Cobalt Strike 4.9: Take Me To Your Loader
Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the
Revisiting the User-Defined Reflective Loader Part 2: Obfuscation and Masking
This is the second installment in a series revisiting the User-Defined Reflective Loader (UDRL). In part one, we aimed to simplify the development and debugging
Simplifying BOF Development: Debug, Test, and Save Your B(e)acon
Beacon Object Files (BOFs) were introduced in Cobalt Strike 4.1 in 2020. Since their release, BOFs have played a key role in post-exploitation activities, surpassing
Cobalt Strike and Outflank Security Tooling: Friends in Evasive Places
This is a joint blog written by the Cobalt Strike and Outflank teams. It is also available on the Outflank site. Over the past few months
Cobalt Strike and YARA: Can I Have Your Signature?
Over the past few years, there has been a massive proliferation of YARA signatures for Beacon. We know from conversations with our customers that this
Stopping Cybercriminals From Abusing Security Tools
Microsoft’s Digital Crimes Unit (DCU), cybersecurity software company Fortra™ and Health Information Sharing and Analysis Center (Health-ISAC) are taking technical and legal action to disrupt
Cobalt Strike 2023 Roadmap and Strategy Update
I blogged about the Cobalt Strike roadmap in March last year and while the fundamental tenets of our approach to R&D remain unaltered, a lot
Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development
This blog post accompanies a new addition to the Arsenal Kit – The User-Defined Reflective Loader Visual Studio (UDRL-VS). Over the past few months, we
Cobalt Strike 4.8: (System) Call Me Maybe
Cobalt Strike 4.8 is now available. This release sees support for system calls, options to specify payload guardrails, a new token store, and more. We
Behind the Mask: Spoofing Call Stacks Dynamically with Timers
This blog introduces a PoC technique for spoofing call stacks using timers. Prior to our implant sleeping, we can queue up timers to overwrite its