Get notified about Cobalt Strike updates.
Sign up for the Cobalt Strike Technical Notes
We will email you when an update is ready. We won't send spam or give away your information.
Cobalt Strike Release Notes
Welcome to Cobalt Strike 3.x. Here are a few things you'll want to know, right away:
1. You do not need to install the Metasploit Framework to use Cobalt Strike 3.x.
Cobalt Strike 3.x does not depend on the Metasploit Framework.
2. Cobalt Strike 3.x is still distributed as a client and team server. The
team server must run on Linux.
3. You must always start a team server to use Cobalt Strike 3.x. Cobalt Strike
does not offer to start a team server for you.
4. If you use the Artifact Kit or Applet Kit--you should redownload these
packages from the new Cobalt Strike Arsenal and merge your changes into the
updated packages for Cobalt Strike 3.x. The scripting APIs to hook into these
artifacts changed [for the better].
5. Cobalt Strike 3.x is not compatible with Cobalt Strike 2.x. Stand up new
infrastructure and migrate accesses to it. Do not update 2.x infrastructure
to Cobalt Strike 3.x.
6. Use the licensed version of Cobalt Strike in production. The Cobalt Strike 3.x
trial takes steps, in many places, to get caught by standard defenses. The
licensed version removes these deliberate tells and restores evasion features.
September 6, 2018 - Cobalt Strike 3.12
+ Fixed targets_other popup hook. Now it passes the target info as an argument.
+ Fixed logic flaw in the kill date check.
+ Hardened reporting engine against unexpected characters in bookmark text.
+ configured MIME parser (used for phishing emails) to have fewer restrictions
+ Fixed bug ignoring the Name field in the Add Target dialog.
+ Updated target import codepaths to remove unexpected whitespace from addresses.
+ Added POWERSHELL_DOWNLOAD_CRADLE option to Resource Kit. Controls form of download
cradle used by powershell-import, spawnu, spawnas, and uac-token-bypass
+ powershell-import with empty file resets hints related to script hosting.
+ Added POWERSHELL_COMMAND option to Resource Kit. Controls form of [most] powershell
commands used throughout Cobalt Strike.
+ Added &sync_download to grab a downloaded file from the team server.
+ Added stage.sleep_mask Malleable PE option. When enabled, obfuscates Beacon in
memory before each Sleep() call. De-obfuscates Beacon prior to resuming execution
+ Added run command. Runs a program (+ shows output) without cmd.exe or powershell.exe
+ ssh-key command now accepts much larger key sizes (and warns when that's exceeded)
+ Process injection path now allows argument via SetThreadContext when x64 -> x64
+ keylogger command, with no args, now spawns a temporary process and injects into it
+ screenshot+keylogger commands, spawn mode, now match Beacon's arch for temp process
- Removed .create_remote_thread and .hijack_remote_thread options in Malleable C2
+ Added Malleable C2 options to modify Beacon's process injection behaviors
+ Synced built-in MITRE ATT&CK matrix to the April 2018 release.
+ Updated to Mimikatz 2.1.1 20180820
+ DNS Beacon signaling now combines dns_idle profile value with signal values. A good
dns_idle value helps avoid IPv4 bogon responses in dns6 and dns-txt transfers.
+ DNS listener now sanity checks dns_idle value vs. Team Server IP.
+ Added &str_chunk to easily chunk a string into multiple same-size chunks.
+ Updated exe/dll checksum update process to leave artifact alone if there's an error
+ Removed the OpenJDK checks/warnings from startup.
+ Updated the updater with new cert information. (Redownload the trial to get it)
May 24, 2018 - Cobalt Strike 3.11
+ Hardened Beacon against possible crashes on Win 10 when module stomping is setup.
+ Change size of Host column in IOCs report.
+ Updated the Malleable C2 'mask' decoder to fail in a more graceful way.
+ Beacon HTTP controller now outputs much more detail when it can't retrieve an id,
metadata, or process output from a Beacon HTTP request w/ the current profile.
+ Updated PowerShell injection templates to address issue w/ Windows 10.0.17134
+ Updated to Mimikatz 2.1.1 20180502
+ DNS Beacon now recovers from a failed AAAA download more gracefully.
+ Hardened DNS Beacon against an edge case for repeated/out-of-order requests
April 9, 2018 - Cobalt Strike 3.11
+ Added dllload command to Beacon. Calls LoadLibrary() w/ parameter in remote process.
+ Mitigated crash for Artifact Kit generated DLLs on certain loading conditions.
+ Added module stomping to Malleable PE options. Configures Beacon's loader to load
an unneeded library and overwrite its space instead of using VirtualAlloc.
+ Synced built-in MITRE ATT&CK matrix to the January 2018 release.
+ Beacon downloads smaller file pieces per check-in when HTTP chunking is in use
+ stomppe Malleable PE option stomps MZ, PE, and e_lfanew values once Beacon is loaded
+ Extended Malleable PE obfuscate option to obfuscate Beacon's DLL headers and header
slack space. This option also LoBoToMiZeS the DLL header once Beacon is loaded.
+ Added dns_max_txt and dns_ttl Malleable C2 options to tweak Beacon DNS C2 further.
+ &bdllspawn now accepts arguments larger than the previous 16KB limit.
+ Added execute-assembly to run a .NET executable on target without touching disk
+ Added Malleable PE options to change these fields of Beacon's Reflective DLL:
- checksum: CheckSum value
- entry_point: AddressOfEntryPoint (Cosmetic. Does not affect execution)
- name: the Exported name (e.g., beacon.dll)
- rich_header: replace the Rich Header with some other rich header
+ Added Malleable C2 sample_name option to name your "payload" in the IOCs report.
+ Cobalt Strike now aggregates more info about your profile to the reporting engine
+ Updated the IOCs report to show PE info, contacted hosts, a traffic sample, and
interesting strings for the Malleable C2 profile associated with each server.
+ Added peclone utility to Cobalt Strike Linux package. This utility parses a PE
file and prints a Malleable PE stage block with extracted values.
+ Artifact Kit now pushes decoded payload directly into alloc'd memory.
+ Added cleanup option to Malleable PE. This asks Beacon to attempt to free the
memory associated with the self-bootstrapping package that loaded it.
+ Added reg query|queryv to Beacon to query the registry
+ Added setenv command to Beacon
+ Updated getsystem/pth to use %COMSPEC% instead of cmd.exe.
+ Updated to Mimikatz 2.1.1 20180325
+ Hardened SSH sessions against infinite blocking situations.
+ Changed quoting convention in PowerShell scripts.
+ Added functions: &breg_query, &breg_queryv, &bdllload, and &bexecute_assembly
+ Added hex and vbs options to &transform
+ Extended Resource Kit to control CS's VBS and HTML Application output.
+ Added &transform_vbs to offer additional control over the VBS transform.
+ Added uac-token-duplication option to built-in privilege elevation options.
+ Added runasadmin to run a command in a high integrity context. This uses the UAC
Token Duplication attack. &brunasadmin gives scripts access to this too.
+ Rebuilt x86 VNC server DLL with v90 toolchain for maximum Windows 2000 fun.
+ Hardened the default (dist-pipe) Artifact Kit against rare error conditions.
+ Fixed a Beacon crash on Windows XP when CreateProcessWithTokenW is not present.
+ ReflectiveLoader now zeroes out its entire VirtualAlloc'd space
+ Made changes to the updater program for Java 9 compat and prep for cert changes
+ Internal script console implementation no longer uses $x and $error
+ Metadata verification now allows "unknown" as an internal IP value.
11 Dec 17 - Cobalt Strike 3.10
+ Added a ~1s delay to team server's authentication answer to mitigate brute force
+ x86 HTTP staging protocol server check now requires right x86 stager URI checksum
+ Randomized the unused host padding inside of the DNS TXT record stager.
+ Made changes to x86 XOR stage encoder stub
+ Added SSL support to Cobalt Strike's web-based social engineering features
+ Infused MITRE's ATT&CK matrix into Cobalt Strike:
- &attack_* functions provide access to ATT&CK data for custom reports
- Added Tactics, Techniques, and Procedures report: maps activity to ATT&CK
- &btask now accepts a comma separated list of ATT&CK tactics as an argument
+ Fixed: short title in report export dialog now affects the generated report
+ Added &h4, &list_unordered, and &p_formatted functions for custom reports
+ File browser right-click popups now announce "input" for actions taken.
+ Updated Synthetica L&F to version that is compatible with Java 1.9
+ CS now uses session-specific ANSI/OEM codepages to encode input and decode output
+ Beacon logs now normalize output to UTF-8 encoding.
+ Added "GUI Font" to Cobalt Strike preferences. Changes the font used by the UI
+ cobaltstrike.exe launcher on Windows now searches for Java 1.9 in registry
+ Changed how Beacon sends routine error messages back to Cobalt Strike
+ Added getprivs command to Beacon. (The ps command no longer gets privs for you.)
+ Refactored shell and powershell commands to transfer logic from Beacon to CS
+ Added &beacon_execute_job to run a command as a post-ex job and report output to CS
+ Added &str_encode and &str_decode to encode and decode a string with specified charset
+ Added &beacon_host_imported_script to host previously imported script and return a
one-liner to download and evaluate it. Returns nothing if no imported script exists
+ Added Malleable PE options string, stringw, and data to populate the .rdata section
of Beacon's rDLL with the specified strings.
+ Updated to mimikatz 2.1.1 20171106
+ HTTP server drops requests with malformed headers.
+ Proxy Server dialog is now friendly to @ in proxy username and password.
+ Fixed &format_size with larger file sizes
+ download now works with files >2GB. Reports an error if file is >4GB.
+ Minor syntax fix to C# shellcode output in Payload Generator
+ Fixed a Java 1.9 warning in the updater program.
+ Removed dependence on Java EE API (for 1.9 compatability. Ugh).
+ Added an admin check to [beacon] -> Access -> Dump Hashes
+ Added safety check to prevent SMB Beacon localhost staging failure when there's a name
conflict with this listener between multiple servers.
+ Export Data now uses UTF-8 encoding for its output
NOTE: An in-place update of Cobalt Strike with live sessions is never recommended. With
Cobalt Strike 3.10, this is especially true. Cobalt Strike 3.10 cannot control sessions
from previous versions of Cobalt Strike.
26 Sept 17 - Cobalt Strike 3.9
+ Updated VBA and VBS shellcode embedding to accommodate 3.9's larger stagers.
21 Sept 17 - Cobalt Strike 3.9
+ x86 HTTPS stager now (correctly) uses profile-specified URI
+ c2lint now flags absence of uri_x86 and uri_x64 as errors when a transform on the
stager output is present.
20 Sept 17 - Cobalt Strike 3.9
+ Added a startup check to verify -XX:+AggressiveHeap and -XX:+UseParallelGC are set.
+ Added a dialog to present a URL when the browser open action is not supported
+ powershell-import now uses a broader regex to find function names for tab completion
+ Changed the applet attack's memory allocation/process injection characteristics
+ Limited the team server file sync primitives to the downloads/ folder only.
+ Malleable C2 now prints a console error when POST'd session ID is empty
+ Artifact Kit uses SetThreadContext/ResumeThread for same-arch cross-process injection
+ Added Malleable client parameters/headers and server transforms to HTTP/HTTPS staging
+ Added a startup check + warning for Wayland desktops. (Not supported with CS)
+ c2lint now checks syswow64/sysnative case for spawnto_x86/spawnto_x64. It's important
+ &beacon_host_script now compresses imported PowerShell script (like powershell-import)
+ Made changes to the local staging process for the named pipe Beacon
! Removed windows/foreign/reverse_dns_txt as a listener (needed for the next change...)
+ Added dns_stager_prepend Malleable C2 option to offset DNS stage value in TXT records
+ Updated VNC server to remove unneeded "stuff" and improve reliability.
+ Restricted the team server file upload primitive to the uploads/ folder only.
+ Help -> System Information now includes environment variables
+ Licensed CS now requires a valid + non-expired authorization file to start. This file
is generated and refreshed by the update program in 3.9+
+ Licensed CS now embeds a 4-byte customer ID (from auth file) into stages and stagers
+ Added obfuscate Malleable PE option to mask import table strings
+ Updated to mimikatz 2.1.1 20170813
+ Added &gunzip function to Aggressor Script.
+ &closeClient now works when called from headless Agressor Script client.
+ &add_to_clipboard puts text into the clipboard and prompts the user.
+ headless Aggressor Script client now waits on global data before firing on ready event
+ Added light obfuscation to the System Profiler.
