The REST API was a major feature of the 4.12 release and forms part of a broader ongoing change in the Cobalt Strike ecosystem. Therefore, we wanted to dedicate a blog post to explain the rationale behind it, discuss the architecture, and provide hands-on examples to get our customers up and running.

In addition to this blog, we have released a blog with more extensive examples that showcase the benefits of the REST API shortly, including an MCP server for integrating Cobalt Strike with the Claude LLM.

Our Motivation

Cobalt Strike was created over 15 years ago and whilst the product has changed a lot over this time, the architecture has remained the same: a fat client and a lightweight team server. This architecture has its benefits, such as the ability to collaborate via a team server whilst customizing and tinkering within the client to suit a specific way of working. However, we are always looking for opportunities to further open up Cobalt Strike to its users, provide new capabilities for offensive security research, and better support Red Team workflows. Therefore, we set out on an engineering journey to revamp the existing architecture and create a REST API.

Our main motivation for embarking on this journey was to bring the following capabilities to our customers:

• Language agnostic scripting in Cobalt Strike via REST:  Users can customize the product with the tools and programming languages they’re most comfortable with.
• Server-side execution of Aggressor scripts: Users can run existing Aggressor/.cna scripts server-side and can call these scripts via the REST API.
• Better task tracking: Ability to relate tasks (i.e. commands) and their response, which is valuable for users working with the API and provides needed insights for LLMs.
• Server-side artifact storage: A multi-person red team can use one specific artifact (e.g. a BOF, Cobalt Strike payload or .NET assembly) across the full team.
• Roles or ‘command restrictions’: A junior operator or LLM can be restricted from running unauthorized functionality.

The Beta and Road Ahead

We decided to provide the Cobalt Strike REST API as a beta release. The community is an essential part of the Cobalt Strike ecosystem and this approach gives our users the chance to tinker with it and provide feedback on the overall design, as well as how it performs in real operations. In parallel, the Cobalt Strike team will continue development and add more features and functionality.

Although it is released as beta, we have a well thought-out set of API routes and the overall API has gone through the regular quality control and testing processes as other Cobalt Strike features. Therefore, we expect only minor changes to the currently exposed functionality, so anything built against this API should not require major changes in future releases.

Please note, the REST service is not yet feature complete, see section Scope and caveats of this beta at the bottom of this blog for more information.

What Has Changed

Cobalt Strike 4.12 introduced the following changes relating to the REST API:

• A new REST service that exposes Cobalt Strike functionality via a REST API.
• The team server now performs task-tracking and exposes the task/response relationship through the REST API and in the logs.
• A central location for artifact management (available via the REST API).

The REST API provides a language agnostic interface which can be used to rapidly develop custom automation flows, integrate Cobalt Strike into the realm of LLMs, and even create custom User interfaces/clients.

The following diagram provides an overview of the REST architecture. The team server and the csrestapi run on the same server, whilst the Cobalt Strike client continues to work in the same fashion.

Getting Started with REST

The following sections will explain how to start the REST service and provide some simple examples. In addition, we will explain some of the background in terms of API routes and their design. For simplicity, these examples use the Swagger UI and/or Curl. More information on OpenAPI and how to generate an SDK can be found in the section OpenAPI and Development SDK.

Starting the REST Service

The REST API is not started by default. To enable the database that facilitates persistent task tracking you must provide the new --experimental-db flag when starting the team server. Once the team server is up and running, the csrestapi can connect with the specified password and start exposing the REST API on port 50443.

./teamserver <ip > <password> [<profile> <kill_date>] -–experimental-db
./csrestapi –-pass $PASSWORD

To validate that the REST API runs successfully, a Swagger user interface should be accessible on https://<teamserver>:50443/.

It is possible to configure different aspects of the REST API (e.g. network port, https certificates, etc) with startup flags and in the ./rest-server/application.properties file. More information can be found in the user guide.

Authentication and a First REST Request

To interact with the API, we first need to authenticate and obtain an access token via the /api/auth/login route. This takes a username and the team server password and returns an access token which must be included in each request in the Authorization HTTP header.

