support

Cobalt Strike License Authorization Files

The licensed version of Cobalt Strike requires a valid authorization file to start. An authorization file is an encrypted blob that provides information about your license to the Cobalt Strike product. This information includes: your license key, your license expiration date, and an ID number that is tied to your license key.

How do I get an authorization file?

The built-in update program requests an authorization file from Cobalt Strike's update server when it's run. The update program downloads a new authorization file, even if your Cobalt Strike version is up to date. This allows the authorization file to stay current with the license dates in Strategic Cyber LLC's records.

What happens when my license expires?

Cobalt Strike will refuse to start when its authorization file expires. There is no impact if an authorization file expires while Cobalt Strike is running. The licensed Cobalt Strike product only checks authorization files when it starts.

When does my authorization file expire?

Your authorization file expires when your Cobalt Strike license expires. If you renew your Cobalt Strike license, run the built-in update program to refresh the authorization file with the latest information.

Go to Help -> System Information to find out when your authorization file expires. Look for the "valid to" value under the Other section. Remember, the Client Information and Team Server Information may have different values (depending on which license key was used and when the authorization file was last refreshed).

Cobalt Strike will also warn you when its authorization file is within 30 days of its valid to date.

How do I bring an authorization file into a closed environment?

The authorization file is cobaltstrike.auth. The update program always co-locates this file with cobaltstrike.jar. To use Cobalt Strike in a closed environment:

  1. Download the Cobalt Strike trial package at https://www.cobaltstrike.com/download
  2. Update the Cobalt Strike trial package from an internet connected system
  3. Copy the contents of the updated cobaltstrike/ folder into your environment. The most important files are cobaltstrike.jar and cobaltstrike.auth.

Does Cobalt Strike phone home to Strategic Cyber LLC?

Beyond the update process, Cobalt Strike does not "phone home" to Strategic Cyber LLC. The authorization file is generated by the update process.

How do I use an older version of Cobalt Strike with a refreshed authorization file?

Cobalt Strike 3.8 and below do not check for or require an authorization file.

Cobalt Strike 3.9 and later check for a cobaltstrike.auth file co-located with the cobaltstrike.jar file. Update Cobalt Strike from another folder and copy the new cobaltstrike.auth file to the folder that contains your old-version of Cobalt Strike. The authorization file is not tied to a specific version of the product.

What is the Customer ID value?

The Customer ID is a 4-byte number associated with a Cobalt Strike license key. Cobalt Strike 3.9 and later embed this information into the payload stagers and stages generated by Cobalt Strike.

How do I find the Customer ID value in a Cobalt Strike artifact?

The Customer ID value is the last 4-bytes of a Cobalt Strike payload stager in Cobalt Strike 3.9 and later.

This screenshot is the HTTP stager from the trial. The trial has a Customer ID value of 0. The last 4-bytes of this stager (0x0, 0x0, 0x0, 0x0) reflect this.

HTTP Payload Stager (Cobalt Strike Trial)

HTTP Payload Stager (Cobalt Strike Trial)

The Customer ID value also exists in the payload stage, but it's more steps to recover. Cobalt Strike does not use the Customer ID value in its network traffic or other parts of the tool.

How do I protect disparate red team infrastructure from cross-identification with this ID?

If you have a unique authorization file on each team server, then each team server and the artifacts that originate from it will have a different ID.

Cobalt Strike's update server generates a new authorization file each time the update program is run. Each authorization file has a unique ID. Cobalt Strike only propagates the team server's ID. It does not propagate the ID from the GUI or headless client's authorization file.