Cobalt Strike 1.49 – HTTP Proxy Authentication? No Problem.

April 23, 2014

I spend a lot of time on the road in March and April—using my tools. During these months, I take careful notes of the usability issues I’d like to address and small tweaks that would make life better for Cobalt Strike’s hacker corps.

Today’s Cobalt Strike release is the result of notes and my first-hand experience from five different exercises. There’s a lot of great stuff here, particularly for Beacon users.

Beacon’s HTTP stager uses WinINet to communicate [even before this update]. This has a benefit. The HTTP stager will authenticate to a proxy server when stored credentials are available. Sometimes, the current process does not know the credentials needed to get through a web proxy server. Beacon’s HTTP stager now detects this situation and prompts the user for credentials. The dialog is the same one Internet Explorer uses. Between Beacon’s new HTTP stager and DNS stager—you now have the tools to defeat most tough egress restrictions.

Cobalt Strike’s Staged Executable Generator now gives you options to output Beacon as a raw blob of position independent shellcode. You also have the option to output a fully-staged Beacon as a PowerShell script too.

You may now assign a tiny note/label to each Beacon. This label is immediately visible to your teammates too. This makes Beacon management much easier.

13.19.43 Beacons

Beacon’s process injection code now falls back to an alternate method when CreateRemoteThread fails. This means you’ll have an easier time injecting into explorer.exe and other processes across logon sessions.

Beacon’s session spawning now creates patsy processes in a suspended state. This allows you to use spawnto with almost any program you can think of. And hurrah! Beacon no longer uses notepad.exe as the default process to spawn and inject code into.

These changes are the highlights. For a full accounting of changes, give the Release Notes a read. Licensed Cobalt Strike users may use the update program to get the latest. A 21-day trial is available too.


  1. Hi Raphael. The last two updates are really nice and adding options for real live pen testing and red teaming. Well done!! In this update I especially like the WinINet option. I’m encountering tough egress situations with proxy servers more and more the last year, so this is a great feature that I’ll be using in an actual running assessment within an hour or so!

    • Thanks for the note Guido. I think things are definitely moving along. Glad you’re seeing a benefit from it. 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s