Cobalt Strike 4.11.1 is now available. This is an out of band update to fix an issue regarding module stomping that was discovered in the 4.11 release that we felt should be fixed prior to the next release.
Besides that issue, this out of band release also allowed us to include two other smaller bugfixes/quality of life improvements.
Module Stomping
We fixed an issue which caused Beacon to crash in edge cases when module stomping was used in conjunction with ObfSetThreadContext injection when the target process had Control Flow Guard enabled. We’ve added a patch for this issue.
Note: If you are using a UDRL which performs module stomping, you should ensure you set `METHOD_MODULESTOMP` as part of the `ALLOCATED_MEMORY` structure in your UDRL to make Beacon is aware to avoid any CFG related issues. See the bud-loader in UDRL-vs (part of the Cobalt Strike arsenal kit) for an example on how to do this.
“Enable SSL” Checkbox
We have fixed an issue with using self-signed certificates and the teamserver not allowing HTTPS to be enabled. Once a user configures the ‘https-certificate’ and points towards a self-signed certificate, the ‘Enable SSL’ checkbox would be disabled.
With the 4.11.1 release a self-signed certificate will now enable the ‘Enable SSL’ checkbox. See Self-signed SSL Certificates with SSL Beacon and Valid SSL Certificates with SSL Beacon on how to set up a SSL certificates in Cobalt Strike.
Deprecation Warning for Stomp Reflective Loaders
In the 4.11 release blog, we announced that we switched to prepend loaders and are ending support for stomp loaders. In this hotfix we’ve added a deprecation warning in the c2lint program to make the deprecation more explicit (and with this hotfix release blog we highlight the deprecation once more).
Download and update
Licensed users can download version 4.11.1 from here. If you need to update your CS license for an existing Cobalt Strike environment that you don’t want to update, you can obtain a new authorization file using the Authorization Generation page rather than running the update command
We thank our customers for reporting these issues. If you notice any other issues with Cobalt Strike, please refer to the online support page, or report them to our support email address. To learn more about Cobalt Strike, please contact us.
