Cobalt Strike Blog

TL;DR: In this blog we’ll demonstrate how to instrument Beacon via BeaconGate and walk through our implementations of return address spoofing, indirect syscalls, and a call stack spoofing technique, Draugr, that are now available in Sleepmask-VS. Furthermore, we’ll provide tips and tricks for developers in getting set up with Sleepmask-VS so they can write their [...]

Read More... from Dynamically Instrumenting Beacon With BeaconGate – For All Your Call Stack Spoofing Needs!

The post Dynamically Instrumenting Beacon With BeaconGate – For All Your Call Stack Spoofing Needs! appeared first on Cobalt Strike.

Cobalt Strike 4.11.1 is now available. This is an out of band update to fix an issue regarding module stomping that was discovered in the 4.11 release that we felt should be fixed prior to the next release. Besides that issue, this out of band release also allowed us to include two other smaller bugfixes/quality [...]

Read More... from Out of Band Update: Cobalt Strike 4.11.1

The post Out of Band Update: Cobalt Strike 4.11.1 appeared first on Cobalt Strike.

Cobalt Strike 4.11 is now available. This release introduces a novel Sleepmask, a novel process injection technique, new out-of-the-box obfuscation options for Beacon, asynchronous BOFs, and a DNS over HTTPS (DoH) Beacon. Additionally, we have overhauled Beacon’s reflective loader and there are numerous QoL updates. Out-of-the-Box Evasion Overhaul The focus of this release (and the [...]

Read More... from Cobalt Strike 4.11: Shhhhhh, Beacon is Sleeping….

The post Cobalt Strike 4.11: Shhhhhh, Beacon is Sleeping…. appeared first on Cobalt Strike.

Since 2023, Microsoft’s Digital Crimes Unit (DCU), Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) have been working together to combat the use of unauthorized, legacy copies of Cobalt Strike and compromised Microsoft software, which have been weaponized by cybercriminals to deploy ransomware  and other malware, causing significant harm to critical sectors like [...]

Read More... from Update: Stopping Cybercriminals from Abusing Cobalt Strike

The post Update: Stopping Cybercriminals from Abusing Cobalt Strike appeared first on Cobalt Strike.

Cobalt Strike 4.10.1 is now available. This is an out of band update to fix issues that were discovered in Cobalt Strike 4.10 that we felt should be fixed before the next release. This update does not affect the 4.11 release which is well underway and due to ship in early 2025. Mutiple Team Server [...]

Read More... from Out of Band Update: Cobalt Strike 4.10.1

The post Out of Band Update: Cobalt Strike 4.10.1 appeared first on Cobalt Strike.

TLDR: Cobalt Strike Staffing Changes Recently there have been some internal changes within the Cobalt Strike team. Greg Darwin has switched to a new position within Fortra. Greg has been the face of Cobalt Strike within the community for a number of years and we thank Greg for all his work and effort he put [...]

Read More... from Cobalt Strike Staffing Changes and the Road Ahead

The post Cobalt Strike Staffing Changes and the Road Ahead appeared first on Cobalt Strike.

The UDRL and the Sleepmask are key components of Cobalt Strike’s evasion strategy, yet historically they have not worked well together. For example, prior to CS 4.10, Beacon statically calculated its location in memory using a combination of its base address and its section table. This calculation was then modified depending on the contents of [...]

Read More... from Revisiting the UDRL Part 3: Beacon User Data

The post Revisiting the UDRL Part 3: Beacon User Data appeared first on Cobalt Strike.

Cobalt Strike 4.10 is now available. This release introduces BeaconGate, the Postex Kit, and Sleepmask-VS. In addition, we have overhauled the Sleepmask API, refreshed the Jobs UI, added new BOF APIs, added support for hot swapping C2 hosts, and more. This has been a longer release cycle than in previous releases to allow us to [...]

Read More... from Cobalt Strike 4.10: Through the BeaconGate

The post Cobalt Strike 4.10: Through the BeaconGate appeared first on Cobalt Strike.

