
What happened to my Kill Date?

August 24, 2016

Cobalt Strike 3.4 introduced a Kill Date feature. This is a date that Cobalt Strike embeds into each Beacon stage. If a Beacon artifact is run on or after this date, it immediately exits. If a running Beacon wakes up on or after this date, it immediately exits. I don’t see kill dates as a replacement for tracking artifacts and cleaning up after an engagement. I see them as an extra piece of assurance.

To use Cobalt Strike’s kill date feature, you must specify a kill date when you start the team server. Here’s the help for the teamserver script:

[Screenshot: usage help printed by the teamserver script]

Here’s an example of starting a team server with a kill date embedded in it:

[Screenshot: team server starting with a Malleable C2 profile and a kill date]

You’ll notice that it is mandatory to specify a Malleable C2 profile if you want to take advantage of kill dates. I’ve had a few folks ask if there is a way around this. The answer is no, not right now. The default profile isn’t anything special. It looks like a simple piece of malware on the wire. Specify a profile. 🙂 You’re better off for it.

I want to call your attention to one detail though. Notice that the team server acknowledges both the profile and the kill date. This is Cobalt Strike telling you that it sees these parameters and is using them as you asked it to.

If you do not see this acknowledgement, Cobalt Strike is not using your custom profile, and it does not have a kill date embedded into the Beacon stage.

You may wonder, how is this situation possible? If you specify the parameters correctly, why wouldn’t Cobalt Strike use them? This is a good question and it’s the real reason for this blog post.

Cobalt Strike 3.0 and 3.1 shipped with a teamserver script that passed either two or three arguments to the Cobalt Strike software. The teamserver script shipped with these versions would not pass an arbitrary number of arguments, so anything after the third argument was silently dropped. The update program that ships with Cobalt Strike does not update the teamserver script.

If you have a teamserver script from Cobalt Strike 3.0 or 3.1, Cobalt Strike will not use the kill date you specify, nor the profile you specify when a kill date is present. If this applies to you: download the trial for the latest Cobalt Strike Linux package, update it to the licensed version with the built-in update program, and you’re set again.

The teamserver script with Cobalt Strike 3.2 and later will work fine.
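To make the failure mode concrete, here is an added example (not the Cobalt Strike teamserver script itself) that models a launcher wrapper forwarding a fixed number of positional parameters versus one forwarding every argument. The argument order (host, password, profile, kill date), the stand-in `fake_server`, and the constructed values are assumptions for illustration; the point is that a dropped kill date shows up as a missing acknowledgement line, which is exactly what the post tells you to look for.

```sh
#!/bin/sh
# Stand-in for the server process: prints one acknowledgement line per
# argument it actually received. Assumed order: host password [profile] [killdate].
fake_server() {
    printf 'host=%s\n' "$1"
    printf 'password=%s\n' "$2"
    if [ -n "$3" ]; then printf 'profile=%s\n' "$3"; fi
    if [ -n "$4" ]; then printf 'killdate=%s\n' "$4"; fi
    return 0
}

# Old-style wrapper (assumed to mirror the 3.0/3.1 behaviour described above):
# forwards exactly three positional parameters, so a fourth argument such as
# a kill date never reaches the server.
old_wrapper() {
    fake_server "$1" "$2" "$3"
}

# Fixed wrapper: forwards every argument it was given, in order.
new_wrapper() {
    fake_server "$@"
}

# The check the post recommends, automated: returns 0 if the launcher output
# acknowledges the kill date, 1 otherwise.
saw_killdate() {
    printf '%s\n' "$1" | grep -q '^killdate='
}

# Demonstration with constructed values (192.0.2.10 is a documentation address).
old_out=$(old_wrapper 192.0.2.10 'S3cretPw' c2.profile 2016-09-30)
new_out=$(new_wrapper 192.0.2.10 'S3cretPw' c2.profile 2016-09-30)

if saw_killdate "$old_out"; then old_ack=yes; else old_ack=no; fi
if saw_killdate "$new_out"; then new_ack=yes; else new_ack=no; fi
echo "old wrapper acknowledged kill date: $old_ack"   # no
echo "new wrapper acknowledged kill date: $new_ack"   # yes
```

The same grep-style check against the real team server's startup output is a cheap pre-engagement sanity test: no acknowledgement line means no kill date in the stage.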

2 comments

  1. Two questions:
    1. Will the date also be implemented in SMB payloads I generate?
    2. Will the date be implemented in a stageless beacon (let’s state due to firewalling it will never reach my teamserver, will it die!?)


    • 1. Will the date also be implemented in SMB payloads I generate?

      The kill date is implemented into the Beacon stage. It’s checked when the payload “wakes up” and when the stage is first run.

      SMB Beacon is a weird case, because when it’s not linked, it’s not doing anything. It’s blocking waiting for a connection. If the kill date passes while an SMB Beacon is waiting for a link, it will continue to exist until the target reboots or a parent Beacon links to it. When it’s linked to by a valid parent, it will “wake up”, observe the kill date is passed and exit.

      2. Will the date be implemented in a stageless beacon (let’s state due to firewalling it will never reach my teamserver, will it die!?)

      A stageless Beacon is an artifact to deliver a Beacon stage without a stager. The kill date is already embedded into the stage. Therefore, stageless artifacts have the kill date.

      Stagers do not embed the kill date and probably never will. None of the stagers in CS persist trying a connection, again and again, forever. They all have their limits. The most persistent one is the DNS Beacon stager and even it will give up after a certain number of failed tries.


