2 options to tweak Beacon DNS C2 further.
+ &bdllspawn now accepts arguments larger than the previous 16KB limit.
+ Added execute-assembly to run a .NET executable on target without touching disk
+ Added Malleable PE options to change these fields of Beacon's Reflective DLL:
- checksum: CheckSum value
- entry_point: AddressOfEntryPoint (Cosmetic. Does not affect execution)
- name: the Exported name (e.g., beacon.dll)
- rich_header: replace the Rich Header with some other rich header
+ Added Malleable C2 sample_name option to name your "payload" in the IOCs report.
+ Cobalt Strike now aggregates more info about your profile to the reporting engine
+ Updated the IOCs report to show PE info, contacted hosts, a traffic sample, and
interesting strings for the Malleable C2 profile associated with each server.
+ Added peclone utility to Cobalt Strike Linux package. This utility parses a PE
file and prints a Malleable PE stage block with extracted values.
+ Artifact Kit now pushes decoded payload directly into alloc'd memory.
+ Added cleanup option to Malleable PE. This asks Beacon to attempt to free the
memory associated with the self-bootstrapping package that loaded it.
+ Added reg query|queryv to Beacon to query the registry
+ Added setenv command to Beacon
+ Updated getsystem/pth to use %COMSPEC% instead of cmd.exe.
+ Updated to Mimikatz 2.1.1 20180325
+ Hardened SSH sessions against infinite blocking situations.
+ Changed quoting convention in PowerShell scripts.
+ Added functions: &breg_query, &breg_queryv, &bdllload, and &bexecute_assembly
+ Added hex and vbs options to &transform
+ Extended Resource Kit to control CS's VBS and HTML Application output.
+ Added &transform_vbs to offer additional control over the VBS transform.
+ Added uac-token-duplication option to built-in privilege elevation options.
+ Added runasadmin to run a command in a high integrity context. This uses the UAC
Token Duplication attack. &brunasadmin gives scripts access to this too.
+ Rebuilt x86 VNC server DLL with v90 toolchain for maximum Windows 2000 fun.
+ Hardened the default (dist-pipe) Artifact Kit against rare error conditions.
+ Fixed a Beacon crash on Windows XP when CreateProcessWithTokenW is not present.
+ ReflectiveLoader now zeroes out its entire VirtualAlloc'd space
+ Made changes to the updater program for Java 9 compat and prep for cert changes
+ Internal script console implementation no longer uses $x and $error
+ Metadata verification now allows "unknown" as an internal IP value.
11 Dec 17 - Cobalt Strike 3.10
+ Added a ~1s delay to team server's authentication answer to mitigate brute force
+ x86 HTTP staging protocol server check now requires right x86 stager URI checksum
+ Randomized the unused host padding inside of the DNS TXT record stager.
+ Made changes to x86 XOR stage encoder stub
+ Added SSL support to Cobalt Strike's web-based social engineering features
+ Infused MITRE's ATT&CK matrix into Cobalt Strike:
- &attack_* functions provide access to ATT&CK data for custom reports
- Added Tactics, Techniques, and Procedures report: maps activity to ATT&CK
- &btask now accepts a comma separated list of ATT&CK tactics as an argument
+ Fixed: short title in report export dialog now affects the generated report
+ Added &h4, &list_unordered, and &p_formatted functions for custom reports
+ File browser right-click popups now announce "input" for actions taken.
+ Updated Synthetica L&F to version that is compatible with Java 1.9
+ CS now uses session-specific ANSI/OEM codepages to encode input and decode output
+ Beacon logs now normalize output to UTF-8 encoding.
+ Added "GUI Font" to Cobalt Strike preferences. Changes the font used by the UI
+ cobaltstrike.exe launcher on Windows now searches for Java 1.9 in registry
+ Changed how Beacon sends routine error messages back to Cobalt Strike
+ Added getprivs command to Beacon. (The ps command no longer gets privs for you.)
+ Refactored shell and powershell commands to transfer logic from Beacon to CS
+ Added &beacon_execute_job to run a command as a post-ex job and report output to CS
+ Added &str_encode and &str_decode to encode and decode a string with specified charset
+ Added &beacon_host_imported_script to host previously imported script and return a
one-liner to download and evaluate it. Returns nothing if no imported script exists
+ Added Malleable PE options string, stringw, and data to populate the .rdata section
of Beacon's rDLL with the specified strings.
+ Updated to mimikatz 2.1.1 20171106
+ HTTP server drops requests with malformed headers.
+ Proxy Server dialog is now friendly to @ in proxy username and password.
+ Fixed &format_size with larger file sizes
+ download now works with files >2GB. Reports an error if file is >4GB.
+ Minor syntax fix to C# shellcode output in Payload Generator
+ Fixed a Java 1.9 warning in the updater program.
+ Removed dependence on Java EE API (for 1.9 compatibility. Ugh).
+ Added an admin check to [beacon] -> Access -> Dump Hashes
+ Added safety check to prevent SMB Beacon localhost staging failure when there's a name
conflict with this listener between multiple servers.
+ Export Data now uses UTF-8 encoding for its output
NOTE: An in-place update of Cobalt Strike with live sessions is never recommended. With
Cobalt Strike 3.10, this is especially true. Cobalt Strike 3.10 cannot control sessions
from previous versions of Cobalt Strike.
26 Sept 17 - Cobalt Strike 3.9
+ Updated VBA and VBS shellcode embedding to accommodate 3.9's larger stagers.
21 Sept 17 - Cobalt Strike 3.9
+ x86 HTTPS stager now (correctly) uses profile-specified URI
+ c2lint now flags absence of uri_x86 and uri_x64 as errors when a transform on the
stager output is present.
20 Sept 17 - Cobalt Strike 3.9
+ Added a startup check to verify -XX:+AggressiveHeap and -XX:+UseParallelGC are set.
+ Added a dialog to present a URL when the browser open action is not supported
+ powershell-import now uses a broader regex to find function names for tab completion
+ Changed the applet attack's memory allocation/process injection characteristics
+ Limited the team server file sync primitives to the downloads/ folder only.
+ Malleable C2 now prints a console error when POST'd session ID is empty
+ Artifact Kit uses SetThreadContext/ResumeThread for same-arch cross-process injection
+ Added Malleable client parameters/headers and server transforms to HTTP/HTTPS staging
+ Added a startup check + warning for Wayland desktops. (Not supported with CS)
+ c2lint now checks syswow64/sysnative case for spawnto_x86/spawnto_x64. It's important
+ &beacon_host_script now compresses imported PowerShell script (like powershell-import)
+ Made changes to the local staging process for the named pipe Beacon
! Removed windows/foreign/reverse_dns_txt as a listener (needed for the next change...)
+ Added dns_stager_prepend Malleable C2 option to offset DNS stage value in TXT records
+ Updated VNC server to remove unneeded "stuff" and improve reliability.
+ Restricted the team server file upload primitive to the uploads/ folder only.
+ Help -> System Information now includes environment variables
+ Licensed CS now requires a valid + non-expired authorization file to start. This file
is generated and refreshed by the update program in 3.9+
+ Licensed CS now embeds a 4-byte customer ID (from auth file) into stages and stagers
+ Added obfuscate Malleable PE option to mask import table strings
+ Updated to mimikatz 2.1.1 20170813
+ Added &gunzip function to Aggressor Script.
+ &closeClient now works when called from headless Aggressor Script client.
+ &add_to_clipboard puts text into the clipboard and prompts the user.
+ headless Aggressor Script client now waits on global data before firing on ready event
+ Added light obfuscation to the System Profiler.
+ Added &encode function to obfuscate shellcode/stages with a CS encoder
+ Added &range and &iprange to generate a list of numbers/IPs from a string description
+ Added mask data transform to Malleable C2. Masks data with a random 4-byte value.
+ DNS Beacon accounts for in-progress HTTP GET-transfers when asked for IP address
23 May 17 - Cobalt Strike 3.8
+ Attacks -> Web Drive-by -> Host File maps .ps1 to text/plain (auto mime-type)
+ Host File dialog now checks that URI begins with a /
+ Fixed a bug with Malleable C2's base64url encoder
+ Exceptions thrown by Aggressor Script function calls are sent to the Script Console
+ Added [beacon] -> Access -> Elevate to pick a registered priv escalation to launch.
+ &bmode can now accept a dns6 argument.
+ Beacon DNS processor now lowercases all requests. (This was a 3.0 regression)
+ Web server now prints information & errors the same way other CS features do
+ Added ppid command to set parent process for processes Beacon launches
+ Added runu to run an arbitrary program under a specific process ID.
+ Added spawnu to spawn a session under a specific process ID (uses powershell.exe)
+ Updated web server to drop non-HTTP requests with no response.
+ Reporting now shows DNS Beacon mode changes in session transcripts
+ Artifact Kit's non-migrating artifacts start threads with memory backed by module
+ Improved c2lint's SSL keystore checks.
+ Cobalt Strike now updates PE CheckSum field for its executables and DLLs
+ Beacon now uses SetThreadContext/ResumeThread to start jobs in patsy processes
+ Beacon process injection now uses CreateThread for injecting into self
+ Added shspawn command to spawn shellcode file as Beacon post-ex job.
+ The updater program now verifies downloads via https://verify.cobaltstrike.com
Download the latest trial package to get the updated updater.
+ Updated to Mimikatz 2.1.1-20170508
+ Added scripting hooks to grant users control over PowerShell, Python, and VBA
templates used throughout Cobalt Strike. See the "Resource Kit" in the Arsenal.
+ Added Malleable C2 options: hijack_remote_thread, create_remote_thread to tweak
Beacon's process injection codepaths. Both are true/false options.
+ Added work-around for "Parallel GC" Java bug (Java 1.8u131) that prevents Cobalt
Strike from running. Download the latest trial package to benefit from this.
15 Mar 17 - Cobalt Strike 3.7
+ Added "set pipename_stager" Malleable C2 option to change named pipe stager pipe
+ Added manual proxy options to stageless Beacon artifacts
+ Attacks -> Packages -> Windows EXE (S) now shows listener names
+ Added &artifact_stageless function to generate stageless artifacts from scripts
+ &brm now rejects an empty argument
+ Added cp (copy) and mv (move) commands to Beacon. Added &bcp, &bmv for scripts
+ Added EXE and DLL code-signing capability to Cobalt Strike
- Malleable C2's code-signer block specifies the keystore and attributes
- Attacks -> Packages -> Windows EXE and Windows EXE (S) have a checkbox
to request a signed EXE or DLL
- The &artifact_sign function signs its argument (presumably a PE file)
+ Malleable C2 is now tolerant of case-transformed headers
+ Added Aggressor Script APIs to create simple dialogs
+ Added a parser to add mimikatz lsadump::sam results to credential model.
+ Team server now uses SHA256 hash for its SSL-cert fingerprint
+ Added Malleable C2 options to modify Beacon's payload stage/Reflective Loader
+ Reduced Beacon's use of RWX permissions in its process injection code path
+ Reduced use of RWX permissions in non-trial Artifact Kit.
+ Fixed bug with SSH agent not always resolving path for file downloads
+ Added API for Cobalt Strike's web server: &site_host, &site_kill.
+ Enhanced the error reporting for client/server disconnections
+ Updated DNS stager to not modify itself.
+ Added an x64 stage encoder for Beacon stages delivered over SMB and HTTP/S
+ Added dns_stager_subhost Malleable C2 option to change DNS TXT stager indicator
+ Updated to mimikatz 2.1.0-20170305
8 Dec 16 - Cobalt Strike 3.6
+ Added sanity check to HTTP header length.
+ Added script constants \c, \U, and \o to agscript client.
+ Beacon drops token when connecting to capability pipe anonymously. This should
mitigate some error 5s (permission denied) when using jobs after stealing a token
+ VNC client and Proxy Pivots -> Tunnel now use the IP address the CS client
connected to as the team server IP and not the value used when starting the
+ Added Preferences -> Cobalt Strike -> VNC Ports option. This configures the range
of ports CS should use for VNC client connections between the client and the
+ Added &layout to custom reports. It's &table but without a border and col headers
+ Expanded Malleable C2 to allow additional flexibility with HTTP requests:
- Use 'set verb' to change the default HTTP verb for http-get/http-post
- http-get.client.metadata can now print if http-get's verb is POST.
- http-post.client.output can now use uri-append, parameter, and header
Beacon will chunk output into small blocks when these options are used.
- http-post.client.id can now use print if http-post's verb is POST.
- c2lint checks for possible mistakes/issues with the above.
+ c2lint now checks for assignment collisions.
+ c2lint now shows a preview of both http-get AND http-post.
+ Added base64url encoding to Malleable C2. (This is a URL-safe encoding option).
+ SSH client now reports output sent to STDERR.
+ Added sanity check to HTTP POST Content-Length (max allowed is 10MB. Still big.)
+ SSH client now combines consecutive reads for a channel into one output blob.
+ Added entries to the Host File feature's automatic mime-type assignment table.
+ Reworked spawnto to allow operator control over x86 and x64 behavior.
- Deprecated Malleable C2 set spawnto option (it's ambiguous)
- Added set spawnto_x86 and set spawnto_x64 to Malleable C2.
- Beacon's spawnto command now expects arch value to target right setting
+ Expanded spawn command to accept arch parameter (e.g., spawn x64 <listener>)
+ x64 Beacon falls back to RtlCreateUserThread when CreateRemoteThread fails.
+ Updated Beacon Job IDs to stick with job throughout its life
+ Added an Aggressor Script API to add exploits to Beacon's elevate command
+ Added &powershell_encode_oneliner to Aggressor Script. This function base64
encodes a PowerShell expression and returns a one-liner to run it.
+ Added quiet variants of many session tasking Aggressor Script functions. These
functions task a session without an acknowledgement. [e.g., bshell!("arp -a")]
+ Added &bdllspawn. This function launches a Reflective DLL as a Beacon post-ex job.
This rDLL job can send output to Beacon by writing to STDOUT. This rDLL can also
receive an argument from &bdllspawn. Check out the Aggressor Script docs for info.
+ Added arch parameter to &bstage (to allow staging x64 SMB Beacon locally)
+ hashdump now does a better job with larger sets of users.
+ DNS C2 applies tighter criteria to determine if a request is a "beacon" or not.
+ CS client filters listeners w/o stages when Malleable C2 host_stage is false
+ Addressed a potential thread-conflict with a shared buffer in an encryption routine
+ Cobalt Strike Trial no longer encrypts Beacon tasks and responses. *pHEAR*
+ Re-revised foreign listeners to return x86 shellcode only.
+ Updated to Mimikatz 2.1 20161126.
+ Added &bsetenv to set an environment variable within Beacon.
+ Added &bpsexec_command to run a command on a target via the service control manager
+ Keystroke logger is now better about non-US keyboard layouts.
+ Team server now properly releases resources from non-CS client connections
+ Removed keylogger start|stop from tab completion [these options no longer exist]
+ CS's web server returns 404 for HTTP proxy attempts when no proxy handler is setup
+ Fixed occasional x64 HTTP/HTTPS stager crash on Windows 10-era systems
3 Oct 16 - Cobalt Strike 3.5.1
This release implements measures to harden Cobalt Strike against malicious sessions.
+ Re-worked file download feature. Cobalt Strike continues to store downloaded files
in the downloads/ folder, but this time with a random name and no sub-folders. The
View -> Downloads and Sync Files user experience is restored to the behavior prior
to 3.5-hf1 and 3.5-hf2. The logs/[date]/downloads.log file contains a manifest of
downloaded files and maps known information about the file download to the random
names in the downloads/ folder.
+ Team server now uses a safe path concatenation function that compares canonical
paths of the parent and result concatenated path to make sure the result doesn't
break out of its parent.
+ Added host_stage = true/false option to Malleable C2. This option allows you to
disable the public hosting of a payload stage over HTTP, HTTPS, and DNS.
+ Beacon controller now refuses to process most session responses if a session is
new and has not had a task yet. Some responses are still allowed prior to tasking.
+ Beacon controller drops sessions whose session metadata didn't validate.
+ Beacon's upload command with path no longer checks for 1MB limit
+ Added 0.0.0.0 to team server's list of hosts it won't accept.
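
The download and path-concatenation hardening described in the 3.5.1 notes above, sketched as an added example. This is not Cobalt Strike's code: Python is a stand-in, and the function names, manifest layout and sample file names are assumptions made for illustration.

```python
import os
import secrets
import tempfile


class PathEscapeError(ValueError):
    """Raised when a joined path would resolve outside its parent."""


def naive_join(parent, child):
    # Weak form: trusts the child component. "../" sequences and absolute
    # paths are honoured, so the result can land anywhere on disk.
    return os.path.normpath(os.path.join(parent, child))


def safe_join(parent, child):
    # Canonicalise both sides (resolves "..", "." and symlinks), then require
    # the result to sit strictly below the canonical parent.
    parent_real = os.path.realpath(parent)
    result_real = os.path.realpath(os.path.join(parent_real, child))
    try:
        common = os.path.commonpath([parent_real, result_real])
    except ValueError:  # e.g. paths on different drives on Windows
        common = None
    if common != parent_real or result_real == parent_real:
        raise PathEscapeError(f"{child!r} escapes {parent!r}")
    return result_real


def store_download(downloads_dir, manifest_path, reported_name, data):
    # The name reported by the session is recorded as data only. The on-disk
    # name is random and flat (no sub-folders), so it cannot steer the write.
    random_name = secrets.token_hex(16)
    target = safe_join(downloads_dir, random_name)
    with open(target, "xb") as fh:  # "x": never overwrite an existing file
        fh.write(data)
    # repr() escapes tabs and newlines so a hostile name cannot forge
    # extra manifest lines. The manifest layout here is an assumption.
    with open(manifest_path, "a", encoding="utf-8") as fh:
        fh.write(f"{random_name}\t{reported_name!r}\t{len(data)}\n")
    return target


def demo():
    # Constructed sample names, checked against a throwaway directory tree.
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "downloads")
        outside = os.path.join(root, "outside")
        os.mkdir(downloads)
        os.mkdir(outside)
        # A symlink inside the parent that points outside of it.
        os.symlink(outside, os.path.join(downloads, "link"))
        results = {}
        for name in ["report.txt", "a/../b.txt", "../outside/x",
                     "/abs/x", "link/x", "."]:
            try:
                safe_join(downloads, name)
                results[name] = "accepted"
            except PathEscapeError:
                results[name] = "rejected"
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9} {name}")
```

The string-level check in `naive_join` cannot see the symlink case; only comparing canonical paths catches it.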
29 Sept 16 - Cobalt Strike 3.5-hf2
+ Broader hardening of the Beacon controller against the RCE security issue.
28 Sept 16 - Cobalt Strike 3.5-hf1
+ Hot fix for a security issue. See Cobalt Strike blog:
Cobalt Strike RCE. Active Exploitation Reported.
22 Sept 16 - Cobalt Strike 3.5
+ Fixed sanity checks when adding a listener.
+ Lateral Movement & Make Token dialogs use a . if user leaves Domain field blank
+ Beacon socks command now asks Beacon to checkin interactively (sleep 0)
+ Added ssh and ssh-key commands to Beacon to create an SSH session with a target.
These sessions allow you to run commands, upload/download files, and pivot
through targets over SSH.
+ Took steps to reduce likelihood of Beacon ID collisions
+ &bmimikatz function will now dispatch multiple commands separated by newlines.
+ SMB Beacon download feature now pulls bigger file chunks (~256KB) per checkin
+ Fixed double unlink notices for named pipe sessions.
+ Added several Aggressor Script enhancements:
- ssh_alias keyword to add commands to SSH sessions
- ssh_initial event to respond to new SSH events
- ssh popup hook
- &ssh_command_register to register SSH aliases with SSH help command
- &bssh, &bssh_key to launch an SSH session from a Beacon
- &bsudo to run the SSH session's sudo alias
- &ssh_commands, &ssh_command_describe, &ssh_command_detail to grab help
information for SSH session commands.
- -issh $id, -isbeacon $id predicates to test whether an ID is a specific
type of session
- -isadmin $id predicate to check if a session is admin-level
- -is64 $id predicate to check if target is an x64 system.
- &sbrowser function to create a session browser GUI object
- SSH sessions have their own sets/events that are similar to the ones
that exist for Beacon sessions.
+ View -> Proxy Pivots now posts input for rportfwd stop/socks stop
+ Added sanity check for team server <host> parameter to avoid common mistakes
+ x86 stager generation code now always uses x86-specific URI checksum.
29 Jul 16 - Cobalt Strike 3.4
+ Save dialog now defaults to the last saved file's location
+ Cleaned up several strings in Beacon's stage.
+ Added Malleable C2 option to set the name of SMB Beacon's named pipe
+ Added command-line help options for team server startup.
+ Added a kill date parameter to team server. This will embed a drop dead date
into each Beacon stage generated by this team server.
+ Archiver on team server now truncates its entries to a set size. This prevents
a slow memory leak on the team server.
+ Fixed bug that capped Beacon's jitter variance to 32s, regardless of sleep time
+ Added a cobaltstrike.server_port property to change team server's default port
+ Fixed bug processing HTTP GET Malleable C2 recovery programs > 128 bytes.
+ Hardened Beacon's Malleable C2 recover code against corrupted/unexpected data.
+ Added Beacon's architecture (x86, x64) to session metadata as barch key. Also
added an (x64) indicator to statusbar in x64 Beacon consoles.
+ 'mode dns' now restricts DNS host length (for puts) to 25% of maxdns value.
The 'mode dns-txt' option is 100% of the maxdns value. 'mode dns6' is 50%
+ Beacon's upload command now supports files larger than 1MB.
+ Fixed a bug in task queue chunker that could affect order of task execution
+ Cobalt Strike -> Listeners shows last listener error in red, if there is one.
+ Added option to export COM Scriptlet (.sct) to Payload Generator dialog
+ Spear Phishing tool now allows Windows-style line endings for targets file
+ Added dns_idle setting to Malleable C2. Changes DNS C&C idle IP from 0.0.0.0
+ Added dns_sleep Malleable C2 setting. Forces a sleep before all DNS requests
+ Added 'mode dns6' to use DNS AAAA records as a data channel for DNS Beacon.
+ maxdns is now interpreted as maximum length of hostname to send data back
+ Improved DNS data channel throughput when using hostnames to send data back.
+ Updated to mimikatz build (Jan 31, 2016) to address golden ticket indicator
+ Spear Phish mail server setup now adds option to force STARTTLS
+ Fixed a bug with STARTTLS upgrade (introduced in 3.0)
+ Added &bnet function to call Beacon's net module.
+ Added &beacon_host_script function to (locally) host a PowerShell script and
return a one-liner to grab it/run it.
+ Fixed exception caused when hand-editing targets field in Spear Phish dialog
+ Fixed a potential exception caused by a race when removing a listener
18 May 16 - Cobalt Strike 3.3
+ Added krbtgt helper to Golden Ticket dialog.
+ Added filter feature (Ctrl+F) to most of Cobalt Strike's tables.
+ Raised data model retention limits again.
+ cobaltstrike.exe on x64 Windows now looks for x86 Java if x64 Java is not found
+ Removed remnants of non-existent task command.
+ Aliased ? to help in Beacon console.
+ Mitigated DOS condition that could stop Team Server from accepting new clients
+ Fixed conflict between Malleable C2 partial URIs (uri-append) and HTTP/S
staging protocol. Malleable C2 partial URIs requests match to handler first.
+ Added c2profile info to Help -> System Information
+ Made keystroke logger loop tighter.
+ Added powerpick command to run PowerShell via Unmanaged PowerShell technique
+ Added psinject command to inject Unmanaged PowerShell into a specific process
+ Added 3389 to default portscan port list.
+ Made multiple error checking enhancements to c2lint.
+ Added Reload button to Script Manager dialog.
+ Added ready column to Script Manager to indicate if script is loaded or not.
+ Ctrl+Shift+D closes all tabs except the active one.
now completes the current Beacon note.
+ Added net time to Beacon's net module.
+ powershell-import size check occurs *after* compressing the script.
+ DNS server responds to (unexpected) AAAA requests with an empty answer section
+ Mimikatz parser now preserves passwords with spaces.
+ Beacon now uses encrypt-then-MAC to verify task/response message integrity
+ Updated web server to have enough Range request support to satisfy bitsadmin
+ Replaced PowerShell Web Delivery with Scripted Web Delivery. This dialog
generates artifacts and one-liners to deliver payloads with: bitsadmin,
powershell, python, and regsvr32.
+ Added VBA shellcode injection option to the HTML Application Attack.
+ Added an option to use x64 stagers/stages to:
- Attacks -> Packages -> Payload Generator
- Attacks -> Packages -> Windows Executable
- Attacks -> Packages -> Windows Executable (S)
+ Added x64 artifacts to the Artifact Kit
+ Added shinject command to inject shellcode into a process
+ Made the following updates to Aggressor Script:
- &binject now accepts an arch (x86, x64) parameter.
- Added &beacon_ids function to get all Beacon IDs
- Added &bpowerpick / &bpsinject functions to go with the above.
- Added &openScriptedWebDialog for Scripted Web Delivery
- Added &bshinject to go with shinject command
- Extended &shellcode with an x86/x64 architecture parameter
- Extended &artifact with an x86/x64 architecture parameter
- Extended &artifact types with powershell, vbscript, and python
- Extended &powershell with an x86/x64 architecture parameter
- &agServices now limits its results to hosts in targets model only.
+ The make_token command now accepts passwords with spaces.
+ Improved Bypass UAC attack's reliability. It also gives feedback now.
4 April 16 - Cobalt Strike 3.2
+ Removed errant date parsing code from Mimikatz output scraper.
22 Mar 16 - Cobalt Strike 3.2
+ Fixed potential null pointer exception in multi-Beacon Process Browser
+ Fixed a type-issue that could cause client disconnect when editing credentials
+ Text displays show horizontal scrollbar if a text token is longer than display
+ Hardened report generator against empty bookmarks.
10 Mar 16 - Cobalt Strike 3.2
+ Standard dialogs (messages, prompts) are now created in Swing's EDT
+ Merged client data sync process to one mechanism
+ Made slight change to bind TCP staging protocol.
+ Fixed bug with Beacon desktop command running twice when three args specified
+ Scrollbar now appears in connection list (when one is warranted).
+ Fixed VPN pivoting deployment error caused by internal API changes.
+ Added a startup warning for OpenJDK users. OpenJDK is not recommended for use
with Cobalt Strike. It has occasional bugs that severely impact CS users.
+ Bind TCP staging process now encodes x86 payloads
+ Raised the max entry limits in Cobalt Strike's data model.
+ Port Scanner now properly ids Ubuntu OpenSSH banner as a Linux system
+ Added an x64 Beacon agent. You can now inject Beacon into x64 processes.
+ Added a timeout to VNC session handshake. If the timeout expires, you're asked
to try the VNC process again.
+ [beacon] -> Explore -> Desktop announces desktop command to the beacon console
+ [beacon] -> Interact now activates Beacon's existing tab, if one is open.
+ Fixed a bug downloading 0 byte files.
+ Raised max number of linked beacons from 15 to 40.
+ Added 'net computers' to query Domain Computers/Domain Controllers groups to
discover targets and populate Cobalt Strike's data model.
+ VPN Pivot now filters the VPN client's host and hosts in client's pivot chain.
+ Added Reporting -> Reset Data to reset Cobalt Strike's data model.
+ Modified teamserver script to avoid re-generating SSL cert if keystore exists
+ Website Keystroke Logger tool now logs to webkeystrokes.log on team server.
+ NMap import does not import hosts with no open services.
+ text prompts no longer fire their callback if dialog is cancelled.
+ Consoles now display a horizontal scrollbar when there is a text token longer
than the console can display.
+ PowerShell Web Delivery and powershell-import now compress hosted scripts.
+ Added warning to prevent deploying CovertVPN on Windows 10.
+ Hardened recursive task building logic against potential loops.
+ Changed screenshot publish/read protocol to avoid incomplete screenshots
+ Added processbrowser and processbrowser_multi popup hooks to Aggressor Script
+ upload and powershell-import report errors if content is too big.
+ Ctrl+Shift+T takes screenshot of entire CS window and pushes it to team server
+ Reporting engine frees up memory after report is generated.
+ Hardened report generator against empty pages and empty tables.
8 Dec 15 - Cobalt Strike 3.1
+ Fixed report generation bug when masking long email addresses
+ Fixed race that made metadata unavailable to beacon_initial event
+ &binfo("id") now returns all metadata for the specified beacon id
+ Screenshots in memory no longer cache their ready-to-render form. This prevents
out of memory exceptions for those of you watching busy desktops.
4 Dec 15 - Cobalt Strike 3.1
+ Fixed report generation issue with UTF-8 encoded characters.
+ SE Report now excludes campaigns with no delivered messages.
+ Spear Phishing tool now preserves base64 encoded parts with a Content-ID
+ Script Console e, x, and ? commands present errors in friendlier way.
2 Dec 15 - Cobalt Strike 3.1
+ Beacon help command complains when asked about a command that doesn't exist
+ VNC server stage is now encoded
+ Bypass UAC on Windows 10 now takes steps to use an artifact that's OK with
blocking DLL_PROCESS_ATTACH [not all techniques are OK with this].
+ Updated integrated mimikatz to 2.0 alpha 20151008
+ Added dcsync command to Beacon. Uses mimikatz to pull a hash from a DC. CS
parses its output and adds the credential to the creds model too.
+ Fixed null pointer exception when trying to save an edited listener.
+ mimikatz @module::command will force mimikatz to use beacon's thread token
+ Download cancel now properly releases file handle in Beacon.
+ client now trims large data structures in the same way the team server does
+ Screenshot tool is now smarter. If user is idle, it returns one screenshot
every three minutes. If user is active, it will return one each check-in.
+ Session metadata is now in the Beacon logs on the team server.
+ CS now offers to direct user to team server documentation when they get a
Connection refused error.
+ Added headless option to run Aggressor Scripts. Use the agscript launcher
included with the Linux package.
+ Obfuscated Artifact Kit's service entry point slightly.
+ DNS Beacon export option was not showing up in the stageless payload export
dialog if windows/beacon_dns/reverse_dns_txt was set as the listener. Fixed.
+ Scan dialog now complains if a Beacon session wasn't selected.
+ Export Data and Sync Files features now mkdir folders that don't exist.
+ Added check to prevent you from using CS with Java 1.6.
+ %TOKEN% is now replaced everywhere in phishing template, not just URL.
+ Added Export button to View -> Credentials. Exports creds in PWDump format
+ Fixed stager crash on exit after failure; caused by wrong byte order exitfunk
+ Added a sanity check for phishing target files w/ reversed email/name info
+ View -> Targets now has an import button. Imports: NMap XML & flat host files
+ IoC Report now only shows each hash once.
+ Fixed several bugs that could affect report generation.
+ Spear Phishing tool no longer strips attachments with a Content-ID header.
+ Added several APIs to Aggressor Script
+ DNS Stager now exits after all attempts exhausted (better than crashing)
24 Sept 15 - Cobalt Strike 3.0
+ Switched to the Aggressor project's team server and client. Aggressor
was a long effort to rewrite Cobalt Strike's team server and client without
the Armitage codebase and dependency on the Metasploit Framework. The
Aggressor project expanded Beacon's post-exploitation capability and
re-aligns Cobalt Strike's workflows around the Beacon payload.
+ psexec commands now query service before they shut it down. This fixes a
race condition that affected psexec's success in some situations.
+ Beacon now acknowledges the exit command and a message is shown.
+ Team server now delivers very large Beacon taskings in chunks. Beacon has a
hard limit on taskings and this prevents large taskings (e.g., mimikatz sent
to 5+ different hosts) from crashing Beacon.
+ The sleep command in an SMB Beacon now sends the command up to the egress
Beacon to take effect.
+ psexec and friends tab complete target NetBIOS names from CS's data model
+ Added port scanner and net [view] modules to Beacon.
+ Named pipe staging now aborts after 60s of attempts or an error 53.
+ Bypass UAC now works on Windows 10
+ Added a profile preview to the c2lint utility.
+ Updated Artifact Kit and Applet Kit to use Aggressor Script APIs to hook
into attack generation process.