Once we have obtained an access token, it is possible to use any of the requests shown in the Swagger UI. For example, we can use /api/v1/beacons to get a listing of currently active Beacons and their associated Beacon IDs. This request is particularly important, as we will need a Beacon ID to interact with a specific Beacon in the rest of the examples in this blog post.

The recording below demonstrates the process of starting the REST service, authenticating and listing running Beacons.

Video 1: Start up the REST service, authenticate and list Beacons via Swagger.

Console Command and Structured Commands

In the REST API we offer two ways of command execution:

1. A consoleCommand route: This executes any input as if it was entered in the Cobalt Strike console.
2. A structured command route: Each command/functionality is a separate REST endpoint, similar to individual aggressor functions. The benefit of the structured command routes is that the input and output is much more clearly defined (i.e. named parameters). Secondly, the structured commands will likely serve as a building block for roles and permissions in a future release. Therefore, we recommend using these structured commands over the consoleCommand route.

The following two examples use a directory listing to demonstrate these requests:

consoleCommand
The consoleCommand route takes a command as if we typed it into the Cobalt Strike command line:

curl-k -X 'POST' \
  'https://teamserver:50443/api/v1/beacons/$beaconID/consoleCommand' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer <$access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "command": "ls c:\\users"
}'

execute/ls
The /execute/ls/ endpoint takes only the path argument as illustrated below:

curl-k -X 'POST' \
  'https://teamserver:50443/api/v1/beacons/<$beaconID>/execute/ls' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer <$access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "path": "c:\\users"
}'

Using Tasks to Retrieve Results

As the execution of a command relies on the exact moment when the Beacon checks-in, the REST requests cannot provide an immediate response. Consequently, the API creates a task and returns a taskID. This taskID can be used to retrieve the output or status as demonstrated below.

curl-k -X 'GET' \
  'https://teamserver:50443/api/v1/tasks/$taskID?format=structured' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer <$access_token>

This recording illustrates the steps required for running an ls on a beacon and getting its output.

Video 2: : Run ‘ls’ via the structured route and collect its response via the task mechanism.

It is important to highlight that whilst introducing the structured command routes we deviated from the historical Cobalt Strike command naming and created a more consistent naming convention that more clearly expresses Beacon’s actions:

• /spawn/ – indicates that the command uses fork & run.
• /inject/ – indicates that the command injects into a specified process.
• /execute/ – indicates that the command relies on Windows API calls.
• /state/ – indicates a command that modifies Beacon’s configuration.

As an example, the execute-assembly command can be accessed as /spawn/dotnetAssembly, setting a new sleep value is done via /state/sleepTime and running ls is done via /execute/ls.

To help our users in finding the right routes, a mapping of all existing Cobalt Strike commands to their REST route is provided in our documentation. Furthermore, in the Swagger UI routes are grouped by functionality, making it easier to find related commands.

Artifacts and Server-side Storage

Various Cobalt Strike commands take a binary file as input (i.e. an artifact). For example, running a .NET assembly like Rubeus. The API uses the @files operator within various REST calls to indicate that the file itself is provided within the request as a base64 encoded file. In the example below, we request the API to run Rubeus via execute-assembly (REST route spawn/dotnetAssembly).

curl-k -X 'POST' \
  'https://teamserver:50433/api/v1/beacons/<$beaconID>/spawn/dotnetAssembly' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer <$access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "assembly": "@files/Rubeus.exe",
    "arguments": "logonsession",
    "files": {
       "Rubeus.exe":"<base64=== >"
    }
}'

Server-side Artifacts & Disk Structure

Server-side artifact storage makes it possible for one user to place artifacts (e.g. .NET assemblies, BOFs or .cna files) on the server and via REST those artifacts can be accessed and used by all users.  

The table below lists the default folders and files created by the REST API that are intended for server-side artifact storage. Users are free to structure files according to their preference, with two exceptions. First, the generated folder is intended for any payloads generated by Cobalt Strike. Second, the cna_scripts.config file is used to configure which .cna scripts are loaded by default by the REST API.


Server-side Aggressor scripts that are run by REST are restricted to Sleep/Aggressor and cannot use any Java bindings.

