Friday, June 14, 2024

Cobalt Strike 4.9 Released: What’s New!

The latest version of Cobalt Strike 4.9 is now available. This release includes improvements to Cobalt Strike’s post-exploitation capabilities, including the ability to export Beacon without a reflective loader, which adds official support for prepend-style URLs, support for callbacks in many built-in functions, a new in-Beacon data store, and more.

Users who have a valid license can obtain the latest Version 4.9 of the software by either downloading it from the official website or using the update program. It is recommended to read the release notes before installing the update.

What’s New in Cobalt Strike 4.9?

Update to post-exploitation capabilities of Cobalt Strike

The post-exploitation capabilities of Cobalt Strike have been updated, and the following post-exploitation DLLs now support prepend-style User Defined Reflective Loaders:

  • browserpivot 
  • hashdump 
  • invokeassembly 
  • keylogger 
  • mimikatz 
  • netview 
  • portscan 
  • powershell 
  • screenshot 
  • sshagent

To execute this modification and replace the default reflective loader with a UDRL, a new Aggressor Script hook called POSTEX_RDLL_GENERATE has been introduced.

Export Beacon Without A Reflective Loader

When utilizing UDRLs, Beacon may now be utilized without the exporting reflective loader function. Additionally, this change enhances support for prepend-style UDRLs.  

Callback Support

“We have had a number of requests from our users to make it easier to process the results of certain function calls. This is challenging due to the asynchronous nature of Cobalt Strike’s communications, but this has been addressed in this release by adding callbacks for several built-in functions, ” the company said in its blog.

The following Aggressor Script functions now support callbacks:

  • bnet 
  • beacon_inline_execute 
  • binline_execute 
  • bdllspawn 
  • bexecute_assembly 
  • bhashdump 
  • bmimikatz 
  • bmimikatz_small 
  • bportscan 
  • bpowerpick 
  • bpowershell 
  • bpsinject

Beacon Data Store

Further, in this new release, the company introduced a Beacon Data store that lets you save BOFs and .NET assemblies in Beacon’s memory, enabling the stored items to be run several times without transmitting the item.

Beacon User Data

Beacon User Data is a C structure that allows Reflective Loaders to pass additional data to Beacons. It also enables a Reflective Loader to resolve and provide system call information to Beacon, bypassing the normal system call resolver. BOFs can retrieve a pointer to this data with the BeaconGetCustomUserData function.  

WinHTTP Support

Beacon’s HTTP(S) listener has previously relied on the WinInet library by default. Support for the WinHTTP library has been implemented in response to user input.  

“A new Malleable C2 group, .http-beacon, has been created. Additionally, a .http-beacon.library option has been added to allow you to set the default library used when creating a new HTTP(S) listener”, the company explains.

Host Profile Support for HTTP(S) Listeners

When the Beacon payload is generated, callback host names are given to a single URI, and HTTP(S) parameters and headers are set at the profile or variant level. This implies that all HTTP(S) traffic to that host appears to be extremely similar.  

“We have addressed these limitations by adding a new Malleable C2 profile group – http-host-profiles. This allows you to define HTTP characteristics (URI, headers, and parameters) that will be used for HTTP(S) communications for a specific hostname”, the company said.

Inter-Client Communications

Three new Aggressor Script methods have been introduced to make firing and consuming custom events easier:  custom_event, custom_event_private, and custom_event_<topic-name>.

BOF Updates

Three new APIs have been added to Beacon to support this key/value store:  

BeaconAddValue(const char * key, void * ptr) allows you to add a memory address to a key. 

BeaconGetValue(const char * key) allows you to retrieve the memory address associated with a key. 

BeaconRemoveValue(const char * key) allows you to remove the key.

Sleep Mask Update

The sleep mask processing has been modified to mask Beacon’s patched sleep mask code. 

System Call Updates 

Support for direct and indirect system calls has been added for DuplicateHandle, ReadProcessMemory, and WriteProcessMemory.

Product Security Updates

“A change has been made to authorization files so that they are no longer backward compatible with older versions of Cobalt Strike. This means that the authorization file generated when you update to or install the 4.9 release will not work with any 4.8 versions that you may also need to use”, the company said.

The company also assured that the minimum supported Java version will be updated from Java 8 to Java 11 in the upcoming release.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles