Cobalt Strike 4.9 Released: What’s New!

The latest version of Cobalt Strike 4.9 is now available. This release includes improvements to Cobalt Strike’s post-exploitation capabilities, including the ability to export Beacon without a reflective loader, which adds official support for prepend-style URLs, support for callbacks in many built-in functions, a new in-Beacon data store, and more.

Users who have a valid license can obtain the latest Version 4.9 of the software by either downloading it from the official website or using the update program. It is recommended to read the release notes before installing the update.

What’s New in Cobalt Strike 4.9?

Update to post-exploitation capabilities of Cobalt Strike

The post-exploitation capabilities of Cobalt Strike have been updated, and the following post-exploitation DLLs now support prepend-style User Defined Reflective Loaders:

• browserpivot
• hashdump
• invokeassembly
• keylogger
• mimikatz
• netview
• portscan
• powershell
• screenshot
• sshagent

To execute this modification and replace the default reflective loader with a UDRL, a new Aggressor Script hook called POSTEX_RDLL_GENERATE has been introduced.

Export Beacon Without A Reflective Loader

When utilizing UDRLs, Beacon may now be utilized without the exporting reflective loader function. Additionally, this change enhances support for prepend-style UDRLs.  

Callback Support

“We have had a number of requests from our users to make it easier to process the results of certain function calls. This is challenging due to the asynchronous nature of Cobalt Strike’s communications, but this has been addressed in this release by adding callbacks for several built-in functions, ” the company said in its blog.

The following Aggressor Script functions now support callbacks:

• bnet
• beacon_inline_execute
• binline_execute
• bdllspawn
• bexecute_assembly
• bhashdump
• bmimikatz
• bmimikatz_small
• bportscan
• bpowerpick
• bpowershell
• bpsinject

Beacon Data Store

Further, in this new release, the company introduced a Beacon Data store that lets you save BOFs and .NET assemblies in Beacon’s memory, enabling the stored items to be run several times without transmitting the item.

Beacon User Data

Beacon User Data is a C structure that allows Reflective Loaders to pass additional data to Beacons. It also enables a Reflective Loader to resolve and provide system call information to Beacon, bypassing the normal system call resolver. BOFs can retrieve a pointer to this data with the BeaconGetCustomUserData function.  

WinHTTP Support

Beacon’s HTTP(S) listener has previously relied on the WinInet library by default. Support for the WinHTTP library has been implemented in response to user input.  

“A new Malleable C2 group, .http-beacon, has been created. Additionally, a .http-beacon.library option has been added to allow you to set the default library used when creating a new HTTP(S) listener”, the company explains.

Host Profile Support for HTTP(S) Listeners

When the Beacon payload is generated, callback host names are given to a single URI, and HTTP(S) parameters and headers are set at the profile or variant level. This implies that all HTTP(S) traffic to that host appears to be extremely similar.  

“We have addressed these limitations by adding a new Malleable C2 profile group – http-host-profiles. This allows you to define HTTP characteristics (URI, headers, and parameters) that will be used for HTTP(S) communications for a specific hostname”, the company said.

Inter-Client Communications

Three new Aggressor Script methods have been introduced to make firing and consuming custom events easier:  custom_event, custom_event_private, and custom_event_<topic-name>.

BOF Updates

Three new APIs have been added to Beacon to support this key/value store:  

BeaconAddValue(const char * key, void * ptr) allows you to add a memory address to a key. 

BeaconGetValue(const char * key) allows you to retrieve the memory address associated with a key. 

BeaconRemoveValue(const char * key) allows you to remove the key.

Sleep Mask Update

The sleep mask processing has been modified to mask Beacon’s patched sleep mask code. 

System Call Updates 

Support for direct and indirect system calls has been added for DuplicateHandle, ReadProcessMemory, and WriteProcessMemory.

Product Security Updates

“A change has been made to authorization files so that they are no longer backward compatible with older versions of Cobalt Strike. This means that the authorization file generated when you update to or install the 4.9 release will not work with any 4.8 versions that you may also need to use”, the company said.

The company also assured that the minimum supported Java version will be updated from Java 8 to Java 11 in the upcoming release.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.