558f61bfab60ef5e6bec15c8a6434e94249621f53e7838868cdb3206168a0937 *cobaltstrike.jar
# Cobalt Strike 4.0 (December 5, 2019)
558f61bfab60ef5e6bec15c8a6434e94249621f53e7838868cdb3206168a0937 Cobalt Strike 4.0 Licensed (cobaltstrike.jar)
Tested (On Windows with JRE 1.8) :– Hook.jar is clean (It hooks Authorization method providing the correct informations to validate license etc.) no Funky piece of code found
– CobaltStrike.jar Hash : Ok
– Lauching TeamServer : Ok
– Joining TeamServer with Client : Ok
– License appear valid to perpetual

Cobalt Strike Release Notes


Welcome to Cobalt Strike 4.x. Here are a few things you’ll want to know, right away:

1. Cobalt Strike 4.x is not compatible with Cobalt Strike 3.x. Stand up new

infrastructure and migrate accesses to it. Do not update 3.x infrastructure

to Cobalt Strike 4.x.

2. Do not move a cobaltstrike.auth file from Cobalt Strike 3.x to 4.x. The two file

formats are not compatible.

3. Aggressor Scripts written for Cobalt Strike 3.x may require changes to work with

Cobalt Strike 4.x. Please refer to this guide to update your scripts:


In Progress – Cobalt Strike 4.0


+ Rewrote the code for listener management and payload controller setup. Benefits:

– Improved user experience to add/edit payload listeners

– Cobalt Strike can now bind multiple egress Beacons to one team server

– Multiple TCP/SMB Beacons with alt. ports and pipes are now possible too.

– Added multiple payload-specific options to tweak (e.g., port bending)

+ Post-ex workflows updated to deliver stageless payloads (or to tightly couple the

stager with the action). x64 payloads are now options (sometimes, implicit and

other times, explicit) in these workflows.

+ Scripted Web Delivery is now stageless with an option for x64 payloads. The

regsvr32 built-in option is gone though. (Can’t jam a full payload into it).

+ Changed post-ex.amsi_disable to avoid a crash on latest Windows 10/.NET versions

+ connect [host] [port] and link [host] [pipe] links to an alt. TCP port or pipe

+ unlink now accepts [host] [pid] to identify a specific session to unlink from.

+ split the DNS Beacon and HTTP/S Beacons into separate agents. dns-txt is now the

default mode and there is no mode http in the DNS Beacon. The DNS Beacon also

sends output for jobs when it has it; regardless of whether or not there are

pending tasks.

+ Added payload arch to sessions table.

+ inject now passes a “exit thread” hint to Beacon payload stage.

+ Eliminated unneeded OpenProcess call in spawn+inject code paths.

+ Added [session] -> Access -> One-liner to host a one-use PowerShell script that

runs a payload

+ spawnas command now spawns temp process and inject into it. No powershell!

+ ps primitive uses PROCESS_QUERY_LIMITED_INFORMATION on Vista+

+ updated process dialog to grey out no-info processes in its process tree.

+ uac-token-duplication now executes inline w/i current Beacon. elevate

uac-token-duplication will inject payload into elevated process. No PowerShell.

+ getsystem now searches handles for system tokens and attempts to impersonate them

+ runu no longer steals parent process token

+ spawnu command now spawns temp process and injects into it. Also, no PowerShell.

+ kerberos_ticket_purge and kerberos_ticket_use are now inline-exec modules.

+ the &bipconfig primitive in Beacon now dynamically loads iphlpapi when used.

+ Added Beacon process name to sessions table, metadata, and reports

+ Added option to start External C2 via the listener management interface.

+ Expanded the size of the Beacon ID values.

+ Updated DNS server to prevent malformed response when sending empty TXT reply

+ Fixes to DNS TXT mode to better cope with (and limit) out of sync transactions

+ Added color row highlighting for creds, targets, services, applications, listeners,

and beacon session tables. Right-click and find the Color menu.

+ Removed SSH and reverse TCP sessions from unlink tab completion.

+ Pivot graph no longer reports the firewall node as a selected session.

+ Listener Manager now annotates pivot listeners with error if pivot is dead/missing

+ Added variant http-get, http-post, http-stager, and https-certificate blocks to

Malleable C2. A variant is an alternate configuration of your current profile that

is selectable when configuring an HTTP or HTTPS Beacon listener.

+ (Egress) listener name now shows up in sessions table.

+ Pivot graph now uses firewall icon as root node for all sessions. A yellow dashed

line indicates egress via the DNS Beacon. Green dashed line is the HTTP/S Beacon.

+ CS does a better job cleaning up closed dialog resources.

+ CS’s open or activate console logic now goes by Beacon ID and not tab title.

+ Beacon tab title dynamically updates when session metadata becomes available.

+ Added ‘jump’ command to spawn a session on a remote target. Built-in options are

psexec, psexec64, psexec_psh, winrm, and winrm64. All are stageless except for

psexec_psh which implicitly uses the bind_pipe stager every time.

+ Added an Aggressor Script API to add remote exploits to Beacon’s jump command

+ [host] -> Login menu is now [host] -> Jump and shows each available jump option.

– Removed bypassuac, psexec, psexec_psh, wdigest, winrm, and wmi commands.

+ Added svc-exe as a built-in elevate option (basically jump psexec to localhost)

+ Added set PSEXEC_SERVICE hook to control the service name used by psexec variants

+ Updated to mimikatz 2.2.0 20190813

+ IPv6 address checks now allow for embedded IPv4 addresses.

+ Screenshot filenames now use UTC times for hhmmss

+ weblog.log is now weblog_##.log where ## is the port number of the web server

+ View -> Targets -> Import Hosts can now pull multiple files in at one time.

+ Updated sleep.jar to build that fixes &&/|| code generation issues.

+ Added ‘added’ column to credential browser (date cred first added to model)

+ Fixed potential infinite loop caused by file read error during download.

+ Beacon controller now detects and notifies operator of incomplete/failed downloads.

+ connect and link primitives will now re-try for up to 15s to connect

+ help net [command] now tab completes properly.

+ Fixed null pointer exception when trying to do some actions on an empty DNS Beacon

+ Removed Ctrl+Alt+Del button from VNC viewer since it doesn’t quite… work 🙂

+ Beacon closes some process/thread handles that were left about.

+ Minor change to settings representation and updates to profile memory management.

+ Added several functions to Aggressor Script and revised some APIs as well. See the

compatability chapter in the Aggressor Script docs for a list of changes that may

affect your existing scripts.

+ Replaced MacOS X Java App stub with a script that uses java from $PATH

+ Encrypted several internal resources (this makes the CS .jar file much bigger).

+ runasadmin now runs a command in an elevated context using a command elevator

exploit registered with CS. uac-token-duplication and uac-cmstp are built-in.

+ Updated foreign listener URI length to match MSF staging URI length requirements

– Moved elevate ms14-058 out of CS and into the Elevate Kit

+ Added remote-exec to run command on remote target using a remote execute method

registered with CS. psexec, winrm, and wmi are built-in.

+ Added ‘domain’ verb to net module to get current host’s domain

+ Added ‘net domain_controllers’ to query Domain Controllers group to discover

domain controllers and populate Cobalt Strike’s data model.

+ Beacon tab completion for link and connect include by default

+ Added c2lint OPSEC warning for .host_stage=true

+ Setting up a reverse TCP pivot sets session interacted with flag internally

+ Fixed a disconnect bug in file browser when providing malformed UNC path.

+ Fixed crash with x64 net group/localgroup listings

+ SpawnAs dialog shows listener name in “faked” input

+ Desktop tab title is now consistent with other Beacon features (IP@PID)

+ Added c2lint check for maximum prepend length in http-stager block

+ Empty DNS Beacons are now shown in the pivot graph

+ Added -isactive [bid] predicate to Aggressor Script. Returns false if session is

not linked or if it’s acknowledged an exit message. True otherwise.

+ Targets view now uses active criteria to show host as compromised and to include

a menu for that session.

+ Listener ERROR! is now more obvious in the Listeners browser

+ Added a browser pivot client socket timeout to browser pivot proxy.

– Removed elevate uac-dll option.

– Removed Attacks -> Packages -> Windows Dropper and USB/CD Autoplay.

May 4, 2019 – Cobalt Strike 3.14


+ Updated blockdlls to call SetErrorMode when enabled to hide/skip Bad Image errors

+ Fixed External C2 error that occurs when started before an HTTP/DNS listener

+ External C2 reports Beacon metadata periodically (Remove no longer loses session)

May 2, 2019 – Cobalt Strike 3.14


+ Added blockdlls command; blocks non-Microsoft DLLs from Beacon’s child processes

+ Added python option to &artifact_stageless.

– Deprecated the process-inject -> disable “*” options from Cobalt Strike 3.12

+ Added process-inject -> execute to control thread creation functions used + order

+ Revised RtlCreateUserThread injection path to work x86 -> x86.

+ Overhauled injection path w/ NtQueueApcThread into existing processes

+ Added fake start addr Create[Remote]Thread variants to process-inject -> execute

+ Added process-inject option to push data to remote process with NtMapViewOfSection

+ .stage.cleanup now detects if memory is mapped and uses UnMapViewOfFile

+ Moved spawnto_x86, spawnto_x64, and amsi_disable to Malleable C2 post-ex block

+ Added post-ex.obfuscate to enable content and permission changes to post-ex DLLs

+ Added post-ex.smartinject; passes key function ptrs from Beacon to post-ex DLLs

+ Added NtQueueApcThread-s (for suspended processes) to process-inject -> execute

+ Added MITRE ATT&CK Tactic ID(s) to [task] entries in logs

+ Standardized time/date format in logs/; all times/dates are now UTC as well.

+ Added &brun Aggressor Script function (equivalent to the run command).

+ Hardened web server against spoofing of remote address value.

+ Added http-config -> trust_x_forwarded_for header. Forces web server to use the

X-Forwarded-For header value (when present, when valid) as HTTP external address.

+ Hardened Beacon C2’s open local port callback primitive against rogue sessions.

+ HTTP/S stagers now set INTERNET_FLAG_NO_COOKIES, when a Cookie header is specified

(the effect here is to ignore the local cookie jar and use the specified value).

+ Beacon does not set INTERNET_FLAG_NO_COOKIES if profile doesn’t use Cookie header

+ Removed INTERNET_FLAG_NO_AUTO_REDIRECT flag from HTTP/s stagers and Beacon.

+ Added credentials popup hook for credential manager.

+ Process Browser (single host) now displays a process tree for easier navigation

+ File browser now caches listings; added a tree to navigate/populate this cache

+ Added Copy option to get full file path in file browser right-click menu

+ Added Set as PPID option to process browser right-click menu

+ Updated to Mimikatz 2.2.0 20190414

+ Fixed an API use error (inconsequential?) in the parent process spoofing code

+ steal_token delays dropping current token (to use its rights stealing the token)

+ Updated “this session already has a browser pivot” error message with a remedy.

+ Failure to bind the DNS Beacon’s port 53 is now more clear in the error message.

+ Fixed potential truncation of execute-assembly output.

+ Added &listeners_stageless function to get &artifact_stageless compat listeners

+ Fixed another drives bug that popped up on some JVMs.

+ Fixed x64 pointer truncation in VNC server DLL.

+ Credential Add/Edit dialog can now edit the Host field.

+ Added Ctrl+R to quickly rename the current tab in Cobalt Strike.

+ Web server now reports error if an exception occurs when accepting new client.

+ File Browser’s Delete popup item now asks for confirmation of the action.

+ Browser Pivot is now case-agnostic looking for Content-Length, Host, etc.

+ Browser Pivot strips Strict-Transport-Security, Expect-CT, and Alt-Svc headers

January 2, 2019 – Cobalt Strike 3.13


+ CS now prints console warnings, on payload staging, when kill date is past.

+ dcsync [FQDN] now runs mimikatz’s dcsync with options to export all hashes

+ Added a parser to add dcsync [FQDN] hashes to credential store.

– Removed the ‘mode smb’ option to turn an arbitrary Beacon into an SMB Beacon

+ Refactored Beacon HTTP/HTTPS/DNS and Beacon SMB into separate binaries

+ Reworked the link management and link client for Beacon

+ Added stageless windows/beacon_reverse_tcp as a Beacon pivot listener option.

+ Removed extraneous space from HTTP status responses.

+ Implemented fail-safe timeout to release Beacon chain if read blocks for 5 mins

+ Added command-line argument spoofing for matching processes with argue command.

+ Added &str_xor to XOR mask a string with a specified key.

+ Ctrl+F search in console is now case insensitive.

+ Added windows/beacon_tcp/bind_tcp listener for peer-to-peer comms.

+ stage.sleep_mask is now set to false by default

+ SSH client is now much smaller after switch to mbed TLS and newer LibSSH2 version

+ Added x64 SSH client. x64 Beacon uses the x64 client, x86 Beacon uses x86 client

+ Brought the new/reworked link client backend from Beacon to the SSH client.

+ SSH sessions can now control bind and reverse TCP Beacons.

+ Added x64 portscanner and net module builds for use by x64 Beacon.

+ Removed PDB string and assembly manifest from post-ex job DLLs

+ In-memory obfuscation of Beacon now works with TCP and SMB Beacons. Both obfuscate

while waiting for a connection and during reads. Enable with stage.sleep_mask

+ Updated &bdllspawn with option to use impersonated/created token in child process

+ execute-assembly, net, portscan, and powerpick now use impersonated/created token

+ steal_token drops current token before attempt. This prevents a handle leak.

+ make_token creds now used with CreateProcessWithLogonW if execute w/ token fails

+ Beacon does better job of clearing memory content before freeing it.

+ Resource Kit+defaults now XOR mask stager prior to embed in PowerShell scripts

+ named pipe string is now embedded with or sent to Beacons only when needed.

+ desktop post-ex job, spawned from x64 Beacon, will launch x64 VNC server.

+ Updated to mimikatz 2.1.1 20181209

+ Added http-config Malleable C2 block to influence all HTTP server responses

+ Added MITRE ATT&CK Tactic ID to activity.tsv/activity.xml in data export.

+ Removed an extra comma when combining ATT&CK tactics for post-ex job launches

+ VPN pivot server now checks for /dev/net/tun before doing anything else.

+ Added a list of used MITRE ATT&CK tactics to Indicators of Compromise report

+ screenshot module now degrades SS quality when SS size is over transmit limit

+ Re-synced built-in MITRE ATT&CK matrix (April 2018) to add missed entries

+ Tagged a few mimikatz commands with more specific ATT&CK tactics.