Path	Description
/rest-server/csrestapi	Mandatory/reserved files: the REST service binary itself and further dependencies in the rest-server folder
/rest-server/restapi/cna_scripts.config	Mandatory/reserved file: A text file with the paths to individual .cna files that are loaded globally by the REST service
/rest-server/restapi/artifacts/generated	Mandatory/reserved folder: reserved for payloads generated by the Cobalt Strike REST service
/rest-server/restapi/artifacts/assemblies	A folder intended for .NET assemblies
/rest-server/restapi/artifacts/sleepmasks	Folder intended for scripts and resources for Sleepmasks
/rest-server/restapi/artifacts/udrls	Folder intended for scripts and resources for UDRLs


Since the REST API does not currently allow for file uploads, it is expected that users will place artifacts via SSH or other file copy means.

Running a .NET Assembly as a Server-side Artifact

The API’s server-side storage makes it possible for users to reference an artifact that is already present on the server, instead of sending it in the request.

The /api/v1/artifacts route allows users to list the available server-side artifacts and retrieve their symbolic references. These can then be used as part of any request that expects a binary file. In the example below, Rubeus.exe was previously uploaded to the restapi/artifacts/assemblies/ folder.

curl-k -X 'GET' \
  'https://teamserver:50433/api/v1/artifacts' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer <$access_token>' \

This will return the following:

[
  {
    "key": "assemblies/Rubeus.exe",
    "symbolicReference": "@artifacts/assemblies/Rubeus.exe"
  }
]

To execute the server-side Rubeus.exe, we can utilise the /spawn/dotnetAssembly route and provide the symbolic reference:

curl-k -X 'POST' \
  'https://teamserver:50433/api/v1/beacons/<$beaconID>/spawn/dotnetAssembly' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer <$access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "assembly": "@artifacts/assemblies/Rubeus.exe",
  "arguments": "logonsession"}
'

This video demonstrates running Rubeus from server-side storage and collecting its output.

Video 3: Running a server-side.net assembly (Rubeus.exe) via REST.

Server-side Aggressor Scripts and Aliases

In addition to PE files and .NET assemblies, the server-side storage also supports Aggressor/.cna scripts. Upon startup of the REST API, any .cna filepath that is included in the cna_scripts.config file will automatically be loaded. To illustrate the value of this, we will deploy the TrustedSec Situational Awareness BOF collection server-side. The result is that all the aliases that are included in Situational Awareness become available via REST.

This involves the following deployment steps:

• Place the TrustedSec situational awareness collection on disk (e.g. in restapi/scripts_folder/ or restapi/BOF/ ).
• Add the filepath of SA.cna into the cna_scripts.config file so the REST server will load it upon startup.

echo "restapi/scripts_folder/SA/CS-Situational-Awareness-BOF-master/SA/SA.cna" >> restapi/cna_scripts.config 

• (re)start the csrestapi.

Once the csrestapi is restarted, we can use the /help endpoint to verify that the Situational Awareness aliases are available.(e.g. the command probe or whoami from Situational Awareness should be listed in the output of /help.)

curl-k -X 'GET' \
  'https://teamserver:50443/api/v1/beacons/<$beaconID>/help' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer <$access_token>'

Server-side aliases that are loaded by the REST API can be run via the consoleCommand, as shown below:

curl-k -X 'POST' \
  'https:// teamserver:50443/api/v1/beacons/<$beaconID>/consoleCommand' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer <$access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "command": "probe 127.0.0.1 445"
}'

The video below demonstrates the process steps as outlined above.

Video 4: Deploying the TrustedSec Situational Awareness collection and running the ‘whoami’ alias.

Server-side Payload Generation

It is also possible to generate payloads via REST; the resulting payloads can be retrieved or used via @artifacts within other calls towards the API.

In the following request a payload is being generated by the REST service and stored in the server-side storage.

curl –k -X 'POST' \
  'https://teamserver:50433/api/v1/payloads/generate/stageless' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer <$access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "listenerName": "https",
  "useListenerGuardRails": true,
  "guardRails": {
  },
  "architecture": "x64",
  "exitFunction": "Process",
  "systemCallMethod": "None",
  "httpLibrary": "wininet",
  "dnsCommMode": "dns",
  "output": "Raw"
}'

This route has optional parameters for sleepMaskCNA and a udrlCNA that can point to an @artifacts reference so that payload generation can be fully customized. In the video below this functionality is demonstrated with the AceLDR UDLR.

