Tuesday, December 3, 2024
HomeCyber Security NewsCobalt Strike 4.9 Released: What’s New!

Cobalt Strike 4.9 Released: What’s New!

Published on

SIEM as a Service

The latest version of Cobalt Strike 4.9 is now available. This release includes improvements to Cobalt Strike’s post-exploitation capabilities, including the ability to export Beacon without a reflective loader, which adds official support for prepend-style URLs, support for callbacks in many built-in functions, a new in-Beacon data store, and more.

Users who have a valid license can obtain the latest Version 4.9 of the software by either downloading it from the official website or using the update program. It is recommended to read the release notes before installing the update.

What’s New in Cobalt Strike 4.9?

Update to post-exploitation capabilities of Cobalt Strike

- Advertisement - SIEM as a Service

The post-exploitation capabilities of Cobalt Strike have been updated, and the following post-exploitation DLLs now support prepend-style User Defined Reflective Loaders:

  • browserpivot 
  • hashdump 
  • invokeassembly 
  • keylogger 
  • mimikatz 
  • netview 
  • portscan 
  • powershell 
  • screenshot 
  • sshagent

To execute this modification and replace the default reflective loader with a UDRL, a new Aggressor Script hook called POSTEX_RDLL_GENERATE has been introduced.

Export Beacon Without A Reflective Loader

When utilizing UDRLs, Beacon may now be utilized without the exporting reflective loader function. Additionally, this change enhances support for prepend-style UDRLs.  

Callback Support

“We have had a number of requests from our users to make it easier to process the results of certain function calls. This is challenging due to the asynchronous nature of Cobalt Strike’s communications, but this has been addressed in this release by adding callbacks for several built-in functions, ” the company said in its blog.

The following Aggressor Script functions now support callbacks:

  • bnet 
  • beacon_inline_execute 
  • binline_execute 
  • bdllspawn 
  • bexecute_assembly 
  • bhashdump 
  • bmimikatz 
  • bmimikatz_small 
  • bportscan 
  • bpowerpick 
  • bpowershell 
  • bpsinject

Beacon Data Store

Further, in this new release, the company introduced a Beacon Data store that lets you save BOFs and .NET assemblies in Beacon’s memory, enabling the stored items to be run several times without transmitting the item.

Beacon User Data

Beacon User Data is a C structure that allows Reflective Loaders to pass additional data to Beacons. It also enables a Reflective Loader to resolve and provide system call information to Beacon, bypassing the normal system call resolver. BOFs can retrieve a pointer to this data with the BeaconGetCustomUserData function.  

WinHTTP Support

Beacon’s HTTP(S) listener has previously relied on the WinInet library by default. Support for the WinHTTP library has been implemented in response to user input.  

“A new Malleable C2 group, .http-beacon, has been created. Additionally, a .http-beacon.library option has been added to allow you to set the default library used when creating a new HTTP(S) listener”, the company explains.

Host Profile Support for HTTP(S) Listeners

When the Beacon payload is generated, callback host names are given to a single URI, and HTTP(S) parameters and headers are set at the profile or variant level. This implies that all HTTP(S) traffic to that host appears to be extremely similar.  

“We have addressed these limitations by adding a new Malleable C2 profile group – http-host-profiles. This allows you to define HTTP characteristics (URI, headers, and parameters) that will be used for HTTP(S) communications for a specific hostname”, the company said.

Inter-Client Communications

Three new Aggressor Script methods have been introduced to make firing and consuming custom events easier:  custom_event, custom_event_private, and custom_event_<topic-name>.

BOF Updates

Three new APIs have been added to Beacon to support this key/value store:  

BeaconAddValue(const char * key, void * ptr) allows you to add a memory address to a key. 

BeaconGetValue(const char * key) allows you to retrieve the memory address associated with a key. 

BeaconRemoveValue(const char * key) allows you to remove the key.

Sleep Mask Update

The sleep mask processing has been modified to mask Beacon’s patched sleep mask code. 

System Call Updates 

Support for direct and indirect system calls has been added for DuplicateHandle, ReadProcessMemory, and WriteProcessMemory.

Product Security Updates

“A change has been made to authorization files so that they are no longer backward compatible with older versions of Cobalt Strike. This means that the authorization file generated when you update to or install the 4.9 release will not work with any 4.8 versions that you may also need to use”, the company said.

The company also assured that the minimum supported Java version will be updated from Java 8 to Java 11 in the upcoming release.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...