Version 4.11 of Cobalt Strike, a widely used threat emulation tool, has been released, packing a robust suite of features designed to enhance evasion capabilities for red teams.
This latest update introduces several novel technologies and improvements, solidifying Cobalt Strike’s position as a leading platform for offensive security operations.
1. Enhanced Evasion Options
One of the highlights of Cobalt Strike 4.11 is its improved evasion options. The one the release showcases is a new process injection technique, ObfSetThreadContext, which takes a module!function + offset (here ntdll!TpReleaseCleanupGroupMembers+0x450) and uses it as the start address of the injected thread, so the thread does not appear to begin in the unbacked memory that holds Beacon. That unbacked start address is exactly the signal thread-scanning tools such as Get-InjectedThreadEx key on.

[Figure: Get-InjectedThreadEx scanning a process into which a 4.11 Beacon has just been injected.]

The technique is selected in the Malleable C2 process-inject block; the entries listed after it are fallbacks that Beacon tries in order if the preferred method cannot be used:

    process-inject {
        execute {
            # Accepts a module!function + offset for thread start address.
            ObfSetThreadContext "ntdll!TpReleaseCleanupGroupMembers+0x450";
            NtQueueApcThread;   # backup injection option 1
            SetThreadContext;   # backup injection option 2
        }
    }
2. Overhauled Reflective Loader
Cobalt Strike has revamped Beacon's reflective loader, shifting to a prepend/sRDI style loader in which the loader code sits in front of the Beacon payload. Alongside it comes a transform-obfuscate option in the Malleable C2 stage block: a chain of transformations is applied to the payload in the order listed, and the prepended loader reverses them at run time. The example below compresses, RC4-encrypts, XORs and then base64-encodes the payload, with the key sizes given as arguments:

    stage {
        transform-obfuscate {
            lznt1;
            rc4 "64";   # NB: the max supported rc4 key size is 128
            xor "32";   # NB: the max supported xor key size is 2048
            base64;
        }
    }
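To make the layering concrete, here is an added Python model of a transform-obfuscate-style chain like the profile above. It is example code, not Cobalt Strike's loader or its on-disk format. It drops the lznt1 stage, since compression adds nothing to the point, and assumes, as the profile order suggests, that transforms are applied top to bottom on the way out and undone bottom to top by the loader. The key lengths, the sample payload and the keys are constructed for the example.

```python
"""Added example: model of a transform-obfuscate chain (rc4 -> xor -> base64).

Illustrative code, not Cobalt Strike's loader; the lznt1 compression stage is
omitted. Assumed rule: stages apply in profile order, the loader reverses them.
"""
import base64
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_repeating(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(payload: bytes, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Forward chain in profile order: rc4 "64"; xor "32"; base64."""
    stage = rc4(rc4_key, payload)
    stage = xor_repeating(xor_key, stage)
    return base64.b64encode(stage)


def deobfuscate(blob: bytes, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Reverse chain: the work the prepended loader (or an analyst) must do."""
    stage = base64.b64decode(blob)
    stage = xor_repeating(xor_key, stage)
    return rc4(rc4_key, stage)


def demo() -> dict:
    """Constructed run: a fake 'Beacon' blob with a PE-like header and random
    keys sized like the profile above (64-byte RC4 key, 32-byte XOR key)."""
    payload = b"MZ\x90\x00" + bytes(range(256)) * 4      # constructed stand-in payload
    rc4_key, xor_key = os.urandom(64), os.urandom(32)     # constructed keys
    blob = obfuscate(payload, rc4_key, xor_key)
    recovered = deobfuscate(blob, rc4_key, xor_key)
    return {"payload": payload, "blob": blob, "recovered": recovered,
            "roundtrip_ok": recovered == payload}


if __name__ == "__main__":
    r = demo()
    print("roundtrip ok:", r["roundtrip_ok"], "| blob starts:", r["blob"][:24])
```

The chain is obfuscation rather than protection: every key the loader needs must travel with it, so once a stage and its loader are captured together the layers unwind mechanically, as deobfuscate does here.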
3. Asynchronous Beacon Object Files (BOFs)
Cobalt Strike introduces async-execute.dll, allowing the execution of BOFs in new threads without blocking Beacon.
This feature supports both single-shot and background execution modes, enhancing the flexibility of post-exploitation activities.
Operators can now run multiple BOFs simultaneously within the same process, each executing as its own job with output viewable in the Cobalt Strike GUI.
4. Stealthy Network Communications with DNS over HTTPS (DoH) Beacon
The release includes a DNS over HTTPS Beacon, providing another stealthy network egress option. The DNS listener dialog gains a DNS Comm Mode option; setting it to DNS over HTTPS stands up a DoH Beacon that uses the default DoH settings.

[Figure: the DNS Comm Mode option in the DNS listener configuration.]

Users who need more control can configure the DoH settings via Malleable C2:
    dns-beacon "DOH_EXAMPLE" {
        set comm_mode "dns-over-https";   # [dns | dns-over-https]
        dns-over-https {
            # Verb: GET | POST (Default: POST)
            set doh_verb "GET";
            # User Agent
            set doh_useragent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)";
            # Proxy Server for HTTP
            # set doh_proxy_server "123.123.123.123:4321";
            # DOH Server List (Default: "mozilla.cloudflare-dns.com,cloudflare-dns.com")
            set doh_server "cloudflare-dns.com";
            # Accept
            set doh_accept "application/dns-message";
            # Headers
            header "Content-Type" "application/dns-message";
            header "header1" "value1";
        }
    }
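What the profile above produces inside the TLS session, as an added Python example (not Cobalt Strike code): RFC 8484 DoH carries an ordinary wire-format DNS message either base64url-encoded in a GET ?dns= parameter or raw in a POST body, with application/dns-message as the media type the profile sets. The server, user agent and accept values are copied from the profile; the /dns-query path, the query name and the use of A queries are assumptions made for illustration, and how Beacon encodes its data into DNS labels is not shown on this page.

```python
"""Added example: the RFC 8484 DoH request shape for a DNS Beacon query.

Illustrative only. Profile values are copied from the Malleable C2 block above;
the qname, the /dns-query path and the record type are constructed.
"""
import base64
import struct

DOH_SERVER = "cloudflare-dns.com"                                   # doh_server
DOH_PATH = "/dns-query"                                             # assumed RFC 8484 endpoint
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"  # doh_useragent
ACCEPT = CONTENT_TYPE = "application/dns-message"                   # doh_accept / header
QTYPE_A, QTYPE_TXT = 1, 16


def build_dns_query(qname: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN.
    ID is 0 and only RD is set, as RFC 8484 recommends for cache-friendly DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname_wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                          for lbl in qname.rstrip(".").split("."))
    return header + qname_wire + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> tuple:
    """Recover (qname, qtype) from a wire-format message; the question section
    is never compressed, so a straight label walk suffices."""
    off, labels = 12, []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, = struct.unpack("!H", msg[off + 1:off + 3])
    return ".".join(labels), qtype


def encode_dns_param(query: bytes) -> str:
    """GET form: base64url with '=' padding removed (RFC 8484 section 4.1)."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def decode_dns_param(param: str) -> bytes:
    """Inverse of encode_dns_param; restores the padding before decoding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_get_request(query: bytes) -> str:
    """HTTP/1.1 text of the GET variant (doh_verb "GET" in the profile)."""
    return (f"GET {DOH_PATH}?dns={encode_dns_param(query)} HTTP/1.1\r\n"
            f"Host: {DOH_SERVER}\r\nUser-Agent: {USER_AGENT}\r\n"
            f"Accept: {ACCEPT}\r\n\r\n")


def doh_post_request(query: bytes) -> bytes:
    """POST variant (the profile's default verb): the DNS message is the body."""
    head = (f"POST {DOH_PATH} HTTP/1.1\r\nHost: {DOH_SERVER}\r\n"
            f"User-Agent: {USER_AGENT}\r\nAccept: {ACCEPT}\r\n"
            f"Content-Type: {CONTENT_TYPE}\r\nContent-Length: {len(query)}\r\n\r\n")
    return head.encode("ascii") + query


if __name__ == "__main__":
    # Constructed beacon-style name: a data label under the team server's zone.
    q = build_dns_query("ab12cd34.example.com", QTYPE_A)
    print(doh_get_request(q))
    print(doh_post_request(q)[-len(q):].hex())
```

Everything built here travels inside TLS to a public resolver, so a network sensor sees only HTTPS to cloudflare-dns.com; the request headers, the user agent and the query names are visible only to the resolver or to endpoint telemetry, which is what makes DoH a useful egress path and a hard one to inspect.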
5. Quality of Life Updates
Cobalt Strike 4.11 also includes several smaller quality-of-life updates.
Cobalt Strike 4.11 represents a significant leap forward in the world of threat emulation, empowering red teams with advanced evasion capabilities and enhanced operational flexibility.
The integrated features not only improve stealth operations but also provide a robust framework for customizing tradecraft within the Cobalt Strike ecosystem.
This release underscores the commitment of the developers to continuously innovate and support sophisticated offensive security operations.