+ Added &encode function to obfuscate shellcode/stages with a CS encoder
+ Added &range and &iprange to generate a list of numbers/IPs from a string description
+ Added mask data transform to Malleable C2. Masks data with a random 4-byte value.
+ DNS Beacon accounts for in-progress HTTP GET-transfers when asked for IP address
23 May 17 - Cobalt Strike 3.8
+ Attacks -> Web Drive-by -> Host File maps .ps1 to text/plain (auto mime-type)
+ Host File dialog now checks that URI begins with a /
+ Fixed a bug with Malleable C2's base64url encoder
+ Exceptions thrown by Aggressor Script function calls are sent to the Script Console
+ Added [beacon] -> Access -> Elevate to pick a registered priv escalation to launch.
+ &bmode can now accept a dns6 argument.
+ Beacon DNS processor now lowercases all requests. (This was a 3.0 regression)
+ Web server now prints information & errors the same way other CS features do
+ Added ppid command to set parent process for processes Beacon launches
+ Added runu to run an arbitrary program under a specific process ID.
+ Added spawnu to spawn a session under a specific process ID (uses powershell.exe)
+ Updated web server to drop non-HTTP requests with no response.
+ Reporting now shows DNS Beacon mode changes in session transcripts
+ Artifact Kit's non-migrating artifacts start threads with memory backed by module
+ Improved c2lint's SSL keystore checks.
+ Cobalt Strike now updates PE CheckSum field for its executables and DLLs
+ Beacon now uses SetThreadContext/ResumeThread to start jobs in patsy processes
+ Beacon process injection now uses CreateThread for injecting into self
+ Added shspawn command to spawn shellcode file as Beacon post-ex job.
+ The updater program now verifies downloads via https://verify.cobaltstrike.com
Download the latest trial package to get the updated updater.
+ Updated to Mimikatz 2.1.1-20170508
+ Added scripting hooks to grant users control over PowerShell, Python, and VBA
templates used throughout Cobalt Strike. See the "Resource Kit" in the Arsenal.
+ Added Malleable C2 options: hijack_remote_thread, create_remote_thread to tweak
Beacon's process injection codepaths. Both are true/false options.
+ Added work-around for "Parallel GC" Java bug (Java 1.8u131) that prevents Cobalt
Strike from running. Download the latest trial package to benefit from this.
15 Mar 17 - Cobalt Strike 3.7
+ Added "set pipename_stager" Malleable C2 option to change named pipe stager pipe
+ Added manual proxy options to stageless Beacon artifacts
+ Attacks -> Packages -> Windows EXE (S) now shows listener names
+ Added &artifact_stageless function to generate stageless artifacts from scripts
+ &brm now rejects an empty argument
+ Added cp (copy) and mv (move) commands to Beacon. Added &bcp, &bmv for scripts
+ Added EXE and DLL code-signing capability to Cobalt Strike
- Malleable C2's code-signer block specifies the keystore and attributes
- Attacks -> Packages -> Windows EXE and Windows EXE (S) have a checkbox
to request a signed EXE or DLL
- The &artifact_sign function signs its argument (presumably a PE file)
+ Malleable C2 is now tolerant of case-transformed headers
+ Added Aggressor Script APIs to create simple dialogs
+ Added a parser to add mimikatz lsadump::sam results to credential model.
+ Team server now uses SHA256 hash for its SSL-cert fingerprint
+ Added Malleable C2 options to modify Beacon's payload stage/Reflective Loader
+ Reduced Beacon's use of RWX permissions in its process injection code path
+ Reduced use of RWX permissions in non-trial Artifact Kit.
+ Fixed bug with SSH agent not always resolving path for file downloads
+ Added API for Cobalt Strike's web server: &site_host, &site_kill.
+ Enhanced the error reporting for client/server disconnections
+ Updated DNS stager to not modify itself.
+ Added an x64 stage encoder for Beacon stages delivered over SMB and HTTP/S
+ Added dns_stager_subhost Malleable C2 option to change DNS TXT stager indicator
+ Updated to mimikatz 2.1.0-20170305
8 Dec 16 - Cobalt Strike 3.6
+ Added sanity check to HTTP header length.
+ Added script constants \c, \U, and \o to agscript client.
+ Beacon drops token when connecting to capability pipe anonymously. This should
mitigate some error 5s (permission denied) when using jobs after stealing a token
+ VNC client and Proxy Pivots -> Tunnel now use the IP address the CS client
connected to as the team server IP and not the value used when starting the
+ Added Preferences -> Cobalt Strike -> VNC Ports option. This configures the range
of ports CS should use for VNC client connections between the client and the
+ Added &layout to custom reports. It's &table but without a border and col headers
+ Expanded Malleable C2 to allow additional flexibility with HTTP requests:
- Use 'set verb' to change the default HTTP verb for http-get/http-post
- http-get.client.metadata can now print if http-get's verb is POST.
- http-post.client.output can now use uri-append, parameter, and header
Beacon will chunk output into small blocks when these options are used.
- http-post.client.id can now use print if http-post's verb is POST.
- c2lint checks for possible mistakes/issues with the above.
+ c2lint now checks for assignment collissions.
+ c2lint now shows a preview of both http-get AND http-post.
+ added base64url encoding to Malleable C2. (This is a URL-safe encoding option).
+ SSH client now reports output sent to STDERR.
+ Added sanity check to HTTP POST Content-Length (max allowed is 10MB. Still big.)
+ SSH client now combines consecutive reads for a channel into one output blob.
+ Added entries to the Host File feature's automatic mime-type assignment table.
+ Reworked spawnto to allow operator control over x86 and x64 behavior.
- Deprecated Malleable C2 set spawnto option (it's ambiguous)
- Added set spawnto_x86 and set spawnto_x64 to Malleable C2.
- Beacon's spawnto command now expects arch value to target right setting
+ Expanded spawn command to accept arch parameter (e.g., spawn x64 <listener>)
+ x64 Beacon falls back to RtlCreateUserThread when CreateRemoteThread fails.
+ Updated Beacon Job IDs to stick with job throughout its life
+ Added an Aggressor Script API to add exploits to Beacon's elevate command
+ Added &powershell_encode_oneliner to Aggressor Script. This function base64
encodes a PowerShell expression and returns a one-liner to run it.
+ Added quiet variants of many session tasking Aggressor Script functions. These
functions task a session without an acknowledgement. [e.g., bshell!("arp -a")]
+ Added &bdllspawn. This function launches a Reflective DLL as a Beacon post-ex job.
This rDLL job can send output to Beacon by writing to STDOUT. This rDLL can also
receive an argument from &bdllspawn. Check out the Aggressor Script docs for info.
+ Added arch parameter to &bstage (to allow staging x64 SMB Beacon locally)
+ hashdump now does a better job with larger sets of users.
+ DNS C2 applies tighter criteria to determine if a request is a "beacon" or not.
+ CS client filters listeners w/o stages when Malleable C2 host_stage is false
+ Addressed a potential thread-conflict with a shared buffer in an encryption routine
+ Cobalt Strike Trial no longer encrypts Beacon tasks and responses. *pHEAR*
+ Re-revised foreign listeners to return x86 shellcode only.
+ Updated to Mimikatz 2.1 20161126.
+ Added &bsetenv to set an environment variable within Beacon.
+ Added &bpsexec_command to run a command on a target via the service control manager
+ Keystroke logger is now better about non-US keyboard layouts.
+ Team server now properly releases resources from non-CS client connections
+ Removed keylogger start|stop from tab completion [these options no longer exist]
+ CS's web server returns 404 for HTTP proxy attempts when no proxy handler is setup
+ Fixed occasional x64 HTTP/HTTPS stager crash on Windows 10-era systems
3 Oct 16 - Cobalt Strike 3.5.1
This release implements measures to harden Cobalt Strike against malicious sessions.
+ Re-worked file download feature. Cobalt Strike continues to store downloaded files
in the downloads/ folder, but this time with a random name and no sub-folders. The
View -> Downloads and Sync Files user experience is restored to the behavior prior
to 3.5-hf1 and 3.5-hf2. The logs/[date]/downloads.log file contains a manifest of
downloaded files and maps known information about the file download to the random
names in the downloads/ folder.
+ Team server now uses a safe path concatenation function that compares canonical
paths of the parent and result concatenated path to make sure the result doesn't
break out of its parent.
+ Added host_stage = true/false option to Malleable C2. This options allows you to
disable the public hosting of a payload stage over HTTP, HTTPS, and DNS.
+ Beacon controller now refuses to process most session responses if a session is
new and has not had a task yet. Some responses are still allowed prior to tasking.
+ Beacon controller drops sessions whose session metadata didn't validate.
+ Beacon's upload command with path no longer checks for 1MB limit
+ Added 0.0.0.0 to team server's list of hosts it won't accept.
29 Sept 16 - Cobalt Strike 3.5-hf2
+ Broader hardening of the Beacon controller against the RCE security issue.
28 Sept 16 - Cobalt Strike 3.5-hf1
+ Hot fix for a security issue. See Cobalt Strike blog:
22 Sept 16 - Cobalt Strike 3.5
+ Fixed sanity checks when adding a listener.
+ Lateral Movement & Make Token dialogs use a . if user leaves Domain field blank
+ Beacon socks command now asks Beacon to checkin interactively (sleep 0)
+ Added ssh and ssh-key commands to Beacon to create an SSH session with a target.
These sessions allow you to run commands, upload/download files, and pivot
through targets over SSH.
+ Took steps to reduce likelihood of Beacon ID collissions
+ &bmimikatz function will now dispatch multiple commands separated by newlines.
+ SMB Beacon download feature now pulls bigger file chunks (~256KB) per checkin
+ Fixed double unlink notices for named pipe sessions.
+ Added several Aggressor Script enhancements:
- ssh_alias keyword to add commands to SSH sessions
- ssh_initial event to respond to new SSH events
- ssh popup hook
- &ssh_command_register to register SSH aliases with SSH help command
- &bssh, &bssh_key to launch an SSH session from a Beacon
- &bsudo to run the SSH session's sudo alias
- &ssh_commands, &ssh_command_describe, &ssh_command_detail to grab help
information for SSH session commands.
- -issh $id, -isbeacon $id predicates to test whether an ID is a specific
type of session
- -isadmin $id predicate to check if a session is admin-level
- -is64 $id predicate to check if target is an x64 system.
- &sbrowser function to create a session browser GUI object
- SSH sessions have their own sets/events that are similar to the ones
that exist for Beacon sessions.
+ View -> Proxy Pivots now posts input for rportfwd stop/socks stop
+ Added sanity check for team server <host> parameter to avoid common mistakes
+ x86 stager generation code now always use x86-specific URI checksum.
29 Jul 16 - Cobalt Strike 3.4
+ Save dialog now defaults to the last saved file's location
+ Cleaned up several strings in Beacon's stage.
+ Added Malleable C2 option to set name of SMB Beacon's named pipe name
+ Added command-line help options for team server startup.
+ Added a kill date parameter to team server. This will embed a drop dead date
into each Beacon stage generated by this team server.
+ Archiver on team server now truncates its entries to a set size. This prevents
a slow memory leak on the team server.
+ Fixed bug that capped Beacon's jitter variance to 32s, regardless of sleep time
+ Added a cobaltstrike.server_port property to change team server's default port
+ Fixed bug processing HTTP GET Malleable C2 recovery programs > 128 bytes.
+ Hardened Beacon's Malleable C2 recover code against corrupted/unexpected data.
+ Added Beacon's architecture (x86, x64) to session metadata as barch key. Also
added an (x64) indicator to statusbar in x64 Beacon consoles.
+ 'mode dns' now restricts DNS host length (for puts) to 25% of maxdns value.
The 'mode dns-txt' option is 100% of the maxdns value. 'mode dns6' is 50%
+ Beacon's upload command now supports files larger than 1MB.
+ Fixed a bug in task queue chunker that could affect order of task execution
+ Cobalt Strike -> Listeners shows last listener error in red, if there is one.
+ Added option to export COM Scriptlet (.sct) to Payload Generator dialog
+ Spear Phishing tool now allows Windows-style line endings for targets file
+ Added dns_idle setting to Malleable C2. Changes DNS C&C idle IP from 0.0.0.0
+ Added dns_sleep Malleable C2 setting. Forces a sleep before all DNS requests
+ Added 'mode dns6' to use DNS AAAA records as a data channel for DNS Beacon.
+ maxdns is now interpreted as maximum length of hostname to send data back
+ Improved DNS data channel throughput when using hostnames to send data back.
+ Updated to mimikatz build (Jan 31, 2016) to address golden ticket indicator
+ Spear Phish mail server setup now adds option to force STARTTLS
+ Fixed a bug with STARTTLS upgrade (introduced in 3.0)
+ Added &bnet function to call Beacon's net module.