+ cobaltstrike.exe launcher on Windows will run java.exe from %PATH%

+ Added a hard startup deny for OpenJDK “8” (too many problems w/ it on Kali)

+ Dialog to present a URL when browser can’t/won’t open now works on Kali 2018.4

+ bind_tcp x86/x64 stagers now exit on recv() failure.

+ Beacon console now checks Vista+ for target when using ppid, runu, or argue

+ Fixed the drives bug that popped up on some JVMs.

+ Default GUI font is now Dialog-PLAIN-12

+ c2lint now warns when the rundll32.exe default is not overriden/replaced

+ Added amsi_disable Malleable C2 option. Attempts to disable AMSI for psinject,

powerpick, and execute-assembly

+ Updated update program with faster routine to write out cobaltstrike.jar file.

September 6, 2018 – Cobalt Strike 3.12


+ Fixed targets_other popup hook. Now it passes the target info as an argument.

+ Fixed logic flaw in the kill date check.

+ Hardened reporting engine against unexpected characters in bookmark text.

+ configured MIME parser (used for phishing emails) to have fewer restrictions

+ Fixed bug ignoring the Name field in the Add Target dialog.

+ Updated target import codepaths to remove unexpected whitespace from addresses.

+ Added POWERSHELL_DOWNLOAD_CRADLE option to Resource Kit. Controls form of download

cradle used by powershell-import, spawnu, spawnas, and uac-token-bypass

+ powershell-import with empty file resets hints related to script hosting.

+ Added POWERSHELL_COMMAND option to Resource Kit. Controls form of [most] powershell

commands used throughout Cobalt Strike.

+ Added &sync_download to grab a downloaded file from the team server.

+ Added stage.sleep_mask Malleable PE option. When enabled, obfuscates Beacon in

memory before each Sleep() call. De-obfuscates Beacon prior to resuming execution

+ Added run command. Runs a program (+ shows output) without cmd.exe or powershell.exe

+ ssh-key command now accepts much larger key sizes (and warns when that’s exceeded)

+ Process injection path now allows argument via SetThreadContext when x64 -> x64

+ keylogger command, with no args, now spawns a temporary process and injects into it

+ screenshot+keylogger commands, spawn mode, now match Beacon’s arch for temp process

– Removed .create_remote_thread and .hijack_remote_thread options in Malleable C2

+ Added Malleable C2 options to modify Beacon’s process injection behaviors

+ Synced built-in MITRE ATT&CK matrix to the April 2018 release.

+ Updated to Mimikatz 2.1.1 20180820

+ DNS Beacon signaling now combines dns_idle profile value with signal values. A good

dns_idle value helps avoid IPv4 bogon responses in dns6 and dns-txt transfers.

+ DNS listener now sanity checks dns_idle value vs. Team Server IP.

+ Added &str_chunk to easily chunk a string into multiple same-size chunks.

+ Updated exe/dll checksum update process to leave artifact alone if there’s an error

+ Removed the OpenJDK checks/warnings from startup.

+ Updated the updater with new cert information. (Redownload the trial to get it)

May 24, 2018 – Cobalt Strike 3.11


+ Hardened Beacon against possible crashes on Win 10 when module stomping is setup.

+ Change size of Host column in IOCs report.

+ Updated the Malleable C2 ‘mask’ decoder to fail in a more graceful way.

+ Beacon HTTP controller now outputs much more detail when it can’t retrieve an id,

metadata, or process output from a Beacon HTTP request w/ the current profile.

+ Updated PowerShell injection templates to address issue w/ Windows 10.0.17134

+ Updated to Mimikatz 2.1.1 20180502

+ DNS Beacon now recovers from a failed AAAA download more gracefully.

+ Hardened DNS Beacon against an edge case for repeated/out-of-order requests

April 9, 2018 – Cobalt Strike 3.11


+ Added dllload command to Beacon. Calls LoadLibrary() w/ parameter in remote process.

+ Mitigated crash for Artifact Kit generated DLLs on certain loading conditions.

+ Added module stomping to Malleable PE options. Configures Beacon’s loader to load

an unneeded library and overwrite its space instead of using VirtualAlloc.

+ Synced built-in MITRE ATT&CK matrix to the January 2018 release.

+ Beacon downloads smaller file pieces per check-in when HTTP chunking is in use

+ stomppe Malleable PE option stomps MZ, PE, and e_lfanew values once Beacon is loaded

+ Extended Malleable PE obfuscate option to obfuscate Beacon’s DLL headers and header

slack space. This option also LoBoToMiZeS the DLL header once Beacon is loaded.

+ Added dns_max_txt and dns_ttl Malleable C2 options to tweak Beacon DNS C2 further.

+ &bdllspawn now accepts arguments larger than the previous 16KB limit.

+ Added execute-assembly to run a .NET executable on target without touching disk

+ Added Malleable PE options to change these fields of Beacon’s Reflective DLL:

– checksum: CheckSum value

– entry_point: AddressOfEntryPoint (Cosmetic. Does not affect execution)

– name: the Exported name (e.g., beacon.dll)

– rich_header: replace the Rich Header with some other rich header

+ Added Malleable C2 sample_name option to name your “payload” in the IOCs report.

+ Cobalt Strike now aggregates more info about your profile to the reporting engine

+ Updated the IOCs report to show PE info, contacted hosts, a traffic sample, and

interesting strings for the Malleable C2 profile associated with each server.

+ Added peclone utility to Cobalt Strike Linux package. This utility parses a PE

file and prints a Malleable PE stage block with extracted values.

+ Artifact Kit now pushes decoded payload directly into alloc’d memory.

+ Added cleanup option to Malleable PE. This asks Beacon to attempt to free the

memory associated with the self-bootstrapping package that loaded it.

+ Added reg query|queryv to Beacon to query the registry

+ Added setenv command to Beacon

+ Updated getsystem/pth to use %COMSPEC% instead of cmd.exe.

+ Updated to Mimikatz 2.1.1 20180325

+ Hardened SSH sessions against infinite blocking situations.

+ Changed quoting convention in PowerShell scripts.

+ Added functions: &breg_query, &breg_queryv, &bdllload, and &bexecute_assembly

+ Added hex and vbs options to &transform

+ Extended Resource Kit to control CS’s VBS and HTML Application output.

+ Added &transform_vbs to offer additional control over the VBS transform.

+ Added uac-token-duplication option to built-in privilege elevation options.

+ Added runasadmin to run a command in a high integrity context. This uses the UAC

Token Duplication attack. &brunasadmin gives scripts access to this too.

+ Rebuilt x86 VNC server DLL with v90 toolchain for maximum Windows 2000 fun.

+ Hardened the default (dist-pipe) Artifact Kit against rare error conditions.

+ Fixed a Beacon crash on Windows XP when CreateProcessWithTokenW is not present.

+ ReflectiveLoader now zeroes out its entire VirtualAlloc’d space

+ Made changes to the updater program for Java 9 compat and prep for cert changes

+ Internal script console implementation no longer uses $x and $error

+ Metadata verification now allows “unknown” as an internal IP value.

11 Dec 17 – Cobalt Strike 3.10


+ Added a ~1s delay to team server’s authentication answer to mitigate brute force

+ x86 HTTP staging protocol server check now requires right x86 stager URI checksum

+ Randomized the unused host padding inside of the DNS TXT record stager.

+ Made changes to x86 XOR stage encoder stub

+ Added SSL support to Cobalt Strike’s web-based social engineering features

+ Infused MITRE’s ATT&CK matrix into Cobalt Strike:

– &attack_* functions provide access to ATT&CK data for custom reports

– Added Tactics, Techniques, and Procedures report: maps activity to ATT&CK

– &btask now accepts a comma separated list of ATT&CK tactics as an argument

+ Fixed: short title in report export dialog now affects the generated report

+ Added &h4, &list_unordered, and &p_formatted functions for custom reports

+ File browser right-click popups now announce “input” for actions taken.

+ Updated Synthetica L&F to version that is compatible with Java 1.9

+ CS now uses session-specific ANSI/OEM codepages to encode input and decode output

+ Beacon logs now normalize output to UTF-8 encoding.

+ Added “GUI Font” to Cobalt Strike preferences. Changes the font used by the UI

+ cobaltstrike.exe launcher on Windows now searches for Java 1.9 in registry

+ Changed how Beacon sends routine error messages back to Cobalt Strike

+ Added getprivs command to Beacon. (The ps command no longer gets privs for you.)

+ Refactored shell and powershell commands to transfer logic from Beacon to CS

+ Added &beacon_execute_job to run a command as a post-ex job and report output to CS

+ Added &str_encode and &str_decode to encode and decode a string with specified charset

+ Added &beacon_host_imported_script to host previously imported script and return a

one-liner to download and evaluate it. Returns nothing if no imported script exists

+ Added Malleable PE options string, stringw, and data to populate the .rdata section

of Beacon’s rDLL with the specified strings.

+ Updated to mimikatz 2.1.1 20171106

+ HTTP server drops requests with malformed headers.

+ Proxy Server dialog is now friendly to @ in proxy username and password.

+ Fixed &format_size with larger file sizes

+ download now works with files >2GB. Reports an error if file is >4GB.

+ Minor syntax fix to C# shellcode output in Payload Generator

+ Fixed a Java 1.9 warning in the updater program.

+ Removed dependence on Java EE API (for 1.9 compatability. Ugh).

+ Added an admin check to [beacon] -> Access -> Dump Hashes

+ Added safety check to prevent SMB Beacon localhost staging failure when there’s a name

conflict with this listener between multiple servers.

+ Export Data now uses UTF-8 encoding for its output

NOTE: An in-place update of Cobalt Strike with live sessions is never recommended. With

Cobalt Strike 3.10, this is especially true. Cobalt Strike 3.10 cannot control sessions

from previous versions of Cobalt Strike.

26 Sept 17 – Cobalt Strike 3.9


+ Updated VBA and VBS shellcode embedding to accommodate 3.9’s larger stagers.

21 Sept 17 – Cobalt Strike 3.9


+ x86 HTTPS stager now (correctly) uses profile-specified URI

+ c2lint now flags absence of uri_x86 and uri_x64 as errors when a transform on the

stager output is present.

20 Sept 17 – Cobalt Strike 3.9


+ Added a startup check to verify -XX:+AggressiveHeap and -XX:+UseParallelGC are set.

+ Added a dialog to present a URL when the browser open action is not supported

+ powershell-import now uses a broader regex to find function names for tab completion

+ Changed the applet attack’s memory allocation/process injection characteristics

+ Limited the team server file sync primitives to the downloads/ folder only.

+ Malleable C2 now prints a console error when POST’d session ID is empty

+ Artifact Kit uses SetThreadContext/ResumeThread for same-arch cross-process injection

+ Added Malleable client parameters/headers and server transforms to HTTP/HTTPS staging

+ Added a startup check + warning for Wayland desktops. (Not supported with CS)

+ c2lint now checks syswow64/sysnative case for spawnto_x86/spawnto_x64. It’s important

+ &beacon_host_script now compresses imported PowerShell script (like powershell-import)

+ Made changes to the local staging process for the named pipe Beacon

! Removed windows/foreign/reverse_dns_txt as a listener (needed for the next change…)

+ Added dns_stager_prepend Malleable C2 option to offset DNS stage value in TXT records

+ Updated VNC server to remove unneeded “stuff” and improve reliability.

+ Restricted the team server file upload primitive to the uploads/ folder only.

+ Help -> System Information now includes environment variables

+ Licensed CS now requires a valid + non-expired authorization file to start. This file

is generated and refreshed by the update program in 3.9+

+ Licensed CS now embeds a 4-byte customer ID (from auth file) into stages and stagers

+ Added obfuscate Malleable PE option to mask import table strings

+ Updated to mimikatz 2.1.1 20170813

+ Added &gunzip function to Aggressor Script.

+ &closeClient now works when called from headless Agressor Script client.

+ &add_to_clipboard puts text into the clipboard and prompts the user.

+ headless Aggressor Script client now waits on global data before firing on ready event

+ Added light obfuscation to the System Profiler.

+ Added &encode function to obfuscate shellcode/stages with a CS encoder

+ Added &range and &iprange to generate a list of numbers/IPs from a string description

+ Added mask data transform to Malleable C2. Masks data with a random 4-byte value.

+ DNS Beacon accounts for in-progress HTTP GET-transfers when asked for IP address

23 May 17 – Cobalt Strike 3.8


+ Attacks -> Web Drive-by -> Host File maps .ps1 to text/plain (auto mime-type)

+ Host File dialog now checks that URI begins with a /

+ Fixed a bug with Malleable C2’s base64url encoder

+ Exceptions thrown by Aggressor Script function calls are sent to the Script Console

+ Added [beacon] -> Access -> Elevate to pick a registered priv escalation to launch.

+ &bmode can now accept a dns6 argument.

+ Beacon DNS processor now lowercases all requests. (This was a 3.0 regression)

+ Web server now prints information & errors the same way other CS features do

+ Added ppid command to set parent process for processes Beacon launches

+ Added runu to run an arbitrary program under a specific process ID.

+ Added spawnu to spawn a session under a specific process ID (uses powershell.exe)

+ Updated web server to drop non-HTTP requests with no response.

+ Reporting now shows DNS Beacon mode changes in session transcripts

+ Artifact Kit’s non-migrating artifacts start threads with memory backed by module

+ Improved c2lint’s SSL keystore checks.

+ Cobalt Strike now updates PE CheckSum field for its executables and DLLs

+ Beacon now uses SetThreadContext/ResumeThread to start jobs in patsy processes

+ Beacon process injection now uses CreateThread for injecting into self

+ Added shspawn command to spawn shellcode file as Beacon post-ex job.

+ The updater program now verifies downloads via https://verify.cobaltstrike.com

Download the latest trial package to get the updated updater.

+ Updated to Mimikatz 2.1.1-20170508

+ Added scripting hooks to grant users control over PowerShell, Python, and VBA

templates used throughout Cobalt Strike. See the “Resource Kit” in the Arsenal.

+ Added Malleable C2 options: hijack_remote_thread, create_remote_thread to tweak

Beacon’s process injection codepaths. Both are true/false options.

+ Added work-around for “Parallel GC” Java bug (Java 1.8u131) that prevents Cobalt

Strike from running. Download the latest trial package to benefit from this.

