Cobalt Strike 4.2

  • Thread author: Admin


Cobalt Strike 4.2 - cracked version from raida

November 6, 2020 - Cobalt Strike 4.2
+ Refactored Beacon Reflective Loader and added mechanism to patch rDLL loader into
Beacon (vs. shipping a static loader with the agent).
+ Added stage -> allocator (VirtualAlloc, HeapAlloc, or MapViewOfFile) to set
which allocator Beacon's RDLL loader will use for the Beacon stage.
+ stage -> obfuscate now obfuscates .text section in rDLL package
+ Fixed client NPE triggered by missing download start metadata
+ Added Cobalt Strike client IP address to join message in events.log
+ Added -Dcobaltstrike.server_bindto=address (in teamserver script, java command)
to change the address the team server will bind to. Default is
+ Team server now uses a more resilient process to write its data model
+ Screenshot tool now reports user, session, and active window title.
+ Updated View -> Screenshots and other UX to use screenshot context info
+ Added color highlighting to View -> Screenshots
+ http-post C2 handler now detects another type of corruption.
+ Added color highlighting to View -> Downloads
+ Added color highlighting to View -> Keystrokes
+ Keystroke logger now reports user and session information
+ Updated View -> Keystrokes and other UX to use keylogger context info
+ Added option to "remove" screenshot or keystrokes from interface via menu
+ Added screenshots.log to logs/[date]/[target]/ folder with screenshot meta-data
+ Stripped color codes from keystroke logs and added desktop session/user context
+ Added Save option to keystroke and screenshot browser right-click menu.
+ Split screenshot into two commands: screenshot and screenwatch. screenshot takes
a single screenshot. screenwatch takes periodic screenshots until terminated
with jobkill command.
+ Added printscreen command to take screenshot by forcing PrintScr keypress and
grabbing contents from the keyboard.
+ Added post-ex -> thread_hint to spawn threads with specified module!func+offset
start address. Affects the browserpivot, keylogger, net, portscan, and
powerpick/psinject post-ex DLLs.
+ Added post-ex -> keylogger to set keystroke logging method. Current options are
SetWindowsHookEx and GetAsyncKeyState.
+ post-ex -> obfuscate now enables behavior to mask DLL strings, when not needed,
in execute-assembly, keystroke logger, screenshot, and SSH client DLLs.
+ Added stage -> magic_mz_[arch] and magic_pe to set the MZ and PE header values to
something else in Beacon's DLL package. Read the docs on this one as the MZ
values have to be valid executable instructions that [should] repair any changes
+ Added a c2lint warning for operation-impacting high dns_ttl values.
+ HTTP and DNS C2 specific configs no longer show up outside of their payloads
+ Beacon now detects http-post block request failures and tries requests again.
+ Rewrote how DNS C2 caches and clears cache of conversations and entries. This
fixes DNS C2 stability/performance for servers that send parent domain before
each FQDN request. It looked like a checkin to Beacon and was wreaking havoc.
+ Implemented remote-exec wmi as a BOF.
+ Max length of useragent field in Malleable C2 profile is now 255 characters.
+ Fixed bug with [possible] domain truncation in DNS/HTTP Beacon config if the total
length of the specified domains exceeded 255 characters.
+ 8+ years in and I think y'all deserve some generosity from the Cobalt Strike
product. As my kind act, I have doubled the max size of the http-get.client and
http-post.client programs in your profile.
+ Added headers_remove global option to force Beacon's WinINet to remove specified
headers late in the HTTP/S transaction process.
+ Added a "this goes into your config" notice to the HTTP Beacon proxy config dialog
+ Added an empty BOF content sanity check to &beacon_inline_execute
+ Added rportfwd_local to create a port forward that initiates connection and routes
from Beacon to team server onwards through the requester's Cobalt Strike client.
+ Implemented spunnel and spunnel_local commands to spawn shellcode and tunnel
connection to specified controller. spunnel_local forwards via Cobalt Strike client
and spunnel forwards via the team server.
+ Added pivot socket read governor to limit read loop to max ~4s per Beacon checkin.
+ Bug fix to link module read functions
+ Multiple improvements to existing rportfwd implementation.
+ rportfwd (and spunnel) are now friendly to having the rportfwd for a session/port
redefined without the need to release the bound port and rebind it.
+ Pivot socket writes now happen on a connection specific thread to prevent session
deadlock if the team server-side relayed connection becomes unresponsive or blocked.
+ Fixed a handle leak in socks pivoting sub-system
+ DNS Beacon C2 now drops requests that are not A, AAAA, or TXT.
+ Added post-ex -> pipename Malleable C2 option to change post-ex job output pipename
+ Added set ssh_pipename to set the named pipe used by Cobalt Strike's SSH sessions
+ Proxy server config parser now strips trailing / (which impacted the port value).
+ Any # in Malleable C2 pipename options is now replaced with a random hex digit.
+ Fixed BeaconUseToken BOF API to return a BOOL as documented
+ Added BeaconSpawnTemporaryProcess BOF API.
+ Fixed parser to extract creds from dcsync [domain] output
+ Made changes to avoid unneeded VirtualProtect when startrwx/userwx in process-inject
block are both true.
+ BOF executable memory now honors startrwx/userwx hints from process-inject block
+ Added script hook to enable use of alt. mimikatz, provided by us, between releases
+ Updated to Mimikatz 2.2.0-20200918-fix
+ Greatly reduced the size of mimikatz-min and mimikatz-chrome DLLs.
+ Added chromedump alias to run dpapi::chrome in mimikatz.
+ Improved recoverability of parent Beacon if a child TCP Beacon process "fails"
+ Added Vista+ check to getsystem in Beacon console.
+ Browser Pivot HTTP Proxy is now manageable via View -> Proxy Pivots
+ Added &bmimikatz_small to Aggressor Script.
+ Moved capability to query network interfaces to a BOF and out of core Beacon
+ Added some ptr cleanup to post-ex RDLL loaders.
+ Fixed SSH agent bug where session was sometimes incorrectly reported as elevated
+ Added set data_jitter "X" to add noise to Beacon's HTTP/S beaconing by adding
up to X (random each time) random bytes to the output of each http-get and
http-post response
+ c2lint warns for a bad process-inject -> execute config for Windows XP-era systems.
+ execute-assembly now stomps DOS header when post-ex -> obfuscate is true
+ Added c2lint check for dangerous headers to overwrite with http-config.