Cobalt Strike Release Notes
-------------
Welcome to Cobalt Strike 3.x. Here are a few things you'll want to know, right away:

1. You do not need to install the Metasploit Framework to use Cobalt Strike 3.x.
   Cobalt Strike 3.x does not depend on the Metasploit Framework.

2. Cobalt Strike 3.x is still distributed as a client and team server. The
   team server must run on Linux.

3. You must always start a team server to use Cobalt Strike 3.x. Cobalt Strike 
   does not offer to start a team server for you.

4. If you use the Artifact Kit or Applet Kit, you should redownload these
   packages from the new Cobalt Strike Arsenal and merge your changes into the
   updated packages for Cobalt Strike 3.x. The scripting APIs to hook into these
   artifacts changed [for the better].

5. Cobalt Strike 3.x is not compatible with Cobalt Strike 2.x. Stand up new
   infrastructure and migrate accesses to it. Do not update 2.x infrastructure
   to Cobalt Strike 3.x.

6. Use the licensed version of Cobalt Strike in production. The Cobalt Strike 3.x 
   trial takes steps, in many places, to get caught by standard defenses. The 
   licensed version removes these deliberate tells and restores evasion features.

8 Dec 16   - Cobalt Strike 3.6
--------
+ Added sanity check to HTTP header length.
+ Added script constants \c, \U, and \o to agscript client.
+ Beacon drops token when connecting to capability pipe anonymously. This should 
  mitigate some error 5s (permission denied) when using jobs after stealing a token
+ VNC client and Proxy Pivots -> Tunnel now use the IP address the CS client 
  connected to as the team server IP and not the value used when starting the
  team server.
+ Added Preferences -> Cobalt Strike -> VNC Ports option. This configures the range
  of ports CS should use for VNC client connections between the client and the
  team server.
+ Added &layout to custom reports. It's &table but without a border and col headers
+ Expanded Malleable C2 to allow additional flexibility with HTTP requests:
	- Use 'set verb' to change the default HTTP verb for http-get/http-post 
	- http-get.client.metadata can now use print if http-get's verb is POST.
	- http-post.client.output can now use uri-append, parameter, and header.
	  Beacon will chunk output into small blocks when these options are used.
	- http-post.client.id can now use print if http-post's verb is POST.
	- c2lint checks for possible mistakes/issues with the above.
+ c2lint now checks for assignment collisions.
+ c2lint now shows a preview of both http-get AND http-post.
+ added base64url encoding to Malleable C2. (This is a URL-safe encoding option).
+ SSH client now reports output sent to STDERR.
+ Added sanity check to HTTP POST Content-Length (max allowed is 10MB. Still big.)
+ SSH client now combines consecutive reads for a channel into one output blob.
+ Added entries to the Host File feature's automatic mime-type assignment table.
+ Reworked spawnto to allow operator control over x86 and x64 behavior.
	- Deprecated Malleable C2 set spawnto option (it's ambiguous)
	- Added set spawnto_x86 and set spawnto_x64 to Malleable C2.
	- Beacon's spawnto command now expects arch value to target right setting
+ Expanded spawn command to accept arch parameter (e.g., spawn x64 <listener>)
+ x64 Beacon falls back to RtlCreateUserThread when CreateRemoteThread fails.
+ Updated Beacon Job IDs to stick with job throughout its life
+ Added an Aggressor Script API to add exploits to Beacon's elevate command
+ Added &powershell_encode_oneliner to Aggressor Script. This function base64 
  encodes a PowerShell expression and returns a one-liner to run it.
+ Added quiet variants of many session tasking Aggressor Script functions. These 
  functions task a session without an acknowledgement. [e.g., bshell!("arp -a")]
+ Added &bdllspawn. This function launches a Reflective DLL as a Beacon post-ex job.
  This rDLL job can send output to Beacon by writing to STDOUT. This rDLL can also
  receive an argument from &bdllspawn. Check out the Aggressor Script docs for info.
+ Added arch parameter to &bstage (to allow staging x64 SMB Beacon locally)
+ hashdump now does a better job with larger sets of users.
+ DNS C2 applies tighter criteria to determine if a request is a "beacon" or not.
+ CS client filters listeners w/o stages when Malleable C2 host_stage is false
+ Addressed a potential thread-conflict with a shared buffer in an encryption routine
+ Cobalt Strike Trial no longer encrypts Beacon tasks and responses. *pHEAR*
+ Re-revised foreign listeners to return x86 shellcode only.
+ Updated to Mimikatz 2.1 20161126.
+ Added &bsetenv to set an environment variable within Beacon.
+ Added &bpsexec_command to run a command on a target via the service control manager
+ Keystroke logger is now better about non-US keyboard layouts.
+ Team server now properly releases resources from non-CS client connections
+ Removed keylogger start|stop from tab completion [these options no longer exist]
+ CS's web server returns 404 for HTTP proxy attempts when no proxy handler is setup
+ Fixed occasional x64 HTTP/HTTPS stager crash on Windows 10-era systems

3 Oct 16   - Cobalt Strike 3.5.1
--------
This release implements measures to harden Cobalt Strike against malicious sessions.

+ Re-worked file download feature. Cobalt Strike continues to store downloaded files 
  in the downloads/ folder, but this time with a random name and no sub-folders. The
  View -> Downloads and Sync Files user experience is restored to the behavior prior
  to 3.5-hf1 and 3.5-hf2. The logs/[date]/downloads.log file contains a manifest of
  downloaded files and maps known information about the file download to the random
  names in the downloads/ folder.
+ Team server now uses a safe path concatenation function that compares canonical 
  paths of the parent and result concatenated path to make sure the result doesn't 
  break out of its parent.
+ Added host_stage = true/false option to Malleable C2. This option allows you to
  disable the public hosting of a payload stage over HTTP, HTTPS, and DNS.
+ Beacon controller now refuses to process most session responses if a session is
  new and has not had a task yet. Some responses are still allowed prior to tasking.
+ Beacon controller drops sessions whose session metadata didn't validate.
+ Beacon's upload command with path no longer checks for 1MB limit
+ Added 0.0.0.0 to team server's list of hosts it won't accept.
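
The two 3.5.1 hardening measures above (random download names with a manifest, and the canonical-path check on concatenation), sketched in Python as an added example. This is not Cobalt Strike's code; safe_join, store_download, the single downloads.log file and the sample names are assumptions made for illustration.

```python
import json
import os
import secrets
import tempfile


class PathEscapeError(ValueError):
    """The joined path resolves outside its parent directory."""


def safe_join(parent, child):
    """Join child onto parent and refuse any result that leaves parent.

    Both paths are canonicalised (symlinks and ".." resolved) before the
    comparison, as the 3.5.1 note describes.
    """
    parent_real = os.path.realpath(parent)
    result_real = os.path.realpath(os.path.join(parent_real, child))
    try:
        common = os.path.commonpath([parent_real, result_real])
    except ValueError:  # e.g. different drives on Windows
        common = None
    # commonpath compares whole components, so "downloads_evil" is not taken
    # for a child of "downloads" the way a startswith() test would take it.
    if common != parent_real:
        raise PathEscapeError(f"{child!r} resolves outside {parent!r}")
    return result_real


def store_download(root, session_id, reported_path, data):
    """Store session-supplied bytes under a random name and log a manifest.

    The path the session reports never becomes part of a name on disk; it is
    kept only as data in downloads.log (layout simplified for this example).
    """
    downloads = os.path.join(root, "downloads")
    os.makedirs(downloads, exist_ok=True)
    stored_as = secrets.token_hex(8)
    target = safe_join(downloads, stored_as)
    # O_EXCL refuses to overwrite if the random name somehow already exists.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    entry = {"session": session_id, "reported_path": reported_path,
             "stored_as": stored_as, "size": len(data)}
    # json.dumps escapes newlines, so a hostile name cannot forge log lines.
    with open(os.path.join(root, "downloads.log"), "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


# Constructed hostile file names, as a malicious session might report them.
HOSTILE_NAMES = [
    "../../etc/cron.d/job",   # plain traversal
    "/etc/passwd",            # absolute path replaces the parent on join
    "../downloads_evil/x",    # sibling directory sharing a string prefix
    "sub/../../escape",       # traversal hidden behind a real-looking prefix
    "link/x",                 # symlink inside the parent that points outside
]


def demo():
    """Run both measures against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "downloads")
        os.makedirs(downloads)
        os.makedirs(os.path.join(root, "downloads_evil"))
        os.symlink(root, os.path.join(downloads, "link"))
        rejected = []
        for name in HOSTILE_NAMES:
            try:
                safe_join(downloads, name)
            except PathEscapeError:
                rejected.append(name)
        entry = store_download(root, "session-1", "..\\..\\evil\n.exe", b"abc")
        on_disk = sorted(os.listdir(downloads))
        with open(os.path.join(root, "downloads.log"), encoding="utf-8") as log:
            log_lines = log.read().splitlines()
    return rejected, entry, on_disk, log_lines


if __name__ == "__main__":
    rejected, entry, on_disk, log_lines = demo()
    print("rejected:", rejected)
    print("stored as:", entry["stored_as"], "files:", on_disk)
    print("manifest:", log_lines)
```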

29 Sept 16 - Cobalt Strike 3.5-hf2 
---------- 
+ Broader hardening of the Beacon controller against the RCE security issue.

28 Sept 16 - Cobalt Strike 3.5-hf1
----------
+ Hot fix for a security issue. See Cobalt Strike blog: 
  http://blog.cobaltstrike.com/2016/09/28/cobalt-strike-rce-active-exploitation-reported/

22 Sept 16 - Cobalt Strike 3.5
----------
+ Fixed sanity checks when adding a listener.
+ Lateral Movement & Make Token dialogs use a . if user leaves Domain field blank
+ Beacon socks command now asks Beacon to checkin interactively (sleep 0)
+ Added ssh and ssh-key commands to Beacon to create an SSH session with a target.
  These sessions allow you to run commands, upload/download files, and pivot 
  through targets over SSH.
+ Took steps to reduce likelihood of Beacon ID collisions
+ &bmimikatz function will now dispatch multiple commands separated by newlines.
+ SMB Beacon download feature now pulls bigger file chunks (~256KB) per checkin
+ Fixed double unlink notices for named pipe sessions.
+ Added several Aggressor Script enhancements:
	- ssh_alias keyword to add commands to SSH sessions
	- ssh_initial event to respond to new SSH events
	- ssh popup hook
	- &ssh_command_register to register SSH aliases with SSH help command
	- &bssh, &bssh_key to launch an SSH session from a Beacon
	- &bsudo to run the SSH session's sudo alias
	- &ssh_commands, &ssh_command_describe, &ssh_command_detail to grab help
	  information for SSH session commands.
	- -issh $id, -isbeacon $id predicates to test whether an ID is a specific
	  type of session
	- -isadmin $id predicate to check if a session is admin-level
	- -is64 $id predicate to check if target is an x64 system.
	- &sbrowser function to create a session browser GUI object
	- SSH sessions have their own sets/events that are similar to the ones
	  that exist for Beacon sessions.
+ View -> Proxy Pivots now posts input for rportfwd stop/socks stop
+ Added sanity check for team server <host> parameter to avoid common mistakes
+ x86 stager generation code now always uses x86-specific URI checksum.

29 Jul 16 - Cobalt Strike 3.4
---------
+ Save dialog now defaults to the last saved file's location
+ Cleaned up several strings in Beacon's stage.
+ Added Malleable C2 option to set the name of SMB Beacon's named pipe
+ Added command-line help options for team server startup.
+ Added a kill date parameter to team server. This will embed a drop dead date
  into each Beacon stage generated by this team server.
+ Archiver on team server now truncates its entries to a set size. This prevents 
  a slow memory leak on the team server.
+ Fixed bug that capped Beacon's jitter variance to 32s, regardless of sleep time
+ Added a cobaltstrike.server_port property to change team server's default port
+ Fixed bug processing HTTP GET Malleable C2 recovery programs > 128 bytes.
+ Hardened Beacon's Malleable C2 recover code against corrupted/unexpected data.
+ Added Beacon's architecture (x86, x64) to session metadata as barch key. Also
  added an (x64) indicator to statusbar in x64 Beacon consoles.
+ 'mode dns' now restricts DNS host length (for puts) to 25% of maxdns value.
  The 'mode dns-txt' option is 100% of the maxdns value. 'mode dns6' is 50%
+ Beacon's upload command now supports files larger than 1MB.
+ Fixed a bug in task queue chunker that could affect order of task execution
+ Cobalt Strike -> Listeners shows last listener error in red, if there is one.
+ Added option to export COM Scriptlet (.sct) to Payload Generator dialog
+ Spear Phishing tool now allows Windows-style line endings for targets file
+ Added dns_idle setting to Malleable C2. Changes DNS C&C idle IP from 0.0.0.0
+ Added dns_sleep Malleable C2 setting. Forces a sleep before all DNS requests
+ Added 'mode dns6' to use DNS AAAA records as a data channel for DNS Beacon.
+ maxdns is now interpreted as maximum length of hostname to send data back
+ Improved DNS data channel throughput when using hostnames to send data back.
+ Updated to mimikatz build (Jan 31, 2016) to address golden ticket indicator
+ Spear Phish mail server setup now adds option to force STARTTLS
+ Fixed a bug with STARTTLS upgrade (introduced in 3.0)
+ Added &bnet function to call Beacon's net module.
+ Added &beacon_host_script function to (locally) host a PowerShell script and 
  return a one-liner to grab it/run it.
+ Fixed exception caused when hand-editing targets field in Spear Phish dialog
+ Fixed a potential exception caused by a race when removing a listener

18 May 16 - Cobalt Strike 3.3
---------
+ Added krbtgt helper to Golden Ticket dialog.
+ Added filter feature (Ctrl+F) to most of Cobalt Strike's tables.
+ Raised data model retention limits again.
+ cobaltstrike.exe on x64 Windows now looks for x86 Java if x64 Java is not found
+ Removed remnants of non-existent task command.
+ Aliased ? to help in Beacon console.
+ Mitigated DOS condition that could stop Team Server from accepting new clients
+ Fixed conflict between Malleable C2 partial URIs (uri-append) and HTTP/S 
  staging protocol. Malleable C2 partial URIs requests match to handler first.
+ Added c2profile info to Help -> System Information
+ Made keystroke logger loop tighter.
+ Added powerpick command to run PowerShell via Unmanaged PowerShell technique
+ Added psinject command to inject Unmanaged PowerShell into a specific process
+ Added 3389 to default portscan port list.
+ Made multiple error checking enhancements to c2lint.
+ Added Reload button to Script Manager dialog.
+ Added ready column to Script Manager to indicate if script is loaded or not.
+ Ctrl+Shift+D closes all tabs except the active one.
+ note[space][tab] now completes the current Beacon note.
+ Added net time to Beacon's net module.
+ powershell-import size check occurs *after* compressing the script.
+ DNS server responds to (unexpected) AAAA requests with an empty answer section
+ Mimikatz parser now preserves passwords with spaces.
+ Beacon now uses encrypt-then-MAC to verify task/response message integrity
+ Updated web server to have enough Range request support to satisfy bitsadmin
+ Replaced PowerShell Web Delivery with Scripted Web Delivery. This dialog
  generates artifacts and one-liners to deliver payloads with: bitsadmin, 
  powershell, python, and regsvr32.
+ Added VBA shellcode injection option to the HTML Application Attack.
+ Added an option to use x64 stagers/stages to:
  - Attacks -> Packages -> Payload Generator
  - Attacks -> Packages -> Windows Executable
  - Attacks -> Packages -> Windows Executable (S)
+ Added x64 artifacts to the Artifact Kit 
+ Added shinject command to inject shellcode into a process
+ Made the following updates to Aggressor Script:
  - &binject now accepts an arch (x86, x64) parameter.
  - Added &beacon_ids function to get all Beacon IDs
  - Added &bpowerpick / &bpsinject functions to go with the above.
  - Added &openScriptedWebDialog for Scripted Web Delivery
  - Added &bshinject to go with shinject command
  - Extended &shellcode with an x86/x64 architecture parameter
  - Extended &artifact with an x86/x64 architecture parameter
  - Extended &artifact types with powershell, vbscript, and python
  - Extended &powershell with an x86/x64 architecture parameter
  - &agServices now limits its results to hosts in targets model only.
+ The make_token command now accepts passwords with spaces.
+ Improved Bypass UAC attack's reliability. It also gives feedback now.

4 April 16 - Cobalt Strike 3.2
----------
+ Removed errant date parsing code from Mimikatz output scraper.

22 Mar 16 - Cobalt Strike 3.2
---------
+ Fixed potential null pointer exception in multi-Beacon Process Browser
+ Fixed a type-issue that could cause client disconnect when editing credentials
+ Text displays show horizontal scrollbar if a text token is longer than display
+ Hardened report generator against empty bookmarks.

10 Mar 16 - Cobalt Strike 3.2
---------
+ Standard dialogs (messages, prompts) are now created in Swing's EDT
+ Merged client data sync process to one mechanism
+ Made slight change to bind TCP staging protocol.
+ Fixed bug with Beacon desktop command running twice when three args specified
+ Scrollbar now appears in connection list (when one is warranted).
+ Fixed VPN pivoting deployment error caused by internal API changes.
+ Added a startup warning for OpenJDK users. OpenJDK is not recommended for use
  with Cobalt Strike. It has occasional bugs that severely impact CS users.
+ Bind TCP staging process now encodes x86 payloads
+ Raised the max entry limits in Cobalt Strike's data model.
+ Port Scanner now properly ids Ubuntu OpenSSH banner as a Linux system
+ Added an x64 Beacon agent. You can now inject Beacon into x64 processes.
+ Added a timeout to VNC session handshake. If the timeout expires, you're asked
  to try the VNC process again.
+ [beacon] -> Explore -> Desktop announces desktop command to the beacon console
+ [beacon] -> Interact now activates Beacon's existing tab, if one is open.
+ Fixed a bug downloading 0 byte files.
+ Raised max number of linked beacons from 15 to 40.
+ Added 'net computers' to query Domain Computers/Domain Controllers groups to
  discover targets and populate Cobalt Strike's data model.
+ VPN Pivot now filters the VPN client's host and hosts in client's pivot chain.
+ Added Reporting -> Reset Data to reset Cobalt Strike's data model.
+ Modified teamserver script to avoid re-generating SSL cert if keystore exists
+ Website Keystroke Logger tool now logs to webkeystrokes.log on team server.
+ NMap import does not import hosts with no open services.
+ text prompts no longer fire their callback if dialog is cancelled.
+ Consoles now display a horizontal scrollbar when there is a text token longer
  than the console can display.
+ PowerShell Web Delivery and powershell-import now compress hosted scripts.
+ Added warning to prevent deploying CovertVPN on Windows 10.
+ Hardened recursive task building logic against potential loops.
+ Changed screenshot publish/read protocol to avoid incomplete screenshots
+ Added processbrowser and processbrowser_multi popup hooks to Aggressor Script
+ upload and powershell-import report errors if content is too big.
+ Ctrl+Shift+T takes screenshot of entire CS window and pushes it to team server
+ Reporting engine frees up memory after report is generated.
+ Hardened report generator against empty pages and empty tables.
 
8 Dec 15 - Cobalt Strike 3.1
--------
+ Fixed report generation bug when masking long email addresses
+ Fixed race that made metadata unavailable to beacon_initial event 
+ &binfo("id") now returns all metadata for the specified beacon id
+ Screenshots in memory no longer cache their ready-to-render form. This prevents
  out of memory exceptions for those of you watching busy desktops.

4 Dec 15 - Cobalt Strike 3.1
--------
+ Fixed report generation issue with UTF-8 encoded characters.
+ SE Report now excludes campaigns with no delivered messages.
+ Spear Phishing tool now preserves base64 encoded parts with a Content-ID
+ Script Console e, x, and ? commands present errors in friendlier way.

2 Dec 15 - Cobalt Strike 3.1
--------
+ Beacon help command complains when asked about a command that doesn't exist
+ VNC server stage is now encoded 
+ Bypass UAC on Windows 10 now takes steps to use an artifact that's OK with
  blocking DLL_PROCESS_ATTACH [not all techniques are OK with this].
+ Updated integrated mimikatz to 2.0 alpha 20151008
+ Added dcsync command to Beacon. Uses mimikatz to pull a hash from a DC. CS
  parses its output and adds the credential to the creds model too.
+ Fixed null pointer exception when trying to save an edited listener.
+ mimikatz @module::command will force mimikatz to use beacon's thread token
+ Download cancel now properly releases file handle in Beacon.
+ client now trims large data structures in the same way the team server does
+ Screenshot tool is now smarter. If user is idle, it returns one screenshot
  every three minutes. If user is active, it will return one each check-in.
+ Session metadata is now in the Beacon logs on the team server.
+ CS now offers to direct user to team server documentation when they get a
  Connection refused error.
+ Added headless option to run Aggressor Scripts. Use the agscript launcher
  included with the Linux package.
+ Obfuscated Artifact Kit's service entry point slightly.
+ DNS Beacon export option was not showing up in the stageless payload export
  dialog if windows/beacon_dns/reverse_dns_txt was set as the listener. Fixed.
+ Scan dialog now complains if a Beacon session wasn't selected.
+ Export Data and Sync Files features now mkdir folders that don't exist.
+ Added check to prevent you from using CS with Java 1.6.
+ %TOKEN% is now replaced everywhere in phishing template, not just URL.
+ Added Export button to View -> Credentials. Exports creds in PWDump format
+ Fixed stager crash on exit after failure; caused by wrong byte order exitfunk
+ Added a sanity check for phishing target files w/ reversed email/name info
+ View -> Targets now has an import button. Imports: NMap XML & flat host files
+ IoC Report now only shows each hash once.
+ Fixed several bugs that could affect report generation.
+ Spear Phishing tool no longer strips attachments with a Content-ID header.
+ Added several APIs to Aggressor Script
+ DNS Stager now exits after all attempts exhausted (better than crashing)

24 Sept 15 - Cobalt Strike 3.0
----------
+ Switched to the Aggressor project's team server and client. Aggressor
  was a long effort to rewrite Cobalt Strike's team server and client without 
  the Armitage codebase and dependency on the Metasploit Framework. The 
  Aggressor project expanded Beacon's post-exploitation capability and
  re-aligns Cobalt Strike's workflows around the Beacon payload. 
+ psexec commands now query service before they shut it down. This fixes a
  race condition that affected psexec's success in some situations.
+ Beacon now acknowledges the exit command and a message is shown.
+ Team server now delivers very large Beacon taskings in chunks. Beacon has a
  hard limit on taskings and this prevents large taskings (e.g., mimikatz sent
  to 5+ different hosts) from crashing Beacon.
+ The sleep command in an SMB Beacon now sends the command up to the egress
  Beacon to take effect.
+ psexec and friends tab complete target NetBIOS names from CS's data model
+ Added port scanner and net [view] modules to Beacon.
+ Named pipe staging now aborts after 60s of attempts or an error 53.
+ Bypass UAC now works on Windows 10
+ Added a profile preview to the c2lint utility.
+ Updated Artifact Kit and Applet Kit to use Aggressor Script APIs to hook
  into attack generation process.

12 Aug 15 - Cobalt Strike 2.5
---------
+ Beacon's lateral movement commands now show listener dialog when no 
  listener is specified.
+ Took steps to combat Read Timeout errors during authentication
  to team server.
- Updated YAML parser and other code to become compatible with Kali 2.0
- Console Queue now sets some options (e.g., TARGET) before it sets others    
  to avoid errors 

29 Jul 15 - Cobalt Strike 2.5
---------
+ Removed [beacon] -> Log Keystrokes menu. These options don't make sense
  now that keystroke logger injects into specific processes
+ Added make_token command to Beacon. Clones current access token to pass
  username/password to remote systems. Requires admin access.
+ Added rm and mkdir commands to Beacon.
+ Added lateral movement commands to Beacon: psexec, psexec_psh, winrm, 
  and wmi. The psexec command uses a Service EXE from Artifact Kit. The 
  other options bootstrap a payload with PowerShell.
+ Replaced windows/beacon_smb/reverse_tcp with windows/beacon_smb/bind_pipe.
  You may use this listener with Beacon's lateral movement options. It will
  stage the SMB Beacon over a named pipe (quite slick!). This listener is
  also usable with other Beacon features (e.g., spawn, bypassuac, etc.)
+ Beacon now polls each SMB Beacon for data on checkin.
+ Backported Cobalt Strike 3.0's SOCKS backend to 2.5.
+ Added rportfwd command to Beacon. This creates a reverse port forward (on
  target) to catch connections and forward them to a host/server of your
  choosing. The forwarded traffic/connections are tunneled through Beacon.
+ Added hta-psh to Attacks -> Packages -> Payload Generator. Uses MSF to
  generate an HTML Application that bootstraps your payload with PowerShell
+ Browser Pivot dialog now shows processes on newer versions of Metasploit.
  Newer versions of MSF omit the PPID column in Meterpreter's ps output.
+ The PowerShell output for Windows Executable (S) is now much smaller!
+ Malleable C2 now allows escaping of quotes inside of strings #CommonSense
+ Added Malleable C2 options to import an SSL certificate for Beacon's use
+ Added spawnas to Beacon to run a payload with the specified creds.
+ Beacon now uses CREATE_NEW_CONSOLE with cmd.exe/powershell.exe. This 
  fixes some weird situations where Beacon could not consume output from a
  process created with a stolen token.
- Updated MsgPack library and code that uses it.
- Team server now authenticates client before exchanging serialized objects

21 May 15 - Cobalt Strike 2.4 
---------
+ Fixed a conflict with SMB Beacon pipenames due to random seed choice.
+ Added date stamp to View -> Web Log entries
+ Re-generated default Beacon HTTPS certificate with different parameters
+ Malleable C2 HTTPS certificate generation now uses different parameters
+ Slight refresh to the default artifact kit for executables and DLLs

10 Apr 15 - Cobalt Strike 2.4
--------
+ Fixed 'meterpreter' command to tunnel Meterpreter through Beacon
+ Pressing cancel on the Set Note dialog for Beacon no longer clears note
+ Fixed mimikatz command with really long commands + arguments.

8 Apr 15 - Cobalt Strike 2.4
--------
+ Added dllinject to Beacon. Injects a Reflective DLL into a process
- Sped up rendering of graph view on Windows and MacOS X.
+ Beacon now has a concept for long-running post exploitation jobs.
  Use the jobs command to list jobs. Use the jobkill command to kill
  a job. The keystroke logger, PowerShell tasks, and Command Shell tasks
  now use this mechanism.
+ Keystroke logger now injects into an x86 or x64 process of your 
  choosing and reports keystrokes back to you.
+ Added hashdump command to Beacon
+ Integrated mimikatz into Beacon. Use wdigest to dump plaintext creds.
  Use mimikatz [command] [args] to run an arbitrary mimikatz command.
+ Fixed Beacon's internal types to allow working with large PIDs.
+ Revised VNC client -> server staging and connection process to 
  eliminate a layer of unnecessary tunneling and improve reliability.
+ Payload names in Listener dialog are now in alphabetical order. This
  will mess with muscle memory for some of us. It's for the best though
+ Added foreign listeners. These listeners are aliases for Meterpreter
  or Beacon handlers managed elsewhere. 
+ Added a sanity check for when an Applet Kit script can't find its
  jar resource.
+ Added PowerApplet to the Cobalt Strike Arsenal. This alternate 
  implementation of the Cobalt Strike Applet Attacks uses PowerShell 
  to inject a payload into memory. 
- Made YAML parser more liberal with punctuation characters.
+ Fixed a malleable c2 bug that affected safebrowsing.profile
+ Improved c2lint utility with a few new checks and enhanced checks
+ Added another A/V bypass technique to the Artifact Kit.
+ Tweaked artifacts Cobalt Strike generates
+ Performed normal client-side database maintenance

22 Jan 15 - Cobalt Strike 2.3
---------
+ Cobalt Strike now encodes Beacon's DNS stage with a custom encoder.
+ kerberos_ticket_use with no arguments now prompts for file.
+ Staged Beacon's PowerShell output is now x86/x64 PowerShell agnostic
+ Added Attacks -> Web Drive-by -> PowerShell Web Delivery. 
- Fixed a repaint bug when removing last server button.
+ added runas command to Beacon.
+ Fix bug when prepend/append were used before base64/netbios encode in
  Malleable C2 profiles.
+ Beacon now dynamically calls Wow64 disable/revert. This prevents a 
  crash when user tries to run powershell command on older XP systems.
+ c2lint now checks for a ? in URIs and warns user.
+ Beacon's download command now gives feedback when it can't open a file
+ Added pwd command to Beacon

20 Nov 14 - Cobalt Strike 2.2
---------
- team server startup verifies default host is an IPv4 address.
- Prompt for default address is now more aggressive and continues to
  ask until an address is put in. If a user hit cancel on this dialog,
  threads to poll the database never get started. Bad day, for sure.
+ Rebuilt process to inject and connect to VNC server on target system.
  New process is more likely to be ignored by host-based firewalls.
+ VNC client now uses a better visual cue for view-only, ctrl/alt lock
+ Vulnerability report now shows URLs for references from ZDI, MSB, 
  US-CERT-VU and WPVDB.
- Cobalt Strike now sends a keep-alive every 1-2mins over an idle team 
  server connection to combat disconnection by a NAT device
+ Beacon re-adds host to db if you remove its Beacon and it comes back.
+ Fixed Beacon replay attack counter 50-day roll over cycle. 
+ c2lint now simulates impact of URL encode on parameters and mangled
  binary data in headers when unit testing profiles. 
+ Applet Kit shellcode injector now spawns a suspended process to 
  inject into.
+ Spear Phishing tool is better with more complicated message templates
+ Phishing preview no longer replaces links in plaintext preview that
  would not be replaced in actual phish.
+ c2lint now checks length of useragent value
+ You may now tab complete file with kerberos_ticket_use in Beacon
+ Fixed (potential) deadlock with listener tab complete in Beacon
- Cobalt Strike client now shows disconnect message if it loses any
  of its connections to the team server.
+ Added an ICMP channel to Covert VPN feature.
+ Fixed Covert VPN issue with encryption keys that contain null bytes
+ More small tweaks to the VBA macro.

Cortana Updates (for scripters)
--------
- name field for hosts is now available.

30 Sept 14 - Cobalt Strike 2.1
----------
+ Beacon's powershell command always launches native arch PowerShell
+ powershell tab completion now tracks completeable cmdlets on a 
  beacon-by-beacon basis.

23 Sept 14 - Cobalt Strike 2.1
----------
+ Beacons now use asymmetric cryptography to negotiate a unique 
  session key and authenticate with your Cobalt Strike instance.
- Added helper for SCRIPT option.
+ Added Malleable C2 options to customize SSL cert for HTTPS Beacon
+ You may now use PowerShell through Beacon. Use the powershell 
  command to evaluate a PowerShell expression. Use powershell-import
  to import a script and make it available to the powershell command.
- Right-click a tab's X button and use "Send to bottom" or Ctrl+B to 
  dock a tab to the bottom of the Cobalt Strike window. Use Ctrl+E to
  get rid of the docked tab.
+ Cobalt Strike's web server now sends Content-Length when it's known
+ Added file tab completion for some of Beacon's commands.
+ Upload command now reports an error if Beacon can't write the file
+ Rebuilt CovertVPN client as a Reflective DLL. This will make client 
  deployment more reliable.
+ Cobalt Strike -> Interfaces now auto-refreshes itself every second
+ Split Covert VPN TCP channel into Bind and Reverse options. Reverse
  works as before and makes a connection to you. Bind uses a portfwd
  to connect to VPN client through Meterpreter [in effect tunneling
  frames through Meterpreter].
+ HTTP channel in Covert VPN now uses User-Agent from Malleable C2
- Added more YAML warnings to save heartache for custom installs
+ Added a user-driven attack: Attacks -> Packages -> HTML Application
+ Performed normal client-side database maintenance
- Database layer now uses core.version results to decide which MSF
  data model to use.
- File tab completion (Beacon, Cortana console) better handles ~
+ Made a small tweak to the VBA macro.
+ Updated Firefox Add-on Attack launcher to work with MSF updates
+ Updated artifact kit build.sh to account for increased beacon size

Cortana Updates (for scripters)
--------
- &credential_add, &credential_delete now take into account Metasploit
  version (pre 4.10, post 4.10) and do the right thing.

18 Aug 14 - Cobalt Strike 2.0.4.10
---------
- Added hard-coded database.yml path as fallback for Kali users
- Updated internal db.creds/db.creds2 calls to pull from new creds
  model in database.
- [meterpreter] -> Access -> Dump Hashes -> wdigest uses sso post
  module now. New creds model makes this better.
- Import option in View -> Credentials now works with new data model

16 Jul 14 - Cobalt Strike 2.0.49
---------
+ Fixed SE PDF report generation bug when masked emails collided
- Command Shell experience on Windows Meterpreter is much better now
- Java Meterpreter may now interact with a bash shell
! Removed [host] -> Meterpreter -> Access -> Migrate Now! menu item
- Ctrl+Escape temporarily drops the timeout times for Meterpreter
  commands to 5s, across the board. If a Meterpreter session appears
  unresponsive, try this to force any hung commands to timeout
+ Listener dialog now complains if user leaves host field blank
+ Added 'veil' option to Payload Generator. Outputs shellcode in a 
  format suitable for use with Veil [as custom shellcode].
+ Added Malleable C&C - a domain specific language to re-define 
  indicators in Beacon. Now you can make Beacon look like whatever 
  you need for your mission needs. *pHEAR*
+ Add windows/beacon_https/reverse_https which is an HTTPS Beacon.
+ Added [host] -> Meterpreter -> Access -> Bypass UAC. Launches the
  bypassuac_inject module w/ an Artifact Kit-made DLL for AV evasion
+ Fixed unicode issue with Website Clone Tool
- Cobalt Strike now warns when a team server is non-responsive by 
  making its server button purple. When the server is responsive again, 
  the button will turn back to its normal color. This requires that 
  you're connected to multiple team servers.
+ Added kill and ps commands to Beacon
+ Listener dialog now complains if user tries to use multiple hosts in
  host field.
+ Added kerberos_ticket_use and kerberos_ticket_purge commands to Beacon.
  These commands allow you to inject a Kerberos ticket into the session
  and purge it. Use with a Golden Ticket generated by Mimikatz 2.0.
+ Beacon's inject, spawn, and bypassuac commands pop up a listener dialog
  if no listener is specified.
- Windows EXE launcher for Cobalt Strike now finds 64-bit Java.

15 May 14 - Cobalt Strike 1.49
---------
- Worked around invisible text selection bug with latest Java on Kali

13 May 14 - Cobalt Strike 1.49
---------
+ Fixed Beacon HTTP Stager bug on Windows XP
+ Worked around VBA syntax error caused by stagers that are too long.

23 Apr 14 - Cobalt Strike 1.49 (NCCDC Edition)
---------
- Keyboard shortcuts to change text size now work in table view
+ Browser Pivoting now uses a self-signed cert that expires in 10 years
+ Added ability to assign a non-persistent note to a Beacon
- Added Copy button to View -> Creds
+ Beacon's process injection now falls back to APC Queue process injection
  technique when CreateRemoteThread fails.
+ Listeners dialog now complains if you try to use an out-of-range port
+ Beacon DNS processor now lowercases all requests. 
+ Beacon's HTTP stager now prompts user for proxy creds when proxy 
  authentication fails. This prompt is the same one Internet Explorer uses.
- Services tab right-click menu now has options to edit a service's info
- YAML parser now gives better errors and forgives errant whitespace
- CS now intercepts shell command with arguments and spawns a command shell.
+ Beacon socks command prints an error if it can't bind the requested port
+ [beacon] -> Sleep menu now lets you specify a jitter factor.
+ Beacon's 'meterpreter' command now automatically changes the sleep time to
  something interactive.
+ Windows Executable (S) Package now has raw and PowerShell output
+ Fixed a bug that broke features when a custom Artifact Kit is loaded
- Logging now deals with IPv6 addresses better for Windows users
- Launching psexec at 4+ hosts will no longer open a tab for each host
- Cobalt Strike no longer allows two buttons with the same name in its team
  server button bar.
+ Listeners dialog now warns when Beacon hosts/domains list is too long
+ Beacon's spawn and meterpreter commands now create processes in a 
  suspended state and inject into rundll32.exe by default.
+ Beacon's spawn and meterpreter commands no longer use the impersonated 
  token to create the process to inject code into. This change reduces 
  "surprises" for you and gives you the flexibility to steal a token or 
  getsystem from the new session 

Cortana Updates (for scripters)
--------
- Added &script_load to load a script (as if the user did this)
- Added &script_unload to unload a script

13 Mar 14 - Cobalt Strike 1.48 (NECCDC Edition)
---------
+ PsExec now waits longer for a session
+ Added timestomp command to Beacon
+ Beacon's bypassuac now waits up to 10s for privileged file copy to complete
+ Beacon's 'meterpreter' command now checks for a pivot that could interfere
  with staging meterpreter through Beacon and presents a warning about it.
- Added Ctrl+L to quickly add an entry to timeline.[xml|tsv] (exported 
  through View -> Reporting -> Export Data)
+ Added Attacks -> Packages -> Windows Executable (S) to export a staged
  Beacon as a DLL or executable.
- Added osx-app to Output: type for payloads. Outputs a zipped MacOS X
  app archive.
+ Auto-Exploit Server now uses MSF's HTTP stager for Beacons. The custom stager
  is too big for most of MSF's client-side attacks.
- Scrubbed Cobalt Strike to eliminate unnecessary blocking calls from Sleep
  source code. This improves Cobalt Strike's responsiveness and takes away
  many opportunities for deadlock.
- Sync Files for Loot and Downloads is now much better with large files
+ Beacon now warns you when you try to upload a file bigger than its 1MB limit
- Cobalt Strike now properly notifies you when you lose a connection to a 
  team server. This was probably a long time coming.

27 Feb 14 - Cobalt Strike 1.48
---------
+ Beacon now reports Windows 8.1 correctly.
+ Beacon's interactive mode (sleep 0) is now 10-100ms delay between requests
+ Windows Dropper attack now uses a language-neutral method to determine
  Documents folder to write dropped file to.
+ Beacon's Task URL command now uses EXITFUNC of process to prevent metasploit
  generated shellcode from crashing after executed program closes.
+ Worked around known Java bug that prevents Spear Phishing HTML Preview from
  displaying text when a META tag is present.
+ Added Pivot Listeners--a listener that calls home through an existing 
  Meterpreter session. Go to [host] -> Meterpreter -> Pivoting -> Listener...
+ Added WebRTC IP address decloak to System Profiler. Based on technique at:
  https://github.com/natevw/ipcalf
+ Beacon's 'meterpreter' command now uses bind_tcp shellcode that binds to 
  127.0.0.1 explicitly. This will prevent some host firewall warnings.
+ Modified MSF's HTTP stager to specify a User-Agent. This is necessary to
  get through proxies that whitelist browsers. This modified stager is used
  to stage Beacon via Social Engineering Packages and when you task a Beacon
  to spawn a new Beacon for you.
+ Added Attacks -> Packages -> Payload Generator to output sourcecode or an
  artifact to deliver a Cobalt Strike payload to a host.
+ Added windows/beacon_smb/reverse_tcp payload to listeners dialog. This 
  will deliver a Beacon peer to a host (staged over a reverse TCP connection).
  You must have an HTTP or DNS Beacon setup before you create this listener.
+ Beacon SMB (reverse_tcp/bind_tcp) now kills the socket used to stage it.
+ Beacon now obfuscates session metadata better.
+ Added several commands for privilege escalation and token stealing to
  Beacon: steal_token, getuid, rev2self, getsystem, and bypassuac. This change
  gets one entry in this log but it was a lot of added grey hair to pull off
+ Beacons tab now shows a * next to user to indicate Beacon is run as admin
+ Type upload[enter] in a Beacon to immediately see a file chooser dialog
- Windows opened by Ctrl+W now show the proper application icon.
- Cobalt Strike now uses a JFrame to display its dialogs. This will give each
  window its own button in the taskbar regardless of window manager.
+ Beacon's inject and spawn commands will now deliver a DNS Beacon over DNS
  [just use spawn [listener] (DNS)]
+ Took steps to suppress "host called home" messages in Beacon console for
  data relayed through a P2P link/SOCKS pivot. 
+ Beacon auto-migrate now spawns a process that isn't notepad.exe ;)

8 Jan 14 - Cobalt Strike 1.48
--------
+ You may now assign a host on a per listener basis. Useful if you'd like a 
  listener to call home to a FQDN, an IPv6 host, or a hop point.
+ Added "shell (connect to target)" to PsExec dialogs.
+ Spear Phishing Preview now renders HTML and Plain Text previews of message
+ System Profiler is now compatible with IE11 and it detects Windows 8.1
+ Added an option to disable Java Applet with System Profiler. This will pull
  less information, but it also prevents click-to-run raising suspicion
+ Attacks -> Packages -> Windows EXE now generates an x86 EXE, x86 DLL, 
  x86 Service EXE, and an x64 DLL. These artifacts are generated by Cobalt
  Strike. Source code to this Artifact Kit is in the Cobalt Strike arsenal.
+ Added Attacks -> Packages -> Windows Dropper. This package drops a document
  to disk and opens it, while silently executing a payload.
+ Ported MSF's MS Office Macro Attack to Cobalt Strike with a few enhancements.
  Updated Office Macro now intelligently spawns payload into an x86 process--
  allowing the same macro to work when run on x86 or x64 Office. This also
  keeps your session safe if the user closes Office before you can migrate.
! Removed Attacks -> Packages -> Adobe PDF. This feature references a 
  Metasploit Framework module that is no longer very useful.
! Removed Attacks -> Packages -> MacOS X Trojan. This one was my fault.
+ Cobalt Strike now uses Artifact Kit to generate executables for its lateral
  movement dialogs. [host] -> Login -> psexec and psexec (token)
- Cobalt Strike.app for MacOS X now works with Oracle's Java 1.7
+ Added Microsoft Silverlight detection to the System Profiler
+ Updated client-side attack database with the latest and greatest
- Cobalt Strike console is now a mouse hot spot. Right-click a host in the
  console to see its menu. Click a module to open the module's launcher
- Cobalt Strike module launch console ignores false meterpreter prompt from
  msfrpcd after a successful exploit job is run. This work-around isn't
  perfect but it's much better than doing nothing.
- hashdump and wdigest menus now add usernames with spaces to creds table
+ Attacks -> Web Drive-by -> Firefox Add-on now uses Artifact Kit to generate
  an executable for its payload.
- IPv6 reverse sessions now associate with their host properly.
+ Added [listener] -> Debug... to restart a listener in a console where you
  can directly observe its output (and error messages)
+ Removed Set LHOST from View -> Beacons. Since LHOST no longer affects
  the listener callback address--it made sense to do this.
+ Cobalt Strike web server now uses proper MIME types for MS Office 2007 docs

21 Nov 13 - Cobalt Strike 1.48
---------
- Missing MSF_DATABASE_CONFIG error now gives troubleshooting steps too
- Added another check to detect and correct a corrupt module cache
- [host] -> Operating System -> Firewall works again.
+ Browser Pivoting now supports 64-bit Internet Explorer
+ Added peer-to-peer communication to Beacon. Use 'mode smb' to turn a
  Beacon into a peer node. Use 'link [ip address]' to link a Beacon to a 
  peer. You may recursively link peers as well.
+ Beacon DNS C2 is now more robust.
+ Default port for MSF exploits in auto-exploit server is now 8080
+ Reporting Engine now links ZDI advisories
- You can now set PAYLOAD for windows/local/wmi exploit
+ Added [host] -> Login -> psexec (token+psh) to run current_user_psexec with
  the PowerShell injection technique.
+ Added [host] -> Login -> wmi (token+psh) to run windows/local/wmi with the
  PowerShell injection techniques. WMI is another option for lateral movement
+ Beacon checkin command now displays output stating the task was added
+ Beacon console now logs to a separate file for each beacon
+ Browser Pivoting now shows output/errors from reflective DLL injection step
+ Updated client-side attack database
+ Listener "sanity check" feature now gives the old non-HTTP listener more time 
  to close before warning that the listener may fail.
+ PsExec windows/meterpreter/bind_tcp payload option now encodes second stage
- Default meterpreter/reverse_tcp listener now encodes its second stage
+ Browser Pivoting can now connect to sites on non-standard ports
+ Added a check to prevent user from creating multiple beacon listeners on one
  Cobalt Strike instance.
+ Added Permissions and Application-Name to Signed Java Applet manifest. This
  suppresses a big warning on the latest version of Java 1.7
+ Some PsExec options show 'beacon (connect to target)' as a listener option. 
  This will deliver Beacon setup as a peer. Link to it from another Beacon.
+ Beacon now times out WinINet requests after 4 minutes. If something traumatic
  happens to your poor Beacon, you'll get it back in 4 minutes. This is better
  than the WinINet default of 60 minutes.
+ Beacon now automatically checks in when a file download is in progress.

26 Sept 13 - Cobalt Strike 1.47
----------
- Fixed webcam selection logic that I broke last update.
+ Adjusted max RPC messages/second to 200 (from 20). This mitigates a message
  backlog from multiple interactive beacons.
+ Beacon's 'meterpreter' command now initiates a connection to localhost
  (tunneled through Beacon, of course) instead of the host's known external 
  address. This makes a session more likely to happen in most cases.
- Added a helper for PATH option
+ System Profiler now translates internal host 127.0.0.1 -> unknown. If you
  use this information to determine if an applet ran, look in the web log.
  The System Profiler will report a note to state that this change happened.
+ Added CVE-2013-2465 to Smart Applet Attack. This expands the Smart Applet
  Attack coverage to users with Java 1.6.0_45 or earlier.
- Java 1.6 is no longer a supported environment to run Cobalt Strike. Added
  a warning message to indicate as much.
+ Added Browser Pivoting to Cobalt Strike. A Browser Pivot is a proxy server 
  that fulfills requests with a target's browser (Internet Explorer 32-bit 
  only). This setup conveniently inherits the user's cookies, HTTP
  authenticated sites, and client-SSL certificates too. To set it up:

	[host] -> Meterpreter -> Explore -> Browser Pivot

+ System Profiler now detects MS Office in some cases.
- Connect dialog now masks the password field.
+ Updated client-side attack database with new additions
- Cobalt Strike no longer allows you to start msfrpcd on Windows. It shows an
  error stating that you need to connect to a team server on Linux.
- Fixed a potential deadlock when opening a module launcher dialog.
+ Small changes to make the applet kit more robust.
+ Cobalt Strike now performs sanity checks when starting a listener. If a port
  is bound, Cobalt Strike will notify you.

21 Aug 13 - Cobalt Strike 1.47
---------
- Fixed a potential deadlock when updating the host display
- Updated multiplexing code to be compatible with enumdesktops command
- Updated multiplexing code to be compatible with webcam_list command
- You may now choose which camera to take a Webcam Shot from
- Close button now shows w/ Cobalt Strike dialogs on Kali Linux.
- Module Launcher dialog is now always active when opened.
- EXE::Custom is no longer treated as an advanced option. When available it's 
  always present for you to modify in a module.
- Meterpreter -> Access -> Persistence now uses the local exploit module
  (default settings now work without tweaks too)
- Meterpreter -> Access -> Pass Session and Process -> Inject now use the
  payload_inject local exploit module.
- Added Meterpreter -> Access -> Dump Hashes -> wdigest to run mimikatz's
  wdigest command, to retrieve plaintext creds.
- Cobalt Strike now uses a better method to shuttle files to team server and
  notify you of the progress of this action.
+ Added [host] -> Login -> psexec (psh) to run PsExec with PowerShell module
+ Added a Help button to psexec dialogs.
+ Added 'meterpreter' command to Beacon--spawns a Meterpreter session that
  tunnels through Beacon's C2 channel.
- Made multiplexing code smarter about load and use commands.
+ Beacon stage encoding process now has a much higher timeout. On slower
  systems, the encoding process could exceed this timeout.
+ Added ability to specify a jitter factor with Beacon's sleep command. The
  jitter factor is a random percentage for Beacon to vary its sleep time with
+ Beacon download command now sends files, one piece with each checkin
- Added a check to detect a corrupt module cache and clean it. If you see a 
  message asking you to restart the Metasploit Framework... please heed it.
- Added ANSI color markup to Cobalt Strike's console output. It's less scary
  than the default messages and it's nicer to look at.
- Added cmd/unix/reverse to payload selection logic.
+ Java Applet attacks now take steps to prevent loading injector DLL twice.
+ Java Applet attacks now inject shellcode on Windows 64bit JVMs too.
+ Added CVE-2013-2460 to Cobalt Strike's Smart Applet Attack
+ Auto-exploit server eliminates "smart applet" attack if system profiler did
  not get an IP address through Java applet (indicating that applets don't
  auto run)
+ System Profiler now annotates 64-bit Windows and Internet Explorer
+ Added an option to mask email addresses in the social engineering report
+ Added an option to mask passwords in the hosts report
- Updated the payload output formats to match what's now possible in MSF
+ Fixed bug that sometimes prevented profiler associating info w/ phished user
+ Renamed Beacon -> Download to Beacon -> Task URL
+ Beacon's DNS C2 now recovers from a failed conversation more quickly
+ Beacon SOCKS Proxy capability is now faster and more robust
+ Cobalt Strike Listeners feature now uses a different encoder for the second
  stage of Meterpreter.
- [host] -> Login options set DB_ALL_CREDS to false.

9 Jul 13 - Cobalt Strike 1.46
--------
+ System profiler now uses a fallback measure to detect Java and report its
  version information to you. Necessary for latest IE10 update.
+ Beacon will no longer attempt to report keystrokes if it could not make a
  GET request to checkin. This prevents logged keystrokes from getting lost
  if one of your checkin domains is blocked or otherwise unavailable.
+ Added pivoting capability to Beacon. Use "socks [port]" to start a SOCKS4a
  proxy server that relays traffic through the Beacon instance. This works
  regardless of the type of Beacon or communication strategy in use. Use
  "socks stop" to stop the proxy server for that Beacon. 
+ Added checkin command to ask Beacon to connect to you and dump keystrokes.
  This command is necessary as the DNS Beacon does not connect to you unless 
  one or more tasks are waiting for it.
+ HTTP Beacon now sends output after task execution as a single POST request.
+ Added 'mode dns-txt' to Beacon. This sets the Beacon data channel to use 
  DNS TXT records. This mode transmits ~189 bytes per request versus 4 bytes 
  per request with 'mode dns' which uses DNS A records.
+ Increased Beacon DNS data channel output throughput to 84 bytes/request. Up
  from 28 bytes/request. This output method is used with both DNS channels.
+ Fixed a race that could prevent generation of Beacon stage when setting up
  the listener.
+ Fixed Beacon key generation bug. Some bytes in the key could end up null.
  When this happened, you'd get a non-responsive Beacon (e.g., it will always
  seem to "die" after a task). This is fixed. If you've seen this behavior,
  you'll need to force Cobalt Strike to generate a new key. To do so, stop 
  Cobalt Strike and change to the folder you normally start Cobalt Strike 
  from and type:

	rm -f .cobaltstrike.beacon
+ Updated client-side attack database with new additions
+ Website Clone Tool now follows 301 (permanent) redirects
- Removed sunrpc and dcerpc modules from MSF Scans feature
+ quick-msf-setup's Git option is now based on DarkOperator's msf_install.sh
  script. The updater script now updates quick-msf-setup as well.

6 Jun 13 - Cobalt Strike 1.46
--------
+ Added Login -> ssh (key) to let you login to a host with an SSH key file
  or select from a key that worked previously.
+ Added a helper to KEY_FILE to let you select from a known-working SSH key
  or specify one to upload.
- Added vmauthd to the Login menu
+ Fixed Beacon's "automatically migrate option"
+ Spear Phish dialog now warns on missing or incomplete parameters again.
- Increased the number of modules run in response to services found during
  a sweep with the MSF Scans feature.
- Attack menu attached to host now splits menus up if there are more than
  10 items. This will help with the webapp and http menus.
+ Beacon no longer gets confused when a hostname or username contain
  whitespace. I'm now using a better separator for metadata sent to it.
+ Fixed bug preventing Beacon upload from triggering a task request
+ Added DNS as a data channel to Beacon. This option is designed as a way
  to control Beacon when it can't communicate with you over HTTP. Deploy
  the DNS Beacon like normal. Type 'mode dns' in the Beacon console to 
  switch its communication scheme to use DNS. This mode can both transmit 
  and receive data.
+ Cobalt Strike now enables second stage encoding for Windows listeners it
  manages through Cobalt Strike -> Listeners.
+ Added option to stage DNS Beacon over DNS. This option is available with
  certain Cobalt Strike attack packages. Select "listener name (DNS)" to
  have Cobalt Strike stage the listener over DNS. 
+ Added random send delay option to the spear phishing tool. Click ... next 
  to the Mail Server field. Specify the number of seconds to delay to.
+ Spear phishing tool now ignores extra whitespace in targets file
- Added a menu to mark a host as a firewall
+ slight tweak to the Smart Applet attack (arsenal source updated too)
- Added a type-fix hack for MsgPack Long types

Cortana Updates (for scripters)
--------
- Updated &log_resource to account for new log folder layout scheme that
  involves a description of the current Armitage server
- Fixed a potential argument corruption bug with filters

9 May 13 - Cobalt Strike 1.46
--------
+ Fixed data correction issue that could prevent reports from generating
+ Improved formatting of vulnerability description information in reports
- Attacks -> Hail Mary now asks you to confirm the action.
- Fixed a potential table view sorting issue.
+ Added a check to auto-ex server to make sure a listener is defined
+ Updated client-side attack database
- Changed how some tables are updated to minimize blocking of other tasks. 
  This should make UI feel snappier in many cases.
- Credential helper now shows credentials from all servers that you're 
  connected to.
- Updated multiplexing code to be compatible with mimikatz extension's 
  output scheme.
- Meterpreter upload command (with no arguments) now prompts for a file.
  This file will be bounced to team server (if one is present) and
  uploaded to the target for you.
+ Auto-exploit Server now works with listeners defined on another Cobalt
  Strike team server.
- Cred tables no longer show SSH keys (since they're not actionable in
  these contexts yet...)

10 Apr 13 - Cobalt Strike 1.45
---------
+ Beacon now uses a random filename for files to download/execute. This
  works around a problem where subsequent download/execute taskings fail
  because the first downloaded file (with the same name) is still running
- The correct OS icon is now shown for Windows 2012 Server.
- Added an Inject button to the Process Explorer
+ VNC Viewer starts view-only by default. Untoggle the spy button to 
  assume control of the target's desktop
+ Added 'spawnto' command to Beacon. This command gives you control over
  which program Beacon will spawn to inject shellcode inside of.
+ Added checks to prevent a user from defining a listener with incomplete
  information.
- Event log now shows date with timestamp
+ Many fixes to report generation when connected to multiple team servers.
- Messages to your nick in the event log are now highlighted

20 Mar 13 - Cobalt Strike 1.45
---------
- Jobs dialog now queries job info in a separate thread context,
  stopping it from locking up your Cobalt Strike instance.
- Fixed console queue display bug when a required option has no setting
- Hashdump -> lsass method now pops open a Meterpreter tab and shows
  its progress. Should help when there are a lot of hashes coming back.
- Hail Mary attack now gives better feedback about what it's doing
+ Beacon now has a 1MB limit on its output.
+ Fixed a potential memory leak in Beacon (in the output posting)
+ Beacon now uses a different User-Agent string each run
+ Added an upload command to Beacon (to upload files).
+ Added a download command to Beacon. [And renamed the download+exec
  command to task].
- Fixed blank line showing when a host label exists and a session w/o
  any information is associated with the host.
+ Listener dialog now refreshes when updating LHOST
+ Added an execute command to Beacon. This will run a program without 
  posting output back to you.

Cortana Updates (for scripters)
--------
- Added work-around to prevent &psexec failing due to Ruby complaining
  about incompatible encodings.

6 Mar 13 - Cobalt Strike 1.45
--------
+ Updated quick-msf-setup script to pull framework source code via Git.
+ Spear phishing Preview button works in team server mode again.
+ Updated Beacon to auto-dump keystrokes with each beacon home.
+ Updated HTTP Beacon to change its signature profile.
+ Beacon domains now show in Cobalt Strike -> Listeners table.
- Active console now gets higher priority when polling msf for output
- Improved team server responsiveness in high latency situations by
  creating additional connections to server to balance messages over
+ Updated Web Drive-by -> Manage to allow stopping multiple sites at once
+ Performed client-side db maintenance
+ Added a helper to set URL option from Cobalt Strike hosted stuff.
- Preferences are now shared among each Cobalt Strike connection.
+ Website clone tool no longer validates SSL cert for HTTPS cloned sites

6 Mar 13 (2000h)
--------
+ Fixed a null pointer warning when starting the team server.

Cortana Updates (for scripters)
--------
- Added a &publish, &query, &subscribe API to allow inter-script
  communication across the team server.
- Added &table_update to set the contents of a table tab without
  disturbing the highlighted rows.
- Added an exec_error event. Fired when &m_exec or &m_exec_local fail
  due to an error reported by meterpreter.
- Fixed a bug that sometimes caused session_sync to fire twice (boo!)
- Added a 60s timeout to &s_cmd commands. Cortana will give a shell
  command 60s to execute. If it doesn't finish in that time, Cortana
  will release the lock on the shell so the user can control it.
  (ideally, this shouldn't happen... this is a safety mechanism)
- Changed Meterpreter command timeout to 2m from 12s. This is because
  https meterpreter might not checkin for up to 60s, if it's been
  idle for a long time. This will make &m_cmd less likely to timeout

12 Feb 13 - Cobalt Strike 1.45
---------
- Fixed RPC call cache corruption in team server mode. This bug could lead
  to some exploits defaulting to a shell payload when meterpreter was
  a possibility.
- Slight optimization to some DB queries. I no longer pull unused   
  fields making the query marginally faster. Team server is more 
  efficient too as changes to unused fields won't force data (re)sync.
- Hosts -> Clear Database now clears host labels.
- Cobalt Strike listener dialogs now size columns properly. 
- Added the ability to manage multiple team server instances through
  Cobalt Strike. Go to Cobalt Strike -> New Connection to connect to 
  another server. A button bar will appear that allows you to switch 
  active Cobalt Strike connections.     
	- Credentials available across instances are pooled when using
	  the [host] -> Login menu and the credential helper.
	+ Listeners across instances are pooled in the listener select
	  dialogs. You may seamlessly launch exploits from one instance
	  and have sessions show up in another instance. It's also easy
	  to pass sessions between instances and task beacons to send
	  active sessions to other instances.
	+ Cobalt Strike hosted sites are pooled across instances too.
	+ Cobalt Strike's reporting engine merges data across instances
	  before generating a report for you. 

	You may now pen test through many points of presence and use 
	Cobalt Strike's reports to help tell the full story.

+ Pressing Cancel on a Save dialog will now cancel the action.
+ Performed regular maintenance of client-side attack database.
- Rewrote the event log management code in the team server
- Added nickname tab completion to event log window
+ Spear phishing tool now sends phishes from the team server. Now that you
  can connect to multiple Cobalt Strike servers, it makes sense to do this.
+ Revamped spear phishing tool output
- Hosts -> Clear Database now asks you to confirm the action.
+ Hosts -> Clear Database stops all listeners before dropping the database
- Hosts -> Import Hosts announces successful import to event log again.
+ Obfuscated Smart Applet attack
+ Beacon staging no longer shows in Social Engineering report
+ Updated hosts report generation process to use all possible host icons

28 Jan 13 - Cobalt Strike 1.45
---------
- Added helpers to set EXE::Custom and EXE::Template options.
- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
- Cleaned up Cobalt Strike -> SOCKS Proxy job management code. The code 
  to check if a proxy server is up was deadlock prone. Removed it.
- Starting SOCKS Proxy module now opens a tab displaying the module
  start process. An event is posted to the event log too.
- Created an option helper to select credentials for SMBUser, SMBPass,
  USERNAME, and PASSWORD.
- Added a feature to label hosts. A label will show up in its own column
  in table view or below all info in graph view. Any team member may
  change a label through [host] -> host -> Set Label. You may also use
  dynamic workspaces to show hosts with certain labels attached.
- Fixed bad things happening when connecting Cobalt Strike to 'localhost' 
  and not '127.0.0.1'.
+ System profiler now auto-redirects a visitor after 20s if no profile
  is returned. Moved up from 5s.
+ Fixed a bad merge that took away the Login -> psexec (token) menu
+ File hosting feature now works in teamserver mode again. Moved file
  verification logic to the server where it belongs.
+ Ported the CVE-2013-0422 (java_jre17_jmxbean) exploit to the Smart 
  Applet attack. This attack is also available to the auto-exploit server.
+ Fixed a potential deadlock condition with the Beacon viewer.
- Cobalt Strike now centers screenshots/webcam shots in their tab
+ Added a VNC Viewer to Cobalt Strike. [host] -> Meterpreter -> Interact
  -> Desktop (VNC) will now open a tab with the user's desktop.
- Added an alternate .bat file to start msfrpcd on Windows in the
  Metasploit 4.5 installer's environment. *cough* Remember using Cobalt
  Strike to connect to the Framework on Windows is not supported. *cough*
- Added a color-style for [!] warning messages
+ Mitigated race condition that stopped Beacon listeners from restarting
  when connected to a team server.
+ Fixed Beacon -> Download menu. It now properly tasks highlighted items.

Cortana Updates (for scripters)
--------
- &handler function now works as advertised.
- Cortana functions now avoid core.setg

2 Jan 13 - Cobalt Strike 1.45
--------
- Set postgres_payload exploits to use a reverse payload by default
+ Updated JavaScript keystroke logger to work with IE9 and later. Also
  fixed a regression preventing it from working in IE in general.
+ Added Cobalt Strike Java Attacks. The Signed Applet Attack option is a
  simple self-signed applet. The Smart Applet Attack attempts to disable the
  Java Security Sandbox using an exploit. Both options are available under
  the Attacks -> Web Drive-by menu.

  These Java Attacks use a Cobalt Strike Java Injector Payload. This payload
  accepts both a Windows and Java listener. You don't want to lose a shell
  when a MacOS X user visits your Windows attack, right? The payload injects 
  shellcode into memory on Windows and dynamically links Java meterpreter for 
  other operating systems.

  Source code, build files, and a Cortana script to integrate changes to the
  applet attacks are available in the Cobalt Strike Arsenal. Help -> Arsenal
+ Major overhaul to the Cobalt Strike Auto Exploit feature. This went from 
  being a neglected feature to the most cutting edge exploit guidance system
  outside of the crime kit universe. The Auto Exploit feature now shares 
  code with the system profiler and uses this information to zap visitors
  with the right exploit. The new Auto Exploit feature also takes advantage of 
  the Cobalt Strike-hosted Java attacks.
+ Added a data sanitization pass to the reporting engine. Prevents 
  non-printable characters from disrupting the report generation process.
+ The Applications portion of the Social Engineering reports now sorts the
  applications and removes duplicate entries.
+ The SE report now puts a page break between the end of the Campaigns section
  and the beginning of the Users section.
+ Fixed "incompatible character encodings: ASCII-8BIT and UTF-8" exceptions
  caused by my use of the core.setg RPC-call in Beacon's UI. This RPC call 
  leaks improperly encoded stuff into Metasploit's global datastore.
 
12 Dec 12 - Cobalt Strike 1.45
---------
+ Beacon's spawn command now creates a separate process to inject 
  shellcode into. This way a failure in the shellcode will not cause 
  the Beacon process to exit.
+ Beacon download command now uses payload/windows/download_exec module
+ Added a keystroke logger to Beacon. Use:

	keylogger start - to start the keylogger
	keylogger       - to dump collected keystrokes
	keylogger stop  - to stop the keylogger and dump keystrokes.

  Beacon must live inside of a process associated with the desktop and 
  user you want to log keystrokes for.
+ Added inject command to Beacon. Use this to spawn a session by injecting
  shellcode into a specific process id.
+ View -> Beacons table now properly sorts its columns when you ask it to
- Added a helper to set REXE option
+ Web Drive-by -> Host File now complains if file does not exist
+ Performed normal client-side database maintenance
+ Website clone tool now uses an MSIE user agent, instead of the Java one.
+ Website clone tool detects empty cloned site results and shows an error.
  It then instructs you to try the HTTPS version of the URL. Java's URL 
  library will not follow a redirect from one protocol to another.
+ System Profiler now detects and reports Windows 8
+ System Profiler's local IP address detection is much more reliable now
- Added Windows 8 icon
+ Cobalt Strike now starts persistent listeners *after* it determines the local
  IP address. This is important as the meterpreter reverse_http[s] payloads
  need to be bound to a specific LHOST to work.
- [host] -> Login menu is now built using open services for all highlighted
  hosts, not just the first one.
- [host] -> Login items now escape punctuation characters in passwords 
  before passing them to a framework module.
+ PDF reports properly wordwrap password hashes and other long strings again

Cortana Updates (for scripters)
--------
- &credential_add and &credential_delete no longer break when a password has 
  creative punctuation in it.

26 Nov 12 - Cobalt Strike 1.44
---------
+ Added support for some SMTP authentication schemes to Cobalt Strike's
  spear phishing tool. You may also connect to an SSL enabled SMTP
  server too. Special thanks to Allen Harper who provided infrastructure
  to test all of this against.
+ Spear phishing tool now strips more headers from template messages
+ Editing Targets field in spear phish dialog no longer locks up for 
  several seconds when the value of the field is a folder.
+ Updated client-side attack database (regular maintenance...)
+ You may now export Cobalt Strike reports as MS Word documents. *pHEAR*
- add_user and add_[local]group_user now show all of their output when
  the -h flag is used to operate on a remote host.
- added a Delete menu to creds table. Right-click a cred to delete it
+ Added an import button to the creds viewer to quickly add credentials
+ Fixed a bug that caused Vulnerability report export to fail when a 
  vuln had no associated references.
+ Hosts report no longer shows vulnerability description twice (this 
  would happen when the same vulnerability was exploited against two
  or more ports listening with the vulnerable service).
+ Multiple cosmetic improvements to the display of vulnerabilities in
  hosts and vulnerability reports.

Cortana Updates (for scripters)
--------
- aliased &data_delete to &data_clear to match the documentation.
- &file_get, &loot_get, and &file_content no longer delete the remote
  file when connected to a teamserver.

8 Nov 12 - Cobalt Strike 1.44
--------
- Windows command shell tab is now friendlier to commands that prompt
  for input (e.g., time command)
- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
  the framework's new exploit/windows/local modules too
- [host] -> Shell -> Post Modules now shows the framework's unix/local
  and exploit/linux/local modules
- Added Ctrl+I shortcut. Lets you choose a session to interact with.
- Added Steal Token button to Processes dialog.
- Cobalt Strike now requests a non-expiring token after connecting to 
  msfrpcd. This makes your connection to msfrpcd more robust.
+ Cobalt Strike psexec dialog now lets you choose one of your configured
  Cobalt Strike reverse listeners
+ You may now select a custom executable in both psexec dialogs
+ Added Help -> Arsenal which will take you to the Cobalt Strike arsenal.
  The Cobalt Strike arsenal will contain scripts to aid your penetration
  testing process. These features will only be available to licensed
  Cobalt Strike users (usually with full source code too). 

  The first arsenal item is topaz, a script to embed shellcode into an 
  anti-virus bypass executable. Topaz will intercept module launches (such as
  psexec and current_user_psexec), generate a new executable, and use the
  new executable with the module. 

  Full source code to topaz is available. You may use it as-is, modify
  it to pass other products, or use it as a template to make your AV 
  bypass executable work with Cobalt Strike.
  
16 Oct 12 - Cobalt Strike 1.44
---------
- Added port 5985 to Scan feature port list.
- Meterpreter -> Access -> Persistence sets ACTION option for you
- Changed how LHOST and LPORT are set globally to prevent Ruby 
  character encoding conversion error in the framework.
+ Fixed a potential deadlock in the listener management dialogs
+ You can now use Beacon to spawn a Beacon.
- Log Keystrokes, Persist, and Pass Session now use a new thread to
  query module information.
+ Beacon last callback time is now computed on the team server. Prevents
  wackiness when clients have a different time value from the server.
- Cobalt Strike now shows URL/folder in a popup dialog when trying to
  open a file/URL on a desktop where Java's JDesktop is not supported
- Check all credentials option now filters duplicate entries.
- Exploit payload selection now selects cmd/unix/interact when required
- Explore -> Processes works with Java Meterpreter again.
+ Beacon callback events are now suppressed from reports and logs
- MSF Scans feature now runs http_version against port 443

27 Sept 12 - Cobalt Strike 1.44
----------
+ Added Beacon management feature. Beacon is a Cobalt Strike payload 
  that periodically phones home to request taskings. Beacon will check 
  task availability over HTTP or DNS.

  To start Beacon listener, go to Cobalt Strike -> Listeners.

  Go to View -> Beacons to see activity and task beacons.

  Use Beacon like any other reverse listener. Embed it in social 
  engineering packages, use it with client-side attacks, etc.
+ Updated client-side database
+ Cobalt Strike only shows token passing dialog if current_user_psexec
  module exists (for 4.4-release compatibility)

5 Sept 12 - Cobalt Strike 1.44
---------
+ Added CovertVPN feature. CovertVPN is a Windows client that provides
  the Cobalt Strike host with a virtual interface on a target's network.
  CovertVPN is able to relay raw frames over a TCP, UDP, or HTTP channel.

  To use it:

  [host] -> Meterpreter -> Pivoting -> Deploy VPN

+ Added a helper for INTERFACE option to select a CovertVPN interface
- Setup dialog now trims host, port, user, and pass fields.
- Cobalt Strike now complains when it can't write to your preferences file 
  (versus just hanging without a real error message)
- View -> Jobs now queries jobs in a thread outside of UI thread
- Tab completion now uses a separate thread to call into the RPC server. 
  This prevents a deadlock if server is not responding.
- Login -> psexec now shows when 445 is open on a Windows machine. The old 
  criteria was too restrictive.
- Added a helper to set Wordlist option
+ Updated client-side exploit database with two new exploits
+ Added help button to Cobalt Strike -> Scripts
- Cobalt Strike now sets a random LPORT for non-exploit modules with an
  LPORT option (e.g., post modules that do priv escalation)
- Cobalt Strike now shows an error if it can't open a Windows command shell
- Steal Token dialog now uses incognito module to get token data instead of 
  the MSF post module. This is more reliable.
- current_user_psexec module now allows you to set the payload options
+ Added [host] -> Login -> psexec (token) to use a stolen token to psexec
  into all highlighted hosts.

Cortana Updates (for scripters)
--------
- added an eventlog popup hook

16 Aug 12 - Cobalt Strike 1.44
---------
- Dynamic workspaces now removes closed services from its set of
  hosts matching certain open ports.
- Cortana console now reports a clear error message when a built-in
  command is executed without the right number of arguments.
- Added host icons for Android and iOS. You may now set these
  operating systems by going to [host] -> Host -> Operating System
- Cobalt Strike now shows the client-side exploit dialog for exploits
  that do not target an RHOST (for example, windows/smb/smb_relay)
- Added support for remote exploits that use RHOSTS over RHOST
  (this includes the new windows/local/current_user_psexec)
- Added a helper for setting the SESSION option
+ Added preferences for customizing Cobalt Strike reports:
  * reporting.accent.color
	the color of links and the solid bar below the header image
  * reporting.header_image.file
	an 1192x257px/300dpi header image for your reports
+ Added a helper to set file preferences
+ System Profiler now reports Apple iOS and Android operating systems
+ System Profiler now reports hosts with an OS it could not determine

Cortana Updates (for scripters)
--------
- s_cmd no longer times out after 60s. It will wait forever for a 
  command to complete now.
- added shell_read event which fires when a shell s_cmd comes back 
  with intermediate output.
- fixed a potential deadlock with &open_console_tab
- scripts now have the ability to redefine the max size of a workspace: 
  db_workspace(%(size => #####));

08.05.12 - Cobalt Strike 1.44
--------
- Rebuilt the 08.02.12 release with missing internal files used by 
  Cortana. Sorry about this!

08.02.12 - Cobalt Strike 1.44
--------
- Team server now buffers all of its output. SO_NODELAY is no longer
  used. This improves team performance on a congested network 
  without a hit to responsiveness otherwise.
+ Spear phishing tool now strips CC field from template messages
- Added Cortana, a DARPA funded scripting technology, into Armitage.
  There's a lot of fun to be had here.
- Cobalt Strike now queues messages to destroy a console rather than
  spinning up a new thread for each closed console.
- Rendering of icons for hosts now happens outside of UI thread.
+ Fixed highlight rendering issue in spearphish message preview.
+ Spear phishing tool more aggressively replaces links in template
  messages.
+ Spear phishing tool now displays a message when something goes
  wrong while processing a template file.
- Increased timeout for meterpreter read command
- Cobalt Strike now detects a corrupt module cache and attempts to 
  clear it so it can be rebuilt.

07.19.12 - Cobalt Strike 1.44
--------
+ Updated client-side vulns database (a typical maintenance action)
+ Fixed host report generation failure when there are two hosts with
  the same IP address in the hosts database. 
+ Vulnerability Report and Hosts Report vulnerability descriptions
  are now compatible with the latest Metasploit Framework database
  schema changes.
- Pass-the-Hash and Login dialogs now honor the shift+Launch convention
  which keeps the dialog open after launching the action.
+ Cobalt Strike now binds reverse_http/reverse_https listeners to the
  LHOST value for the host. Previously, they bound to 0.0.0.0 to accept
  connections on any interface. This no longer works though and established
  http/https sessions hang. This change fixes this problem.
+ Added set LHOST button to Cobalt Strike -> Listeners. This button will 
  update the global LHOST option in MSF, update the value saved in Cobalt
  Strike and it will restart all listeners to take advantage of the change
+ Added Attacks -> Packages -> USB/CD AutoPlay feature. This package turns
  a USB stick or CD into an attack vector against Windows XP/Vista

07.05.12 - Cobalt Strike 1.43 
--------
- Login -> psexec now sets a different LPORT for each host it's
  launched against when using a reverse payload. Fixes a bug where
  using a reverse connect payload against X hosts didn't work.
- Progressbar Cancel button now works with the Sync Files button
  in View -> Downloads and View -> Loot
- Fixed a potential deadlock with the Sync Files feature
- Clicking the Size column in View -> Downloads now sorts properly
+ Fixed a race condition that sometimes prevented the display of 
  the old data in View -> Web Log

06.23.12 - Cobalt Strike 1.43
--------
+ Updated client-side database with latest changes.
- Added View item to File Browser popup menu. Views and logs text files.
+ Added Attacks -> Web Drive-by -> Host File. This feature hosts a file 
  using the Cobalt Strike web server.
+ Web Drive-by options that start a Cobalt Strike server now have blue-ish
  labels.

06.14.12 - Cobalt Strike 1.43
--------
- Meterpreter -> Kill now uses session.stop RPC call
- Cleaned up code to kill jobs acting as a service
- Added an option to disable TCP_NODELAY from the command line:

        java -Darmitage.enable_nagle=true -jar armitage.jar

  Use this if you see "bad mac" SSL errors when connected to a
  team server.
- Log Keystrokes tab now changes color when there is activity
- Randomized filename for USERPASS_FILE to allow multiple brute
  forces to happen at once.
+ Updated client-side database with ms12-037 information

06.07.12 - Cobalt Strike v1.43
--------
- Fixed an exception when killing a session or removing a route
- ps command added a new column to its output. Updated ps parser
- Hosts -> Import Hosts now works under Windows again
- Hail Mary now sets LHOST option. This is necessary for some attacks to 
  work properly
- Tweaked console create code in beginning of Cobalt Strike setup to avoid
  aggravating a deadlock condition
- Disabled Nagle's algorithm for team server and client SSL sockets. This 
  drastically improves responsiveness for Windows 7 clients.
- Starting jobs like the SOCKS Proxy server now shows the Service Started
  message again.
- Fixed a highlighting bug with the find feature in the View tab

05.21.12 - Cobalt Strike v1.43
--------
- Fixed a bug that triggered when resizing text in a Loot/Download View tab.
+ Updated IE date guessing database for more accuracy. This makes the system
  profiler better.
- Cobalt Strike's console now uses color to highlight information and make
  it clearer. This applies to all consoles. Set console.show_colors.boolean to
  false to disable this behavior.
- Default console font color is now grey.
+ Cobalt Strike now catches internal errors related to phishing messages (e.g.,
  a poorly formed template/address) and displays these in the phishing console.
- Fixed a bug preventing input field from getting focus when using Ctrl+W to
  open a console in its own window.
+ Updated entries in client-side attack database that have changed.
- Improved performance of module launches (through a console) when in team mode.
- Improved performance of msf scans feature when in team mode.
+ Spear phishing window no longer piggybacks off of a normal console tab.
- Improved perceived performance of posting chat messages
- Fixed text search feature (Ctrl+F) on Windows
- Fixed View -> Downloads -> Sync Files feature on Windows

05.14.12 - Cobalt Strike v1.43
--------
- Dynamic workspace keyboard shortcuts are now always bound (previously
  you had to visit workspaces menu before they'd bind)
- Improved console pool's ability to detect dead consoles
- Bound Ctrl+Backspace to show all hosts (without a workspace)
- Added Ctrl+T to quickly take a screenshot of the active tab and save it
- Added Ctrl+W to open the active tab in its own window
- Cobalt Strike team server is now SSL enabled. The server will present the
  SHA1 hash of its certificate on startup. When connecting, Cobalt Strike 
  will present the SHA1 hash of the certificate presented to it. You'll have
  the opportunity to trust it or reject it.
+ Updated entries in client-side attack database that have changed.
- Added Ctrl+Left / Ctrl+Right to navigate tabs with the keyboard
+ quick-msf-setup script now downloads 64-bit msf installer on 64-bit systems
- Fixed a bug that prevented command shells from opening on some sessions
+ Web log messages are now delivered in batches (vs. one at a time)
- Team server client now caches some calls to RPC server
- Reworked View button in Download and Loot tabs. The button now displays the
  contents of all the highlighted rows in one tab. Further, I've added a 
  Sync Files button to download the highlighted loot or download files when
  in a team situation.

05.07.12 - Cobalt Strike v1.43
--------
- Cobalt Strike's team server is now compatible with the latest changes to
  Metasploit 4.3.0. 
- Added Ctrl+D keyboard shortcut to close the active tab
- Module description in module launcher dialog is now resizable.
- Cobalt Strike now uses (more robust) console queue for launching post
  modules, handlers, brute force attacks, and other things.
- Fixed a race condition in the Jobs tab refresh after killing a job
- Cobalt Strike now filters smb hashes from non-psexec/smb login dialogs.
+ Dumped the "capture form data" in favor of a Javascript key logger. Logged
  keystrokes show up in the web log (View -> Web Log) and in the social
  engineering report.
+ System Profiler now reports applications grabbed to weblog and not the raw
  stuff posted back. This is a move to make the web log a generic console to
  view Cobalt Strike web activity in.
- Added armitage.log_data_here.folder setting. This setting lets you
  specify where Cobalt Strike will save its logs, downloaded files, and
  screenshots.
+ Cobalt Strike now properly reports "web server" errors when in team mode.
  Previously these weren't making it back to the user.
+ Cobalt Strike web apps (system profiler, cloned site, etc.) now work with or
  without the ending /. 

04.17.12
--------
- Update console reading code to make Cobalt Strike compatible with latest
  Metasploit changes.
- Console commands are now queued. Hopefully they'll execute in order now
  when launched in consoles automagically.
+ Added Refresh button to Listeners dialog
+ Cobalt Strike now runs in Metasploit 4.3.0* (before it'd only run in
  4.3.0-dev)

04.15.12
--------
+ Added support for EDB (Exploit DB) references in vulnerability reports
+ Added multi/browser/java_setdifficm_bof to client-side database.
+ Added multi/browser/java_atomicreferencearray to client-side database.
- Module browser search now filters modules as you type.
- Added keyboard shortcuts to switch dynamic workspaces.
	Ctrl+1 = first workspace
	Ctrl+2 = second workspace
	...
	Ctrl+0 = show all hosts
+ Added generic/shell/reverse_tcp to listener options. Use this for Linux
  and OS X reverse shells (or even as a netcat listener).
- Cobalt Strike now uses a more aggressive read strategy for hashdump lsass
  method. You should now see the entire output added to the creds table 
  more often. :)
+ Updated Internet Explorer version data with hints from MS12-010 and MS12-023.
+ Fixed a typo in the MacOS X update command script.
- Added Ctrl+N to open a new Metasploit(r) console and Ctrl+O to open the 
  preferences dialog.
- You may now use Ctrl+Alt to deselect a row in the Jobs and Workspaces tables.
- Added Shell -> Pass Session to *NIX shell sessions. Allows you to duplicate
  a *NIX access or pass it to another Cobalt Strike instance.
+ Updated auto-exploit server to use multi/browser/java_atomicreferencearray
+ Added Attacks -> Packages -> Web Drive-by -> Firefox Addon dialog. This is a
  new social engineering attack module in Metasploit that prompts the user to
  install a Firefox addon. This is a very cool option against Firefox users.

03.28.12
--------
Note: This release contains changes that will require redownloading Cobalt
Strike. It's not a requirement, but if you want to take advantage of some of
these changes, you'll need to get the whole package.

+ Updated the updater program to not rely on the cache when pulling down a 
  Cobalt Strike update. You will need to redownload Cobalt Strike to get the
  latest updater program though. http://www.advancedpentest.com/download
- Cobalt Strike team server now uses a batch method to send chat messages to 
  clients. This should be much better.
- Cobalt Strike now minimizes the number of messages it sends to the collab
  server during a team engagement. The goal is to make the system less likely
  to back up on messages when there's a lot of latency in the environment. 
- Added an optimization to make command shell feel more responsive in team mode
- Hosts -> DNS Enumerate now populates the NS field with the current highlighted
  host.
+ Tweaked Java parameters for Cobalt Strike to prevent it from "giving up" when
  attempting to do something requiring a lot of memory (like generate a huge PDF
  report). You will need to redownload Cobalt Strike to get the updated CS
  launchers with these tweaked parameters.
- Improved tab management:
	-- Shift+click to close like tabs now ignores the session id when 
	   deciding if a tab is alike. So Shift+Click on a Screenshot tab will
	   close *all* Screenshot tabs.
	-- Added a tooltip to session related tabs to indicate the host associated
	   with the session.
+ Hosts listed in Vulnerability Report are now sorted.
+ Added Restart button to Cobalt Strike -> Listeners. Use this to quickly stop/restart
  listeners if a handler becomes non-responsive.
+ Cobalt Strike now queues certain Metasploit commands and executes them in turn. This
  will make the system feel more responsive overall. Cobalt Strike features that log
  activity (e.g., spear phishing, hosted attacks, etc.) will respond faster too.
- Added a List Drives button to File Browser for Windows meterpreter sessions.
- File Browser can now navigate to folders with apostrophes in their names.
+ System profiler now reports external IP as a firewall if it's able to get the internal
  IP and the internal IP does not match the external IP.

22 Mar 12
---------
- Cobalt Strike NMap profiles are now improved with the following options:
	-n [do not attempt to resolve reverse hosts for IPs]
	-T4 [wait longer to determine whether a service is alive or not]
	--min-hostgroup 96 [scan more hosts in parallel]
- Cobalt Strike now intercepts webcam_snap and screenshot meterpreter commands
  and performs the appropriate actions.
- View -> Creds -> Export now works in team mode.
+ Cobalt Strike web server now returns a 404 to visitors with curl, wget, or
  lynx user agents. This is an easy measure to defeat, but we're all about 
  offense in depth with this project.
- VMware icon now shows when a VMware ESXi host is identified by Metasploit
- Fixed a bug preventing commands like del /S (which prompts for Y/N) from
  working from a command shell tab.
- Added a check to prevent old Cobalt Strike and Armitage clients from connecting
  to the team server. In the future, I may restrict the Cobalt Strike team server
  to Cobalt Strike clients only.
- Added a * indicator to active workspace in Workspaces menu
+ Added a check to prevent user from defining a persistent listener to a port
  that already has a persistent listener bound to it.
- Added Hosts -> DNS Enumerate to discover hosts through a name server.
- Cobalt Strike now displays a pivot relationship between a host and the NAT 
  device it is communicating through when there is an active session.
+ Added windows/browser/adobe_flash_mp4_cprt to client-side database
- Added Copy button to Services tab. Copies highlighted hosts to clipboard.
+ Added windows/browser/ms10_002_ie_object to client-side database
- Improved reverse payload selection logic. Cobalt Strike now chooses php
  meterpreter when it makes sense.
- Cobalt Strike now assigns a random LPORT for each exploit module launched with
  a reverse payload.

7 Mar 12
--------
- Cobalt Strike now uses an IPv6 bind payload when exploiting an IPv6 host
- Cobalt Strike now displays a firewall icon for hosts marked as a firewall
  with no associated operating system. This marking is something done by
  Metasploit.
- Cobalt Strike now explicitly sets RPORT for psexec and msf scan modules

2 Mar 12
--------
- Meterpreter now reports the IP of the owned system in a consistent way.
  Cobalt Strike now places the session info and lightning bolts on this
  owned system. No longer will you have X session menus attached to a 
  firewall / NAT device. This is good news.
- Cobalt Strike now uses a random payload listener for any client side
  attack by default (previously--it used a default reverse listener for
  windows client attacks--lost benefit of automigrating)
- Token stealing dialog now disables Refresh button while grabbing tokens
  and enables it when tokens are grabbed. Now you kind of know what it's 
  doing.
- Updated Topaz to improve its stability.

1 Mar 12
--------
- Doh! Trial license code was messed up. Fixed how I calculate the 
  difference between dates.
- Fixed Topaz EXITFUNC so Topaz binary does not crash when exiting meterp
  session or migrating.
- Fixed bug with "check all credentials" feature not working in team mode
  when server and client run from the same folder.
- Added a rename tab feature. Right-click the tab X and select rename tab
- Cobalt Strike now displays an XP/2003 era logo for hosts self reporting
  as .NET server.
- Added a minimum amount of version checking to Cobalt Strike startup.
  This version now requires Metasploit 4.3.0-dev
- Updated ARP Scan and Pivoting dialogs to parse the new route output in
  Metasploit 4.3.0-dev
- Cobalt Strike now deletes notes.* for a host when you manually set its
  OS. This is done to allow a future scan to set the host's OS to 
  something else. 
- Cloned websites now use the favicon of the cloned site. *pHEAR*

26 Feb 12
---------
- Fixed a system profiler bug caused when profiled client with IE does
  not have Windows Media Player installed.
- Added a slight delay between commands issued to a console to prevent
  them from executing out of order.
- Adjusted graph view scrolling increments to something sane.
- Fixed keyboard accelerators when right-clicking in the graph view.
- Made the file browser directory up button more obvious.
- Team server now returns the last-100 events (instead of all of the
  engagement events) when connecting.
- Improved Host -> Remove feature when removing many hosts.
- Dynamic workspaces feature now allows comma-separated entries
  with no spaces between them.
- Table view now allows rows to be deselected in an interval (they
  won't become reselected automatically like before).

24 Feb 12
---------
- Added quick-msf-setup script to the Linux package. This script will
  download and install Metasploit, setup the postgres db to start on
  boot, and set the system to point to the Java included with Metasploit
  if necessary.
- Cobalt Strike doesn't write to /Applications any more...
- Added a VMWare icon for hosts whose OS is reported as ESX or ESXi
- Greatly improved token stealing user experience. It's awesome now.
- Greatly improved the responsiveness of the file browser. 

20 Feb 12
---------
- A space inside of a module search is now treated as a wildcard. This
  means you can type: win meterp and it will be treated as win*meterp
- Removed Host option from Adobe PDF dialog (not needed since we're
  embedding an EXE that already knows the host it wants to connect to)
- Modified listener stop/start code so that actions happen asynchronously
  to the UI (meaning working with listeners won't block the UI)
- Social Engineering report now rounds summary stats to two decimal places. 
  I was recording a screencast and generated a report--imagine my surprise
  when a bunch of sixes were going across the cover page.
- Hovering over an edge in graph view no longer shows a "null" tooltip
- Completely fixed parsing of ps output. The process dialog through 
  meterpreter will now be accurate regardless of OS :) [Caveat: so long as
  the meterpreter session reports processes--Java meterp on OS X f/e does
  not].

19 Feb 12
---------
- Made a change to how some commands are synchronized... this should
  have no negative effects, but only testing will tell.
- Command sync change fixes a bug preventing system profiler from 
  adding hosts to display in a team situation.
- Fixed a bug in export data with client-side report data
- Fixed "No client vulns" always showing up at the bottom of the client
  side vulnerability report
- Client-side Vuln. report and exported client vulns now treat
  host external/internal combinations as unique hosts.

18 Feb 12
---------
- Added windows/browser/java_mixer_sequencer to client-side vuln db
- Fixed a bug in the teamserver start script for Linux (you'll need to
  redownload the package to get this updated script)
- Adobe PDF package now prompts you where to save PDF file whether
  MSF is local or remote to Cobalt Strike.
- Added Cut/Copy/Paste/Clear menu to table cell editor
- Started work modifying the about dialog so I can provide proper
  attribution of the various open source projects used by Cobalt Strike

16 Feb 12
---------
- Client-side vulnerability report was producing duplicate entries for 
  vulnerabilities with both a fileformat and browser exploit. Fixed.
- System profiler was accidentally reporting some Windows hosts as
  Windows Media Center edition. Fixed.
- Cobalt Strike reports now have the Cobalt Strike logo
- Updated Help menu with Cobalt Strike stuff.
- Help button in Connect dialog now points to advancedpentest.com/start
  so does the "hey msfrpcd crashed from underneath me" dialog.
- Released "helper" indicator with a thick square (vs. the thick cross
  in Armitage).
- Added a teamserver script to UNIX distribution of Cobalt Strike. This
  script will check the environment to make sure everything is in place.
- Cobalt Strike was saving preferences to wrong file.

14 Feb 12
---------
- Added Cobalt Strike update tool
- Created packages for Windows, MacOS X, and Linux

Legend
--------
- = a change made in Armitage and Cobalt Strike
+ = a Cobalt Strike specific change
! = a removed feature