+ Added &beacon_host_script function to (locally) host a PowerShell script and
return a one-liner to grab it/run it.
+ Fixed exception caused when hand-editing targets field in Spear Phish dialog
+ Fixed a potential exception caused by a race when removing a listener
18 May 16 - Cobalt Strike 3.3
+ Added krbtgt helper to Golden Ticket dialog.
+ Added filter feature (Ctrl+F) to most of Cobalt Strike's tables.
+ Raised data model retention limits again.
+ cobaltstrike.exe on x64 Windows now looks for x86 Java if x64 Java is not found
+ Removed remnants of non-existant task command.
+ Aliased ? to help in Beacon console.
+ Mitigated DOS condition that could stop Team Server from accepting new clients
+ Fixed conflict between Malleable C2 partial URIs (uri-append) and HTTP/S
staging protocol. Malleable C2 partial URIs requests match to handler first.
+ Added c2profile info to Help -> System Information
+ Made keystroke logger loop tighter.
+ Added powerpick command to run PowerShell via Unmanaged PowerShell technique
+ Added psinject command to inject Unmanaged PowerShell into a specific process
+ Added 3389 to default portscan port list.
+ Made multiple error checking enhancements to c2lint.
+ Added Reload button to Script Manager dialog.
+ Added ready column to Script Manager to indicate if script is loaded or not.
+ Ctrl+Shift+D closes all tabs except the active one.
+ note[space][tab] now completes the current Beacon note.
+ Added net time to Beacon's net module.
+ powershell-import size check occurs *after* compressing the script.
+ DNS server responds to (unexpected) AAAA requests with an empty answer section
+ Mimikatz parser now preserves passwords with spaces.
+ Beacon now uses encrypt-then-MAC to verify task/response message integrity
+ Updated web server to have enough Range request support to satisfy bitsadmin
+ Replaced PowerShell Web Delivery with Scripted Web Delivery. This dialog
generates artifacts and one-liners to deliver payloads with: bitsadmin,
powershell, python, and regsrv32.
+ Added VBA shellcode injection option to the HTML Application Attack.
+ Added an option to use x64 stagers/stages to:
- Attacks -> Packages -> Payload Generator
- Attacks -> Packages -> Windows Executable
- Attacks -> Packages -> Windows Executable (S)
+ Added x64 artifacts to the Artifact Kit
+ Added shinject command to inject shellcode into a process
+ Made the following updates to Aggressor Script:
- &binject now accepts an arch (x86, x64) parameter.
- Added &beacon_ids function to get all Beacon IDs
- Added &bpowerpick / &bpsinject functions to go with the above.
- Added &openScriptedWebDialog for Scripted Web Delivery
- Added &bshinject to go with shinject command
- Extended &shellcode with an x86/x64 architecture parameter
- Extended &artifact with an x86/x64 architecture parameter
- Extended &artifact types with powershell, vbscript, and python
- Extended &powershell with an x86/x64 architecture parameter
- &agServices now limits its results to hosts in targets model only.
+ The make_token command now accepts passwords with spaces.
+ Improved Bypass UAC attack's reliability. It also gives feedback now.
4 April 16 - Cobalt Strike 3.2
+ Removed errant date parsing code from Mimikatz output scraper.
22 Mar 16 - Cobalt Strike 3.2
+ Fixed potential null pointer exception in multi-Beacon Process Browser
+ Fixed a type-issue that could cause client disconnect when editing credentials
+ Text displays show horizontal scrollbar if a text token is longer than display
+ Hardened report generator against empty bookmarks.
10 Mar 16 - Cobalt Strike 3.2
+ Standard dialogs (messages, prompts) are now created in Swing's EDT
+ Merged client data sync process to one mechanism
+ Made slight change to bind TCP staging protocool.
+ Fixed bug with Beacon desktop command running twice when three args specified
+ Scrollbar now appears in connection list (when one is warranted).
+ Fixed VPN pivoting deployment error caused by internal API changes.
+ Added a startup warning for OpenJDK users. OpenJDK is not recommended for use
with Cobalt Strike. It has occasional bugs that severely impact CS users.
+ Bind TCP staging process now encodes x86 payloads
+ Raised the max entry limits in Cobalt Strike's data model.
+ Port Scanner now properly ids Ubuntu OpenSSH banner as a Linux system
+ Added an x64 Beacon agent. You can now inject Beacon into x64 processes.
+ Added a timeout to VNC session handshake. If the timeout expires, you're asked
to try the VNC process again.
+ [beacon] -> Explore -> Desktop announces desktop command to the beacon console
+ [beacon] -> Interact now activates Beacon's existing tab, if one is open.
+ Fixed a bug downloading 0 byte files.
+ Raised max number of linked beacons from 15 to 40.
+ Added 'net computers' to query Domain Computers/Domain Controllers groups to
discover targets and populate Cobalt Strike's data model.
+ VPN Pivot now filters the VPN client's host and hosts in client's pivot chain.
+ Added Reporting -> Reset Data to reset Cobalt Strike's data model.
+ Modified teamserver script to avoid re-generating SSL cert if keystore exists
+ Website Keystroke Logger tool now logs to webkeystrokes.log on team server.
+ NMap import does not import hosts with no open services.
+ text prompts no longer fire their callback if dialog is cancelled.
+ Consoles now display a horizontal scrollbar when there is a text token longer
than the console can display.
+ PowerShell Web Delivery and powershell-import now compress hosted scripts.
+ Added warning to prevent deploying CovertVPN on Windows 10.
+ Hardened recursive task building logic against potential loops.
+ Changed screenshot publish/read protocol to avoid incomplete screenshots
+ Added processbrowser and processbrowser_multi popup hooks to Aggressor Script
+ upload and powershell-import report errors if content is too big.
+ Ctrl+Shift+T takes screenshot of entire CS window and pushes it to team server
+ Reporting engine frees up memory after report is generated.
+ Hardened report generator against empty pages and empty tables.
8 Dec 15 - Cobalt Strike 3.1
+ Fixed report generation bug when masking long email addresses
+ Fixed race that made metadata unavailable to beacon_initial event
+ &binfo("id") now returns all metadata for the specified beacon id
+ Screenshots in memory no longer cache their ready-to-render form. This prevents
out of memory exceptions for those of you watching busy desktops.
4 Dec 15 - Cobalt Strike 3.1
+ Fixed report generation issue with UTF-8 encoded characters.
+ SE Report now excludes campaigns with no delivered messages.
+ Spear Phishing tool now preserves base64 encoded parts with a Content-ID
+ Script Console e, x, and ? commands present errors in friendlier way.
2 Dec 15 - Cobalt Strike 3.1
+ Beacon help command complains when asked about a command that doesn't exist
+ VNC server stage is now encoded
+ Bypass UAC on Windows 10 now takes steps to use an artifact that's OK with
blocking DLL_PROCESS_ATTACH [not all techniques are OK with this].
+ Updated integrated mimikatz to 2.0 alpha 20151008
+ Added dcsync command to Beacon. Uses mimikatz to pull a hash from a DC. CS
parses its output and adds the credential to the creds model too.
+ Fixed null pointer exception when trying to save an edited listener.
+ mimikatz @module::command will force mimikatz to use beacon's thread token
+ Download cancel now properly releases file handle in Beacon.
+ client now trims large data structures in the same way the team server does
+ Screenshot tool is now smarter. If user is idle, it returns one screenshot
every three minutes. If user is active, it will return one each check-in.
+ Session metadata is now in the Beacon logs on the team server.
+ CS now offers to direct user to team server documentation when they get a
Connection refused error.
+ Added headless option to run Aggressor Scripts. Use the agscript launcher
included with the Linux package.
+ Obfuscated Artifact Kit's service entry point slightly.
+ DNS Beacon export option was not showing up in the stageless payload export
dialog if windows/beacon_dns/reverse_dns_txt was set as the listener. Fixed.
+ Scan dialog now complains if a Beacon session wasn't selected.
+ Export Data and Sync Files features now mkdir folders that don't exist.
+ Added check to prevent you from using CS with Java 1.6.
+ %TOKEN% is now replaced everywhere in phishing template, not just URL.
+ Added Export button to View -> Credentials. Exports creds in PWDump format
+ Fixed stager crash on exit after failure; caused by wrong byte order exitfunk
+ Added a sanity check for phishing target files w/ reversed email/name info
+ View -> Targets now has an import button. Imports: NMap XML & flat host files
+ IoC Report now only shows each hash once.
+ Fixed several bugs that could affect report generation.
+ Spear Phishing tool no longer strips attachments with a Content-ID header.
+ Added several APIs to Aggressor Script
+ DNS Stager now exits after all attempts exhausted (better than crashing)
24 Sept 15 - Cobalt Strike 3.0
+ Switched to the Aggressor project's team server and client. Aggressor
was a long effort to rewrite Cobalt Strike's team server and client without
the Armitage codebase and dependency on the Metasploit Framework. The
Aggressor project expanded Beacon's post-exploitation capability and
re-aligns Cobalt Strike's workflows around the Beacon payload.
+ psexec commands now query service before they shut it down. This fixes a
race condition that affected psexec's success in some situations.
+ Beacon now acknowledges the exit command and a message is shown.
+ Team server now delivers very large Beacon taskings in chunks. Beacon has a
hard limit on taskings and this prevents large taskings (e.g., mimikatz sent
to 5+ different hosts) from crashing Beacon.
+ The sleep command in an SMB Beacon now sends the command up to the egress
Beacon to take effect.
+ psexec and friends tab complete target NetBIOS names from CS's data model
+ Added port scanner and net [view] modules to Beacon.
+ Named pipe staging now aborts after 60s of attempts or an error 53.
+ Bypass UAC now works on Windows 10
+ Added a profile preview to the c2lint utility.
+ Updated Artifact Kit and Applet Kit to use Aggressor Script APIs to hook
into attack generation process.
12 Aug 15 - Cobalt Strike 2.5
+ Beacon's lateral movement commands now show listener dialog when no
listener is specified.
+ Took steps to combat against Read Timeout errors during authentication
to team server.
- Updated YAML parser and other code to become compatible with Kali 2.0
- Console Queue now sets some options (e.g., TARGET) before it sets others
to avoid errors
29 Jul 15 - Cobalt Strike 2.5
+ Removed [beacon] -> Log Keystrokes menu. These options don't make sense
now that keystroke logger injects into specific processes
+ Added make_token command to Beacon. Clones current access token to pass
username/password to remote systems. Requires admin access.
+ Added rm and mkdir commands to Beacon.
+ Added lateral movement commands to Beacon: psexec, psexec_psh, winrm,
and wmi. The psexec command uses a Service EXE from Artifact Kit. The
other options bootstrap a payload with PowerShell.
+ Replaced windows/beacon_smb/reverse_tcp with windows/beacon_smb/bind_pipe.
You may use this listener with Beacon's lateral movement options. It will
stage the SMB Beacon over a named pipe (quite slick!). This listener is
also usable with other Beacon features (e.g., spawn, bypassuac, etc.)
+ Beacon now polls each SMB Beacon for data on checkin.
+ Backported Cobalt Strike 3.0's SOCKS backend to 2.5.
+ Added rportfwd command to Beacon. This creates a reverse port forward (on
target) to catch connections and forward them to a host/server of your
choosing. The forwarded traffic/connections are tunneled through Beacon.
+ Added hta-psh to Attacks -> Packages -> Payload Generator. Uses MSF to
generate an HTML Application that bootstraps your payload with PowerShell
+ Browser Pivot dialog now shows processes on newer versions of Metasploit.
Newer versions of MSF omit the PPID column in Meterpreter's ps output.
+ The PowerShell output for Windows Executable (S) is now much smaller!
+ Malleable C2 now allows escaping of quotes inside of strings #CommonSense
+ Added Malleable C2 options to import an SSL certificate for Beacon's use
+ Added spawnas to Beacon to run a payload with the specified creds.
+ Beacon now uses CREATE_NEW_CONSOLE with cmd.exe/powershell.exe. This
fixes some weird situations where Beacon could not consume output from a
process created with a stolen token.
- Updated MsgPack library and code that uses it.
- Team server now authenticates client before exchanging serialized objects
21 May 15 - Cobalt Strike 2.4
+ Fixed a conflict with SMB Beacon pipenames due to random seed choice.