Video 5: Server-side payload generation using custom .cna files and retrieval of the resulting payload.

OpenAPI & Development SDK

The examples provided thus far in this blog relied on Swagger and Curl. These serve as excellent examples to illustrate the API but are not the best suited to integrate in a mature programming language. As the Cobalt Strike REST API supports OpenAPI, it is possible to generate an SDK for a large variety of programming languages. On our GitHub we provide a Jupyter notebook with instructions on how to generate an SDK and use the API from Python.

This video demonstrates installing and using the OpenAPI SDK for Python.

Video 6: Using OpenAPI to generate a Python SDK.

Scope and Caveats of This Beta

The following should be considered when using the beta release of the REST API:

• The current REST API is not fully feature complete: The API supports the vast majority of Cobalt strike functionality. There are, however, some areas where the API is not (yet) complete:
  • The reporting functionality and specific data models, such as services, sites and targets are not included.
  • The resource kit/artifact kit and process inject kit are not yet exposed via REST. Thus exporting filetypes such as exe, dll, hta is currently not possible.
  • Controlling the SSH Beacon is not supported via REST.
  • There is a limited set of commands not ported over (e.g. GUI commands such as ‘history’). Please refer to the command to REST mapping for additional details.
• No roles, authorizations and command restrictions yet: The functionality for roles or ‘command restrictions’ as described in our motivations is not yet provided. However, we did design our API to facilitate this in future releases.
• Task tracking has imperfections: We added a fair share of task-management and state tracking in the team server. However, we also hit limits in the exact communication flows between Beacon and the team server. Further mitigating these imperfections required a larger overhaul of Beacon and its messaging. For now, it is known behavior that various tasks never get to the state COMPLETED but remain in the state OUTPUT_RECEIVED or IN-PROGRESS if there is no output. For example, altering the sleep of a beacon will remain IN-PROGRESS indefinitely.
• Not all features are backported in the native client: With the REST server, we introduce the concept of ‘server-side storage’. A user can store and use artifacts (e.g. a generated payload, a BOF, .cna or .net assembly) in the REST-storage so all operators can use the same version of a specific artifact via REST. However, this functionality is not yet natively implemented in the regular Cobalt Strike client. We do have a prototype Aggressor script which enables the execution of server-side artifacts from the Cobalt Strike GUI. We will polish this up and release it soon.
• Real-world experience and feedback is needed: The changes around tasking and central database storage within the team server needs real-world usage. We have done performance tests, but nothing beats the experience of our users.

Next Steps

• Release our internal prototypes, including our MCP server: As part of our internal research, testing, and QA process, we have created various internal prototypes that rely on REST. For example, we have made a Model Context Protocol (MCP) that integrates the Cobalt Strike REST API in an LLM, a ‘mobile webapp’ and Aggressor scripts to call into the REST API from the regular client. We believe these examples serve as excellent showcases to prove the power of this API. In the upcoming weeks, we will polish up the internal prototypes and release them.
• Further mature the REST API: As indicated earlier, in future releases we will further mature this API and we foresee it becoming a core component of the Cobalt Strike architecture.
• We want your feedback: Besides this release, we have also improved our feedback process. We have added a simple feedback form on our support page under the “Support” header which can be used to submit bugs, ask questions, or provide feedback on the REST Beta as well as on other features of the product.. You can also access this form directly from your Cobalt Strike client via Help->Support. 

Help us improve Cobalt Strike!

×

Cobalt Strike 4.11 is now available. This release introduces a novel Sleepmask, a novel process injection technique, new out-of-the-box obfuscation options for Beacon, asynchronous BOFs, and a DNS over HTTPS (DoH) Beacon. Additionally, we have overhauled Beacon’s reflective loader and there are numerous QoL updates.