15 Mar 17 – Cobalt Strike 3.7


+ Added “set pipename_stager” Malleable C2 option to change named pipe stager pipe

+ Added manual proxy options to stageless Beacon artifacts

+ Attacks -> Packages -> Windows EXE (S) now shows listener names

+ Added &artifact_stageless function to generate stageless artifacts from scripts

+ &brm now rejects an empty argument

+ Added cp (copy) and mv (move) commands to Beacon. Added &bcp, &bmv for scripts

+ Added EXE and DLL code-signing capability to Cobalt Strike

– Malleable C2’s code-signer block specifies the keystore and attributes

– Attacks -> Packages -> Windows EXE and Windows EXE (S) have a checkbox

to request a signed EXE or DLL

– The &artifact_sign function signs its argument (presumably a PE file)

+ Malleable C2 is now tolerant of case-transformed headers

+ Added Aggressor Script APIs to create simple dialogs

+ Added a parser to add mimikatz lsadump::sam results to credential model.

+ Team server now uses SHA256 hash for its SSL-cert fingerprint

+ Added Malleable C2 options to modify Beacon’s payload stage/Reflective Loader

+ Reduced Beacon’s use of RWX permissions in its process injection code path

+ Reduced use of RWX permissions in non-trial Artifact Kit.

+ Fixed bug with SSH agent not always resolving path for file downloads

+ Added API for Cobalt Strike’s web server: &site_host, &site_kill.

+ Enhanced the error reporting for client/server disconnections

+ Updated DNS stager to not modify itself.

+ Added an x64 stage encoder for Beacon stages delivered over SMB and HTTP/S

+ Added dns_stager_subhost Malleable C2 option to change DNS TXT stager indicator

+ Updated to mimikatz 2.1.0-20170305

8 Dec 16 – Cobalt Strike 3.6


+ Added sanity check to HTTP header length.

+ Added script constants \c, \U, and \o to agscript client.

+ Beacon drops token when connecting to capability pipe anonymously. This should

mitigate some error 5s (permission denied) when using jobs after stealing a token

+ VNC client and Proxy Pivots -> Tunnel now use the IP address the CS client

connected to as the team server IP and not the value used when starting the

team server.

+ Added Preferences -> Cobalt Strike -> VNC Ports option. This configures the range

of ports CS should use for VNC client connections between the client and the

team server.

+ Added &layout to custom reports. It’s &table but without a border and col headers

+ Expanded Malleable C2 to allow additional flexibility with HTTP requests:

– Use ‘set verb’ to change the default HTTP verb for http-get/http-post

– http-get.client.metadata can now print if http-get’s verb is POST.

– http-post.client.output can now use uri-append, parameter, and header

Beacon will chunk output into small blocks when these options are used.

– http-post.client.id can now use print if http-post’s verb is POST.

– c2lint checks for possible mistakes/issues with the above.

+ c2lint now checks for assignment collissions.

+ c2lint now shows a preview of both http-get AND http-post.

+ added base64url encoding to Malleable C2. (This is a URL-safe encoding option).

+ SSH client now reports output sent to STDERR.

+ Added sanity check to HTTP POST Content-Length (max allowed is 10MB. Still big.)

+ SSH client now combines consecutive reads for a channel into one output blob.

+ Added entries to the Host File feature’s automatic mime-type assignment table.

+ Reworked spawnto to allow operator control over x86 and x64 behavior.

– Deprecated Malleable C2 set spawnto option (it’s ambiguous)

– Added set spawnto_x86 and set spawnto_x64 to Malleable C2.

– Beacon’s spawnto command now expects arch value to target right setting

+ Expanded spawn command to accept arch parameter (e.g., spawn x64 <listener>)

+ x64 Beacon falls back to RtlCreateUserThread when CreateRemoteThread fails.

+ Updated Beacon Job IDs to stick with job throughout its life

+ Added an Aggressor Script API to add exploits to Beacon’s elevate command

+ Added &powershell_encode_oneliner to Aggressor Script. This function base64

encodes a PowerShell expression and returns a one-liner to run it.

+ Added quiet variants of many session tasking Aggressor Script functions. These

functions task a session without an acknowledgement. [e.g., bshell!(“arp -a”)]

+ Added &bdllspawn. This function launches a Reflective DLL as a Beacon post-ex job.

This rDLL job can send output to Beacon by writing to STDOUT. This rDLL can also

receive an argument from &bdllspawn. Check out the Aggressor Script docs for info.

+ Added arch parameter to &bstage (to allow staging x64 SMB Beacon locally)

+ hashdump now does a better job with larger sets of users.

+ DNS C2 applies tighter criteria to determine if a request is a “beacon” or not.

+ CS client filters listeners w/o stages when Malleable C2 host_stage is false

+ Addressed a potential thread-conflict with a shared buffer in an encryption routine

+ Cobalt Strike Trial no longer encrypts Beacon tasks and responses. *pHEAR*

+ Re-revised foreign listeners to return x86 shellcode only.

+ Updated to Mimikatz 2.1 20161126.

+ Added &bsetenv to set an environment variable within Beacon.

+ Added &bpsexec_command to run a command on a target via the service control manager

+ Keystroke logger is now better about non-US keyboard layouts.

+ Team server now properly releases resources from non-CS client connections

+ Removed keylogger start|stop from tab completion [these options no longer exist]

+ CS’s web server returns 404 for HTTP proxy attempts when no proxy handler is setup

+ Fixed occasional x64 HTTP/HTTPS stager crash on Windows 10-era systems

3 Oct 16 – Cobalt Strike 3.5.1


This release implements measures to harden Cobalt Strike against malicious sessions.

+ Re-worked file download feature. Cobalt Strike continues to store downloaded files

in the downloads/ folder, but this time with a random name and no sub-folders. The

View -> Downloads and Sync Files user experience is restored to the behavior prior

to 3.5-hf1 and 3.5-hf2. The logs/[date]/downloads.log file contains a manifest of

downloaded files and maps known information about the file download to the random

names in the downloads/ folder.

+ Team server now uses a safe path concatenation function that compares canonical

paths of the parent and result concatenated path to make sure the result doesn’t

break out of its parent.

+ Added host_stage = true/false option to Malleable C2. This options allows you to

disable the public hosting of a payload stage over HTTP, HTTPS, and DNS.

+ Beacon controller now refuses to process most session responses if a session is

new and has not had a task yet. Some responses are still allowed prior to tasking.

+ Beacon controller drops sessions whose session metadata didn’t validate.

+ Beacon’s upload command with path no longer checks for 1MB limit

+ Added to team server’s list of hosts it won’t accept.

29 Sept 16 – Cobalt Strike 3.5-hf2


+ Broader hardening of the Beacon controller against the RCE security issue.

28 Sept 16 – Cobalt Strike 3.5-hf1


+ Hot fix for a security issue. See Cobalt Strike blog:


22 Sept 16 – Cobalt Strike 3.5


+ Fixed sanity checks when adding a listener.

+ Lateral Movement & Make Token dialogs use a . if user leaves Domain field blank

+ Beacon socks command now asks Beacon to checkin interactively (sleep 0)

+ Added ssh and ssh-key commands to Beacon to create an SSH session with a target.

These sessions allow you to run commands, upload/download files, and pivot

through targets over SSH.

+ Took steps to reduce likelihood of Beacon ID collissions

+ &bmimikatz function will now dispatch multiple commands separated by newlines.

+ SMB Beacon download feature now pulls bigger file chunks (~256KB) per checkin

+ Fixed double unlink notices for named pipe sessions.

+ Added several Aggressor Script enhancements:

– ssh_alias keyword to add commands to SSH sessions

– ssh_initial event to respond to new SSH events

– ssh popup hook

– &ssh_command_register to register SSH aliases with SSH help command

– &bssh, &bssh_key to launch an SSH session from a Beacon

– &bsudo to run the SSH session’s sudo alias

– &ssh_commands, &ssh_command_describe, &ssh_command_detail to grab help

information for SSH session commands.

– -issh $id, -isbeacon $id predicates to test whether an ID is a specific

type of session

– -isadmin $id predicate to check if a session is admin-level

– -is64 $id predicate to check if target is an x64 system.

– &sbrowser function to create a session browser GUI object

– SSH sessions have their own sets/events that are similar to the ones

that exist for Beacon sessions.

+ View -> Proxy Pivots now posts input for rportfwd stop/socks stop

+ Added sanity check for team server <host> parameter to avoid common mistakes

+ x86 stager generation code now always use x86-specific URI checksum.

29 Jul 16 – Cobalt Strike 3.4


+ Save dialog now defaults to the last saved file’s location

+ Cleaned up several strings in Beacon’s stage.

+ Added Malleable C2 option to set name of SMB Beacon’s named pipe name

+ Added command-line help options for team server startup.

+ Added a kill date parameter to team server. This will embed a drop dead date

into each Beacon stage generated by this team server.

+ Archiver on team server now truncates its entries to a set size. This prevents

a slow memory leak on the team server.

+ Fixed bug that capped Beacon’s jitter variance to 32s, regardless of sleep time

+ Added a cobaltstrike.server_port property to change team server’s default port

+ Fixed bug processing HTTP GET Malleable C2 recovery programs > 128 bytes.

+ Hardened Beacon’s Malleable C2 recover code against corrupted/unexpected data.

+ Added Beacon’s architecture (x86, x64) to session metadata as barch key. Also

added an (x64) indicator to statusbar in x64 Beacon consoles.

+ ‘mode dns’ now restricts DNS host length (for puts) to 25% of maxdns value.

The ‘mode dns-txt’ option is 100% of the maxdns value. ‘mode dns6’ is 50%

+ Beacon’s upload command now supports files larger than 1MB.

+ Fixed a bug in task queue chunker that could affect order of task execution

+ Cobalt Strike -> Listeners shows last listener error in red, if there is one.

+ Added option to export COM Scriptlet (.sct) to Payload Generator dialog

+ Spear Phishing tool now allows Windows-style line endings for targets file

+ Added dns_idle setting to Malleable C2. Changes DNS C&C idle IP from

+ Added dns_sleep Malleable C2 setting. Forces a sleep before all DNS requests

+ Added ‘mode dns6’ to use DNS AAAA records as a data channel for DNS Beacon.

+ maxdns is now interpreted as maximum length of hostname to send data back

+ Improved DNS data channel throughput when using hostnames to send data back.

+ Updated to mimikatz build (Jan 31, 2016) to address golden ticket indicator

+ Spear Phish mail server setup now adds option to force STARTTLS

+ Fixed a bug with STARTTLS upgrade (introduced in 3.0)

+ Added &bnet function to call Beacon’s net module.

+ Added &beacon_host_script function to (locally) host a PowerShell script and

return a one-liner to grab it/run it.

+ Fixed exception caused when hand-editing targets field in Spear Phish dialog

+ Fixed a potential exception caused by a race when removing a listener

18 May 16 – Cobalt Strike 3.3


+ Added krbtgt helper to Golden Ticket dialog.

+ Added filter feature (Ctrl+F) to most of Cobalt Strike’s tables.

+ Raised data model retention limits again.

+ cobaltstrike.exe on x64 Windows now looks for x86 Java if x64 Java is not found

+ Removed remnants of non-existant task command.

+ Aliased ? to help in Beacon console.

+ Mitigated DOS condition that could stop Team Server from accepting new clients

+ Fixed conflict between Malleable C2 partial URIs (uri-append) and HTTP/S

staging protocol. Malleable C2 partial URIs requests match to handler first.

+ Added c2profile info to Help -> System Information

+ Made keystroke logger loop tighter.

+ Added powerpick command to run PowerShell via Unmanaged PowerShell technique

+ Added psinject command to inject Unmanaged PowerShell into a specific process

+ Added 3389 to default portscan port list.

+ Made multiple error checking enhancements to c2lint.

+ Added Reload button to Script Manager dialog.

+ Added ready column to Script Manager to indicate if script is loaded or not.

+ Ctrl+Shift+D closes all tabs except the active one.

+ note[space][tab] now completes the current Beacon note.

+ Added net time to Beacon’s net module.

+ powershell-import size check occurs *after* compressing the script.

+ DNS server responds to (unexpected) AAAA requests with an empty answer section

+ Mimikatz parser now preserves passwords with spaces.

+ Beacon now uses encrypt-then-MAC to verify task/response message integrity

+ Updated web server to have enough Range request support to satisfy bitsadmin

+ Replaced PowerShell Web Delivery with Scripted Web Delivery. This dialog

generates artifacts and one-liners to deliver payloads with: bitsadmin,

powershell, python, and regsrv32.

+ Added VBA shellcode injection option to the HTML Application Attack.

+ Added an option to use x64 stagers/stages to:

– Attacks -> Packages -> Payload Generator

– Attacks -> Packages -> Windows Executable

– Attacks -> Packages -> Windows Executable (S)

+ Added x64 artifacts to the Artifact Kit

+ Added shinject command to inject shellcode into a process

+ Made the following updates to Aggressor Script:

– &binject now accepts an arch (x86, x64) parameter.

– Added &beacon_ids function to get all Beacon IDs

– Added &bpowerpick / &bpsinject functions to go with the above.

– Added &openScriptedWebDialog for Scripted Web Delivery

– Added &bshinject to go with shinject command

– Extended &shellcode with an x86/x64 architecture parameter

– Extended &artifact with an x86/x64 architecture parameter

– Extended &artifact types with powershell, vbscript, and python

– Extended &powershell with an x86/x64 architecture parameter

– &agServices now limits its results to hosts in targets model only.

+ The make_token command now accepts passwords with spaces.

+ Improved Bypass UAC attack’s reliability. It also gives feedback now.

4 April 16 – Cobalt Strike 3.2


+ Removed errant date parsing code from Mimikatz output scraper.

22 Mar 16 – Cobalt Strike 3.2


+ Fixed potential null pointer exception in multi-Beacon Process Browser

+ Fixed a type-issue that could cause client disconnect when editing credentials

+ Text displays show horizontal scrollbar if a text token is longer than display

+ Hardened report generator against empty bookmarks.

10 Mar 16 – Cobalt Strike 3.2


+ Standard dialogs (messages, prompts) are now created in Swing’s EDT

+ Merged client data sync process to one mechanism

+ Made slight change to bind TCP staging protocool.

+ Fixed bug with Beacon desktop command running twice when three args specified

+ Scrollbar now appears in connection list (when one is warranted).

+ Fixed VPN pivoting deployment error caused by internal API changes.

+ Added a startup warning for OpenJDK users. OpenJDK is not recommended for use

with Cobalt Strike. It has occasional bugs that severely impact CS users.

+ Bind TCP staging process now encodes x86 payloads

+ Raised the max entry limits in Cobalt Strike’s data model.

