Cobalt Strike 3.4 – Operational DetailsJuly 29, 2016
Cobalt Strike 3.4 is now available. This release focuses on the DNS Beacon and a few additions to Malleable C2. Here are the highlights:
New Malleable C2 Options
This release extends the Malleable C2 feature with several useful options. The dns_idle option allows you to change the IP address the DNS Beacon uses to signal that it’s idle. The default value is 0.0.0.0 and this is an indicator some use to zero-in on Cobalt Strike’s DNS Beacon payload. I recommend you set this option in your Malleable C2 profiles.
This release also adds a dns_sleep option. This option forces the DNS Beacon to sleep before each of its DNS requests. This is guaranteed to make DNS data channels very painful to use! This option is now available for those of you who asked for it.
The pipename option allows you to change the name of the named pipe SMB Beacon uses for peer-to-peer communication.
DNS IPv6 AAAA Record Data Channel
The DNS Beacon received a few enhancements beyond the Malleable C2 options above. The mode dns6 command now sets your DNS Beacon to use AAAA records as a data channel. This is similar to the mode dns option, which asks Beacon to use A records as a data channel. The benefit is that the AAAA records give you more data per request.
By popular request, Cobalt Strike now allows you to embed a kill date into the Beacon payload. Beacon will automatically exit, when run, on or after its kill date. Beacon also checks the kill date each time it wakes up and exits if it’s on or after the kill date.
To take advantage of this feature, simply specify a kill date when you start your Cobalt Strike team server. Your team server will propagate the specified kill date to all payload stages it generates. Here’s the format:
./teamserver [ip address] [malleable C2 profile] [YYYY-MM-DD]