Out-of-the-Box Evasion Overhaul

The focus of this release (and the next) was to overhaul Cobalt Strike’s out-of-the-box evasion options.

Firstly, we have added a novel Sleepmask which is automatically enabled via Malleable C2. In previous releases, Cobalt Strike’s “evasive sleep” has been available in the Arsenal Kit, but it was based upon a (modified) open-source technique and required a significant amount of customisation to use with Beacon. We felt that runtime masking is essential in modern operations with Cobalt Strike, which is why we wanted to update and improve it with something new and novel. The new evasive Sleepmask will obfuscate Beacon, its heap allocations, and itself, meaning that Beacon is robust against static signatures at runtime, out-of-the-box, without any further configuration required.  You can of course still use the evasive sleep in the Arsenal Kit or your own Sleepmask if you desire. 

Note: The new Sleepmask only applies to HTTP(S)/DNS Beacons; we are currently overhauling the pivot Beacon Sleepmask for the next release.

Secondly, we have added a new novel process injection technique, which is the default injection method used by Beacon as of 4.11. Injected threads are one of the pillars of modern detection and can be identified with high fidelity by simply looking for threads with a start address that is not backed by a Portable Executable (PE) image on disk. However, there are still many ways to bypass this approach, such as using various gadgets to redirect execution flow, meaning that EDR vendors typically have advanced logic to identify this type of behaviour.

In Cobalt Strike 4.11, we have added our own custom process injection technique, ObfSetThreadContext. In the following screenshot, we use ObfSetThreadContext to inject a Beacon into a remote process. We then scan the process with Get-InjectedThreadEx and observe that no suspicious threads have been identified:

By default, this new option will automatically set the injected thread start address as the (legitimate) remote image entry point, but can be additionally configured as shown below:

process-inject {
    execute {
            # Accepts a module!function + offset for thread start address.
            ObfSetThreadContext “ntdll!TpReleaseCleanupGroupMembers+0x450”;
            NtQueueApcThread;    # backup injection option 1 (see note below)
            SetThreadContext;    # backup injection option 2
    }
}

The option above sets ObfSetThreadContext as the default process injection technique and will ensure that all new threads are spawned at the exported ntdll function, TpReleaseCleanupGroupMembers (i.e. the entry point for thread pool threads on Win10).

Note: As shown above, the execute block allows you to specify multiple backup techniques (in this case NtQueueApcThread and SetThreadContext) in the event that your default technique fails for certain corner cases (i.e. x86 -> x64 injection, self-injection etc.). For example, ObfSetThreadContext currently only supports same arch injection, so a backup technique is recommended for cross arch injection (or alternatively use the proc-inj kit).

Thirdly, we have ported Beacon’s default reflective loader to a new prepend/sRDI style loader and added several new evasive features:

• A new EAF bypass option (stage.set eaf_bypass  “true”) which can be used to bypass security solutions which use Export Address Filtering (EAF) techniques/ guard pages.
• Support for indirect syscalls (stage.set rdll_use_syscalls  “true”).
• Support for automatically applying complex obfuscation routines to Beacon payloads (stage.transform-obfuscate {}).

A demo of the new EAF bypass in operation can be seen below:

We have previously blogged about creating custom obfuscation loaders for Beacon. This work was initially inspired by Hasherezade’s blog on custom PE formats and Elastic Security Lab’s blog on the Blister loader, which uses compression and encryption to add layers of obfuscation.

transform-obfuscate abstracts these ideas and enables Cobalt Strike users to automatically apply complex obfuscation routines to Beacon payloads. In this sense, it is analogous to the transforms Malleable C2 supports on Beacon’s network comms (but for the Beacon DLL instead of C2 traffic).

For example, the transform-obfuscate option below will compress a Beacon payload, rc4 encrypt it with a random 64 bit key, xor it with a random 32 bit key and then base64 encode it:

stage {
    transform-obfuscate {
        lznt1;
        rc4 “64”;        # NB The max supported rc4 key size is 128
        xor “32”;        # NB The max supported xor key size is 2048
        base64;
     } 
}

These transformation rules can be applied in any order and specified more than once. For example, if you wanted to emulate Roshtyak malware you could add 14 different transforms.