+ Added date stamp to View -> Web Log entries
+ Re-generated default Beacon HTTPS certificate with different parameters
+ Malleable C2 HTTPS certificate generation now uses different parameters
+ Slight refresh to the default artifact kit for executables and DLLs
10 Apr 15 - Cobalt Strike 2.4
+ Fixed 'meterpreter' command to tunnel Meterpreter through Beacon
+ Pressing cancel on the Set Note dialog for Beacon no longer clears note
+ Fixed mimikatz command with really long commands + arguments.
8 Apr 15 - Cobalt Strike 2.4
+ Added dllinject to Beacon. Injects a Reflective DLL into a process
- Sped up rendering of graph view on Windows and MacOS X.
+ Beacon now has a concept for long-running post exploitation jobs.
Use the jobs command to list jobs. Use the jobkill command to kill
a job. The keystroke logger, PowerShell tasks, and Command Shell tasks
now use this mechanism.
+ Keystroke logger now injects into an x86 or x64 process of your
choosing and reports keystrokes back to you.
+ Added hashdump command to Beacon
+ Integrated mimikatz into Beacon. Use wdigest to dump plaintext creds.
Use mimikatz [command] [args] to run an arbitrary mimikatz command.
+ Fixed Beacon's internal types to allow working with large PIDs.
+ Revised VNC client -> server staging and connection process to
eliminate a layer of unnecessary tunneling and improve reliability.
+ Payload names in Listener dialog are now in alphabetical order. This
will mess with muscle memory for some of us. It's for the best though
+ Added foreign listeners. These listeners are aliases for Meterpreter
or Beacon handlers managed elsewhere.
+ Added a sanity check for when an Applet Kit script can't find its
+ Added PowerApplet to the Cobalt Strike Arsenal. This alternate
implementation of the Cobalt Strike Applet Attacks uses PowerShell
to inject a payload into memory.
- Made YAML parser more liberal with punctuation characters.
+ Fixed a malleable c2 bug that affected safebrowsing.profile
+ Improved c2lint utility with a few new checks and enhanced checks
+ Added another A/V bypass technique to the Artifact Kit.
+ Tweaked artifacts Cobalt Strike generates
+ Performed normal client-side database maintenance
22 Jan 15 - Cobalt Strike 2.3
+ Cobalt Strike now encodes Beacon's DNS stage with a custom encoder.
+ kerberos_ticket_use with no arguments now prompts for file.
+ Staged Beacon's PowerShell output is now x86/x64 PowerShell agnostic
+ Added Attacks -> Web Drive-by -> PowerShell Web Delivery.
- Fixed a repaint bug when removing last server button.
+ added runas command to Beacon.
+ Fix bug when prepend/append were used before base64/netbios encode in
Malleable C2 profiles.
+ Beacon now dynamically calls Wow64 disable/revert. This prevents a
crash when user tries to run powershell command on older XP systems.
+ c2lint now checks for a ? in URIs and warns user.
+ Beacon's download command now gives feedback when it can't open a file
+ Added pwd command to Beacon
20 Nov 14 - Cobalt Strike 2.2
- team server startup verifies default host is an IPv4 address.
- Prompt for default address is now more aggressive and continues to
ask until an address is put in. If a user hit cancel on this dialog,
threads to poll the database never get started. Bad day, for sure.
+ Rebuilt process to inject and connect to VNC server on target system.
New process is more likely to be ignored by host-based firewalls.
+ VNC client now uses a better visual cue for view-only, ctrl/alt lock
+ Vulnerability report now shows URLs for references from ZDI, MSB,
US-CERT-VU and WPVDB.
- Cobalt Strike now sends a keep-alive every 1-2mins over an idle team
server connection to combat disconnection by a NAT device
+ Beacon re-adds host to db if you remove its Beacon and it comes back.
+ Fixed Beacon replay attack counter 50-day roll over cycle.
+ c2lint now simulates impact of URL encode on parameters and mangled
binary data in headers when unit testing profiles.
+ Applet Kit shellcode injector now spawns a suspended process to
+ Spear Phishing tool is better with more complicated message templates
+ Phishing preview no longer replaces links in plaintext preview that
would not be replaced in actual phish.
+ c2lint now checks length of useragent value
+ You may now tab complete file with kerberos_ticket_use in Beacon
+ Fixed (potential) deadlock with listener tab complete in Beacon
- Cobalt Strike client now shows disconnect message if it loses any
of its connections to the team server.
+ Added an ICMP channel to Covert VPN feature.
+ Fixed Covert VPN issue with encryption keys that contain null bytes
+ More small tweaks to the VBA macro.
Cortana Updates (for scripters)
- name field for hosts is now available.
30 Sept 14 - Cobalt Strike 2.1
+ Beacon's powershell command always launches native arch PowerShell
+ powershell tab completion now tracks completeable cmdlets on a
23 Sept 14 - Cobalt Strike 2.1
+ Beacons now use asymmetric cryptography to negotiate a unique
session key and authenticate with your Cobalt Strike instance.
- Added helper for SCRIPT option.
+ Added Malleable C2 options to customize SSL cert for HTTPS Beacon
+ You may now use PowerShell through Beacon. Use the powershell
command to evaluate a PowerShell expression. Use powershell-import
to import a script and make it available to the powershell command.
- Right-click a tab's X button and use "Send to bottom" or Ctrl+B to
dock a tab to the bottom of the Cobalt Strike window. Use Ctrl+E to
to get rid of the docked tab.
+ Cobalt Strike's web server now sends Content-Length when it's known
+ Added file tab completion for some of Beacon's commands.
+ Upload command now reports an error if Beacon can't write the file
+ Rebuilt CovertVPN client as a Reflective DLL. This will make client
deployment more reliable.
+ Cobalt Strike -> Interfaces now auto-refreshes itself every second
+ Split Covert VPN TCP channel into Bind and Reverse options. Reverse
works as before and makes a connection to you. Bind uses a portfwd
to connect to VPN client through Meterpreter [in effect tunneling
frames through Meterpreter].
+ HTTP channel in Covert VPN now uses User-Agent from Malleable C2
- Added more YAML warnings to save heartache for custom installs
+ Added a user-driven attack: Attacks -> Packages -> HTML Application
+ Performed normal client-side database maintenance
- Database layer now uses core.version results to decide which MSF
data model to use.
- File tab completion (Beacon, Cortana console) better handles ~
+ Made a small tweak to the VBA macro.
+ Updated Firefox Add-on Attack launcher to work with MSF updates
+ Updated artifact kit build.sh to account for increased beacon size
Cortana Updates (for scripters)
- &credential_add, &credential_delete now take into account Metasloit
version (pre 4.10, post 4.10) and do the right thing.
18 Aug 14 - Cobalt Strike 126.96.36.199
- Added hard-coded database.yml path as fallback for Kali users
- Updated internal db.creds/db.creds2 calls to pull from new creds
model in database.
- [meterpreter] -> Access -> Dump Hashes -> wdigest uses sso post
module now. New creds model makes this better.
- Import option in View -> Credentials now works with new data model
16 Jul 14 - Cobalt Strike 2.0.49
+ Fixed SE PDF report generation bug when masked emails collided
- Command Shell experience on Windows Meterpreter is much better now
- Java Meterpreter may now interact with a bash shell
! Removed [host] -> Meterpreter -> Access -> Migrate Now! menu item
- Ctrl+Escape temporarily drops the timeout times for Meterpreter
commands to 5s, across the board. If a Meterpreter session appears
unresponsive, try this to force any hung commands to timeout
+ Listener dialog now complains if user leaves host field blank
+ Added 'veil' option to Payload Generator. Outputs shellcode in a
format suitable for use with Veil [as custom shellcode].
+ Added Malleable C&C - a domain specific language to re-define
indicators in Beacon. Now you can make Beacon look like whatever
you need for your mission needs. *pHEAR*
+ Add windows/beacon_https/reverse_https which is an HTTPS Beacon.
+ Added [host] -> Meterpreter -> Access -> Bypass UAC. Launches the
bypassuac_inject module w/ an Artifact Kit-made DLL for AV evasion
+ Fixed unicode issue with Website Clone Tool
- Cobalt Strike now warns when a team server is non-responsive by
making its server button purple. When the server is responsive again,
the button will turn back to its normal color. This requires that
you're connected to multiple team servers.
+ Added kill and ps commands to Beacon
+ Listener dialog now complains if user tries to use multiple hosts in
+ Added kerberos_ticket_use and kerberos_ticket_purge commands to Beacon.
These commands allow you to inject a Kerberos ticket into the session
and purge it. Use with a Golden Ticket generated by Mimikatz 2.0.
+ Beacon's inject, spawn, and bypassuac commands pop up a listener dialog
if no listener is specified.
- Windows EXE launcher for Cobalt Strike now finds 64-bit Java.
15 May 14 - Cobalt Strike 1.49
- Worked around invisible text selection bug with latest Java on Kali
13 May 14 - Cobalt Strike 1.49
+ Fixed Beacon HTTP Stager bug on Windows XP
+ Worked around VBA syntax error caused by stagers that are too long.
23 Apr 14 - Cobalt Strike 1.49 (NCCDC Edition)
- Keyboard shortcuts to change text size now work in table view
+ Browser Pivoting now uses a self-signed cert that expires in 10 years
+ Added ability to assign a non-persistent note to a Beacon
- Added Copy button to View -> Creds
+ Beacon's process injection now falls back to APC Queue process injection
technique when CreateRemoteThread fails.
+ Listeners dialog now complains if you try to use an out-of-range port
+ Beacon DNS processor now lowercases all requests.
+ Beacon's HTTP stager now prompts user for proxy creds when proxy
authentication fails. This prompt is the same one Internet Explorer uses.
- Services tab right-click menu now has options to edit a service's info
- YAML parser now gives better errors and forgives errant whitespace
- CS now intercepts shell command with arguments and spawns a command shell.
+ Beacon socks command prints an error if it can't bind the requested port
+ [beacon] -> Sleep menu now lets you specify a jitter factor.
+ Beacon's 'meterpreter' command now automatically changes the sleep time to
+ Windows Executable (S) Package now has raw and PowerShell output
+ Fixed a bug that broke features when a custom Artifact Kit is loaded
- Logging now deals with IPv6 addresses better for Windows users
- Launching psexec at 4+ hosts will no longer open a tab for each host
- Cobalt Strike no longer allows two buttons with the same name in its team
server button bar.
+ Listeners dialog now warns when Beacon hosts/domains list is too long
+ Beacon's spawn and meterpreter commands now create processes in a
suspended state and inject into rundll32.exe by default.
+ Beacon's spawn and meterpreter commands no longer use the impersonated
token to create the process to inject code into. This change reduces
"surprises" for you and gives you the flexibility to steal a token or
getsystem from the new session
Cortana Updates (for scripters)
- Added &script_load to load a script (as if the user did this)
- Added &script_unload to unload a script
13 Mar 14 - Cobalt Strike 1.48 (NECCDC Edition)
+ PsExec now waits longer for a session
+ Added timestomp command to Beacon
+ Beacon's bypassuac now waits up to 10s for privileged file copy to complete
+ Beacon's 'meterpreter' command now checks for a pivot that could interfere
with staging meterpreter through Beacon and presents a warning about it.
- Added Ctrl+L to quickly add an entry to timeline.[xml|tsv] (exported
through View -> Reporting -> Export Data)
+ Added Attacks -> Packages -> Windows Executable (S) to export a staged
Beacon as a DLL or executable.
- Added osx-app to Output: type for payloads. Outputs a zipped MacOS X
+ Auto-Exploit Server now uses MSF's HTTP stager for Beacons. The custom stager
is too big for most of MSF's client-side attacks.
- Scrubbed Cobalt Strike to eliminate unnecessary blocking calls from Sleep
source code. This improves Cobalt Strike's responsiveness and takes away
many opportunities for deadlock.
- Sync Files for Loot and Downloads is now much better with large files
+ Beacon now warns you when you try to upload a file bigger than its 1MB limit
- Cobalt Strike now properly notifies you when you lose a connection to a
team server. This was probably a long time coming.
27 Feb 14 - Cobalt Strike 1.48
+ Beacon now reports Windows 8.1 correctly.
+ Beacon's interactive mode (sleep 0) is now 10-100ms delay between requests
+ Windows Dropper attack now uses a language-neutral method to determine
Documents folder to write dropped file to.
+ Beacon's Task URL command now uses EXITFUNC of process to prevent metasploit
generated shellcode from crashing after executed program closes.
+ Worked around known Java bug that prevents Spear Phishing HTML Preview from
displaying text when a META tag is present.
+ Added Pivot Listeners--a listener that calls home through an existing
Meterpreter session. Go to [host] -> Meterpreter -> Pivoting -> Listener...