+ Port Scanner now properly ids Ubuntu OpenSSH banner as a Linux system

+ Added an x64 Beacon agent. You can now inject Beacon into x64 processes.

+ Added a timeout to VNC session handshake. If the timeout expires, you’re asked

to try the VNC process again.

+ [beacon] -> Explore -> Desktop announces desktop command to the beacon console

+ [beacon] -> Interact now activates Beacon’s existing tab, if one is open.

+ Fixed a bug downloading 0 byte files.

+ Raised max number of linked beacons from 15 to 40.

+ Added ‘net computers’ to query Domain Computers/Domain Controllers groups to

discover targets and populate Cobalt Strike’s data model.

+ VPN Pivot now filters the VPN client’s host and hosts in client’s pivot chain.

+ Added Reporting -> Reset Data to reset Cobalt Strike’s data model.

+ Modified teamserver script to avoid re-generating SSL cert if keystore exists

+ Website Keystroke Logger tool now logs to webkeystrokes.log on team server.

+ NMap import does not import hosts with no open services.

+ text prompts no longer fire their callback if dialog is cancelled.

+ Consoles now display a horizontal scrollbar when there is a text token longer

than the console can display.

+ PowerShell Web Delivery and powershell-import now compress hosted scripts.

+ Added warning to prevent deploying CovertVPN on Windows 10.

+ Hardened recursive task building logic against potential loops.

+ Changed screenshot publish/read protocol to avoid incomplete screenshots

+ Added processbrowser and processbrowser_multi popup hooks to Aggressor Script

+ upload and powershell-import report errors if content is too big.

+ Ctrl+Shift+T takes screenshot of entire CS window and pushes it to team server

+ Reporting engine frees up memory after report is generated.

+ Hardened report generator against empty pages and empty tables.


8 Dec 15 – Cobalt Strike 3.1


+ Fixed report generation bug when masking long email addresses

+ Fixed race that made metadata unavailable to beacon_initial event

+ &binfo(“id”) now returns all metadata for the specified beacon id

+ Screenshots in memory no longer cache their ready-to-render form. This prevents

out of memory exceptions for those of you watching busy desktops.

4 Dec 15 – Cobalt Strike 3.1


+ Fixed report generation issue with UTF-8 encoded characters.

+ SE Report now excludes campaigns with no delivered messages.

+ Spear Phishing tool now preserves base64 encoded parts with a Content-ID

+ Script Console e, x, and ? commands present errors in friendlier way.

2 Dec 15 – Cobalt Strike 3.1


+ Beacon help command complains when asked about a command that doesn’t exist

+ VNC server stage is now encoded

+ Bypass UAC on Windows 10 now takes steps to use an artifact that’s OK with

blocking DLL_PROCESS_ATTACH [not all techniques are OK with this].

+ Updated integrated mimikatz to 2.0 alpha 20151008

+ Added dcsync command to Beacon. Uses mimikatz to pull a hash from a DC. CS

parses its output and adds the credential to the creds model too.

+ Fixed null pointer exception when trying to save an edited listener.

+ mimikatz @module::command will force mimikatz to use beacon’s thread token

+ Download cancel now properly releases file handle in Beacon.

+ client now trims large data structures in the same way the team server does

+ Screenshot tool is now smarter. If user is idle, it returns one screenshot

every three minutes. If user is active, it will return one each check-in.

+ Session metadata is now in the Beacon logs on the team server.

+ CS now offers to direct user to team server documentation when they get a

Connection refused error.

+ Added headless option to run Aggressor Scripts. Use the agscript launcher

included with the Linux package.

+ Obfuscated Artifact Kit’s service entry point slightly.

+ DNS Beacon export option was not showing up in the stageless payload export

dialog if windows/beacon_dns/reverse_dns_txt was set as the listener. Fixed.

+ Scan dialog now complains if a Beacon session wasn’t selected.

+ Export Data and Sync Files features now mkdir folders that don’t exist.

+ Added check to prevent you from using CS with Java 1.6.

+ %TOKEN% is now replaced everywhere in phishing template, not just URL.

+ Added Export button to View -> Credentials. Exports creds in PWDump format

+ Fixed stager crash on exit after failure; caused by wrong byte order exitfunk

+ Added a sanity check for phishing target files w/ reversed email/name info

+ View -> Targets now has an import button. Imports: NMap XML & flat host files

+ IoC Report now only shows each hash once.

+ Fixed several bugs that could affect report generation.

+ Spear Phishing tool no longer strips attachments with a Content-ID header.

+ Added several APIs to Aggressor Script

+ DNS Stager now exits after all attempts exhausted (better than crashing)

24 Sept 15 – Cobalt Strike 3.0


+ Switched to the Aggressor project’s team server and client. Aggressor

was a long effort to rewrite Cobalt Strike’s team server and client without

the Armitage codebase and dependency on the Metasploit Framework. The

Aggressor project expanded Beacon’s post-exploitation capability and

re-aligns Cobalt Strike’s workflows around the Beacon payload.

+ psexec commands now query service before they shut it down. This fixes a

race condition that affected psexec’s success in some situations.

+ Beacon now acknowledges the exit command and a message is shown.

+ Team server now delivers very large Beacon taskings in chunks. Beacon has a

hard limit on taskings and this prevents large taskings (e.g., mimikatz sent

to 5+ different hosts) from crashing Beacon.

+ The sleep command in an SMB Beacon now sends the command up to the egress

Beacon to take effect.

+ psexec and friends tab complete target NetBIOS names from CS’s data model

+ Added port scanner and net [view] modules to Beacon.

+ Named pipe staging now aborts after 60s of attempts or an error 53.

+ Bypass UAC now works on Windows 10

+ Added a profile preview to the c2lint utility.

+ Updated Artifact Kit and Applet Kit to use Aggressor Script APIs to hook

into attack generation process.

12 Aug 15 – Cobalt Strike 2.5


+ Beacon’s lateral movement commands now show listener dialog when no

listener is specified.

+ Took steps to combat against Read Timeout errors during authentication

to team server.

– Updated YAML parser and other code to become compatible with Kali 2.0

– Console Queue now sets some options (e.g., TARGET) before it sets others

to avoid errors

29 Jul 15 – Cobalt Strike 2.5


+ Removed [beacon] -> Log Keystrokes menu. These options don’t make sense

now that keystroke logger injects into specific processes

+ Added make_token command to Beacon. Clones current access token to pass

username/password to remote systems. Requires admin access.

+ Added rm and mkdir commands to Beacon.

+ Added lateral movement commands to Beacon: psexec, psexec_psh, winrm,

and wmi. The psexec command uses a Service EXE from Artifact Kit. The

other options bootstrap a payload with PowerShell.

+ Replaced windows/beacon_smb/reverse_tcp with windows/beacon_smb/bind_pipe.

You may use this listener with Beacon’s lateral movement options. It will

stage the SMB Beacon over a named pipe (quite slick!). This listener is

also usable with other Beacon features (e.g., spawn, bypassuac, etc.)

+ Beacon now polls each SMB Beacon for data on checkin.

+ Backported Cobalt Strike 3.0’s SOCKS backend to 2.5.

+ Added rportfwd command to Beacon. This creates a reverse port forward (on

target) to catch connections and forward them to a host/server of your

choosing. The forwarded traffic/connections are tunneled through Beacon.

+ Added hta-psh to Attacks -> Packages -> Payload Generator. Uses MSF to

generate an HTML Application that bootstraps your payload with PowerShell

+ Browser Pivot dialog now shows processes on newer versions of Metasploit.

Newer versions of MSF omit the PPID column in Meterpreter’s ps output.

+ The PowerShell output for Windows Executable (S) is now much smaller!

+ Malleable C2 now allows escaping of quotes inside of strings #CommonSense

+ Added Malleable C2 options to import an SSL certificate for Beacon’s use

+ Added spawnas to Beacon to run a payload with the specified creds.

+ Beacon now uses CREATE_NEW_CONSOLE with cmd.exe/powershell.exe. This

fixes some weird situations where Beacon could not consume output from a

process created with a stolen token.

– Updated MsgPack library and code that uses it.

– Team server now authenticates client before exchanging serialized objects

21 May 15 – Cobalt Strike 2.4


+ Fixed a conflict with SMB Beacon pipenames due to random seed choice.

+ Added date stamp to View -> Web Log entries

+ Re-generated default Beacon HTTPS certificate with different parameters

+ Malleable C2 HTTPS certificate generation now uses different parameters

+ Slight refresh to the default artifact kit for executables and DLLs

10 Apr 15 – Cobalt Strike 2.4


+ Fixed ‘meterpreter’ command to tunnel Meterpreter through Beacon

+ Pressing cancel on the Set Note dialog for Beacon no longer clears note

+ Fixed mimikatz command with really long commands + arguments.

8 Apr 15 – Cobalt Strike 2.4


+ Added dllinject to Beacon. Injects a Reflective DLL into a process

– Sped up rendering of graph view on Windows and MacOS X.

+ Beacon now has a concept for long-running post exploitation jobs.

Use the jobs command to list jobs. Use the jobkill command to kill

a job. The keystroke logger, PowerShell tasks, and Command Shell tasks

now use this mechanism.

+ Keystroke logger now injects into an x86 or x64 process of your

choosing and reports keystrokes back to you.

+ Added hashdump command to Beacon

+ Integrated mimikatz into Beacon. Use wdigest to dump plaintext creds.

Use mimikatz [command] [args] to run an arbitrary mimikatz command.

+ Fixed Beacon’s internal types to allow working with large PIDs.

+ Revised VNC client -> server staging and connection process to

eliminate a layer of unnecessary tunneling and improve reliability.

+ Payload names in Listener dialog are now in alphabetical order. This

will mess with muscle memory for some of us. It’s for the best though

+ Added foreign listeners. These listeners are aliases for Meterpreter

or Beacon handlers managed elsewhere.

+ Added a sanity check for when an Applet Kit script can’t find its

jar resource.

+ Added PowerApplet to the Cobalt Strike Arsenal. This alternate

implementation of the Cobalt Strike Applet Attacks uses PowerShell

to inject a payload into memory.

– Made YAML parser more liberal with punctuation characters.

+ Fixed a malleable c2 bug that affected safebrowsing.profile

+ Improved c2lint utility with a few new checks and enhanced checks

+ Added another A/V bypass technique to the Artifact Kit.

+ Tweaked artifacts Cobalt Strike generates

+ Performed normal client-side database maintenance

22 Jan 15 – Cobalt Strike 2.3


+ Cobalt Strike now encodes Beacon’s DNS stage with a custom encoder.

+ kerberos_ticket_use with no arguments now prompts for file.

+ Staged Beacon’s PowerShell output is now x86/x64 PowerShell agnostic

+ Added Attacks -> Web Drive-by -> PowerShell Web Delivery.

– Fixed a repaint bug when removing last server button.

+ added runas command to Beacon.

+ Fix bug when prepend/append were used before base64/netbios encode in

Malleable C2 profiles.

+ Beacon now dynamically calls Wow64 disable/revert. This prevents a

crash when user tries to run powershell command on older XP systems.

+ c2lint now checks for a ? in URIs and warns user.

+ Beacon’s download command now gives feedback when it can’t open a file

+ Added pwd command to Beacon

20 Nov 14 – Cobalt Strike 2.2


– team server startup verifies default host is an IPv4 address.

– Prompt for default address is now more aggressive and continues to

ask until an address is put in. If a user hit cancel on this dialog,

threads to poll the database never get started. Bad day, for sure.

+ Rebuilt process to inject and connect to VNC server on target system.

New process is more likely to be ignored by host-based firewalls.

+ VNC client now uses a better visual cue for view-only, ctrl/alt lock

+ Vulnerability report now shows URLs for references from ZDI, MSB,


– Cobalt Strike now sends a keep-alive every 1-2mins over an idle team

server connection to combat disconnection by a NAT device

+ Beacon re-adds host to db if you remove its Beacon and it comes back.

+ Fixed Beacon replay attack counter 50-day roll over cycle.

+ c2lint now simulates impact of URL encode on parameters and mangled

binary data in headers when unit testing profiles.

+ Applet Kit shellcode injector now spawns a suspended process to

inject into.

+ Spear Phishing tool is better with more complicated message templates

+ Phishing preview no longer replaces links in plaintext preview that

would not be replaced in actual phish.

+ c2lint now checks length of useragent value

+ You may now tab complete file with kerberos_ticket_use in Beacon

+ Fixed (potential) deadlock with listener tab complete in Beacon

– Cobalt Strike client now shows disconnect message if it loses any

of its connections to the team server.

+ Added an ICMP channel to Covert VPN feature.

+ Fixed Covert VPN issue with encryption keys that contain null bytes

+ More small tweaks to the VBA macro.

Cortana Updates (for scripters)


– name field for hosts is now available.

30 Sept 14 – Cobalt Strike 2.1


+ Beacon’s powershell command always launches native arch PowerShell

+ powershell tab completion now tracks completeable cmdlets on a

beacon-by-beacon basis.

23 Sept 14 – Cobalt Strike 2.1


+ Beacons now use asymmetric cryptography to negotiate a unique

session key and authenticate with your Cobalt Strike instance.

– Added helper for SCRIPT option.

+ Added Malleable C2 options to customize SSL cert for HTTPS Beacon

+ You may now use PowerShell through Beacon. Use the powershell

command to evaluate a PowerShell expression. Use powershell-import

to import a script and make it available to the powershell command.

– Right-click a tab’s X button and use “Send to bottom” or Ctrl+B to

dock a tab to the bottom of the Cobalt Strike window. Use Ctrl+E to

to get rid of the docked tab.

+ Cobalt Strike’s web server now sends Content-Length when it’s known

+ Added file tab completion for some of Beacon’s commands.

+ Upload command now reports an error if Beacon can’t write the file

+ Rebuilt CovertVPN client as a Reflective DLL. This will make client

deployment more reliable.

+ Cobalt Strike -> Interfaces now auto-refreshes itself every second

+ Split Covert VPN TCP channel into Bind and Reverse options. Reverse

works as before and makes a connection to you. Bind uses a portfwd

to connect to VPN client through Meterpreter [in effect tunneling

frames through Meterpreter].

+ HTTP channel in Covert VPN now uses User-Agent from Malleable C2

– Added more YAML warnings to save heartache for custom installs

+ Added a user-driven attack: Attacks -> Packages -> HTML Application

+ Performed normal client-side database maintenance

– Database layer now uses core.version results to decide which MSF

data model to use.

– File tab completion (Beacon, Cortana console) better handles ~

+ Made a small tweak to the VBA macro.

