Cobalt Strike and Outflank Security Tooling: Friends in Evasive Places

This is a joint blog written by the Cobalt Strike and Outflank teams. It is also available on the Outflank site. Over the past few months there has been increasing collaboration and knowledge sharing internally between the Cobalt Strike and Outflank R&D teams. We are excited about the innovation opportunities made possible by this teamwork […]

Read More…

Continue reading Cobalt Strike and Outflank Security Tooling: Friends in Evasive Places

Cobalt Strike 2023 Roadmap and Strategy Update

I blogged about the Cobalt Strike roadmap in March last year and while the fundamental tenets of our approach to R&D remain unaltered, a lot has changed behind the scenes over the past year or so. I try to engage with our customers on various platforms and over the past few months, I’ve been asked […]

Read More…

Continue reading Cobalt Strike 2023 Roadmap and Strategy Update

Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development

This blog post accompanies a new addition to the Arsenal Kit – The User-Defined Reflective Loader Visual Studio (UDRL-VS). Over the past few months, we have received a lot of feedback from our users that whilst the flexibility of the UDRL is great, there is not enough information/example code to get the most out of […]

Read More…

Continue reading Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development

Cobalt Strike 4.8: (System) Call Me Maybe

Cobalt Strike 4.8 is now available. This release sees support for system calls, options to specify payload guardrails, a new token store, and more.   We had originally planned to get this release out late in 2022 but progress was stymied due to the 4.7.1 and 4.7.2 patch releases that we had to put out to […]

Read More…

Continue reading Cobalt Strike 4.8: (System) Call Me Maybe

Behind the Mask: Spoofing Call Stacks Dynamically with Timers

This blog introduces a PoC technique for spoofing call stacks using timers. Prior to our implant sleeping, we can queue up timers to overwrite its call stack with a fake one and then restore the original before resuming execution. Hence, in the same way we can mask memory belonging to our implant during sleep, we […]

Read More…

Continue reading Behind the Mask: Spoofing Call Stacks Dynamically with Timers