+ Added WebRTC IP address decloak to System Profiler. Based on technique at:
+ Beacon's 'meterpreter' command now uses bind_tcp shellcode that binds to
127.0.0.1 explicitly. This will prevent some host firewall warnings.
+ Modified MSF's HTTP stager to specify a User-Agent. This is necessary to
get through proxies that whitelist browsers. This modified stager is used
to stage Beacon via Social Engineering Packages and when you task a Beacon
to spawn a new Beacon for you.
+ Added Attacks -> Packages -> Payload Generator to output sourcecode or an
artifact to deliver a Cobalt Strike payload to a host.
+ Added windows/beacon_smb/reverse_tcp payload to listeners dialog. This
will deliver a Beacon peer to a host (staged over a reverse TCP connection).
You must have an HTTP or DNS Beacon setup before you create this listener.
+ Beacon SMB (reverse_tcp/bind_tcp) now kills the socket used to stage it.
+ Beacon now obfuscates session metadata better.
+ Added several commands for privilege escalation and token stealing to
Beacon: steal_token, getuid, rev2self, getsystem, and bypassuac. This change
gets one entry in this log but it was a lot of added grey hair to pull off
+ Beacons tab now shows a * next to user to indicate Beacon is run as admin
+ Type upload[enter] in a Beacon to immediately see a file chooser dialog
- Windows opened by Ctrl+W now show the proper application icon.
- Cobalt Strike now uses a JFrame to display its dialogs. This will give each
window its own button in the taskbar regardless of window manager.
+ Beacon's inject and spawn commands will now deliver a DNS Beacon over DNS
[just use spawn [listener] (DNS)]
+ Took steps to suppress "host called home" messages in Beacon console for
data relayed through a P2P link/SOCKS pivot.
+ Beacon auto-migrate now spawns a process that isn't notepad.exe ;)
8 Jan 14 - Cobalt Strike 1.48
+ You may now assign a host on a per listener basis. Useful if you'd like a
listener to call home to a FQDN, an IPv6 host, or a hop point.
+ Added "shell (connect to target)" to PsExec dialogs.
+ Spear Phishing Preview now renders HTML and Plain Text previews of message
+ System Profiler is now compatible with IE11 and it detects Windows 8.1
+ Added an option to disable Java Applet with System Profiler. This will pull
less information, but it also prevents click-to-run raising suspicion
+ Attacks -> Packages -> Windows EXE now generates an x86 EXE, x86 DLL,
x86 Service EXE, and an x64 DLL. These artifacts are generated by Cobalt
Strike. Source code to this Artifact Kit is in the Cobalt Strike arsenal.
+ Added Attacks -> Packages -> Windows Dropper. This package drops a document
to disk and opens it, while silently executing a payload.
+ Ported MSF's MS Office Macro Attack to Cobalt Strike with a few enhancements.
Updated Office Macro now intelligently spawns payload into an x86 process--
allowing the same macro to work when run on x86 or x64 Office. This also
keeps your session safe if the user closes Office before you can migrate.
! Removed Attacks -> Packages -> Adobe PDF. This feature references a
Metasploit Framework module that is no longer very useful.
! Removed Attacks -> Packages -> MacOS X Trojan. This one was my fault.
+ Cobalt Strike now uses Artifact Kit to generate executables for its lateral
movement dialogs. [host] -> Login -> psexec and psexec (token)
- Cobalt Strike.app for MacOS X now works with Oracle's Java 1.7
+ Added Microsoft Silverlight detection to the System Profiler
+ Updated client-side attack database with the latest and greatest
- Cobalt Strike console is now a mouse hot spot. Right-click a host in the
console to see its menu. Click a module to open the module's launcher
- Cobalt Strike module launch console ignores false meterpreter prompt from
msfrpcd after a successful exploit job is run. This work-around isn't
perfect but it's much better than doing nothing.
- hashdump and wdigest menus now add usernames with spaces to creds table
+ Attacks -> Web Drive-by -> Firefox Add-on now uses Artifact Kit to generate
an executable for its payload.
- IPv6 reverse sessions now associate with their host properly.
+ Added [listener] -> Debug... to restart a listener in a console where you
can directly observe its output (and error messages)
+ Removed Set LHOST from View -> Beacons. Since LHOST no longer affects
the listener callback address--it made sense to do this.
+ Cobalt Strike web server now uses proper MIME types for MS Office 2007 docs
21 Nov 13 - Cobalt Strike 1.48
- Missing MSF_DATABASE_CONFIG error now gives troubleshooting steps too
- Added another check to detect and correct a corrupt module cache
- [host] -> Operating System -> Firewall works again.
+ Browser Pivoting now supports 64-bit Internet Explorer
+ Added peer-to-peer communication to Beacon. Use 'mode smb' to put turn a
Beacon into a peer node. Use 'link [ip address]' to link a Beacon to a
peer. You may recursively link peers as well.
+ Beacon DNS C2 is now more robust.
+ Default port for MSF exploits in auto-exploit server is now 8080
+ Reporting Engine now links ZDI advisories
- You can now set PAYLOAD for windows/local/wmi exploit
+ Added [host] -> Login -> psexec (token+psh) to run current_user_psexec with
the PowerShell injection technique.
+ Added [host] -> Login -> wmi (token+psh) to run windows/local/wmi with the
PowerShell injection techniques. WMI is another option for lateral movement
+ Beacon checkin command now displays output stating the task was added
+ Beacon console now logs to a separate file for each beacon
+ Browser Pivoting now shows output/errors from reflective DLL injection step
+ Updated client-side attack database
+ Listener "sanity check" feature now gives the old non-HTTP listener more time
to close before warning that the listener may fail.
+ PsExec windows/meterpreter/bind_tcp payload option now encodes second stage
- Default meterpreter/reverse_tcp listener now encodes its second stage
+ Browser Pivoting can now connect to sites on non-standard ports
+ Added a check to prevent user from creating multiple beacon listeners on one
Cobalt Strike instance.
+ Added Permissions and Application-Name to Signed Java Applet manifest. This
supresses a big warning on the latest version of Java 1.7
+ Some PsExec options show 'beacon (connect to target)' as a listener option.
This will deliver Beacon setup as a peer. Link to it from another Beacon.
+ Beacon now times out WinINet requests after 4 minutes. If something traumatic
happens to your poor Beacon, you'll get it back in 4 minutes. This is better
than the WinINet default of 60 minutes.
+ Beacon now automatically checks in when a file download is in progress.
26 Sept 13 - Cobalt Strike 1.47
- Fixed webcam selection logic that I broke last update.
+ Adjusted max RPC messages/second to 200 (from 20). This mitigates a message
backlog from multiple interactive beacons.
+ Beacon's 'meterpreter' command now initiates a connection to localhost
(tunneled through Beacon, of course) instead of the host's known external
address. This makes a session more likely to happen in most cases.
- Added a helper for PATH option
+ System Profiler now translates internal host 127.0.0.1 -> unknown. If you
use this information to determine if an applet ran, look in the web log.
The System Profiler will report a note to state that this change happened.
+ Added CVE-2013-2465 to Smart Applet Attack. This expands the Smart Applet
Attack coverage to users with Java 1.6.0_45 or earlier.
- Java 1.6 is no longer a supported environment to run Cobalt Strike. Added
a warning message to indicate as much.
+ Added Browser Pivoting to Cobalt Strike. A Browser Pivot is a proxy server
that fulfills requests with a target's browser (Internet Explorer 32-bit
only). This setup convienently inherits the user's cookies, HTTP
authenticated sites, and client-SSL certificates too. To set it up:
[host] -> Meterpreter -> Explore -> Browser Pivot
+ System Profiler now detects MS Office in some cases.
- Connect dialog now masks the password field.
+ Updated client-side attack database with new additions
- Cobalt Strike no longer allows you to start msfrpcd on Windows. It shows an
error stating that you need to connect to a team server on Linux.
- Fixed a potential deadlock when opening a module launcher dialog.
+ Small changes to make the applet kit more robust.
+ Cobalt Strike now performs sanity checks when starting a listener. If a port
is bound, Cobalt Strike will notify you.
21 Aug 13 - Cobalt Strike 1.47
- Fixed a potential deadlock when updating the host display
- Updated multiplexing code to be compatible with enumdesktops command
- Updated multiplexing code to be compatible with webcam_list command
- You may now choose which camera to take a Webcam Shot from
- Close button now shows w/ Cobalt Strike dialogs on Kali Linux.
- Module Launcher dialog is now always active when opened.
- EXE::Custom is no longer treated as an advanced option. When available it's
always present for you to modify in a module.
- Meterpreter -> Access -> Persistence now uses the local exploit module
(default settings now work without tweaks too)
- Meterpreter -> Access -> Pass Session and Process -> Inject now use the
payload_inject local exploit module.
- Added Meterpreter -> Access -> Dump Hashes -> wdigest to run mimikatz's
wdigest command, to retrieve plaintext creds.
- Cobalt Strike now uses a better method to shuttle files to team server and
notify you of the progress of this action.
+ Added [host] -> Login -> psexec (psh) to run PsExec with PowerShell module
+ Added a Help button to psexec dialogs.
+ Added 'meterpreter' command to Beacon--spawns a Meterpreter session that
tunnels through Beacon's C2 channel.
- Made multiplexing code smarter about load and use commands.
+ Beacon stage encoding process now has a much higher timeout. On slower
systems, the encoding process could exceed this timeout.
+ Added ability to specify a jitter factor with Beacon's sleep command. The
jitter factor is a random percentage for Beacon to vary its sleep time with
+ Beacon download command now sends files, one piece with each checkin
- Added a check to detect a corrupt module cache and clean it. If you see a
message asking you to restart the Metasploit Framework... please heed it.
- Added ANSI color markup to Cobalt Strike's console output. It's less scary
than the default messages and it's nicer to look at.
- Added cmd/unix/reverse to payload selection logic.
+ Java Applet attacks now take steps to prevent loading injector DLL twice.
+ Java Applet attacks now inject shellcode on Windows 64bit JVMs too.
+ Added CVE-2013-2460 to Cobalt Strike's Smart Applet Attack
+ Auto-exploit server eliminates "smart applet" attack if system profiler did
not IP address through Java applet (indicating that applets don't auto run)
+ System Profiler now annotates 64-bit Windows and Internet Explorer
+ Added an option to mask email addresses in the social engineering report
+ Added an option to mask passwords in the hosts report
- Updated the payload output formats to match what's now possible in MSF
+ Fixed bug that sometimes prevented profiler associating info w/ phished user
+ Renamed Beacon -> Download to Beacon -> Task URL
+ Beacon's DNS C2 now recovers from a failed conversation more quickly
+ Beacon SOCKS Proxy capability is now faster and more robust
+ Cobalt Strike Listeners feature now uses a different encoder for the second
stage of Meterpreter.
- [host] -> Login options set DB_ALL_CREDS to false.
9 Jul 13 - Cobalt Strike 1.46
+ System profiler now uses a fallback measure to detect Java and report its
version information to you. Necessary for latest IE10 update.
+ Beacon will no longer attempt to report keystrokes if it could not make a
GET request to checkin. This prevents logged keystrokes from getting lost
if one of your checkin domains is blocked or otherwise unavailable.
+ Added pivoting capability to Beacon. Use "socks [port]" to start a SOCKS4a
proxy server that relays traffic through the Beacon instance. This works
regardless of the type of Beacon or communication strategy in use. Use
"socks stop" to stop the proxy server for that Beacon.
+ Added checkin command to ask Beacon to connect to you and dump keystrokes.
This command is necessary as the DNS Beacon does not connect to you unless
one or more tasks are waiting for it.
+ HTTP Beacon now sends output after task execution as a single POST request.
+ Added 'mode dns-txt' to Beacon. This sets the Beacon data channel to use
DNS TXT records. This mode transmits ~189 bytes per request versus 4 bytes
per request with 'mode dns' which uses DNS A records.
+ Increased Beacon DNS data channel output throughput to 84 bytes/request. Up
from 28 bytes/request. This output method is used with both DNS channels.
+ Fixed a race that could prevent generation of Beacon stage when setting up
+ Fixed Beacon key generation bug. Some bytes in the key could end up null.
When this happened, you'd get a non-responsive Beacon (e.g., it will always
seem to "die" after a task). This is fixed. If you've see this behavior,
you'll need to force Cobalt Strike to generate a new key. To do so, stop
Cobalt Strike and change to the folder you normally start Cobalt Strike
from and type:
rm -f .cobaltstrike.beacon
+ Updated client-side attack database with new additions
+ Website Clone Tool now follows 301 (permanent) redirects
- Removed sunrpc and dcerpc modules from MSF Scans feature
+ quick-msf-setup's Git option is now based on DarkOperator's msf_install.sh
script. The updater script now updates quick-msf-setup as well.