+ Updated Firefox Add-on Attack launcher to work with MSF updates

+ Updated artifact kit build.sh to account for increased beacon size

Cortana Updates (for scripters)


– &credential_add, &credential_delete now take into account Metasloit

version (pre 4.10, post 4.10) and do the right thing.

18 Aug 14 – Cobalt Strike


– Added hard-coded database.yml path as fallback for Kali users

– Updated internal db.creds/db.creds2 calls to pull from new creds

model in database.

– [meterpreter] -> Access -> Dump Hashes -> wdigest uses sso post

module now. New creds model makes this better.

– Import option in View -> Credentials now works with new data model

16 Jul 14 – Cobalt Strike 2.0.49


+ Fixed SE PDF report generation bug when masked emails collided

– Command Shell experience on Windows Meterpreter is much better now

– Java Meterpreter may now interact with a bash shell

! Removed [host] -> Meterpreter -> Access -> Migrate Now! menu item

– Ctrl+Escape temporarily drops the timeout times for Meterpreter

commands to 5s, across the board. If a Meterpreter session appears

unresponsive, try this to force any hung commands to timeout

+ Listener dialog now complains if user leaves host field blank

+ Added ‘veil’ option to Payload Generator. Outputs shellcode in a

format suitable for use with Veil [as custom shellcode].

+ Added Malleable C&C – a domain specific language to re-define

indicators in Beacon. Now you can make Beacon look like whatever

you need for your mission needs. *pHEAR*

+ Add windows/beacon_https/reverse_https which is an HTTPS Beacon.

+ Added [host] -> Meterpreter -> Access -> Bypass UAC. Launches the

bypassuac_inject module w/ an Artifact Kit-made DLL for AV evasion

+ Fixed unicode issue with Website Clone Tool

– Cobalt Strike now warns when a team server is non-responsive by

making its server button purple. When the server is responsive again,

the button will turn back to its normal color. This requires that

you’re connected to multiple team servers.

+ Added kill and ps commands to Beacon

+ Listener dialog now complains if user tries to use multiple hosts in

host field.

+ Added kerberos_ticket_use and kerberos_ticket_purge commands to Beacon.

These commands allow you to inject a Kerberos ticket into the session

and purge it. Use with a Golden Ticket generated by Mimikatz 2.0.

+ Beacon’s inject, spawn, and bypassuac commands pop up a listener dialog

if no listener is specified.

– Windows EXE launcher for Cobalt Strike now finds 64-bit Java.

15 May 14 – Cobalt Strike 1.49


– Worked around invisible text selection bug with latest Java on Kali

13 May 14 – Cobalt Strike 1.49


+ Fixed Beacon HTTP Stager bug on Windows XP

+ Worked around VBA syntax error caused by stagers that are too long.

23 Apr 14 – Cobalt Strike 1.49 (NCCDC Edition)


– Keyboard shortcuts to change text size now work in table view

+ Browser Pivoting now uses a self-signed cert that expires in 10 years

+ Added ability to assign a non-persistent note to a Beacon

– Added Copy button to View -> Creds

+ Beacon’s process injection now falls back to APC Queue process injection

technique when CreateRemoteThread fails.

+ Listeners dialog now complains if you try to use an out-of-range port

+ Beacon DNS processor now lowercases all requests.

+ Beacon’s HTTP stager now prompts user for proxy creds when proxy

authentication fails. This prompt is the same one Internet Explorer uses.

– Services tab right-click menu now has options to edit a service’s info

– YAML parser now gives better errors and forgives errant whitespace

– CS now intercepts shell command with arguments and spawns a command shell.

+ Beacon socks command prints an error if it can’t bind the requested port

+ [beacon] -> Sleep menu now lets you specify a jitter factor.

+ Beacon’s ‘meterpreter’ command now automatically changes the sleep time to

something interactive.

+ Windows Executable (S) Package now has raw and PowerShell output

+ Fixed a bug that broke features when a custom Artifact Kit is loaded

– Logging now deals with IPv6 addresses better for Windows users

– Launching psexec at 4+ hosts will no longer open a tab for each host

– Cobalt Strike no longer allows two buttons with the same name in its team

server button bar.

+ Listeners dialog now warns when Beacon hosts/domains list is too long

+ Beacon’s spawn and meterpreter commands now create processes in a

suspended state and inject into rundll32.exe by default.

+ Beacon’s spawn and meterpreter commands no longer use the impersonated

token to create the process to inject code into. This change reduces

“surprises” for you and gives you the flexibility to steal a token or

getsystem from the new session

Cortana Updates (for scripters)


– Added &script_load to load a script (as if the user did this)

– Added &script_unload to unload a script

13 Mar 14 – Cobalt Strike 1.48 (NECCDC Edition)


+ PsExec now waits longer for a session

+ Added timestomp command to Beacon

+ Beacon’s bypassuac now waits up to 10s for privileged file copy to complete

+ Beacon’s ‘meterpreter’ command now checks for a pivot that could interfere

with staging meterpreter through Beacon and presents a warning about it.

– Added Ctrl+L to quickly add an entry to timeline.[xml|tsv] (exported

through View -> Reporting -> Export Data)

+ Added Attacks -> Packages -> Windows Executable (S) to export a staged

Beacon as a DLL or executable.

– Added osx-app to Output: type for payloads. Outputs a zipped MacOS X

app archive.

+ Auto-Exploit Server now uses MSF’s HTTP stager for Beacons. The custom stager

is too big for most of MSF’s client-side attacks.

– Scrubbed Cobalt Strike to eliminate unnecessary blocking calls from Sleep

source code. This improves Cobalt Strike’s responsiveness and takes away

many opportunities for deadlock.

– Sync Files for Loot and Downloads is now much better with large files

+ Beacon now warns you when you try to upload a file bigger than its 1MB limit

– Cobalt Strike now properly notifies you when you lose a connection to a

team server. This was probably a long time coming.

27 Feb 14 – Cobalt Strike 1.48


+ Beacon now reports Windows 8.1 correctly.

+ Beacon’s interactive mode (sleep 0) is now 10-100ms delay between requests

+ Windows Dropper attack now uses a language-neutral method to determine

Documents folder to write dropped file to.

+ Beacon’s Task URL command now uses EXITFUNC of process to prevent metasploit

generated shellcode from crashing after executed program closes.

+ Worked around known Java bug that prevents Spear Phishing HTML Preview from

displaying text when a META tag is present.

+ Added Pivot Listeners–a listener that calls home through an existing

Meterpreter session. Go to [host] -> Meterpreter -> Pivoting -> Listener…

+ Added WebRTC IP address decloak to System Profiler. Based on technique at:


+ Beacon’s ‘meterpreter’ command now uses bind_tcp shellcode that binds to explicitly. This will prevent some host firewall warnings.

+ Modified MSF’s HTTP stager to specify a User-Agent. This is necessary to

get through proxies that whitelist browsers. This modified stager is used

to stage Beacon via Social Engineering Packages and when you task a Beacon

to spawn a new Beacon for you.

+ Added Attacks -> Packages -> Payload Generator to output sourcecode or an

artifact to deliver a Cobalt Strike payload to a host.

+ Added windows/beacon_smb/reverse_tcp payload to listeners dialog. This

will deliver a Beacon peer to a host (staged over a reverse TCP connection).

You must have an HTTP or DNS Beacon setup before you create this listener.

+ Beacon SMB (reverse_tcp/bind_tcp) now kills the socket used to stage it.

+ Beacon now obfuscates session metadata better.

+ Added several commands for privilege escalation and token stealing to

Beacon: steal_token, getuid, rev2self, getsystem, and bypassuac. This change

gets one entry in this log but it was a lot of added grey hair to pull off

+ Beacons tab now shows a * next to user to indicate Beacon is run as admin

+ Type upload[enter] in a Beacon to immediately see a file chooser dialog

– Windows opened by Ctrl+W now show the proper application icon.

– Cobalt Strike now uses a JFrame to display its dialogs. This will give each

window its own button in the taskbar regardless of window manager.

+ Beacon’s inject and spawn commands will now deliver a DNS Beacon over DNS

[just use spawn [listener] (DNS)]

+ Took steps to suppress “host called home” messages in Beacon console for

data relayed through a P2P link/SOCKS pivot.

+ Beacon auto-migrate now spawns a process that isn’t notepad.exe 😉

8 Jan 14 – Cobalt Strike 1.48


+ You may now assign a host on a per listener basis. Useful if you’d like a

listener to call home to a FQDN, an IPv6 host, or a hop point.

+ Added “shell (connect to target)” to PsExec dialogs.

+ Spear Phishing Preview now renders HTML and Plain Text previews of message

+ System Profiler is now compatible with IE11 and it detects Windows 8.1

+ Added an option to disable Java Applet with System Profiler. This will pull

less information, but it also prevents click-to-run raising suspicion

+ Attacks -> Packages -> Windows EXE now generates an x86 EXE, x86 DLL,

x86 Service EXE, and an x64 DLL. These artifacts are generated by Cobalt

Strike. Source code to this Artifact Kit is in the Cobalt Strike arsenal.

+ Added Attacks -> Packages -> Windows Dropper. This package drops a document

to disk and opens it, while silently executing a payload.

+ Ported MSF’s MS Office Macro Attack to Cobalt Strike with a few enhancements.

Updated Office Macro now intelligently spawns payload into an x86 process–

allowing the same macro to work when run on x86 or x64 Office. This also

keeps your session safe if the user closes Office before you can migrate.

! Removed Attacks -> Packages -> Adobe PDF. This feature references a

Metasploit Framework module that is no longer very useful.

! Removed Attacks -> Packages -> MacOS X Trojan. This one was my fault.

+ Cobalt Strike now uses Artifact Kit to generate executables for its lateral

movement dialogs. [host] -> Login -> psexec and psexec (token)

– Cobalt Strike.app for MacOS X now works with Oracle’s Java 1.7

+ Added Microsoft Silverlight detection to the System Profiler

+ Updated client-side attack database with the latest and greatest

– Cobalt Strike console is now a mouse hot spot. Right-click a host in the

console to see its menu. Click a module to open the module’s launcher

– Cobalt Strike module launch console ignores false meterpreter prompt from

msfrpcd after a successful exploit job is run. This work-around isn’t

perfect but it’s much better than doing nothing.

– hashdump and wdigest menus now add usernames with spaces to creds table

+ Attacks -> Web Drive-by -> Firefox Add-on now uses Artifact Kit to generate

an executable for its payload.

– IPv6 reverse sessions now associate with their host properly.

+ Added [listener] -> Debug… to restart a listener in a console where you

can directly observe its output (and error messages)

+ Removed Set LHOST from View -> Beacons. Since LHOST no longer affects

the listener callback address–it made sense to do this.

+ Cobalt Strike web server now uses proper MIME types for MS Office 2007 docs

21 Nov 13 – Cobalt Strike 1.48


– Missing MSF_DATABASE_CONFIG error now gives troubleshooting steps too

– Added another check to detect and correct a corrupt module cache

– [host] -> Operating System -> Firewall works again.

+ Browser Pivoting now supports 64-bit Internet Explorer

+ Added peer-to-peer communication to Beacon. Use ‘mode smb’ to put turn a

Beacon into a peer node. Use ‘link [ip address]’ to link a Beacon to a

peer. You may recursively link peers as well.

+ Beacon DNS C2 is now more robust.

+ Default port for MSF exploits in auto-exploit server is now 8080

+ Reporting Engine now links ZDI advisories

– You can now set PAYLOAD for windows/local/wmi exploit

+ Added [host] -> Login -> psexec (token+psh) to run current_user_psexec with

the PowerShell injection technique.

+ Added [host] -> Login -> wmi (token+psh) to run windows/local/wmi with the

PowerShell injection techniques. WMI is another option for lateral movement

+ Beacon checkin command now displays output stating the task was added

+ Beacon console now logs to a separate file for each beacon

+ Browser Pivoting now shows output/errors from reflective DLL injection step

+ Updated client-side attack database

+ Listener “sanity check” feature now gives the old non-HTTP listener more time

to close before warning that the listener may fail.

+ PsExec windows/meterpreter/bind_tcp payload option now encodes second stage

– Default meterpreter/reverse_tcp listener now encodes its second stage

+ Browser Pivoting can now connect to sites on non-standard ports

+ Added a check to prevent user from creating multiple beacon listeners on one

Cobalt Strike instance.

+ Added Permissions and Application-Name to Signed Java Applet manifest. This

supresses a big warning on the latest version of Java 1.7

+ Some PsExec options show ‘beacon (connect to target)’ as a listener option.

This will deliver Beacon setup as a peer. Link to it from another Beacon.

+ Beacon now times out WinINet requests after 4 minutes. If something traumatic

happens to your poor Beacon, you’ll get it back in 4 minutes. This is better

than the WinINet default of 60 minutes.

+ Beacon now automatically checks in when a file download is in progress.

26 Sept 13 – Cobalt Strike 1.47


– Fixed webcam selection logic that I broke last update.

+ Adjusted max RPC messages/second to 200 (from 20). This mitigates a message

backlog from multiple interactive beacons.

+ Beacon’s ‘meterpreter’ command now initiates a connection to localhost

(tunneled through Beacon, of course) instead of the host’s known external

address. This makes a session more likely to happen in most cases.

– Added a helper for PATH option

+ System Profiler now translates internal host -> unknown. If you

use this information to determine if an applet ran, look in the web log.

The System Profiler will report a note to state that this change happened.

+ Added CVE-2013-2465 to Smart Applet Attack. This expands the Smart Applet

Attack coverage to users with Java 1.6.0_45 or earlier.

– Java 1.6 is no longer a supported environment to run Cobalt Strike. Added

a warning message to indicate as much.

+ Added Browser Pivoting to Cobalt Strike. A Browser Pivot is a proxy server

that fulfills requests with a target’s browser (Internet Explorer 32-bit

only). This setup convienently inherits the user’s cookies, HTTP

authenticated sites, and client-SSL certificates too. To set it up:

[host] -> Meterpreter -> Explore -> Browser Pivot

+ System Profiler now detects MS Office in some cases.

– Connect dialog now masks the password field.

+ Updated client-side attack database with new additions

– Cobalt Strike no longer allows you to start msfrpcd on Windows. It shows an

error stating that you need to connect to a team server on Linux.

– Fixed a potential deadlock when opening a module launcher dialog.

+ Small changes to make the applet kit more robust.

+ Cobalt Strike now performs sanity checks when starting a listener. If a port

is bound, Cobalt Strike will notify you.

