The latest version of Cobalt Strike 4.9 is now available. This release includes improvements to Cobalt Strike’s post-exploitation capabilities, including the ability to export Beacon without a reflective loader, which adds official support for prepend-style URLs, support for callbacks in many built-in functions, a new in-Beacon data store, and more.
Users who have a valid license can obtain the latest Version 4.9 of the software by either downloading it from the official website or using the update program. It is recommended to read the release notes before installing the update.
What’s New in Cobalt Strike 4.9?
Update to post-exploitation capabilities of Cobalt Strike
The post-exploitation capabilities of Cobalt Strike have been updated, and the following post-exploitation DLLs now support prepend-style User Defined Reflective Loaders:
- browserpivot
- hashdump
- invokeassembly
- keylogger
- mimikatz
- netview
- portscan
- powershell
- screenshot
- sshagent
To execute this modification and replace the default reflective loader with a UDRL, a new Aggressor Script hook called POSTEX_RDLL_GENERATE has been introduced.
Export Beacon Without A Reflective Loader
When utilizing UDRLs, Beacon may now be utilized without the exporting reflective loader function. Additionally, this change enhances support for prepend-style UDRLs.
Callback Support
“We have had a number of requests from our users to make it easier to process the results of certain function calls. This is challenging due to the asynchronous nature of Cobalt Strike’s communications, but this has been addressed in this release by adding callbacks for several built-in functions, ” the company said in its blog.
The following Aggressor Script functions now support callbacks:
- bnet
- beacon_inline_execute
- binline_execute
- bdllspawn
- bexecute_assembly
- bhashdump
- bmimikatz
- bmimikatz_small
- bportscan
- bpowerpick
- bpowershell
- bpsinject
Beacon Data Store
Further, in this new release, the company introduced a Beacon Data store that lets you save BOFs and .NET assemblies in Beacon’s memory, enabling the stored items to be run several times without transmitting the item.
Beacon User Data
Beacon User Data is a C structure that allows Reflective Loaders to pass additional data to Beacons. It also enables a Reflective Loader to resolve and provide system call information to Beacon, bypassing the normal system call resolver. BOFs can retrieve a pointer to this data with the BeaconGetCustomUserData function.
WinHTTP Support
Beacon’s HTTP(S) listener has previously relied on the WinInet library by default. Support for the WinHTTP library has been implemented in response to user input.
“A new Malleable C2 group, .http-beacon, has been created. Additionally, a .http-beacon.library option has been added to allow you to set the default library used when creating a new HTTP(S) listener”, the company explains.
Host Profile Support for HTTP(S) Listeners
When the Beacon payload is generated, callback host names are given to a single URI, and HTTP(S) parameters and headers are set at the profile or variant level. This implies that all HTTP(S) traffic to that host appears to be extremely similar.
“We have addressed these limitations by adding a new Malleable C2 profile group – http-host-profiles. This allows you to define HTTP characteristics (URI, headers, and parameters) that will be used for HTTP(S) communications for a specific hostname”, the company said.
Inter-Client Communications
Three new Aggressor Script methods have been introduced to make firing and consuming custom events easier: custom_event, custom_event_private, and custom_event_<topic-name>.
BOF Updates
Three new APIs have been added to Beacon to support this key/value store:
BeaconAddValue(const char * key, void * ptr) allows you to add a memory address to a key.
BeaconGetValue(const char * key) allows you to retrieve the memory address associated with a key.
BeaconRemoveValue(const char * key) allows you to remove the key.
Sleep Mask Update
The sleep mask processing has been modified to mask Beacon’s patched sleep mask code.
System Call Updates
Support for direct and indirect system calls has been added for DuplicateHandle, ReadProcessMemory, and WriteProcessMemory.
Product Security Updates
“A change has been made to authorization files so that they are no longer backward compatible with older versions of Cobalt Strike. This means that the authorization file generated when you update to or install the 4.9 release will not work with any 4.8 versions that you may also need to use”, the company said.
The company also assured that the minimum supported Java version will be updated from Java 8 to Java 11 in the upcoming release.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.