Press Release: View Original Europol Announcement 03 Jul 2024 – Law enforcement has teamed up with the private sector to fight against the abuse of a legitimate security tool by criminals who were using it to infiltrate victims’ IT systems. Older, unlicensed versions of the Cobalt Strike red teaming tool were targeted during a week [...]

Read More... from Europol Coordinates Global Action Against Criminal Abuse of Cobalt Strike

The post Europol Coordinates Global Action Against Criminal Abuse of Cobalt Strike appeared first on Cobalt Strike.

The Cobalt Strike download infrastructure will be down for a short while on Wednesday 13th March for routine maintenance. Work will begin around 15:00 GMT (10:00 EST). We expect the maintenance to be completed in under 30 minutes. Downloads and updates will be unavailable while this work is carried out. Apologies for any inconvenience that [...]

Read More... from Cobalt Strike Infrastructure Downtime – March 2024

The post Cobalt Strike Infrastructure Downtime – March 2024 appeared first on Cobalt Strike.

This is a joint blog written by William Burgess (@joehowwolf) and Henri Nurmi (@HenriNurmi). In our ‘Cobalt Strike and YARA: Can I Have Your Signature?’ blog post, we highlighted that the sleep mask is a common target for in-memory YARA signatures. In that post we recommended using the evasive sleep mask option to scramble the [...]

Read More... from Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM

The post Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM appeared first on Cobalt Strike.

We will be making a small change to the Cobalt Strike infrastructure next week. This will not result in any downtime but will affect updates using old copies of the update application. TLS Certificate Update verify.cobaltstrike.com hosts a text file with SHA256 hashes for the licensed Cobalt Strike product and distribution packages for Windows, Linux [...]

Read More... from Cobalt Strike Infrastructure Maintenance – January 2024

The post Cobalt Strike Infrastructure Maintenance – January 2024 appeared first on Cobalt Strike.

Cobalt Strike 4.9.1 is now available. This is an out of band update to fix an issue that was discovered in the 4.9 release that we felt would negatively impact customers as they start to roll out the release and for which there is no straightforward workaround. We also took the opportunity to address a [...]

Read More... from Out of Band Update: Cobalt Strike 4.9.1

The post Out of Band Update: Cobalt Strike 4.9.1 appeared first on Cobalt Strike.

Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and [...]

Read More... from Cobalt Strike 4.9: Take Me To Your Loader

The post Cobalt Strike 4.9: Take Me To Your Loader appeared first on Cobalt Strike.

This is the second installment in a series revisiting the User-Defined Reflective Loader (UDRL). In part one, we aimed to simplify the development and debugging of custom loaders and introduced the User-Defined Reflective Loader Visual Studio (UDRL-VS) template. In this installment, we’ll build upon the original UDRL-VS loader and explore how to apply our own [...]

Read More... from Revisiting the User-Defined Reflective Loader Part 2: Obfuscation and Masking

The post Revisiting the User-Defined Reflective Loader Part 2: Obfuscation and Masking appeared first on Cobalt Strike.

Beacon Object Files (BOFs) were introduced in Cobalt Strike 4.1 in 2020. Since their release, BOFs have played a key role in post-exploitation activities, surpassing Reflective DLLs, .NET assemblies, and PowerShell scripts. However, in our experience, many developers struggle with four primary pain points: In this blog post, we will tackle these difficulties by introducing [...]

Read More... from Simplifying BOF Development: Debug, Test, and Save Your B(e)acon 

The post Simplifying BOF Development: Debug, Test, and Save Your B(e)acon  appeared first on Cobalt Strike.

This is a joint blog written by the Cobalt Strike and Outflank teams. It is also available on the Outflank site. Over the past few months there has been increasing collaboration and knowledge sharing internally between the Cobalt Strike and Outflank R&D teams. We are excited about the innovation opportunities made possible by this teamwork and [...]

Read More... from Cobalt Strike and Outflank Security Tooling: Friends in Evasive Places

The post Cobalt Strike and Outflank Security Tooling: Friends in Evasive Places appeared first on Cobalt Strike.