6 Jun 13 - Cobalt Strike 1.46
+ Added Login -> ssh (key) to let you login to a host with an SSH key file
or select from a key that worked previously.
+ Added a helper to KEY_FILE to let you select from a known-working SSH key
or specify one to upload.
- Added vmauthd to the Login menu
+ Fixed Beacon's "automatically migrate option"
+ Spear Phish dialog now warns on missing or incomplete parameters again.
- Increased the number of modules run in response to services found during
a sweep with the MSF Scans feature.
- Attack menu attached to host now splits menus up if there are more than
10 items. This will help with the webapp and http menus.
+ Beacon no longer gets confused when a hostname or username contain
whitespace. I'm now using a better separator for metadata sent to it.
+ Fixed bug preventing Beacon upload from triggering a task request
+ Added DNS as a data channel to Beacon. This option is designed as a way
to control Beacon when it can't communicate with you over HTTP. Deploy
the DNS Beacon like normal. Type 'mode dns' in the Beacon console to
switch its communication scheme to use DNS. This mode can both transmit
and receive data.
+ Cobalt Strike now enables second stage encoding for Windows listeners it
manages through Cobalt Strike -> Listeners.
+ Added option to stage DNS Beacon over DNS. This option is available with
certain Cobalt Strike attack packages. Select "listener name (DNS)" to
have Cobalt Strike stage the listener over DNS.
+ Added random send delay option to the spear phishing tool. Click ... next
to the Mail Server field. Specify the number of seconds to delay to.
+ Spear phishing tool now ignores extra whitespace in targets file
- Added a menu to mark a host as a firewall
+ slight tweak to the Smart Applet attack (arsenal source updated too)
- Added a type-fix hack for MsgPack Long types
Cortana Updates (for scripters)
- Updated &log_resource to account for new log folder layout scheme that
involves a description of the current Armitage server
- Fixed a potential argument corruption bug with filters
9 May 13 - Cobalt Strike 1.46
+ Fixed data correction issue that could prevent reports from generating
+ Improved formatting of vulnerability description information in reports
- Attacks -> Hail Mary now asks you to confirm the action.
- Fixed a potential table view sorting issue.
+ Added a check to auto-ex server to make sure a listener is defined
+ Updated client-side attack database
- Changed how some tables are updated to minimize blocking of other tasks.
This should make UI feel snappier in many cases.
- Credential helper now shows credentials from all servers that you're
- Updated multiplexing code to be compatible with mimikatz extension's
- Meterpreter upload command (with no arguments) now prompts for a file.
This file will be bounced to team server (if one is present) and
uploaded to the target for you.
+ Auto-exploit Server now works with listeners defined on another Cobalt
Strike team server.
- Cred tables no longer show SSH keys (since they're not actionable in
these contexts yet...)
10 Apr 13 - Cobalt Strike 1.45
+ Beacon now uses a random filename for files to download/execute. This
works around a problem where subsequent download/execute taskings fail
because the first downloaded file (with the same name) is still running
- The correct OS icon is now shown for Windows 2012 Server.
- Added an Inject button to the Process Explorer
+ VNC Viewer starts view-only by default. Untoggle the spy button to
assume control of the target's desktop
+ Added 'spawnto' command to Beacon. This command gives you control over
which program Beacon will spawn to inject shellcode inside of.
+ Added checks to prevent a user from defining a listener with incomplete
- Event log now shows date with timestamp
+ Many fixes to report generation when connected to multiple team servers.
- Messages to your nick in the event log are now highlighted
20 Mar 13 - Cobalt Strike 1.45
- Jobs dialog now queries job info in a separate thread context,
stopping it from locking up your Cobalt Strike instance.
- Fixed console queue display bug when a required option has no setting
- Hashdump -> lsass method now pops open a Meterpreter tab and shows
its progress. Should help when there's a lot of hashes coming back.
- Hail Mary attack now gives better feedback about what it's doing
+ Beacon now has a 1MB limit on its output.
+ Fixed a potential memory leak in Beacon (in the output posting)
+ Beacon now uses a different User-Agent string each run
+ Added an upload command to Beacon (to upload files).
+ Added a download command to Beacon. [And renamed the download+exec
command to task].
- Fixed blank line showing when a host label exists and a session w/o
any information is associated with the host.
+ Listener dialog now refreshes when updating LHOST
+ Added an execute command to Beacon. This will run a program without
posting output back to you.
Cortana Updates (for scripters)
- Added work-around to prevent &psexec failing due to Ruby complaining
about incompatible encodings.
6 Mar 13 - Cobalt Strike 1.45
+ Updated quick-msf-setup script to pull framework source code via Git.
+ Spear phishing Preview button works in team server mode again.
+ Updated Beacon to auto-dump keystrokes with each beacon home.
+ Updated HTTP Beacon to change its signature profile.
+ Beacon domains now show in Cobalt Strike -> Listeners table.
- Active console now gets higher priority when polling msf for output
- Improved team server responsiveness in high latency situations by
creating additional connections to server to balance messages over
+ Updated Web Drive-by -> Manage to allow stopping multiple sites at once
+ Performed client-side db maintenance
+ Added a helper to set URL option from Cobalt Strike hosted stuff.
- Preferences are now shared among each Cobalt Strike connection.
+ Website clone tool no longer validates SSL cert for HTTPs cloned sites
6 Mar 13 (2000h)
+ Fixed a null pointer warning when starting the team server.
Cortana Updates (for scripters)
- Added a &publish, &query, &subscribe API to allow inter-script
communication across the team server.
- Added &table_update to set the contents of a table tab without
disturbing the highlighted rows.
- Added an exec_error event. Fired when &m_exec or &m_exec_local fail
due to an error reported by meterpreter.
- Fixed a bug that sometimes caused session_sync to fire twice (boo!)
- Added a 60s timeout to &s_cmd commands. Cortana will give a shell
command 60s to execute. If it doesn't finish in that time, Cortana
will release the lock on the shell so the user can control it.
(ideally, this shouldn't happen... this is a safety mechanism)
- Changed Meterpreter command timeout to 2m from 12s. This is because
https meterpreter might not checkin for up to 60s, if it's been
idle for a long time. This will make &m_cmd less likely to timeout
12 Feb 13 - Cobalt Strike 1.45
- Fixed RPC call cache corruption in team server mode. This bug could lead
to some exploits defaulting to a shell payload when meterpreter was
- Slight optimization to some DB queries. I no longer pull unused
fields making the query marginally faster. Team server is more
efficient too as changes to unused fields won't force data (re)sync.
- Hosts -> Clear Database now clears host labels.
- Cobalt Strike listener dialogs now size columns properly.
- Added the ability to manage multiple team server instances through
Cobalt Strike. Go to Cobalt Strike -> New Connection to connect to
another server. A button bar will appear that allows you to switch
active Cobalt Strike connections.
- Credentials available across instances are pooled when using
the [host] -> Login menu and the credential helper.
+ Listeners across instances are pooled in the listener select
dialogs. You may seamlessly launch exploits from one instance
and have sessions show up in another instance. It's also easy
to pass sessions between instances and task beacons to send
active sessions to other instances.
+ Cobalt Strike hosted sites are pooled across instances too.
+ Cobalt Strike's reporting engine merges data across instances
before generating a report for you.
You may now pen test through many points of presence and use
Cobalt Strike's reports to help tell the full story.
+ Pressing Cancel on a Save dialog will now cancel the action.
+ Performed regular maintenance of client-side attack database.
- Rewrote the event log management code in the team server
- Added nickname tab completion to event log window
+ Spear phishing tool now sends phishes from the team server. Now that you
can connect to multiple Cobalt Strike servers, it makes sense to do this.
+ Revamped spear phishing tool output
- Hosts -> Clear Database now asks you to confirm the action.
+ Hosts -> Clear Database stops all listeners before dropping the database
- Hosts -> Import Hosts announces successful import to event log again.
+ Obfuscated Smart Applet attack
+ Beacon staging no longer shows in Social Engineering report
+ Updated hosts report generation process to use all possible host icons
28 Jan 13 - Cobalt Strike 1.45
- Added helpers to set EXE::Custom and EXE::Template options.
- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
- Cleaned up Cobalt Strike -> SOCKS Proxy job management code. The code
to check if a proxy server is up was deadlock prone. Removed it.
- Starting SOCKS Proxy module now opens a tab displaying the module
start process. An event is posted to the event log too.
- Created an option helper to select credentials for SMBUser, SMBPass,
USERNAME, and PASSWORD.
- Added a feature to label hosts. A label will show up in its own column
in table view or below all info in graph view. Any team member may
change a label through [host] -> host -> Set Label. You may also use
dynamic workspaces to show hosts with certain labels attached.
- Fixed bad things happening when connecting Cobalt Strike to 'localhost'
and not '127.0.0.1'.
+ System profiler now auto-redirects a visitor after 20s if no profile
is returned. Moved up from 5s.
+ Fixed a bad merge that took away the Login -> psexec (token) menu
+ File hosting feature now works in teamserver mode again. Moved file
verification logic to the server where it belongs.
+ Ported the CVE-2013-0422 (java_jre17_jmxbean) exploit to the Smart
Applet attack. This attack is also available to the auto-exploit server.
+ Fixed a potential deadlock condition with the Beacon viewer.
- Cobalt Strike now centers screenshots/webcam shots in their tab
+ Added a VNC Viewer to Cobalt Strike. [host] -> Meterpreter -> Interact
-> Desktop (VNC) will now open a tab with the user's desktop.
- Added an alternate .bat file to start msfrpcd on Windows in the
Metasploit 4.5 installer's environment. *cough* Remember using Cobalt
Strike to connect to the Framework on Windows is not supported. *cough*
- Added a color-style for [!] warning messages
+ Mitigated race condition that stopped Beacon listeners from restarting
when connected to a team server.
+ Fixed Beacon -> Download menu. It now properly tasks highlighted items.
Cortana Updates (for scripters)
- &handler function now works as advertised.
- Cortana functions now avoid core.setg
2 Jan 13 - Cobalt Strike 1.45
- Set postgres_payload exploits to use a reverse payload by default
fixed a regression preventing it from working in IE in general.
+ Added Cobalt Strike Java Attacks. The Signed Applet Attack option is a
simple self-signed applet. The Smart Applet Attack attempts to disable the
Java Security Sandbox using an exploit. Both options are available under
the Attacks -> Web Drive-by menu.
These Java Attacks use a Cobalt Strike Java Injector Payload. This payload
accepts both a Windows and Java listener. You don't want to lose a shell
when a MacOS X user visits your Windows attack, right? The payload injects
shellcode into memory on Windows and dynamically links Java meterpreter for
other operating systems.
Source code, build files, and a Cortana script to integrate changes to the
applet attacks are available in the Cobalt Strike Arsenal. Help -> Arsenal
+ Major overhaul to the Cobalt Strike Auto Exploit feature. This went from
being a neglected feature to the most cutting edge exploit guidance system
outside of the crime kit universe. The Auto Exploit feature now shares
code with the system profiler and uses this information to zap visitors
with the right exploit. The new Auto Exploit feature also takes advantage of
the Cobalt Strike-hosted Java attacks.
+ Added a data sanitization pass to the reporting engine. Prevents
non-printable characters from disrupting the report generation process.
+ The Applications portion of the Social Engineering reports now sorts the
applications and removes duplicate entries.
+ The SE report now puts a page break between the end of the Campaigns section
and the beginning of the Users section.
+ Fixed "incompatible character encodings: ASCII-8BIT and UTF-8" exceptions
caused by my use of the core.setg RPC-call in Beacon's UI. This RPC call
leaks improperly encoded stuff into Metasploit's global datastore.
12 Dec 12 - Cobalt Strike 1.45
+ Beacon's spawn command now creates a separate process to inject
shellcode into. This way a failure in the shellcode will not cause
Beacon process to exit.
+ Beacon download command now uses payload/windows/download_exec module
+ Added a keystroke logger to Beacon. Use:
keylogger start - to start the keylogger
keylogger - to dump collected keystrokes
keylogger stop - to stop the keylogger and dump keystrokes.
Beacon must live inside of a process associated with the desktop and
user you want to log keystrokes for.
+ Added inject command to Beacon. Use this to spawn a session by injecting
shellcode into a specific process id.
+ View -> Beacons table now properly sorts its columns when you ask it to
- Added a helper to set REXE option
+ Web Drive-by -> Host File now complains if file does not exist
+ Performed normal client-side database maintenance
+ Website clone tool now uses an MSIE user agent, instead of the Java one.
