Sleep Mask Update in Cobalt Strike 4.5

The sleep mask kit was first introduced in Cobalt Strike 4.4 to allow users to modify how the sleep mask function looks in memory in order to defeat static signatures that identified Beacon. The community quickly adopted it and pushed its limits. Updates were made in 4.5 to help address some of these limits. Licensed users can download the updated kit from […]

A deeper look into the Max Retry Strategy option

A complementary strategy to the Host Rotation Strategy was introduced to Cobalt Strike 4.5. The max retry strategy was added to HTTP, HTTPS, and DNS beacon listeners. A max retry strategy allows a beacon to exit after a specified failure count. As the failure count increases, sleep is adjusted to a specified value. By default, […]

Process Injection Update in Cobalt Strike 4.5

Process injection is a core component of Cobalt Strike post-exploitation. Until now, the only option was the built-in injection technique using fork&run. This has been great for stability, but it does come at the cost of OPSEC. Cobalt Strike 4.5 now supports two new Aggressor Script hooks: PROCESS_INJECT_SPAWN and PROCESS_INJECT_EXPLICIT. These hooks allow a user to define how the fork&run and explicit injection techniques are implemented when executing post […]

Cobalt Strike 4.5: Fork&Run – you’re “history”

Cobalt Strike 4.5 is now available. This release sees new options for process injection, updates to the sleep mask and UDRL kits, evasion improvements and a command history update along with other, smaller changes. Security Updates Before getting into the details of the release, I just wanted to impress upon you how seriously we take […]

Cobalt Strike infrastructure changes

We will be making some changes to the Cobalt Strike infrastructure in late November/early December. We are not anticipating any downtime but we wanted to make you aware of what is changing and when. TLS certificate updates The current TLS certificates for www.cobaltstrike.com and verify.cobaltstrike.com both expire on 6th December. The certificates will be updated […]

The post Cobalt Strike infrastructure changes appeared first on Cobalt Strike Research and Development.

Nanodump: A Red Team Approach to Minidumps

Motivation It is well known that dumping Windows credentials is a technique routinely used in everyday attacks by adversaries and, consequently, by Red Teamers. This process has been around for several years and is well documented by MITRE under technique T1003.001. Sometimes, when conducting a Red Team engagement, there may be some limitations when trying […]

Create a proxy DLL with artifact kit

DLL attacks (hijacking, proxying, etc) are a challenge defenders must face. They can be leveraged in a Red Team engagement to help measure these defenses. Have you used this technique? In this post, I’ll walk through an example of adding a DLL proxy to beacon.dll for use in a DLL Proxy attack. What is a […]