21 Aug 13 – Cobalt Strike 1.47


– Fixed a potential deadlock when updating the host display

– Updated multiplexing code to be compatible with enumdesktops command

– Updated multiplexing code to be compatible with webcam_list command

– You may now choose which camera to take a Webcam Shot from

– Close button now shows w/ Cobalt Strike dialogs on Kali Linux.

– Module Launcher dialog is now always active when opened.

– EXE::Custom is no longer treated as an advanced option. When available it’s

always present for you to modify in a module.

– Meterpreter -> Access -> Persistence now uses the local exploit module

(default settings now work without tweaks too)

– Meterpreter -> Access -> Pass Session and Process -> Inject now use the

payload_inject local exploit module.

– Added Meterpreter -> Access -> Dump Hashes -> wdigest to run mimikatz’s

wdigest command, to retrieve plaintext creds.

– Cobalt Strike now uses a better method to shuttle files to team server and

notify you of the progress of this action.

+ Added [host] -> Login -> psexec (psh) to run PsExec with PowerShell module

+ Added a Help button to psexec dialogs.

+ Added ‘meterpreter’ command to Beacon–spawns a Meterpreter session that

tunnels through Beacon’s C2 channel.

– Made multiplexing code smarter about load and use commands.

+ Beacon stage encoding process now has a much higher timeout. On slower

systems, the encoding process could exceed this timeout.

+ Added ability to specify a jitter factor with Beacon’s sleep command. The

jitter factor is a random percentage for Beacon to vary its sleep time with

+ Beacon download command now sends files, one piece with each checkin

– Added a check to detect a corrupt module cache and clean it. If you see a

message asking you to restart the Metasploit Framework… please heed it.

– Added ANSI color markup to Cobalt Strike’s console output. It’s less scary

than the default messages and it’s nicer to look at.

– Added cmd/unix/reverse to payload selection logic.

+ Java Applet attacks now take steps to prevent loading injector DLL twice.

+ Java Applet attacks now inject shellcode on Windows 64bit JVMs too.

+ Added CVE-2013-2460 to Cobalt Strike’s Smart Applet Attack

+ Auto-exploit server eliminates “smart applet” attack if system profiler did

not IP address through Java applet (indicating that applets don’t auto run)

+ System Profiler now annotates 64-bit Windows and Internet Explorer

+ Added an option to mask email addresses in the social engineering report

+ Added an option to mask passwords in the hosts report

– Updated the payload output formats to match what’s now possible in MSF

+ Fixed bug that sometimes prevented profiler associating info w/ phished user

+ Renamed Beacon -> Download to Beacon -> Task URL

+ Beacon’s DNS C2 now recovers from a failed conversation more quickly

+ Beacon SOCKS Proxy capability is now faster and more robust

+ Cobalt Strike Listeners feature now uses a different encoder for the second

stage of Meterpreter.

– [host] -> Login options set DB_ALL_CREDS to false.

9 Jul 13 – Cobalt Strike 1.46


+ System profiler now uses a fallback measure to detect Java and report its

version information to you. Necessary for latest IE10 update.

+ Beacon will no longer attempt to report keystrokes if it could not make a

GET request to checkin. This prevents logged keystrokes from getting lost

if one of your checkin domains is blocked or otherwise unavailable.

+ Added pivoting capability to Beacon. Use “socks [port]” to start a SOCKS4a

proxy server that relays traffic through the Beacon instance. This works

regardless of the type of Beacon or communication strategy in use. Use

“socks stop” to stop the proxy server for that Beacon.

+ Added checkin command to ask Beacon to connect to you and dump keystrokes.

This command is necessary as the DNS Beacon does not connect to you unless

one or more tasks are waiting for it.

+ HTTP Beacon now sends output after task execution as a single POST request.

+ Added ‘mode dns-txt’ to Beacon. This sets the Beacon data channel to use

DNS TXT records. This mode transmits ~189 bytes per request versus 4 bytes

per request with ‘mode dns’ which uses DNS A records.

+ Increased Beacon DNS data channel output throughput to 84 bytes/request. Up

from 28 bytes/request. This output method is used with both DNS channels.

+ Fixed a race that could prevent generation of Beacon stage when setting up

the listener.

+ Fixed Beacon key generation bug. Some bytes in the key could end up null.

When this happened, you’d get a non-responsive Beacon (e.g., it will always

seem to “die” after a task). This is fixed. If you’ve see this behavior,

you’ll need to force Cobalt Strike to generate a new key. To do so, stop

Cobalt Strike and change to the folder you normally start Cobalt Strike

from and type:

rm -f .cobaltstrike.beacon

+ Updated client-side attack database with new additions

+ Website Clone Tool now follows 301 (permanent) redirects

– Removed sunrpc and dcerpc modules from MSF Scans feature

+ quick-msf-setup’s Git option is now based on DarkOperator’s msf_install.sh

script. The updater script now updates quick-msf-setup as well.

6 Jun 13 – Cobalt Strike 1.46


+ Added Login -> ssh (key) to let you login to a host with an SSH key file

or select from a key that worked previously.

+ Added a helper to KEY_FILE to let you select from a known-working SSH key

or specify one to upload.

– Added vmauthd to the Login menu

+ Fixed Beacon’s “automatically migrate option”

+ Spear Phish dialog now warns on missing or incomplete parameters again.

– Increased the number of modules run in response to services found during

a sweep with the MSF Scans feature.

– Attack menu attached to host now splits menus up if there are more than

10 items. This will help with the webapp and http menus.

+ Beacon no longer gets confused when a hostname or username contain

whitespace. I’m now using a better separator for metadata sent to it.

+ Fixed bug preventing Beacon upload from triggering a task request

+ Added DNS as a data channel to Beacon. This option is designed as a way

to control Beacon when it can’t communicate with you over HTTP. Deploy

the DNS Beacon like normal. Type ‘mode dns’ in the Beacon console to

switch its communication scheme to use DNS. This mode can both transmit

and receive data.

+ Cobalt Strike now enables second stage encoding for Windows listeners it

manages through Cobalt Strike -> Listeners.

+ Added option to stage DNS Beacon over DNS. This option is available with

certain Cobalt Strike attack packages. Select “listener name (DNS)” to

have Cobalt Strike stage the listener over DNS.

+ Added random send delay option to the spear phishing tool. Click … next

to the Mail Server field. Specify the number of seconds to delay to.

+ Spear phishing tool now ignores extra whitespace in targets file

– Added a menu to mark a host as a firewall

+ slight tweak to the Smart Applet attack (arsenal source updated too)

– Added a type-fix hack for MsgPack Long types

Cortana Updates (for scripters)


– Updated &log_resource to account for new log folder layout scheme that

involves a description of the current Armitage server

– Fixed a potential argument corruption bug with filters

9 May 13 – Cobalt Strike 1.46


+ Fixed data correction issue that could prevent reports from generating

+ Improved formatting of vulnerability description information in reports

– Attacks -> Hail Mary now asks you to confirm the action.

– Fixed a potential table view sorting issue.

+ Added a check to auto-ex server to make sure a listener is defined

+ Updated client-side attack database

– Changed how some tables are updated to minimize blocking of other tasks.

This should make UI feel snappier in many cases.

– Credential helper now shows credentials from all servers that you’re

connected to.

– Updated multiplexing code to be compatible with mimikatz extension’s

output scheme.

– Meterpreter upload command (with no arguments) now prompts for a file.

This file will be bounced to team server (if one is present) and

uploaded to the target for you.

+ Auto-exploit Server now works with listeners defined on another Cobalt

Strike team server.

– Cred tables no longer show SSH keys (since they’re not actionable in

these contexts yet…)

10 Apr 13 – Cobalt Strike 1.45


+ Beacon now uses a random filename for files to download/execute. This

works around a problem where subsequent download/execute taskings fail

because the first downloaded file (with the same name) is still running

– The correct OS icon is now shown for Windows 2012 Server.

– Added an Inject button to the Process Explorer

+ VNC Viewer starts view-only by default. Untoggle the spy button to

assume control of the target’s desktop

+ Added ‘spawnto’ command to Beacon. This command gives you control over

which program Beacon will spawn to inject shellcode inside of.

+ Added checks to prevent a user from defining a listener with incomplete


– Event log now shows date with timestamp

+ Many fixes to report generation when connected to multiple team servers.

– Messages to your nick in the event log are now highlighted

20 Mar 13 – Cobalt Strike 1.45


– Jobs dialog now queries job info in a separate thread context,

stopping it from locking up your Cobalt Strike instance.

– Fixed console queue display bug when a required option has no setting

– Hashdump -> lsass method now pops open a Meterpreter tab and shows

its progress. Should help when there’s a lot of hashes coming back.

– Hail Mary attack now gives better feedback about what it’s doing

+ Beacon now has a 1MB limit on its output.

+ Fixed a potential memory leak in Beacon (in the output posting)

+ Beacon now uses a different User-Agent string each run

+ Added an upload command to Beacon (to upload files).

+ Added a download command to Beacon. [And renamed the download+exec

command to task].

– Fixed blank line showing when a host label exists and a session w/o

any information is associated with the host.

+ Listener dialog now refreshes when updating LHOST

+ Added an execute command to Beacon. This will run a program without

posting output back to you.

Cortana Updates (for scripters)


– Added work-around to prevent &psexec failing due to Ruby complaining

about incompatible encodings.

6 Mar 13 – Cobalt Strike 1.45


+ Updated quick-msf-setup script to pull framework source code via Git.

+ Spear phishing Preview button works in team server mode again.

+ Updated Beacon to auto-dump keystrokes with each beacon home.

+ Updated HTTP Beacon to change its signature profile.

+ Beacon domains now show in Cobalt Strike -> Listeners table.

– Active console now gets higher priority when polling msf for output

– Improved team server responsiveness in high latency situations by

creating additional connections to server to balance messages over

+ Updated Web Drive-by -> Manage to allow stopping multiple sites at once

+ Performed client-side db maintenance

+ Added a helper to set URL option from Cobalt Strike hosted stuff.

– Preferences are now shared among each Cobalt Strike connection.

+ Website clone tool no longer validates SSL cert for HTTPs cloned sites

6 Mar 13 (2000h)


+ Fixed a null pointer warning when starting the team server.

Cortana Updates (for scripters)


– Added a &publish, &query, &subscribe API to allow inter-script

communication across the team server.

– Added &table_update to set the contents of a table tab without

disturbing the highlighted rows.

– Added an exec_error event. Fired when &m_exec or &m_exec_local fail

due to an error reported by meterpreter.

– Fixed a bug that sometimes caused session_sync to fire twice (boo!)

– Added a 60s timeout to &s_cmd commands. Cortana will give a shell

command 60s to execute. If it doesn’t finish in that time, Cortana

will release the lock on the shell so the user can control it.

(ideally, this shouldn’t happen… this is a safety mechanism)

– Changed Meterpreter command timeout to 2m from 12s. This is because

https meterpreter might not checkin for up to 60s, if it’s been

idle for a long time. This will make &m_cmd less likely to timeout

12 Feb 13 – Cobalt Strike 1.45


– Fixed RPC call cache corruption in team server mode. This bug could lead

to some exploits defaulting to a shell payload when meterpreter was

a possibility.

– Slight optimization to some DB queries. I no longer pull unused

fields making the query marginally faster. Team server is more

efficient too as changes to unused fields won’t force data (re)sync.

– Hosts -> Clear Database now clears host labels.

– Cobalt Strike listener dialogs now size columns properly.

– Added the ability to manage multiple team server instances through

Cobalt Strike. Go to Cobalt Strike -> New Connection to connect to

another server. A button bar will appear that allows you to switch

active Cobalt Strike connections.

– Credentials available across instances are pooled when using

the [host] -> Login menu and the credential helper.

+ Listeners across instances are pooled in the listener select

dialogs. You may seamlessly launch exploits from one instance

and have sessions show up in another instance. It’s also easy

to pass sessions between instances and task beacons to send

active sessions to other instances.

+ Cobalt Strike hosted sites are pooled across instances too.

+ Cobalt Strike’s reporting engine merges data across instances

before generating a report for you.

You may now pen test through many points of presence and use

Cobalt Strike’s reports to help tell the full story.

+ Pressing Cancel on a Save dialog will now cancel the action.

+ Performed regular maintenance of client-side attack database.

– Rewrote the event log management code in the team server

– Added nickname tab completion to event log window

+ Spear phishing tool now sends phishes from the team server. Now that you

can connect to multiple Cobalt Strike servers, it makes sense to do this.

+ Revamped spear phishing tool output

– Hosts -> Clear Database now asks you to confirm the action.

+ Hosts -> Clear Database stops all listeners before dropping the database

– Hosts -> Import Hosts announces successful import to event log again.

+ Obfuscated Smart Applet attack

+ Beacon staging no longer shows in Social Engineering report

+ Updated hosts report generation process to use all possible host icons

28 Jan 13 – Cobalt Strike 1.45


– Added helpers to set EXE::Custom and EXE::Template options.

– Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts

– Cleaned up Cobalt Strike -> SOCKS Proxy job management code. The code

to check if a proxy server is up was deadlock prone. Removed it.

– Starting SOCKS Proxy module now opens a tab displaying the module

start process. An event is posted to the event log too.

– Created an option helper to select credentials for SMBUser, SMBPass,


– Added a feature to label hosts. A label will show up in its own column

in table view or below all info in graph view. Any team member may

change a label through [host] -> host -> Set Label. You may also use

dynamic workspaces to show hosts with certain labels attached.

– Fixed bad things happening when connecting Cobalt Strike to ‘localhost’

and not ‘’.

+ System profiler now auto-redirects a visitor after 20s if no profile

is returned. Moved up from 5s.

+ Fixed a bad merge that took away the Login -> psexec (token) menu

+ File hosting feature now works in teamserver mode again. Moved file

verification logic to the server where it belongs.

+ Ported the CVE-2013-0422 (java_jre17_jmxbean) exploit to the Smart

Applet attack. This attack is also available to the auto-exploit server.

+ Fixed a potential deadlock condition with the Beacon viewer.

– Cobalt Strike now centers screenshots/webcam shots in their tab

+ Added a VNC Viewer to Cobalt Strike. [host] -> Meterpreter -> Interact

-> Desktop (VNC) will now open a tab with the user’s desktop.

– Added an alternate .bat file to start msfrpcd on Windows in the

Metasploit 4.5 installer’s environment. *cough* Remember using Cobalt

Strike to connect to the Framework on Windows is not supported. *cough*

– Added a color-style for [!] warning messages

+ Mitigated race condition that stopped Beacon listeners from restarting

when connected to a team server.