+ Website clone tool detects empty cloned site results and shows an error.
It then instructs you to try the HTTPS version of the URL. Java's URL
library will not follow a redirect from one protocol to another.
+ System Profiler now detects and reports Windows 8
+ System Profiler's local IP address detection is much more reliable now
- Added Windows 8 icon
+ Cobalt Strike now starts persistent listers *after* it determines local
IP address. This is important as the meterpreter reverse_http[s] payloads
need to be bound to a specific LHOST to work.
- [host] -> Login menu is now built using open services for all highlighted
hosts, not just the first one.
- [host] -> Login items now escape punctuation characters in passwords
before passing them to a framework module.
+ PDF reports properly wordwrap password hashes and other long strings again
Cortana Updates (for scripters)
- &credential_add and &credential_delete no longer break when a password has
creative punctuation in it.
26 Nov 12 - Cobalt Strike 1.44
+ Added support for some SMTP authentication schemes to Cobalt Strike's
spear phishing tool. You may also connect to an SSL enabled SMTP
server too. Special thanks to Allen Harper who provided infrastructure
to test all of this against.
+ Spear phishing tool now strips more headers from template messages
+ Editing Targets field in spear phish dialog no longer locks up for
several seconds when the value of the field is a folder.
+ Updated client-side attack database (regular maintenance...)
+ You may now export Cobalt Strike reports as MS Word documents. *pHEAR*
- add_user and add_[local]group_user now show all of their output when
the -h flag is used to operate on a remote host.
- added a Delete menu to creds table. Right-click a cred to delete it
+ Added an import button to the creds viewer to quickly add credentials
+ Fixed a bug that caused Vulnerability report export to fail when a
vuln had no associated references.
+ Hosts report no longer shows vulnerability description twice (this
would happen when the same vulnerability was exploited against two
or more ports listening with the vulnerable service).
+ Multiple cosmetic improvements to the display of vulnerabilities in
hosts and vulnerability reports.
Cortana Updates (for scripters)
- aliased &data_delete to &data_clear to match the documentation.
- &file_get, &loot_get, and &file_content no longer delete the remote
file when connected to a teamserver.
8 Nov 12 - Cobalt Strike 1.44
- Windows command shell tab is now friendlier to commands that prompt
for input (e.g., time command)
- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
the framework's new exploit/windows/local modules too
- [host] -> Shell -> Post Modules now shows the framework's unix/local
and exploit/linux/local modules
- Added Ctrl+I shortcut. Lets you choose a session to interact with.
- Added Steal Token button to Processes dialog.
- Cobalt Strike now requests a non-expiring token after connecting to
msfrpcd. This makes your connection to msfrpcd more robust.
+ Cobalt Strike psexec dialog now lets you choose one of your configured
Cobalt Strike reverse listeners
+ You may now select a custom executable in both psexec dialogs
+ Added Help -> Arsenal which will take you to the Cobalt Strike arsenal.
The Cobalt Strike arsenal will contain scripts to aid your penetration
testing process. These features will only be available to licensed
Cobalt Strike users (usually with full source code too).
The first arsenal item is topaz, a script to embed shellcode into an
anti-virus bypass executable. Topaz will intercept module launches (such as
psexec and current_user_psexec), generate a new executable, and use the
new executable with the module.
Full source code to topaz is available. You may use it as-is, modify
it to pass other products, or use it as a template to make your AV
bypass executable work with Cobalt Strike.
16 Oct 12 - Cobalt Strike 1.44
- Added port 5985 to Scan feature port list.
- Meterpreter -> Access -> Persistence sets ACTION option for you
- Changed how LHOST and LPORT are set globally to prevent Ruby
character encoding conversion error in the framework.
+ Fixed a potential deadlock in the listener management dialogs
+ You can now use Beacon to spawn a Beacon.
- Log Keystrokes, Persist, and Pass Session now use a new thread to
query module information.
+ Beacon last callback time is now computed on team server. Prevents
whackiness when client's have different time value from server.
- Cobalt Strike now shows URL/folder in a popup dialog when trying to
open a file/URL on a desktop where Java's JDesktop is not supported
- Check all credentials option now filters duplicate entries.
- Exploit payload selection now selects cmd/unix/interact when required
- Explore -> Processes works with Java Meterpreter again.
+ Beacon callback events are now suppressed from reports and logs
- MSF Scans feature now runs http_version against port 443
27 Sept 12 - Cobalt Strike 1.44
+ Added Beacon management feature. Beacon is a Cobalt Strike payload
that periodically phones home to request taskings. Beacon will check
task availability over HTTP or DNS.
To start Beacon listener, go to Cobalt Strike -> Listeners.
Go to View -> Beacons to see activity and task beacons.
Use Beacon like any other reverse listener. Embed it in social
engineering packages, use it with client-side attacks, etc.
+ Updated client-side database
+ Cobalt Strike only shows token passing dialog if current_user_psexec
module exists (for 4.4-release compatability)
5 Sept 12 - Cobalt Strike 1.44
+ Added CovertVPN feature. CovertVPN is a Windows client that provides
the Cobalt Strike host with a virtual interface on a target's network.
CovertVPN is able to relay raw frames over a TCP, UDP, or HTTP channel.
To use it:
[host] -> Meterpreter -> Pivoting -> Deploy VPN
+ Added a helper for INTERFACE option to select a CovertVPN interface
- Setup dialog now trims host, port, user, and pass fields.
- Cobalt Strike now complains when it can't write to your preferences file
(versus just hanging without a real error message)
- View -> Jobs now queries jobs in a thread outside of UI thread
- Tab completion now uses a separate thread to call into the RPC server.
This prevents a deadlock if server is not responding.
- Login -> psexec now shows when 445 is open on a Windows machine. The old
criteria was too restrictive.
- Added a helper to set Wordlist option
+ Updated client-side exploit database with two new exploits
+ Added help button to Cobalt Strike -> Scripts
- Cobalt Strike now sets a random LPORT for non-exploit modules with an
LPORT option (e.g., post modules that do priv escalation)
- Cobalt Strike now shows an error if it can't open a Windows command shell
- Steal Token dialog now uses incognito module to get token data instead of
the MSF post module. This is more reliable.
- current_user_psexec module now allows you to set the payload options
+ Added [host] -> Login -> psexec (token) to use a stolen token to psexec
into all highlighted hosts.
Cortana Updates (for scripters)
- added an eventlog popup hook
16 Aug 12 - Cobalt Strike 1.44
- Dynamic workspaces now removes closed services from its set of
hosts matching certain open ports.
- Cortana console now reports a clear error message a built-in
command is executed without the right number of arguments.
- Added host icons for Android and iOS. You may now set these
operating systems by going to [host] -> Host -> Operating System
- Cobalt Strike now shows the client-side exploit dialog for exploits
that do not target an RHOST (for example, windows/smb/smb_relay)
- Added support for remote exploits that use RHOSTS over RHOST
(this includes the new windows/local/current_user_psexec)
- Added a helper for setting the SESSION option
+ Added preferences for customizing Cobalt Strike reports:
the color of links and the solid bar below the header image
an 1192x257px/300dpi header image for your reports
+ Added a helper to set file preferences
+ System Profiler now reports Apple iOS and Android operating systems
+ System Profiler now reports host with OS it could not determine
Cortana Updates (for scripters)
- s_cmd no longer times out after 60s. It will wait forever for a
command to complete now.
- added shell_read event which fires when a shell s_cmd comes back
with intermediate output.
- fixed a potential deadlock with &open_console_tab
- scripts now have the ability to redefine the max size of a workspace:
db_workspace(%(size => #####));
08.05.12 - Cobalt Strike 1.44
- Rebuilt the 08.02.12 release with missing internal files used by
Cortana. Sorry about this!
08.02.12 - Cobalt Strike 1.44
- Team server now buffers all of its output. SO_NODELAY is no longer
used. This will improves team performance on a congested network
without a hit to responsiveness otherwise.
+ Spear phishing tool now strips CC field from template messages
- Added Cortana, a DARPA funded scripting technology, into Armitage.
There's a lot of fun to be had here.
- Cobalt Strike now queues messages to destroy a console rather than
spinning up a new thread for each closed console.
- Rendering of icons for hosts now happens outside of UI thread.
+ Fixed highlight rendering issue in spearphish message preview.
+ Spear phishing tool more aggressively replaces links in template
+ Spear phishing tool now displays a message when something goes
wrong while processing a template file.
- Increased timeout for meterpreter read command
- Cobalt Strike now detects a corrupt module cache and attempts to
clear it so it can be rebuilt.
07.19.12 - Cobalt Strike 1.44
+ Updated client-side vulns database (a typical maintenance action)
+ Fixed host report generation failure when there are two hosts with
the same IP address in the hosts database.
+ Vulnerability Report and Hosts Report vulnerability descriptions
are now compatible with the latest Metasploit Framework database
- Pass-the-Hash and Login dialogs now honor the shift+Launch convention
which keeps the dialog open after launching the action.
+ Cobalt Strike now binds reverse_http/reverse_https listeners to the
LHOST value for the host. Previously, they bound to 0.0.0.0 to accept
connections on any interface. This no longer works though and established
http/https sessions hang. This change fixes this problem.
+ Added set LHOST button to Cobalt Strike -> Listeners. This button will
update the global LHOST option in MSF, update the value saved in Cobalt
Strike and it will restart all listeners to take advantage of the change
+ Added Attacks -> Packages -> USB/CD AutoPlay feature. This package turns
a USB stick or CD into an attack vector against Windows XP/Vista
07.05.12 - Cobalt Strike 1.43
- Login -> psexec now sets a different LPORT for each host it's
launched against when using a reverse payload. Fixes a bug where
using a reverse connect payload against X hosts didn't work.
- Progressbar Cancel button now works with the Sync Files button
in View -> Downloads and View -> Loot
- Fixed a potential deadlock with the Sync Files feature
- Clicking the Size column in View -> Downloads now sorts properly
+ Fixed a race condition that sometimes prevented the display of
the old data in View -> Web Log
06.23.12 - Cobalt Strike 1.43
+ Updated client-side database with latest changes.
- Added View item to File Browser popup menu. Views and logs text files.
+ Added Attacks -> Web Drive-by -> Host File. This feature hosts a file
using the Cobalt Strike web server.
+ Web Drive-by options that start a Cobalt Strike server now have blue-ish
06.14.12 - Cobalt Strike 1.43
- Meterpreter -> Kill now uses session.stop RPC call
- Cleaned up code to kill jobs acting as a service
- Added an option to disable TCP_NODELAY from the comamnd line:
java -Darmitage.enable_nagle=true -jar armitage.jar
Use this if you see "bad mac" SSL errors when connected to a
- Log Keystrokes tab now changes color when there is activity
- Randomized filename for USERPASS_FILE to allow multiple brute
forces to happen at once.
+ Updated client-side database with ms12-037 information
06.07.12 - Cobalt Strike v1.43
- Fixed an exception when killing a session or removing a route
- ps command added a new column to its output. Updated ps parser
- Hosts -> Import Hosts now works under Windows again
- Hail Mary now sets LHOST option. This is necessary for some attacks to
- Tweaked console create code in beginning of Cobalt Strike setup to avoid
aggravating a deadlock condition
- Disabled Nagles Algorithm for team server and client SSL sockets. This
drastically improves responsiveness for Windows 7 clients.
- Starting jobs like the SOCKS Proxy server now shows the Service Started
- Fixed a highlighting bug with the find feature in the View tab
05.21.12 - Cobalt Strike v1.43
- Fixed a bug that triggered when resizing text in a Loot/Download View tab.
+ Updated IE date guessing database for more accuracy. This makes the system
- Cobalt Strike's console now uses color to highlight information and make
it clearer. This applies to all consoles. Set console.show_colors.boolean to
false to disable this behavior.
- Default console font color is now grey.
+ Cobalt Strike now catches internal errors related to phishing messages (e.g.,
a poorly formed template/address) and displays these in the phishing console.
- Fixed a bug preventing input field from getting focus when using Ctrl+W to
open a console in its own window.
+ Updated entries in client-side attack database that have changed.
- Improved performance of module launches (through a console) when in team mode.
- Improved performance of msf scans feature when in team mode.
+ Spear phishing window no longer piggy backs off of a normal console tab.
