Cobalt Strike Updates 04.10.13April 10, 2013
March and April are the busy season for me. I’m on the road traveling to various exercises, testing out my wares. Starting this weekend, I will play red in three exercises back-to-back. One advantage to playing in all of these exercises is that I’m able to leverage my experiences and feedback from my fellow red team members to improve Armitage and Cobalt Strike.
Here are a few of the exercise-inspired changes that made it into this release:
- The VNC Viewer in Cobalt Strike now starts out view only. Untoggle the spy button to take control of the user’s desktop. — I’m having a lot of fun with VNC at these various exercises, but unfortunately I keep giving myself away by accidentally moving a student’s mouse. This change will ensure that I’m only moving a cursor when I want to.
- Added a spawnto command to Beacon. This command forces Beacon to use the specified program to spawn shellcode into. — Pro-tip for RAT Developers: if you inject shellcode into the current process, you risk losing your access if the shellcode crashes the process. To get around this, Beacon spawns shellcode into a notepad.exe instance. I use notepad.exe because its location is reliable. Unfortunately, the world is getting wise to dirty hacker tricks, such as connecting to the internet from notepad.exe. With this change, you can have Beacon spawn shellcode into something else on the user’s system (e.g., Internet Explorer).
- The event log now shows the date next to the time associated with each message. Cobalt Strike also highlights messages that mention your nickname.
- After Western Regional CCDC, I tried to generate a report from the four team servers I was connected to. The merged report wasn’t up to my standards. Most fields weren’t sorted, credentials weren’t merged across servers, and several other details were out of whack. Instead of one report, I generated four (one from each server) and used the reports to give students feedback. For this update, I went through the various data merging issues and corrected them. Next event, it’s my hope to generate one report that tells the full story.
I’ve also added installation instructions for Kali Linux. The full list of changes is in the Cobalt Strike Release Notes file. Licensed users may run the update program to get the latest. A 21-day trial of Cobalt Strike is also available.