+ Fixed Beacon -> Download menu. It now properly tasks highlighted items.

Cortana Updates (for scripters)


– &handler function now works as advertised.

– Cortana functions now avoid core.setg

2 Jan 13 – Cobalt Strike 1.45


– Set postgres_payload exploits to use a reverse payload by default

+ Updated JavaScript keystroke logger to work with IE9 and later. Also

fixed a regression preventing it from working in IE in general.

+ Added Cobalt Strike Java Attacks. The Signed Applet Attack option is a

simple self-signed applet. The Smart Applet Attack attempts to disable the

Java Security Sandbox using an exploit. Both options are available under

the Attacks -> Web Drive-by menu.

These Java Attacks use a Cobalt Strike Java Injector Payload. This payload

accepts both a Windows and Java listener. You don’t want to lose a shell

when a MacOS X user visits your Windows attack, right? The payload injects

shellcode into memory on Windows and dynamically links Java meterpreter for

other operating systems.

Source code, build files, and a Cortana script to integrate changes to the

applet attacks are available in the Cobalt Strike Arsenal. Help -> Arsenal

+ Major overhaul to the Cobalt Strike Auto Exploit feature. This went from

being a neglected feature to the most cutting edge exploit guidance system

outside of the crime kit universe. The Auto Exploit feature now shares

code with the system profiler and uses this information to zap visitors

with the right exploit. The new Auto Exploit feature also takes advantage of

the Cobalt Strike-hosted Java attacks.

+ Added a data sanitization pass to the reporting engine. Prevents

non-printable characters from disrupting the report generation process.

+ The Applications portion of the Social Engineering reports now sorts the

applications and removes duplicate entries.

+ The SE report now puts a page break between the end of the Campaigns section

and the beginning of the Users section.

+ Fixed “incompatible character encodings: ASCII-8BIT and UTF-8” exceptions

caused by my use of the core.setg RPC-call in Beacon’s UI. This RPC call

leaks improperly encoded stuff into Metasploit’s global datastore.


12 Dec 12 – Cobalt Strike 1.45


+ Beacon’s spawn command now creates a separate process to inject

shellcode into. This way a failure in the shellcode will not cause

Beacon process to exit.

+ Beacon download command now uses payload/windows/download_exec module

+ Added a keystroke logger to Beacon. Use:

keylogger start – to start the keylogger

keylogger – to dump collected keystrokes

keylogger stop – to stop the keylogger and dump keystrokes.

Beacon must live inside of a process associated with the desktop and

user you want to log keystrokes for.

+ Added inject command to Beacon. Use this to spawn a session by injecting

shellcode into a specific process id.

+ View -> Beacons table now properly sorts its columns when you ask it to

– Added a helper to set REXE option

+ Web Drive-by -> Host File now complains if file does not exist

+ Performed normal client-side database maintenance

+ Website clone tool now uses an MSIE user agent, instead of the Java one.

+ Website clone tool detects empty cloned site results and shows an error.

It then instructs you to try the HTTPS version of the URL. Java’s URL

library will not follow a redirect from one protocol to another.

+ System Profiler now detects and reports Windows 8

+ System Profiler’s local IP address detection is much more reliable now

– Added Windows 8 icon

+ Cobalt Strike now starts persistent listers *after* it determines local

IP address. This is important as the meterpreter reverse_http[s] payloads

need to be bound to a specific LHOST to work.

– [host] -> Login menu is now built using open services for all highlighted

hosts, not just the first one.

– [host] -> Login items now escape punctuation characters in passwords

before passing them to a framework module.

+ PDF reports properly wordwrap password hashes and other long strings again

Cortana Updates (for scripters)


– &credential_add and &credential_delete no longer break when a password has

creative punctuation in it.

26 Nov 12 – Cobalt Strike 1.44


+ Added support for some SMTP authentication schemes to Cobalt Strike’s

spear phishing tool. You may also connect to an SSL enabled SMTP

server too. Special thanks to Allen Harper who provided infrastructure

to test all of this against.

+ Spear phishing tool now strips more headers from template messages

+ Editing Targets field in spear phish dialog no longer locks up for

several seconds when the value of the field is a folder.

+ Updated client-side attack database (regular maintenance…)

+ You may now export Cobalt Strike reports as MS Word documents. *pHEAR*

– add_user and add_[local]group_user now show all of their output when

the -h flag is used to operate on a remote host.

– added a Delete menu to creds table. Right-click a cred to delete it

+ Added an import button to the creds viewer to quickly add credentials

+ Fixed a bug that caused Vulnerability report export to fail when a

vuln had no associated references.

+ Hosts report no longer shows vulnerability description twice (this

would happen when the same vulnerability was exploited against two

or more ports listening with the vulnerable service).

+ Multiple cosmetic improvements to the display of vulnerabilities in

hosts and vulnerability reports.

Cortana Updates (for scripters)


– aliased &data_delete to &data_clear to match the documentation.

– &file_get, &loot_get, and &file_content no longer delete the remote

file when connected to a teamserver.

8 Nov 12 – Cobalt Strike 1.44


– Windows command shell tab is now friendlier to commands that prompt

for input (e.g., time command)

– [host] -> Meterpreter -> Access -> Escalate Privileges now shows all

the framework’s new exploit/windows/local modules too

– [host] -> Shell -> Post Modules now shows the framework’s unix/local

and exploit/linux/local modules

– Added Ctrl+I shortcut. Lets you choose a session to interact with.

– Added Steal Token button to Processes dialog.

– Cobalt Strike now requests a non-expiring token after connecting to

msfrpcd. This makes your connection to msfrpcd more robust.

+ Cobalt Strike psexec dialog now lets you choose one of your configured

Cobalt Strike reverse listeners

+ You may now select a custom executable in both psexec dialogs

+ Added Help -> Arsenal which will take you to the Cobalt Strike arsenal.

The Cobalt Strike arsenal will contain scripts to aid your penetration

testing process. These features will only be available to licensed

Cobalt Strike users (usually with full source code too).

The first arsenal item is topaz, a script to embed shellcode into an

anti-virus bypass executable. Topaz will intercept module launches (such as

psexec and current_user_psexec), generate a new executable, and use the

new executable with the module.

Full source code to topaz is available. You may use it as-is, modify

it to pass other products, or use it as a template to make your AV

bypass executable work with Cobalt Strike.


16 Oct 12 – Cobalt Strike 1.44


– Added port 5985 to Scan feature port list.

– Meterpreter -> Access -> Persistence sets ACTION option for you

– Changed how LHOST and LPORT are set globally to prevent Ruby

character encoding conversion error in the framework.

+ Fixed a potential deadlock in the listener management dialogs

+ You can now use Beacon to spawn a Beacon.

– Log Keystrokes, Persist, and Pass Session now use a new thread to

query module information.

+ Beacon last callback time is now computed on team server. Prevents

whackiness when client’s have different time value from server.

– Cobalt Strike now shows URL/folder in a popup dialog when trying to

open a file/URL on a desktop where Java’s JDesktop is not supported

– Check all credentials option now filters duplicate entries.

– Exploit payload selection now selects cmd/unix/interact when required

– Explore -> Processes works with Java Meterpreter again.

+ Beacon callback events are now suppressed from reports and logs

– MSF Scans feature now runs http_version against port 443

27 Sept 12 – Cobalt Strike 1.44


+ Added Beacon management feature. Beacon is a Cobalt Strike payload

that periodically phones home to request taskings. Beacon will check

task availability over HTTP or DNS.

To start Beacon listener, go to Cobalt Strike -> Listeners.

Go to View -> Beacons to see activity and task beacons.

Use Beacon like any other reverse listener. Embed it in social

engineering packages, use it with client-side attacks, etc.

+ Updated client-side database

+ Cobalt Strike only shows token passing dialog if current_user_psexec

module exists (for 4.4-release compatability)

5 Sept 12 – Cobalt Strike 1.44


+ Added CovertVPN feature. CovertVPN is a Windows client that provides

the Cobalt Strike host with a virtual interface on a target’s network.

CovertVPN is able to relay raw frames over a TCP, UDP, or HTTP channel.

To use it:

[host] -> Meterpreter -> Pivoting -> Deploy VPN

+ Added a helper for INTERFACE option to select a CovertVPN interface

– Setup dialog now trims host, port, user, and pass fields.

– Cobalt Strike now complains when it can’t write to your preferences file

(versus just hanging without a real error message)

– View -> Jobs now queries jobs in a thread outside of UI thread

– Tab completion now uses a separate thread to call into the RPC server.

This prevents a deadlock if server is not responding.

– Login -> psexec now shows when 445 is open on a Windows machine. The old

criteria was too restrictive.

– Added a helper to set Wordlist option

+ Updated client-side exploit database with two new exploits

+ Added help button to Cobalt Strike -> Scripts

– Cobalt Strike now sets a random LPORT for non-exploit modules with an

LPORT option (e.g., post modules that do priv escalation)

– Cobalt Strike now shows an error if it can’t open a Windows command shell

– Steal Token dialog now uses incognito module to get token data instead of

the MSF post module. This is more reliable.

– current_user_psexec module now allows you to set the payload options

+ Added [host] -> Login -> psexec (token) to use a stolen token to psexec

into all highlighted hosts.

Cortana Updates (for scripters)


– added an eventlog popup hook

16 Aug 12 – Cobalt Strike 1.44


– Dynamic workspaces now removes closed services from its set of

hosts matching certain open ports.

– Cortana console now reports a clear error message a built-in

command is executed without the right number of arguments.

– Added host icons for Android and iOS. You may now set these

operating systems by going to [host] -> Host -> Operating System

– Cobalt Strike now shows the client-side exploit dialog for exploits

that do not target an RHOST (for example, windows/smb/smb_relay)

– Added support for remote exploits that use RHOSTS over RHOST

(this includes the new windows/local/current_user_psexec)

– Added a helper for setting the SESSION option

+ Added preferences for customizing Cobalt Strike reports:

* reporting.accent.color

the color of links and the solid bar below the header image

* reporting.header_image.file

an 1192x257px/300dpi header image for your reports

+ Added a helper to set file preferences

+ System Profiler now reports Apple iOS and Android operating systems

+ System Profiler now reports host with OS it could not determine

Cortana Updates (for scripters)


– s_cmd no longer times out after 60s. It will wait forever for a

command to complete now.

– added shell_read event which fires when a shell s_cmd comes back

with intermediate output.

– fixed a potential deadlock with &open_console_tab

– scripts now have the ability to redefine the max size of a workspace:

db_workspace(%(size => #####));

08.05.12 – Cobalt Strike 1.44


– Rebuilt the 08.02.12 release with missing internal files used by

Cortana. Sorry about this!

08.02.12 – Cobalt Strike 1.44


– Team server now buffers all of its output. SO_NODELAY is no longer

used. This will improves team performance on a congested network

without a hit to responsiveness otherwise.

+ Spear phishing tool now strips CC field from template messages

– Added Cortana, a DARPA funded scripting technology, into Armitage.

There’s a lot of fun to be had here.

– Cobalt Strike now queues messages to destroy a console rather than

spinning up a new thread for each closed console.

– Rendering of icons for hosts now happens outside of UI thread.

+ Fixed highlight rendering issue in spearphish message preview.

+ Spear phishing tool more aggressively replaces links in template


+ Spear phishing tool now displays a message when something goes

wrong while processing a template file.

– Increased timeout for meterpreter read command

– Cobalt Strike now detects a corrupt module cache and attempts to

clear it so it can be rebuilt.

07.19.12 – Cobalt Strike 1.44


+ Updated client-side vulns database (a typical maintenance action)

+ Fixed host report generation failure when there are two hosts with

the same IP address in the hosts database.

+ Vulnerability Report and Hosts Report vulnerability descriptions

are now compatible with the latest Metasploit Framework database

schema changes.

– Pass-the-Hash and Login dialogs now honor the shift+Launch convention

which keeps the dialog open after launching the action.

+ Cobalt Strike now binds reverse_http/reverse_https listeners to the

LHOST value for the host. Previously, they bound to to accept

connections on any interface. This no longer works though and established

http/https sessions hang. This change fixes this problem.

+ Added set LHOST button to Cobalt Strike -> Listeners. This button will

update the global LHOST option in MSF, update the value saved in Cobalt

Strike and it will restart all listeners to take advantage of the change

+ Added Attacks -> Packages -> USB/CD AutoPlay feature. This package turns

a USB stick or CD into an attack vector against Windows XP/Vista

07.05.12 – Cobalt Strike 1.43


– Login -> psexec now sets a different LPORT for each host it’s

launched against when using a reverse payload. Fixes a bug where

using a reverse connect payload against X hosts didn’t work.

– Progressbar Cancel button now works with the Sync Files button

in View -> Downloads and View -> Loot

– Fixed a potential deadlock with the Sync Files feature

– Clicking the Size column in View -> Downloads now sorts properly

+ Fixed a race condition that sometimes prevented the display of

the old data in View -> Web Log

06.23.12 – Cobalt Strike 1.43


+ Updated client-side database with latest changes.

– Added View item to File Browser popup menu. Views and logs text files.

+ Added Attacks -> Web Drive-by -> Host File. This feature hosts a file

using the Cobalt Strike web server.

+ Web Drive-by options that start a Cobalt Strike server now have blue-ish


06.14.12 – Cobalt Strike 1.43


– Meterpreter -> Kill now uses session.stop RPC call

– Cleaned up code to kill jobs acting as a service

– Added an option to disable TCP_NODELAY from the comamnd line:

java -Darmitage.enable_nagle=true -jar armitage.jar

Use this if you see “bad mac” SSL errors when connected to a

team server.

– Log Keystrokes tab now changes color when there is activity

– Randomized filename for USERPASS_FILE to allow multiple brute

forces to happen at once.

+ Updated client-side database with ms12-037 information

06.07.12 – Cobalt Strike v1.43


– Fixed an exception when killing a session or removing a route

– ps command added a new column to its output. Updated ps parser

– Hosts -> Import Hosts now works under Windows again

– Hail Mary now sets LHOST option. This is necessary for some attacks to

work properly

– Tweaked console create code in beginning of Cobalt Strike setup to avoid

aggravating a deadlock condition

– Disabled Nagles Algorithm for team server and client SSL sockets. This

drastically improves responsiveness for Windows 7 clients.

– Starting jobs like the SOCKS Proxy server now shows the Service Started

message again.