- Improved perceived performance of posting chat messages
- Fixed text search feature (Ctrl+F) on Windows
- Fixed View -> Downloads -> Sync Files feature on Windows
05.14.12 - Cobalt Strike v1.43
- Dynamic workspace keyboard shortcuts are now always bound (previously
you had to visit workspaces menu before they'd bind)
- Improved console pool's ability to detect dead consoles
- Bound Ctrl+Backspace to show all hosts (without a workspace)
- Added Ctrl+T to quickly take a screenshot of the active tab and save it
- Added Ctrl+W to open the active tab in its own window
- Cobalt Strike team server is now SSL enabled. The server will present the
SHA1 hash of its certificate on startup. When connecting, Cobalt Strike
will present the SHA1 hash of the certificate presented to it. You'll have
the opportunity to trust it or reject it.
+ Updated entries in client-side attack database that have changed.
- Added Ctrl+Left / Ctrl+Right to navigate tabs with the keyboard
+ quick-msf-setup script now downloads 64-bit msf installer on 64-bit systems
- Fixed a bug that prevented command shells from opening on some sessions
+ Web log messages are now delivered in batches (vs. one at a time)
- Team server client now caches some calls to RPC server
- Reworked View button in Download and Loot tabs. The button now displays the
contents of all the highlighted rows in one tab. Further, I've added a
Sync Files button to download the highlighted loot or download files when
in a team situation.
05.07.12 - Cobalt Strike v1.43
- Cobalt Strike's team server is now compatible with the latest changes to
- Added Ctrl+D keyboard shortcut to close the active tab
- Module description in module launcher dialog is now resizable.
- Cobalt Strike now uses (more robust) console queue for launching post
modules, handlers, brute force attacks, and other things.
- Fixed a race condition in the Jobs tab refresh after killing a job
- Cobalt Strike now filters smb hashes from non-psexec/smb login dialogs.
keystrokes show up in the web log (View -> Web Log) and in the social
+ System Profiler now reports applications grabbed to weblog and not the raw
stuff posted back. This is a move to make the web log a generic console to
view Cobalt Strike web activity in.
- Added armitage.log_data_here.folder setting. This setting lets you
specify where Cobalt Strike will save its logs, downloaded files, and
+ Cobalt Strike now properly reports "web server" errors when in team mode.
Previously these weren't making it back to the user.
+ Cobalt Strike web apps (system profiler, cloned site, etc.) now work with or
without the ending /.
- Update console reading code to make Cobalt Strike compatible with latest
- Console commands are now queued. Hopefully they'll execute in order now
when launched in consoles automagically..
+ Added Refresh button to Listeners dialog
+ Cobalt Strike now runs in Metasploit 4.3.0* (before it'd only run in
+ Added support for EDB (Exploit DB) references in vulnerability reports
+ Added multi/browser/java_setdifficm_bof to client-side database.
+ Added multi/browser/java_atomicreferencearray to client-side database.
- Module browser search now filters modules as you type.
- Added keyboard shortcuts to switch dynamic workspaces.
Ctrl+1 = first workspace
Ctrl+2 = second workspace
Ctrl+0 = show all hosts
+ Added generic/shell/reverse_tcp to listener options. Use this for Linux
and OS X reverse shells (or even as a netcat listener).
- Cobalt Strike now uses a more aggressive read strategy for hashdump lsass
method. You should now see the entire output added to the creds table
more often. :)
+ Updated Internet Explorer version data with hints from MS12-010 and MS12-023.
+ Fixed a typo in the MacOS X update command script.
- Added Ctrl+N to open a new Metasploit(r) console and Ctrl+O to open the
- You may now use Ctrl+Alt to deselect a row in the Jobs and Workspaces tables.
- Added Shell -> Pass Session to *NIX shell sessions. Allows you to duplicate
a *NIX access or pass it to another Cobalt Strike instance.
+ Updated auto-exploit server to use multi/browser/java_atomicreferencearray
+ Added Attacks -> Packages -> Web Drive-by -> Firefox Addon dialog. This is a
new social engineering attack module in Metasploit that prompts the user to
install a Firefox addon. This is a very cool option against Firefox users.
Note: This release contains changes that will require redownloading Cobalt
Strike. It's not a requirement, but if you want to take advantage of some of
these changes, you'll need to get the whole package.
+ Updated the updater program to not rely on the cache when pulling down a
Cobalt Strike update. You will need to redownload Cobalt Strike to get the
latest updater program though. http://www.advancedpentest.com/download
- Cobalt Strike team server now uses a batch method to send chat messages to
clients. This should be much better.
- Cobalt Strike now minimizes the number of messages it sends to the collab
server during a team engagement. The goal is to make the system less likely
to back up on messages when there's a lot of latency in the environment.
- Added an optimization to make command shell feel more responsive in team mode
- Hosts -> DNS Enumerate now populates the NS field with the current highlighted
+ Tweaked Java parameters for Cobalt Strike to prevent it from "giving up" when
attempting to do something requiring a lot of memory (like generate a huge PDF
report). You will need to redownload Cobalt Strike to get the updated CS
launchers with these tweaked parameters.
- Improved tab management:
-- Shift+click to close like tabs now ignores the session id when
deciding if a tab is alike. So Shift+Click on a Screenshot tab will
close *all* Screenshot tabs.
-- Added a tooltip to session related tabs to indicate the host associated
with the session.
+ Hosts listed in Vulnerability Report are now sorted.
+ Added Restart button to Cobalt Strike -> Listeners. Use this to quickly stop/restart
listeners if a handler becomes non-responsive.
+ Cobalt Strike now queues certain Metasploit commands and executes them in turn. This
will make the system feel more responsive over all. Cobalt Strike features that log
activity (e.g., spear phishing, hosted attacks, etc.) will respond faster too.
- Added a List Drives button to File Browser for Windows meterpreter sessions.
- File Browser can now navigate to folders with apostrophes in their names.
+ System profiler now reports external IP as a firewall if it's able to get the internal
IP and the internal IP does not match the external IP.
22 Mar 12
- Cobalt Strike NMap profiles are now improved with the following options:
-n [do not attempt to resolve reverse hosts for IPs]
-T4 [wait longer to determine whether a service is alive or not]
--min-hostgroup 96 [scan more hosts in parallel]
- Cobalt Strike now intercepts webcam_snap and screenshot meterpreter commands
and performs the appropriate actions.
- View -> Creds -> Export now works in team mode.
+ Cobalt Strike web server now returns a 404 to visitors with curl, wget, or
lynx user agents. This is an easy measure to defeat, but we're all about
offense in depth with this project.
- VMware icon now shows when a VMware ESXi host is identified by Metasploit
- Fixed a bug preventing commands like del /S (which prompts for Y/N) from
working from a command shell tab.
- Added a check to prevent old Cobalt Strike and Armitage clients from connecting
to the team server. In the future, I may restrict the Cobalt Strike team server
to Cobalt Strike clients only.
- Added a * indicator to active workspace in Workspaces menu
+ Added a check to prevent user from defining a persistent listener to a port
that already has a persistent listener bound to it.
- Added Hosts -> DNS Enumerate to discover hosts through a name server.
- Cobalt Strike now displays a pivot relationship between a host and the NAT
device it is communicating through when there is an active session.
+ Added windows/browser/adobe_flash_mp4_cprt to client-side database
- Added Copy button to Services tab. Copies highlighted hosts to clipboard.
+ Added windows/browser/ms10_002_ie_object to client-side database
- Improved reverse payload selection logic. Cobalt Strike now chooses php
meterpreter when it makes sense.
- Cobalt Strike now assigns a random LPORT for each exploit module launched with
a reverse payload.
7 Mar 12
- Cobalt Strike now uses an IPv6 bind payload when exploting an IPv6 host
- Cobalt Strike now displays a firewall icon for hosts marked as a firewall
with no associated operating system. This marking is something done by
- Cobalt Strike is now explicitly sets RPORT for psexec and msf scan modules
2 Mar 12
- Meterpreter now reports the IP of the owned system in a consistent way.
Cobalt Strike now places the session info and lightning bolts on this
owned system. No longer will you have X session menus attached to a
firewall / NAT device. This is good news.
- Cobalt Strike now uses a random payload listener for any client side
attack by default (previously--it used a default reverse listener for
windows client attacks--lost benefit of automigrating)
- Token stealing dialog now disables Refresh button while grabbing tokens
and enables it when tokens are grabbed. Now you kind of know what it's
- Updated Topaz to improve its stability.
1 Mar 12
- Doh! Trial license code was messed up. Fixed how I calculate the
difference between dates.
- Fixed Topaz EXITFUNC so Topaz binary does not crash when exiting meterp
session or migrating.
- Fixed bug with "check all credentials" feature not working in team mode
when server and client run from the same folder.
- Added a rename tab feature. Right-click the tab X and select rename tab
- Cobalt Strike now displays an XP/2003 era logo for hosts self reporting
as .NET server.
- Added a minimum amount of version checking to Cobalt Strike startup.
This version now requires Metasploit 4.3.0-dev
- Updated ARP Scan and Pivoting dialogs to parse the new route output in
- Cobalt Strike now deletes notes.* for a host when you manually set its
OS. This is done to allow a future scan to set the host's OS to
- Cloned websites now use the favicon of the cloned site. *pHEAR*
26 Feb 12
- Fixed a system profiler bug caused when profiled client with IE does
not have Windows Media Player installed.
- Added a slight delay between commands issued to a console to prevent
them from executing out of order.
- Adjusted graph view scrolling increments to something sane.
- Fixed keyboard accelerators when right-clicking in the graph view.
- Made the file browser directory up button more obvious.
- Team server now returns the last-100 events (instead of all of the
engagement events) when connecting.
- Improved Host -> Remove feature when removing many hosts.
- Dynamic workspaces feature now allows to comma separated entries
with no spaces between them.
- Table view now allows rows to be deselected in an interval (they
won't become reselected automatically like before).
24 Feb 12
- Added quick-msf-setup script to the Linux package. This script will
download and install Metasploit, setup the postgres db to start on
boot, and set the system to point to the Java included with Metasploit
- Cobalt Strike doesn't write to /Applications any more...
- Added a VMWare icon for hosts whose OS is reported as ESX or ESXi
- Greatly improved token stealing user experience. It's awesome now.
- Greatly improved the responsiveness of the file browser.
20 Feb 12
- A space inside of a module search is now treated as a wildcard. This
means you can type: win meterp and it will be treated as win*meterp
- Removed Host option from Adobe PDF dialog (not needed since we're
embedding an EXE that already knows the host it wants to connect to)
- Modified listener stop/start code so that actions happen asynchronous
to the UI (meaning working with listeners won't block the UI)
- Social Engineering report now rounds summary stats to two decimal places.
I was recording a screencast and generated a report--imagine my surprise
when a bunch of sixes were going across the cover page.
- Hovering over an edge in graph view no longer shows a "null" tooltip
- Completely fixed parsing of ps output. The process dialog through
meterpreter will now be accurate regardless of OS :) [Caveat: so long as
the meterpreter session reports processes-Java meterp on OS X f/e does
19 Feb 12
- Made a change to how some commands are synchronized... this should
have no negative effects, but only testing will tell.
- Command sync change fixes a bug preventing system profiler from
adding hosts to display in a team situation.
- Fixed a bug in export data with client-side report data
- Fixed "No client vulns" always showing up at the bottom of the client
side vulnerability report
- Client-side Vuln. reported and exported client vulns now treats
hosts external/internal combinations as unique hosts.
18 Feb 12
- Added windows/browser/java_mixer_sequencer to client-side vuln db
- Fixed a bug in the teamserver start script for Linux (you'll need to
redownload the package to get this updated script)
- Adobe PDF package now prompts you where to save PDF file whether
MSF is local or remote to Cobalt Strike.
- Added Cut/Copy/Paste/Clear menu to table cell editor
- Started work modifying the about dialog so I can provide proper
attribution of the various open source projects used by Cobalt Strike
16 Feb 12
- Client-side vulnerability report was producing duplicate entries for
vulnerabilities with both a fileformat and browser exploit. Fixed.
- System profiler was accidentally reporting some Windows hosts as
Windows Media Center edition. Fixed.
- Cobalt Strike reports now have the Cobalt Strike logo
- Updated Help menu with Cobalt Strike stuff.
- Help button in Connect dialog now points to advancedpentest.com/start
so does the "hey msfrpcd crashed from underneath me" dialog.
- Released "helper" indicator with a thick square (vs. the thick cross
- Added a teamserver script to UNIX distribution of Cobalt Strike. This
script will check the environment to make sure everything is in place.
- Cobalt Strike was saving preferences to wrong file.
14 Feb 12
- Added Cobalt Strike update tool
- Created packages for Windows, MacOS X, and Linux
- = a change made in Armitage and Cobalt Strike
+ = a Cobalt Strike specific change
! = a removed feature