Cobalt Strike 4.9 released - more features and post-exploitation features

Carding 4 Carders

Who will appreciate the innovations more: pentesters or cybercriminals?

Cobalt Strike 4.9 is now available to all users. This release improves Cobalt Strike's post-exploitation capabilities, including the ability to export Beacon without a reflective loader, official support for prepend UDRLs, callback support in many built-in functions, and many other updates.

Next, we'll take a closer look at the most significant changes in the release, while keeping to the format of a brief summary.

Improvements in post-exploitation capabilities
The Cobalt Strike post-exploitation DLL suite now supports prepend UDRLs. The DLLs covered are browserpivot, hashdump, invokeassembly, keylogger, mimikatz, netview, portscan, powershell, screenshot, and sshagent.

To make this modification and replace the default reflective loader with a UDRL, a new Aggressor Script hook called POSTEX_RDLL_GENERATE was introduced.

Exporting a Beacon without a reflective loader
Beacon can now be exported without a reflective loader, which improves support for prepend UDRLs.

Callback support
After numerous requests from users, callbacks were added to Aggressor Script for a number of built-in functions: bnet, beacon_inline_execute, binline_execute, bdllspawn, bexecute_assembly, bhashdump, bmimikatz, bmimikatz_small, bportscan, bpowerpick, bpowershell, bpsinject.

Beacon Data Warehouse
The new release introduces the Beacon data warehouse, which allows you to store BOFs and .NET assemblies in Beacon memory and run them later without transferring them again.

Beacon User Data
This is a new C framework that allows Reflective Loaders to pass additional data to Beacons and solve the problem of providing system call information.

WinHTTP support
Beacon now supports the WinHTTP library in addition to the previously used WinInet. A new group of C2 profiles with a compliant http beacon can be assigned as protocol listeners.

Inter-client communication and BOF updates
New Aggressor Script methods for processing and using custom events have been introduced, as well as new APIs for supporting key / value storage in Beacon.

Sleep Mask Update
Sleep mask processing has been modified. It now masks the corrected sleep mask code in Beacon.

System Call Updates
Added support for direct and indirect system calls for the DuplicateHandle, ReadProcessMemory, and WriteProcessMemory functions.

Product Security Updates
Authorization files have been modified to make them incompatible with older versions of Cobalt Strike. The minimum supported Java version will be updated from Java 8 to Java 11 in the next release.

Users with a valid license can download the new version of Cobalt Strike from the official website or using the update program. Developers also recommend that you read the release notes before installing the update.
 