– Fixed a highlighting bug with the find feature in the View tab

05.21.12 – Cobalt Strike v1.43


– Fixed a bug that triggered when resizing text in a Loot/Download View tab.

+ Updated IE date guessing database for more accuracy. This makes the system

profiler better.

– Cobalt Strike’s console now uses color to highlight information and make

it clearer. This applies to all consoles. Set console.show_colors.boolean to

false to disable this behavior.

– Default console font color is now grey.

+ Cobalt Strike now catches internal errors related to phishing messages (e.g.,

a poorly formed template/address) and displays these in the phishing console.

– Fixed a bug preventing input field from getting focus when using Ctrl+W to

open a console in its own window.

+ Updated entries in client-side attack database that have changed.

– Improved performance of module launches (through a console) when in team mode.

– Improved performance of msf scans feature when in team mode.

+ Spear phishing window no longer piggy backs off of a normal console tab.

– Improved perceived performance of posting chat messages

– Fixed text search feature (Ctrl+F) on Windows

– Fixed View -> Downloads -> Sync Files feature on Windows

05.14.12 – Cobalt Strike v1.43


– Dynamic workspace keyboard shortcuts are now always bound (previously

you had to visit workspaces menu before they’d bind)

– Improved console pool’s ability to detect dead consoles

– Bound Ctrl+Backspace to show all hosts (without a workspace)

– Added Ctrl+T to quickly take a screenshot of the active tab and save it

– Added Ctrl+W to open the active tab in its own window

– Cobalt Strike team server is now SSL enabled. The server will present the

SHA1 hash of its certificate on startup. When connecting, Cobalt Strike

will present the SHA1 hash of the certificate presented to it. You’ll have

the opportunity to trust it or reject it.

+ Updated entries in client-side attack database that have changed.

– Added Ctrl+Left / Ctrl+Right to navigate tabs with the keyboard

+ quick-msf-setup script now downloads 64-bit msf installer on 64-bit systems

– Fixed a bug that prevented command shells from opening on some sessions

+ Web log messages are now delivered in batches (vs. one at a time)

– Team server client now caches some calls to RPC server

– Reworked View button in Download and Loot tabs. The button now displays the

contents of all the highlighted rows in one tab. Further, I’ve added a

Sync Files button to download the highlighted loot or download files when

in a team situation.

05.07.12 – Cobalt Strike v1.43


– Cobalt Strike’s team server is now compatible with the latest changes to

Metasploit 4.3.0.

– Added Ctrl+D keyboard shortcut to close the active tab

– Module description in module launcher dialog is now resizable.

– Cobalt Strike now uses (more robust) console queue for launching post

modules, handlers, brute force attacks, and other things.

– Fixed a race condition in the Jobs tab refresh after killing a job

– Cobalt Strike now filters smb hashes from non-psexec/smb login dialogs.

+ Dumped the “capture form data” in favor of a Javascript key logger. Logged

keystrokes show up in the web log (View -> Web Log) and in the social

engineering report.

+ System Profiler now reports applications grabbed to weblog and not the raw

stuff posted back. This is a move to make the web log a generic console to

view Cobalt Strike web activity in.

– Added armitage.log_data_here.folder setting. This setting lets you

specify where Cobalt Strike will save its logs, downloaded files, and


+ Cobalt Strike now properly reports “web server” errors when in team mode.

Previously these weren’t making it back to the user.

+ Cobalt Strike web apps (system profiler, cloned site, etc.) now work with or

without the ending /.



– Update console reading code to make Cobalt Strike compatible with latest

Metasploit changes.

– Console commands are now queued. Hopefully they’ll execute in order now

when launched in consoles automagically..

+ Added Refresh button to Listeners dialog

+ Cobalt Strike now runs in Metasploit 4.3.0* (before it’d only run in




+ Added support for EDB (Exploit DB) references in vulnerability reports

+ Added multi/browser/java_setdifficm_bof to client-side database.

+ Added multi/browser/java_atomicreferencearray to client-side database.

– Module browser search now filters modules as you type.

– Added keyboard shortcuts to switch dynamic workspaces.

Ctrl+1 = first workspace

Ctrl+2 = second workspace

Ctrl+0 = show all hosts

+ Added generic/shell/reverse_tcp to listener options. Use this for Linux

and OS X reverse shells (or even as a netcat listener).

– Cobalt Strike now uses a more aggressive read strategy for hashdump lsass

method. You should now see the entire output added to the creds table

more often. 🙂

+ Updated Internet Explorer version data with hints from MS12-010 and MS12-023.

+ Fixed a typo in the MacOS X update command script.

– Added Ctrl+N to open a new Metasploit(r) console and Ctrl+O to open the

preferences dialog.

– You may now use Ctrl+Alt to deselect a row in the Jobs and Workspaces tables.

– Added Shell -> Pass Session to *NIX shell sessions. Allows you to duplicate

a *NIX access or pass it to another Cobalt Strike instance.

+ Updated auto-exploit server to use multi/browser/java_atomicreferencearray

+ Added Attacks -> Packages -> Web Drive-by -> Firefox Addon dialog. This is a

new social engineering attack module in Metasploit that prompts the user to

install a Firefox addon. This is a very cool option against Firefox users.



Note: This release contains changes that will require redownloading Cobalt

Strike. It’s not a requirement, but if you want to take advantage of some of

these changes, you’ll need to get the whole package.

+ Updated the updater program to not rely on the cache when pulling down a

Cobalt Strike update. You will need to redownload Cobalt Strike to get the

latest updater program though. http://www.advancedpentest.com/download

– Cobalt Strike team server now uses a batch method to send chat messages to

clients. This should be much better.

– Cobalt Strike now minimizes the number of messages it sends to the collab

server during a team engagement. The goal is to make the system less likely

to back up on messages when there’s a lot of latency in the environment.

– Added an optimization to make command shell feel more responsive in team mode

– Hosts -> DNS Enumerate now populates the NS field with the current highlighted


+ Tweaked Java parameters for Cobalt Strike to prevent it from “giving up” when

attempting to do something requiring a lot of memory (like generate a huge PDF

report). You will need to redownload Cobalt Strike to get the updated CS

launchers with these tweaked parameters.

– Improved tab management:

— Shift+click to close like tabs now ignores the session id when

deciding if a tab is alike. So Shift+Click on a Screenshot tab will

close *all* Screenshot tabs.

— Added a tooltip to session related tabs to indicate the host associated

with the session.

+ Hosts listed in Vulnerability Report are now sorted.

+ Added Restart button to Cobalt Strike -> Listeners. Use this to quickly stop/restart

listeners if a handler becomes non-responsive.

+ Cobalt Strike now queues certain Metasploit commands and executes them in turn. This

will make the system feel more responsive over all. Cobalt Strike features that log

activity (e.g., spear phishing, hosted attacks, etc.) will respond faster too.

– Added a List Drives button to File Browser for Windows meterpreter sessions.

– File Browser can now navigate to folders with apostrophes in their names.

+ System profiler now reports external IP as a firewall if it’s able to get the internal

IP and the internal IP does not match the external IP.

22 Mar 12


– Cobalt Strike NMap profiles are now improved with the following options:

-n [do not attempt to resolve reverse hosts for IPs]

-T4 [wait longer to determine whether a service is alive or not]

–min-hostgroup 96 [scan more hosts in parallel]

– Cobalt Strike now intercepts webcam_snap and screenshot meterpreter commands

and performs the appropriate actions.

– View -> Creds -> Export now works in team mode.

+ Cobalt Strike web server now returns a 404 to visitors with curl, wget, or

lynx user agents. This is an easy measure to defeat, but we’re all about

offense in depth with this project.

– VMware icon now shows when a VMware ESXi host is identified by Metasploit

– Fixed a bug preventing commands like del /S (which prompts for Y/N) from

working from a command shell tab.

– Added a check to prevent old Cobalt Strike and Armitage clients from connecting

to the team server. In the future, I may restrict the Cobalt Strike team server

to Cobalt Strike clients only.

– Added a * indicator to active workspace in Workspaces menu

+ Added a check to prevent user from defining a persistent listener to a port

that already has a persistent listener bound to it.

– Added Hosts -> DNS Enumerate to discover hosts through a name server.

– Cobalt Strike now displays a pivot relationship between a host and the NAT

device it is communicating through when there is an active session.

+ Added windows/browser/adobe_flash_mp4_cprt to client-side database

– Added Copy button to Services tab. Copies highlighted hosts to clipboard.

+ Added windows/browser/ms10_002_ie_object to client-side database

– Improved reverse payload selection logic. Cobalt Strike now chooses php

meterpreter when it makes sense.

– Cobalt Strike now assigns a random LPORT for each exploit module launched with

a reverse payload.

7 Mar 12


– Cobalt Strike now uses an IPv6 bind payload when exploting an IPv6 host

– Cobalt Strike now displays a firewall icon for hosts marked as a firewall

with no associated operating system. This marking is something done by


– Cobalt Strike is now explicitly sets RPORT for psexec and msf scan modules

2 Mar 12


– Meterpreter now reports the IP of the owned system in a consistent way.

Cobalt Strike now places the session info and lightning bolts on this

owned system. No longer will you have X session menus attached to a

firewall / NAT device. This is good news.

– Cobalt Strike now uses a random payload listener for any client side

attack by default (previously–it used a default reverse listener for

windows client attacks–lost benefit of automigrating)

– Token stealing dialog now disables Refresh button while grabbing tokens

and enables it when tokens are grabbed. Now you kind of know what it’s


– Updated Topaz to improve its stability.

1 Mar 12


– Doh! Trial license code was messed up. Fixed how I calculate the

difference between dates.

– Fixed Topaz EXITFUNC so Topaz binary does not crash when exiting meterp

session or migrating.

– Fixed bug with “check all credentials” feature not working in team mode

when server and client run from the same folder.

– Added a rename tab feature. Right-click the tab X and select rename tab

– Cobalt Strike now displays an XP/2003 era logo for hosts self reporting

as .NET server.

– Added a minimum amount of version checking to Cobalt Strike startup.

This version now requires Metasploit 4.3.0-dev

– Updated ARP Scan and Pivoting dialogs to parse the new route output in

Metasploit 4.3.0-dev

– Cobalt Strike now deletes notes.* for a host when you manually set its

OS. This is done to allow a future scan to set the host’s OS to

something else.

– Cloned websites now use the favicon of the cloned site. *pHEAR*

26 Feb 12


– Fixed a system profiler bug caused when profiled client with IE does

not have Windows Media Player installed.

– Added a slight delay between commands issued to a console to prevent

them from executing out of order.

– Adjusted graph view scrolling increments to something sane.

– Fixed keyboard accelerators when right-clicking in the graph view.

– Made the file browser directory up button more obvious.

– Team server now returns the last-100 events (instead of all of the

engagement events) when connecting.

– Improved Host -> Remove feature when removing many hosts.

– Dynamic workspaces feature now allows to comma separated entries

with no spaces between them.

– Table view now allows rows to be deselected in an interval (they

won’t become reselected automatically like before).

24 Feb 12


– Added quick-msf-setup script to the Linux package. This script will

download and install Metasploit, setup the postgres db to start on

boot, and set the system to point to the Java included with Metasploit

if necessary.

– Cobalt Strike doesn’t write to /Applications any more…

– Added a VMWare icon for hosts whose OS is reported as ESX or ESXi

– Greatly improved token stealing user experience. It’s awesome now.

– Greatly improved the responsiveness of the file browser.

20 Feb 12


– A space inside of a module search is now treated as a wildcard. This

means you can type: win meterp and it will be treated as win*meterp

– Removed Host option from Adobe PDF dialog (not needed since we’re

embedding an EXE that already knows the host it wants to connect to)

– Modified listener stop/start code so that actions happen asynchronous

to the UI (meaning working with listeners won’t block the UI)

– Social Engineering report now rounds summary stats to two decimal places.

I was recording a screencast and generated a report–imagine my surprise

when a bunch of sixes were going across the cover page.

– Hovering over an edge in graph view no longer shows a “null” tooltip

– Completely fixed parsing of ps output. The process dialog through

meterpreter will now be accurate regardless of OS 🙂 [Caveat: so long as

the meterpreter session reports processes-Java meterp on OS X f/e does


19 Feb 12


– Made a change to how some commands are synchronized… this should

have no negative effects, but only testing will tell.

– Command sync change fixes a bug preventing system profiler from

adding hosts to display in a team situation.

– Fixed a bug in export data with client-side report data

– Fixed “No client vulns” always showing up at the bottom of the client

side vulnerability report

– Client-side Vuln. reported and exported client vulns now treats

hosts external/internal combinations as unique hosts.

18 Feb 12


– Added windows/browser/java_mixer_sequencer to client-side vuln db

– Fixed a bug in the teamserver start script for Linux (you’ll need to

redownload the package to get this updated script)

– Adobe PDF package now prompts you where to save PDF file whether

MSF is local or remote to Cobalt Strike.

– Added Cut/Copy/Paste/Clear menu to table cell editor

– Started work modifying the about dialog so I can provide proper

attribution of the various open source projects used by Cobalt Strike

16 Feb 12


– Client-side vulnerability report was producing duplicate entries for

vulnerabilities with both a fileformat and browser exploit. Fixed.

– System profiler was accidentally reporting some Windows hosts as

Windows Media Center edition. Fixed.

– Cobalt Strike reports now have the Cobalt Strike logo

– Updated Help menu with Cobalt Strike stuff.

– Help button in Connect dialog now points to advancedpentest.com/start

so does the “hey msfrpcd crashed from underneath me” dialog.

– Released “helper” indicator with a thick square (vs. the thick cross

in Armitage).

– Added a teamserver script to UNIX distribution of Cobalt Strike. This

script will check the environment to make sure everything is in place.

– Cobalt Strike was saving preferences to wrong file.

14 Feb 12


– Added Cobalt Strike update tool

– Created packages for Windows, MacOS X, and Linux



– = a change made in Armitage and Cobalt Strike

+ = a Cobalt Strike specific change

! = a removed feature

Treadstone 71 Training and Webinars

By Treadstone 71

@Treadstone71LLC Cognitive Warfare Training, Intelligence and Counterintelligence Tradecraft, Influence Operations, Cyber Operations, OSINT,OPSEC, Darknet, Deepweb, Clandestine Cyber HUMINT, customized training and analysis, cyber psyops, strategic intelligence, Open-Source Intelligence collection, analytic writing, structured analytic techniques, Target Adversary Research, strategic intelligence analysis, estimative intelligence, forecasting intelligence, warning intelligence, Disinformation detection, Analysis as a Service