Note: Extensive transforms (and in particular compression) can add slight delays to payload generation (as Cobalt Strike will need to compress a payload potentially multiple times).

Additionally, this reflective loader overhaul allowed us to make several improvements to Cobalt Strike’s existing Malleable C2 options. For example, it allowed us to decouple stage.obfuscate from controlling whether the PE header is copied into memory as part of reflectively loading Beacon (which has added complications to UDRL development; see Sleepmask Redux here). This can now be configured via the stage.copy_pe_header “false”; option.

Lastly, Beacon is now robust against static signatures out-of-the-box, at all stages of the attack chain, as in 4.11 we have enabled by default:

• set sleepmask “true”
• set cleanup “true”
• transform-obfuscate { xor “32”; }

If you want to disable Cobalt Strike automatically xor’ing the entire Beacon payload with a random key, you can set transform-obfuscate { } in your Malleable C2 profile (NB This is only applicable when using Beacon’s default prepend loader and will not impact UDRLs as they ignore PE modifications).

Note: As of 4.11, Beacon will now use the new prepend loader by default. The legacy stomp / exported reflective loader is still being supported in 4.11 and if you still want this behaviour you can manually enable it via stage.rdll_loader “StompLoader”;. However, we recommend against using it and are ending support for stomp loaders in 4.12.

Asynchronous BOFs

We have added a new Postex DLL, async-execute.dll which can be used to asynchronously execute BOFs (i.e.in a new thread while Beacon is sleeping). This means that operators can now run multiple BOFs at the same time all within the same process without blocking Beacon. This Postex DLL operates in two modes:

• Single shot: a single BOF will be executed asynchronously and the async-execute Postex DLL will immediately exit.
• Background: the async-execute Postex DLL will act as a server and repeatedly execute all BOFs sent to it.

Each asynchronous BOF will run as its own job and its specific output can be viewed in its job console window in the Cobalt Strike GUI. Additionally, async-execute honours the process-inject.bof_allocator method (virtualalloc, mapviewoffile, heapalloc), supports indirect syscalls, and will automatically free itself from memory on termination.

A demo of async-execute in operation can be seen below:

Note: The majority of the Beacon C API is supported, so most BOFs will run without requiring any modification. However, there are some APIs which are not supported for obvious reasons (i.e. Beacon data store APIs). Check the async-execute-README in kits/postex/artifacts/async-execute for a complete list.

It is important to stress that async-execute was written entirely with the Postex Kit (released in 4.10). This is why you will find the compiled DLLs in the Arsenal Kit (kits/postex/artifacts/async-execute) with their corresponding async-execute.cna script. We have added it to the Postex Kit as an example to demonstrate the power and extensibility of the Postex Kit for developing custom long running jobs which plug directly into CS.

Note: To support async-execute we have added a new Aggressor function bread_pipe. This allows you to register a custom job via reading from the specified named pipe and gives greater flexibility when writing custom tooling with the Postex Kit.

Additionally, we hope to demonstrate with this example that all Cobalt Strike users have all the tools to be Cobalt Strike developers. As this release shows, we are committed to adding novel evasion into Cobalt Strike, but if you still don’t like Cobalt Strike’s default options, you will always have scope to customise the product to your liking.

For example, you can effectively add your ‘own’ Malleable C2 options for reflective loading, via using Aggressor Script and UDRL-VS (the obfuscation-loader is a great example of how to do this).  If you have a great idea for a new post exploitation capability, the Postex Kit makes it possible to integrate custom tradecraft directly into Cobalt Strike (as demonstrated by async-execute!).

Furthermore, with UDRL-VS, Sleepmask-VS, BOF-VS, and the Postex Kit, you have access to the same tooling that the Cobalt Strike developers use and can integrate custom tradecraft into the Cobalt Strike ecosystem, at all stages of the attack chain, quicker than ever before.

Cobalt Strike customers can download the latest Arsenal Kit here.

Note: You can combine your own postex DLLs with a custom postex UDRL and additionally control the process injection technique used (via the proc-inj kit), giving Cobalt Strike users full control over their postex attack chain.

