Announcements Archives - Page 2 of 2 - Cobalt Strike Research and Development

Cobalt Strike 4.5: Fork&Run – you’re “history”

Cobalt Strike 4.5 is now available. This release sees new options for process injection, updates to the sleep mask and UDRL kits, evasion improvements and a command history update along with other, smaller changes.

Security Updates

Before getting into the details of the release, I just wanted to impress upon you how seriously we take product security. We dedicated a significant portion of this release to improving controls around product licensing. We are fully committed to improving the security of the product and will continue to make product security enhancements a priority in future releases.

Process Injection

Until now, Cobalt Strike’s only process injection option was the built-in fork&run technique. While this is good for stability, it limits OPSEC options. We have added two new Aggressor Script hooks (PROCESS_INJECT_SPAWN and PROCESS_INJECT_EXPLICIT) to allow you to define how the fork&run and explicit injection techniques are implemented when executing post exploitation commands. A new BOF along with an Aggressor Script function implements both of these new techniques. You will now have the option of using the built-in fork&run technique or creating your own process injection technique.

Example: The keylogger using a custom process injection technique written by @ajpc500

Command History

Since adding the reconnect button in the 4.4 release, the new number one change request relates to issues with command history. There was an outstanding issue whereby scrolling back through your command history and then running a new command would insert that command in the wrong place in the command history. Not only did we fix that, we also overhauled command history to make it much more usable.

We have added a “history” command that displays your command history. You can choose to display all commands in the command history (“history all”) or specify how many commands that you want to display (for example, “history 10”). Is that all? No! We’ve also made working with command history more Unix-like by adding support for bang (!) characters.

history command

“Max Retry” Processing

This release also sees the addition of a complementary strategy to the existing Host Rotation Strategy. The “max retry” strategy is available for HTTP, HTTPS and DNS Beacons and it allows you to tell a Beacon to exit after a specified number of consecutive connection failures. Once the failure count crosses a threshold, the sleep time is adjusted to a specified value, so a Beacon that has lost its team server backs off rather than hammering a dead host.

The strategy comes with a number of default values for exit and sleep thresholds but you will be able to add custom values with a new Aggressor hook (LISTENER_MAX_RETRY_STRATEGIES).

Max Retry Strategy

Sleep Mask Kit Updates

The Sleep Mask kit was introduced in Cobalt Strike 4.4. There are two changes to the sleep mask kit in this release. Firstly, following user feedback, we have increased the space available for the sleep mask from 289 to 769 bytes. Secondly, we have added support to the kit for masking heap memory.

User Defined Reflective Loader Kit Update

Like the Sleep Mask kit, the User Defined Reflective Loader kit was introduced in Cobalt Strike 4.4. Following user feedback, we have increased the reserved size in Beacon for a larger User Defined Reflective Loader. A new Aggressor hook (BEACON_DLL_SIZE) allows you to specify whether to reserve 5k (the current threshold) or 100k for your custom loader.

Other Changes

One final, small update to mention is that to save you a click, the x64 checkbox is now checked by default on all payload generation dialogs. Please be aware of this change so that you don’t rely on muscle memory when working with those dialogs and accidentally uncheck that checkbox!

x64 checked by default

Documentation Changes

Unrelated to this release, but still relevant, is a change to the documentation. Earlier this month we made some changes to the Cobalt Strike infrastructure. One of those changes was an overhaul of the Cobalt Strike website, and the manual is now searchable: https://cobaltstrike.com/support.

Please note that you may need to refresh your browser cache to see the new documentation.

The support manual is now searchable

We will be publishing follow-up blog posts that provide much more detail on most of these changes in the next few days, so please keep your eye on the blog for those updates.

To see a full list of what’s new in Cobalt Strike 4.5, please check out the release notes. Licensed users can run the version 4.4 update program to get version 4.5. If you have not yet updated to version 4.4, you will need to download the new version from the website. To purchase Cobalt Strike or ask about evaluation options, please contact us for more information.

There’s a New Deputy in Town

It’s been less than a month since I joined the Cobalt Strike team. My first impressions of this team have been overwhelmingly positive. As Raphael transitioned out, he left us with a message: “Cobalt Strike is in good hands.” I couldn’t agree more.

What can you expect from me? I’m here to provide input and guidance to Cobalt Strike’s overall direction, but more importantly, I’m here to interact with and learn from the community to help drive the best improvements. I encourage you to reach out with questions or discussions on offensive or defensive security topics. Consider following us on Twitter @joevest, @CoreAdvisories, and @HelpSystemMN if you’d like to keep up with the latest news on Cobalt Strike, Core Security, or HelpSystems. You can also find me hanging out in the BloodhoundGang #aggressor channel on Slack.

I titled this post “There’s a new deputy in town.” You may hear my voice more than others on the team, but I am not the sheriff. I’m just the newest member of a fantastic team. We all play different but crucial roles. I’m excited to start this new journey with this great team.

Raphael’s Transition

Friday was my last day at HelpSystems. I spent the day on the #Aggressor channel on Slack, put some final touches on a 12 month roadmap document, and worked with my colleagues to remove myself from a few systems I had originally designed. I had planned to get a blog post out yesterday, but the day ran right up to my dinner plans!

Cobalt Strike is in great shape. The product is no longer the efforts of one person. There’s a full research and development team behind it. Greg Darwin is the leader. You’ll see his announcements here and on the Cobalt Strike Technical Notes mailing list. Twitter announcements for Cobalt Strike will come from @CoreAdvisories as well.

You’ve seen the work of our R&D team. 4.3 was their release. I provided guidance, but they 100% carried it.

The team is filled with very senior software folks. All come from security backgrounds (one of our engineers was tech lead of HelpSystems’ server antivirus product). The forward mantra is to keep the product stable and to continue to give more flexibility into the product’s attack chain.

The above team was three folks one week ago. A fourth engineer joined this week. And, we’re recruiting our hacker-in-residence as well. The hacker-in-residence will pick up some aspects of my role: input on the overall product direction, providing subject matter expertise on offense topics, and interacting with and helping all of us learn from you.

You have a bigger ally now. HelpSystems’ business strategy in this space is simple. As red teaming succeeds as a practice, we’ll succeed as a business. Cobalt Strike is in good hands.

I want to thank you for the opportunity to work with you for the past decade. It was the greatest privilege of my career. For me, the biggest thrill in this work wasn’t related to the technology. It was watching your careers, seeing your successes, and feeling a small supporting role in it. Thanks for having me as part of it.

verify.cobaltstrike.com outage summary

Cobalt Strike’s update process was degraded due to a data center outage that affected https://verify.cobaltstrike.com. The verify server is back up and the functionality of our update process is restored.

Here’s the timeline of the incident:

November 10, 2020 – 5:15pm EST The Cobalt Strike update process is degraded. You may still download and update the product. The verification step is unavailable. You will see a warning about verify.cobaltstrike.com not accepting connections during the update process. There is a data center networking issue that impacted our verification server. We are working with our service provider and monitoring the issue.

November 10, 2020 – 9:35pm EST The data center network issue was a planned power outage gone awry. We will bring the verify server online once connectivity is restored.

November 11, 2020 – 12:20pm EST The power outage caused a hardware failure with our provider. Our provider is working to address this. We have the option to migrate verify elsewhere, but are waiting out the restoration of the current server at this time.

November 11, 2020 – 1:05pm EST The verify server is back online and this incident is resolved.

What is the verify server?

The verify server is where we publish SHA-256 hashes of the Cobalt Strike product and its distribution packages. Our update program pins the certificate of this server and uses its hashes to verify the integrity of the product download. When the update program is unable to complete this process, it gives you the option to continue, but it warns that you should not.

The verify server exists on infrastructure separate from other parts of the Cobalt Strike update process. This outage did not affect other parts of our update infrastructure.
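The outage summary describes two controls in the update path: a certificate pin on the verify server and a published SHA-256 manifest that the download is checked against, with a warning when the check cannot run. The following is an added example, not Cobalt Strike’s update program, showing how a client can implement that verification and how it should behave when the verify server is unreachable. It assumes a sha256sum-style manifest (“<hex digest>  <filename>” per line) and a pin expressed as the SHA-256 fingerprint of the DER-encoded leaf certificate; both are common conventions and are assumptions here, not facts about verify.cobaltstrike.com. The package bytes, manifest and file name are constructed for the demo.

```python
"""Download verification against a pinned SHA-256 manifest (added example).

Not Cobalt Strike's code. Assumed conventions: sha256sum-style manifest
lines and a leaf-certificate SHA-256 fingerprint as the pin.
"""
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    OK = "ok"                    # digest matches the pinned manifest: install
    MISMATCH = "hash_mismatch"   # download differs from what was published
    UNAVAILABLE = "unavailable"  # pin failed or manifest unreachable/unparseable
    NOT_LISTED = "not_listed"    # file name is not in the manifest at all


def fingerprint_hex(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def cert_pin_matches(cert_der: bytes, expected_fingerprint_hex: str) -> bool:
    """Constant-time comparison of the presented cert's fingerprint to the pin."""
    return hmac.compare_digest(fingerprint_hex(cert_der),
                               expected_fingerprint_hex.lower())


def parse_manifest(text: str) -> dict:
    """Parse '<64 hex chars>  <name>' lines into {name: digest}.

    A malformed line is an error, not something to skip: a manifest that has
    been altered in transit should never be partially trusted.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts
        int(digest, 16)  # raises ValueError if the digest is not hex
        entries[name.lstrip("*")] = digest.lower()  # '*name' = binary mode
    return entries


def verify_download(filename: str, data: bytes, manifest_text, pin_ok: bool) -> Verdict:
    """Decide whether `data` may be installed.

    manifest_text is None when the verify server could not be reached. That
    case, and a failed pin, are treated as a hard failure: the client cannot
    distinguish an outage from an attacker blocking the verification step.
    """
    if not pin_ok or manifest_text is None:
        return Verdict.UNAVAILABLE
    try:
        manifest = parse_manifest(manifest_text)
    except ValueError:
        return Verdict.UNAVAILABLE
    expected = manifest.get(filename)
    if expected is None:
        return Verdict.NOT_LISTED
    actual = hashlib.sha256(data).hexdigest()
    return Verdict.OK if hmac.compare_digest(actual, expected) else Verdict.MISMATCH


# Constructed sample data: a fake package and a manifest that lists it.
PACKAGE = b"constructed package contents, not a real distribution"
TAMPERED = PACKAGE + b"\x00"
MANIFEST = f"{hashlib.sha256(PACKAGE).hexdigest()}  update.tgz\n"


def demo() -> dict:
    """Run the four cases a practitioner cares about and return the verdicts."""
    return {
        "good": verify_download("update.tgz", PACKAGE, MANIFEST, pin_ok=True),
        "tampered": verify_download("update.tgz", TAMPERED, MANIFEST, pin_ok=True),
        "server_down": verify_download("update.tgz", PACKAGE, None, pin_ok=True),
        "bad_pin": verify_download("update.tgz", PACKAGE, MANIFEST, pin_ok=False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict.value}")
```

The design point is the `UNAVAILABLE` branch: an updater that lets the user “continue anyway” turns any denial of service against the verify host into a downgrade of the integrity check, which is exactly why the post warns against continuing. Pinning a leaf certificate, as described in the post, also means a routine certificate rotation requires shipping a new client; pinning the SPKI or an internal CA is the usual compromise when rotation is expected.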

Cobalt Strike 3.0 – Advanced Threat Tactics

Cobalt Strike’s mission is to help security professionals emulate “advanced threat tactics” during their engagements. I’ve executed on this since the product’s 2012 release. Cobalt Strike 3.0 is the next iteration of this.

Cobalt Strike 3.0 is a ground-up rewrite of the client and server components in this product. Notably, Cobalt Strike no longer directly depends on the Metasploit Framework. Cobalt Strike 3.0 is a stand-alone platform for Adversary Simulations and Red Team Operations.

This release makes several strategic changes to support Cobalt Strike’s Red Team Operations and Adversary Simulation use cases. Here are the highlights…

Asynchronous Post Exploitation with Beacon

Beacon has completed its transition from stable lifeline to full-featured post-exploitation agent. This release includes features and workflows for user-exploitation at scale and a data model that populates itself with credentials and targets found with Beacon.

Logging and Reporting Designed for Red Team Operations

Logging and Reporting were completely overhauled. All logging now takes place on the team server. Each command is attributed to an operator. File uploads are hashed and the file hash is noted in the logs. Actions and output are captured whether a client is connected to the server or not. Cobalt Strike 3.0’s reports produce detailed timelines of red team activity and indicators of compromise.


Intuitive Named-pipe Pivoting

The SMB Beacon is a first-class part of Cobalt Strike’s workflows. This Beacon variant uses a named pipe to receive commands from and send output through a parent Beacon. This effectively allows you to chain Beacons to tightly control your communication path and egress systems/elevated processes through another Beacon’s channel. Cobalt Strike 3.0 supports the SMB Beacon with visualization that shows this chaining in a beautiful and intuitive way.

Target Acquisition and Lateral Movement

Cobalt Strike 3.0 also provides tools and workflows to support target acquisition and lateral movement with Beacon. The new net module uses Win32 APIs to discover and interrogate targets. Beacon also gained a port scanner that operates on target and reports intermediate results when Beacon checks in. The workflows to repurpose trust material and jump to a target are efficient and intuitive.

Advanced Threat Tactics Training

Finally, Cobalt Strike’s online training was refreshed for this 3.0 release. The Advanced Threat Tactics course is nearly six hours of material on the modern offensive process Cobalt Strike 3.0 supports.

Introducing Morning Catch – A Phishing Paradise

Morning Catch is a VMware virtual machine, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks and post-exploitation.

On this virtual machine, you will find: a website for a fictitious seafood company, self-contained email infrastructure to receive phishes, and two desktop environments. One desktop environment is a vulnerable Linux client-side attack surface. The other is a vulnerable Windows client-side attack surface.

Morning Catch uses a bleeding edge version of WINE to run a few vulnerable Windows applications AND experiment with post-exploitation tools in a fun and freely re-distributable environment.

You can download it via this torrent.

Login Screen

Your use of Morning Catch starts with the login screen.

Boyd Jenius is the Systems Administrator and his password is ‘password’. Login as Boyd to get to the vulnerable Linux desktop.

Richard Bourne is Morning Catch’s CEO and his password is also ‘password’. Login as Richard to get to the vulnerable Windows desktop.

You can also RDP into the Morning Catch environment.


Windows Desktop

Richard’s desktop includes the Windows’ versions of Firefox, Thunderbird, Java, and putty. Open up Thunderbird to check Richard’s email.

You can send a phish to him too. This VM includes a mail server to receive email for users at the morningcatch.ph domain. Open up a terminal and find out the IP address of the VM. Make sure you relay messages through this server. Use [email protected] as the address.

Are you looking for some attacks to try? Here are a few staples:

Morning Catch’s WINE environment runs post-exploitation payloads, to include Windows Meterpreter and Beacon, without too much trouble.


Linux Desktop

Boyd’s desktop is the vulnerable Linux attack surface. Boyd has the Linux versions of Firefox, Java, and Thunderbird. Boyd also has an SSH key for the Metasploitable 2 virtual machine. Try to ssh to Metasploitable 2 as root and see what happens.

Webmail

Morning Catch also includes RoundCube webmail for all of its users. Use this as a target to clone and harvest passwords from.


Hopes and Dreams

Morning Catch isn’t a replacement for a vulnerable Windows lab. It’s a safe and freely redistributable target to experiment with phishing and client-side attacks. It’s my hope that this environment will help more people experiment with and understand these attacks better.

Are you in Las Vegas for BlackHat USA or DEF CON? Stop by the Black Hat Arsenal on Wednesday at 10am for a demo of this new environment and a Morning Catch sticker. I’m also giving away DVDs with a revised Cobalt Strike pen testing lab that uses Morning Catch. Find me at the Cobalt Strike kiosk in the Innovation City portion of the Black Hat USA Exhibitor Hall. I will also give away these DVDs at the Cobalt Strike table in the DEF CON vendor area.

Cobalt Strike Boxed Set comes to ShmooCon

It’s the middle of February, love is in the air, and… I’m busy preparing for my favorite hacker conference ShmooCon.

This year, for the second year in a row, Strategic Cyber LLC is sponsoring ShmooCon.

Last year, I had intended to launch Cobalt Strike. Except, it wasn’t called Cobalt Strike and someone else beat me on filing a trademark application on the original name–by about five days. Pure coincidence and I learned a lesson about retaining an IP lawyer early in the business formation process. Anyways…

Cobalt Strike is having its first year at ShmooCon and I plan to make it a good one. I’m unveiling a Limited Edition Boxed Set and giving away more of the popular Pen Test Lab DVDs. Read on…

Cobalt Strike Boxed Set

Limited Edition Boxed Set (Seriously)

If you haven’t bought Cobalt Strike yet, now is your opportunity. Leading up to and during ShmooCon, a few Limited Edition Boxed Sets are available. If you buy a Cobalt Strike license now through this weekend and present the key at the Cobalt Strike table, I will issue a boxed set to you (while supplies last).

These sets are beautiful. They include a professionally bound copy of the Cobalt Strike manual, a DVD with the Cobalt Strike software, and a Cobalt Strike sticker.

Most big software companies ask for a big check. In exchange, you get some 1s and 0s transmitted to you over the internet. When’s the last time someone bothered to put those 1s and 0s into a box? I rest my case.

Penetration Testing Lab DVD

If you haven’t tried Cobalt Strike yet, we have a slight problem. I don’t want you to buy without putting the software through its paces. I’m quite serious about this. If you want to try Cobalt Strike, stop by the table and get a Penetration Testing Lab DVD.

This DVD has everything you need to put Cobalt Strike through its paces from the comforts of your laptop. This DVD includes an attack virtual machine, a Cobalt Strike trial package, and two victim virtual machines with self-guided hacking labs. I think of it as a chemistry kit for learning hacking. You can follow the steps or invent your own experiments.

I plan to burn a few hundred of these. I’m doing it now. I will run out. I always do. If you want one, come get it as early into the conference as you can.

Come say Hi!

I work the Strategic Cyber LLC table the entire time. If you have questions about Armitage or Cobalt Strike or if you’d like to see a demonstration, come on by. I’m looking forward to seeing you at ShmooCon!

Strategic Cyber at Derbycon

Day 2 of Derbycon 2.0 – The Reunion is about to start. Strategic Cyber LLC is near the Capture the Flag room exhibiting Cobalt Strike, answering questions, and talking about hacking.

The airline destroyed my portable monitor (boo!), so we’re working off of laptops, but it’s OK.

We have several goodies that we’re handing out too. Goodies include Armitage stickers, a limited number of Cobalt Strike stickers AND pen test lab DVDs.

Pen Test Labs

Yes, pen test labs. Our free pen test lab consists of three virtual machines.

  1. An attack virtual machine with a 21-day trial of Cobalt Strike that starts when you first run Cobalt Strike
  2. The awesome Metasploitable 2 virtual machine from the Metasploit Project
  3. A workstation victim virtual machine with self-contained email infrastructure

These virtual machines provide a quick and safe way for you to experiment with the offensive tools and techniques. The DVD also includes several step by step labs tied directly to the free Penetration Testing with Cobalt Strike course.

We have a limited number of DVDs available and they moved fast yesterday.

Beacon

The big topic around the table is Beacon, Cobalt Strike’s new covert command and control payload that mimics the C2 of advanced malware and RATs. This is an exciting capability leap for penetration testers. We will be answering questions and demoing aspects of Beacon at the table as well.

Dirty Red Team Tricks II

Sunday at noon, I will be delivering the Dirty Red Team Tricks II talk at Derbycon. Last year’s talk was quite a hit. I provided the kit and process we used at the Collegiate Cyber Defense Competition to work together as a red team and stay hidden on student systems. This update to the original talk will feature 2012’s tactics. You don’t want to miss.

That’s about it. I look forward to seeing you at the con.

Cortana: real-time collaborative hacking… with bots

At BSides Las Vegas, I talked about Force Multipliers for Red Team Operations. In this talk, I shared several stories about how my evil bots stole passwords, instantly installed back doors, and generally wreaked havoc on college students defending (sometimes) unpatched systems. Today, I’d like to introduce you to the technology behind this havoc: Cortana.

You may know Armitage: a red team collaboration tool built on the Metasploit Framework. Cobalt Strike is Armitage’s commercial big brother. Both packages include a team server. Through this team server, multiple hackers may control compromised hosts and launch attacks through one instance of the Metasploit Framework.

Inspired by my days on IRC in the 1990s, I wondered what would happen if I added bots to this collaborative hacking setup. This wondering (and a DARPA contract) led to Cortana, a scripting language for Armitage and Cobalt Strike.

Cortana Architecture

What can I do?

Using Cortana, you may develop stand-alone bots that join your red team. Cortana bots scan hosts, launch exploits, and work on compromised hosts without stepping on each other or getting in the way of their human teammates. Think of this system as Apache Wave (formerly Google Wave) for hacking.

Cortana scripts may also extend the Armitage and Cobalt Strike clients with new features. Cortana scripts can expose hidden Metasploit features, integrate third-party tools and agents, or control other Cortana bots.

Start Here…

If you’ve ever written scripts for an IRC client such as mIRC, irssi, BitchX, or even jIRCii–you’ll find yourself right at home with Cortana. The best place to start is the Cortana Tutorial. This document is a 55-page tutorial, reference, and collection of examples.

If you’d like to get involved writing Cortana scripts, head over to the Cortana Scripts Github repository. Fork the repository and start hacking away. Several example scripts are available, right now, for your copying and pasting pleasure.

Developer Support

If you have questions, join the Cortana Hackers Mailing list. Send a blank message to [email protected] and you will be subscribed. You may send a message to [email protected] to unsubscribe from the list.

If you’d like to connect on IRC with other Cortana hackers, join #armitage on irc.freenode.net.

Get It

Cortana is now available in Armitage 08.02.12 shipped in the Metasploit Framework. Type msfupdate and you have it. I hope I didn’t freak anyone out with my mega-large pull request.

The latest trial of Cobalt Strike has it too.

Cortana is BSD-licensed and is co-developed with Armitage. This work was made possible by a DARPA Cyber Fast Track contract.

I first announced Cortana at DEFCON 20. The slides from this presentation are available as well.

Meet Cobalt Strike: Adaptive Pen Testing

If you’re reading this, you’re likely aware of the Armitage project. Fed by your enthusiasm and feedback, Armitage has enjoyed a rapid pace of development since its inception. I left a security engineer role one year ago to search out how to properly nurture this project and its ideas going forward. This search led to some exciting initiatives, one that I’m announcing, right now.

I’d like to introduce you to Armitage’s big brother: Cobalt Strike

Cobalt Strike is a penetration testing suite built for threat emulation. I say suite, because it’s not just software. It’s documentation, online training, and a set of tools to help you execute an adaptive penetration test.

Cobalt Strike adds client-side reconnaissance, spear phishing, web drive-by attacks, and reporting to Armitage’s red team collaboration and post-exploitation capabilities.

Now that you’ve met Cobalt Strike, here are the next steps:

1. Watch the Cobalt Strike trailer to get a taste of Cobalt Strike

2. Get Cobalt Strike into your organization: buy online or request a quote.

Live Training at BlackHat USA

If you’re ready to add Adaptive Penetration Testing to your organization’s skill set, I recommend signing up for the BlackHat USA course run by the Veris Group. This course is a vendor neutral offering, but those who attend will have an opportunity to play with Cobalt Strike under the guidance of a seasoned instructor team.

The instructors David, Jason, and Chris are among the early adopters who helped shape this product.

And, what about Armitage?

Armitage, Cobalt Strike, and my security research initiatives are now under the banner of Strategic Cyber LLC. The formation of this company is an exciting opportunity. I can now work more formally with many of you and strengthen new and existing relationships.

Armitage will enjoy the same development pace and it will stay open source, always. Even better, I’m releasing something really big for Armitage at DEFCON 20.

I hope to see you there!

— Raphael


Raphael Mudge
Principal, Strategic Cyber LLC
http://www.advancedpentest.com/
1-888-761-7773

Bloggers and Journalists: More information about Strategic Cyber LLC and Cobalt Strike is available in our press kit.