I’m getting ready to head off to RIT SPARSA’s Information Security Talent Search event. Just in time for it, here’s another Cobalt Strike update.
This update focuses on Cobalt Strike’s Beacon agent again. At NECCDC, we had a few situations where Beacon was our only access to a host and Meterpreter would get blocked or cut off quickly. This update adds commands to download a file, upload a file, and execute a program (without cmd.exe) to Beacon. These capabilities help round out Beacon as a remote administration tool.
This update also changes how the [host] -> Meterpreter -> Access -> Dump Hashes -> lsass method menu works. The menu issues a hashdump command through Meterpreter, captures its output, and places it into the database. A common complaint is that this menu item provides no feedback or output. This has changed. Now, this item opens a meterpreter tab, and presents the hashes as they’re dumped and recorded.
This update changes how Cobalt Strike and Beacon exchange information. If you plan to collaborate using Cobalt Strike, make sure all users have the latest version and that the team server is running the latest version of Cobalt Strike.
The full list of changes is in the Cobalt Strike release notes. Licensed users may use the update program to get the latest. A 21-day trial of Cobalt Strike is available for download too.