Stealthy Network Comms with DNS over HTTPS Beacon

Cobalt Strike 4.11 introduces a DNS over HTTPS (DoH) Beacon, which provides another stealthy network egress option for Cobalt Strike users. Assuming DNS C2 infrastructure has already been configured, using the DoH Beacon is as simple as enabling it on payload generation, as demonstrated below, and it will run out-of-the-box with all the default options.

By default, Beacon will use mozilla.cloudflare-dns.com,cloudflare-dns.com as its target DoH-compatible DNS server. However, you can configure Beacon’s DoH settings via Malleable C2 as demonstrated below:

dns-beacon "DOH_EXAMPLE" {
  set comm_mode "dns-over-https";        # [dns | dns-over-https]

  dns-over-https {
                # ----------------------------------------------------------------------
                # Verb:
                # - GET | POST
                #   - Default: "POST"
                # ----------------------------------------------------------------------
                set doh_verb "GET";

                # ----------------------------------------------------------------------
                # Useragent
                #   - Default: Blank
                # ----------------------------------------------------------------------
                set doh_useragent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)";

                # ----------------------------------------------------------------------
                # Proxy Server for HTTP
                # ----------------------------------------------------------------------
                # set doh_proxy_server "123.123.123.123:4321";

                # ----------------------------------------------------------------------
                # DOH Server List
                # - Default: "mozilla.cloudflare-dns.com,cloudflare-dns.com"
                # ----------------------------------------------------------------------
                set doh_server "cloudflare-dns.com";

                # ----------------------------------------------------------------------
                # Accept
                # - Default = application/dns-message
                # ----------------------------------------------------------------------
                set doh_accept "application/dns-message";

                # ----------------------------------------------------------------------
                # Headers
                # - Default = Content-Type: application/dns-message
                # ----------------------------------------------------------------------
                header "Content-Type" "application/dns-message";
                header "header1" "value1";
  }

A demo of the new DoH Beacon in action can be seen below:

Additional Updates

This release also contains a number of QoL updates, most notably:

• Added command line variables ($BEACON_PID, $BEACON_ARCH etc.) corresponding to Beacon console metadata, which can be used during command execution (i.e. inject $BEACON_PID x64 HTTP). Use the variables beacon console command to see the list of available variables and values.
• Beacon’s help command has been reorganised into groups to make commands easier to find and now supports adding custom commands to new/existing help groups. To see more information on help groupings, run the beacon console help for the help command: help help.

• The host rotation beacon_config host add command now supports hot swapping multiple C2 hosts at the same time (instead of just one as of 4.10).
• You can now specify the default chunking size for Beacon’s GET/POST requests to bypass data exfiltration prevention solutions:
  • Use client_max_post_post_size to reduce the maximum post request size.Use client_max_post_get_size to control the size of chunked data (i.e. data sent per request) when Beacon is posting with a GET verb.
  • Use client_max_post_get_packet to control the amount of file download data that Beacon can process during one cycle (i.e. check-in) when using HTTP posts with the GET verb.
• Make_token now supports UserPrincipalName (UPN) syntax (User@DNSDomainName).
• BeaconGetSyscallInformation() has had a breaking change, as it previously returned pointers to Beacon’s data section which could cause errors when using syscalls after masking. It now fills out a copy for the caller, making it much easier to use syscalls when developing custom Sleepmask/BeaconGate BOFs (more to come on this very soon!).
• To aid BeaconGate development, Beacon will now resolve a more extensive set of syscalls. The full list of resolved syscall functions can be found in the SYSCALL_API struct in Beacon.h.
• Added numerous GUI improvements such as:
  •  Support for customising the max Beacon console buffer size to display more console data before truncation occurs (Preferences -> Console -> Console Buffer Size).Support for wrapping long text lines in the console on word breaks (Preferences -> Console -> Default Hzt-Scroll) to better support copying and pasting from tools like Rubeus.
  • There is now the option to disable auto scrolling in console windows. This can be found in the bottom right corner of the CS client:

To see a full list of what’s new in Cobalt Strike 4.11, please check out the release notes.

To purchase Cobalt Strike or learn more, please contact us.