Cobalt Strike Infrastructure Downtime – March 2024

The Cobalt Strike download infrastructure will be down for a short while on Wednesday 13th March for routine maintenance. Work will begin around 15:00 GMT (10:00 EST). We expect the maintenance to be completed in under 30 minutes. Downloads and updates will be unavailable while this work is carried out. Apologies for any inconvenience that […]

Read More… from Cobalt Strike Infrastructure Downtime – March 2024

Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM

This is a joint blog written by William Burgess (@joehowwolf) and Henri Nurmi (@HenriNurmi). In our ‘Cobalt Strike and YARA: Can I Have Your Signature?’ blog post, we highlighted that the sleep mask is a common target for in-memory YARA signatures. In that post we recommended using the evasive sleep mask option to scramble the […]

Read More… from Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM

Cobalt Strike Infrastructure Maintenance – January 2024

We will be making a small change to the Cobalt Strike infrastructure next week. This will not result in any downtime but will affect updates using old copies of the update application. TLS Certificate Update verify.cobaltstrike.com hosts a text file with SHA256 hashes for the licensed Cobalt Strike product and distribution packages for Windows, Linux […]

Read More… from Cobalt Strike Infrastructure Maintenance – January 2024

Cobalt Strike 4.9: Take Me To Your Loader

Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and […]

Read More… from Cobalt Strike 4.9: Take Me To Your Loader

Revisiting the User-Defined Reflective Loader Part 2: Obfuscation and Masking

This is the second installment in a series revisiting the User-Defined Reflective Loader (UDRL). In part one, we aimed to simplify the development and debugging of custom loaders and introduced the User-Defined Reflective Loader Visual Studio (UDRL-VS) template. In this installment, we’ll build upon the original UDRL-VS loader and explore how to apply our own […]

Read More… from Revisiting the User-Defined Reflective Loader Part 2: Obfuscation and Masking

Simplifying BOF Development: Debug, Test, and Save Your B(e)acon 

Beacon Object Files (BOFs) were introduced in Cobalt Strike 4.1 in 2020. Since their release, BOFs have played a key role in post-exploitation activities, surpassing Reflective DLLs, .NET assemblies, and PowerShell scripts. However, in our experience, many developers struggle with four primary pain points: In this blog post, we will tackle these difficulties by introducing […]

Read More… from Simplifying BOF Development: Debug, Test, and Save Your B(e)acon 

Cobalt Strike and Outflank Security Tooling: Friends in Evasive Places

This is a joint blog written by the Cobalt Strike and Outflank teams. It is also available on the Outflank site. Over the past few months there has been increasing collaboration and knowledge sharing internally between the Cobalt Strike and Outflank R&D teams. We are excited about the innovation opportunities made possible by this teamwork and […]

Read More… from Cobalt Strike and Outflank Security Tooling: Friends in Evasive Places

Cobalt Strike and YARA: Can I Have Your Signature?

Over the past few years, there has been a massive proliferation of YARA signatures for Beacon. We know from conversations with our customers that this has become problematic when using Cobalt Strike for red team engagements and that there has been some confusion over how Cobalt Strike’s malleable C2 options can help.   Therefore, this blog […]

Read More… from Cobalt Strike and YARA: Can I Have Your Signature?

Stopping Cybercriminals From Abusing Security Tools 

Microsoft’s Digital Crimes Unit (DCU), cybersecurity software company Fortra™ and Health Information Sharing and Analysis Center (Health-ISAC) are taking technical and legal action to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software, which have been used by cybercriminals to distribute malware, including ransomware. This is a change in the way DCU has […]

Read More… from Stopping Cybercriminals From Abusing Security Tools