
Cobalt Strike 4.11 released with built-in evasion features for red teams

Cobalt Strike, a widely used adversary emulation tool, has released version 4.11, packed with a robust set of features intended to improve evasion for red teams.

This latest update introduces several new techniques and improvements that consolidate Cobalt Strike's position as a leading platform for offensive security operations.

Key features of Cobalt Strike 4.11

1. Improved evasion options

One of the highlights of Cobalt Strike 4.11 is the set of improved evasion options, including:

  • New Sleepmask: the new Sleepmask masks Beacon, its heap allocations and itself. It is enabled automatically via Malleable C2, so it is robust against static signatures without requiring additional configuration. Unlike previous versions, it integrates seamlessly into Beacon and improves runtime masking.
A screenshot showing the results of Get-InjectedThreadEx scanning a process into which a 4.11 Beacon has just been injected.
  • New process injection technique: Cobalt Strike introduces ObfSetThreadContext, a custom method that sets the injected thread's start address to a location inside a legitimate image loaded in the remote process. This counters common thread-injection detections, which look for threads whose start address is not backed by an executable image, by making injected threads appear to originate from legitimate modules. Users configure it by specifying a module!function + offset for the thread start address in the Malleable C2 profile:
process-inject {
    execute {
        # Accepts a module!function + offset for thread start address.
        ObfSetThreadContext "ntdll!TpReleaseCleanupGroupMembers+0x450";
        NtQueueApcThread;    # backup injection option 1
        SetThreadContext;    # backup injection option 2
    }
}
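To make the detection-side point concrete, the following added example (not Cobalt Strike code, and not the Get-InjectedThreadEx script itself) models the start-address heuristic such scanners apply, run over constructed thread and module data. Module bases, sizes and export RVAs are illustrative values, not real ntdll or kernel32 layouts; the module!function+offset resolver mirrors the ObfSetThreadContext syntax from the profile above.

```python
# Added example: a simplified, offline model of a thread start-address check.
# Module layout and export RVAs below are constructed, not real Windows values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    exports: dict  # export name -> RVA (constructed sample values)


@dataclass(frozen=True)
class Thread:
    tid: int
    start_address: int


MODULES = [
    Module("ntdll.dll", 0x7FF8_0000_0000, 0x1F0000,
           {"TpReleaseCleanupGroupMembers": 0x12340, "RtlUserThreadStart": 0x21100}),
    Module("kernel32.dll", 0x7FF8_1000_0000, 0xC0000,
           {"BaseThreadInitThunk": 0x18700}),
]


def module_for(addr, modules=MODULES):
    """Return the loaded image that backs addr, or None (unbacked memory)."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def nearest_export(module, addr):
    """Return (export_name, offset) of the closest preceding export, or None."""
    rva = addr - module.base
    best = None
    for name, erva in module.exports.items():
        if erva <= rva and (best is None or erva > best[1]):
            best = (name, erva)
    return None if best is None else (best[0], rva - best[1])


def classify_thread(t, modules=MODULES):
    """Classify a thread start address the way an address-based scanner would:
    'unbacked'     : not inside any loaded image (the classic injected-thread hit,
                     e.g. a thread started on a private RWX allocation);
    'export'       : exactly at an exported function start;
    'mid-function' : inside a loaded image but not at an export boundary, which is
                     what a module!function+offset start address looks like."""
    m = module_for(t.start_address, modules)
    if m is None:
        return "unbacked", None
    ex = nearest_export(m, t.start_address)
    if ex is None:
        return "mid-function", (m.name, None, t.start_address - m.base)
    name, off = ex
    return ("export" if off == 0 else "mid-function"), (m.name, name, off)


def symbolize(t, modules=MODULES):
    """Human-readable line per thread, as a scanner report would print it."""
    kind, info = classify_thread(t, modules)
    if info is None:
        return f"tid {t.tid}: {t.start_address:#x} ({kind})"
    mod, name, off = info
    sym = f"{mod}!{name}+{off:#x}" if name else f"{mod}+{off:#x}"
    return f"tid {t.tid}: {sym} ({kind})"


def resolve(spec, modules=MODULES):
    """Resolve 'module!function+0xOFF' (the ObfSetThreadContext syntax) to an address."""
    modfunc, _, off = spec.partition("+")
    modname, _, func = modfunc.partition("!")
    for m in modules:
        if m.name.lower().startswith(modname.lower()):
            return m.base + m.exports[func] + (int(off, 16) if off else 0)
    raise KeyError(modname)


# Constructed threads: one on private memory, one normal thread, and one whose
# start address was set the ObfSetThreadContext way (module!function+offset).
SAMPLE_THREADS = [
    Thread(4100, 0x0000_0200_0001_0000),
    Thread(4104, resolve("ntdll!RtlUserThreadStart")),
    Thread(4108, resolve("ntdll!TpReleaseCleanupGroupMembers+0x450")),
]

if __name__ == "__main__":
    for t in SAMPLE_THREADS:
        print(symbolize(t))
```

The third thread resolves to a real module and symbolizes as ntdll!TpReleaseCleanupGroupMembers+0x450, so a check that only asks "is the start address image-backed?" passes it; a scanner has to go further and ask whether the address is a plausible entry point (an export or known thread-start stub) to notice it.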

2. Overhauled reflective loader

Cobalt Strike has overhauled Beacon's reflective loader and moved to a prepend/sRDI-style loader. This overhaul includes several important features:

  • EAF bypass: the stage can now bypass Export Address Filtering (EAF) techniques.
  • Indirect syscalls: the stage now uses indirect syscalls.
  • Obfuscation routines: the transform-obfuscate {} block allows complex obfuscation routines to be applied to Beacon payloads. For example, a configuration could look like this:
stage {
    transform-obfuscate {
        lznt1;
        rc4 "64";          # NB The max supported rc4 key size is 128
        xor "32";           # NB The max supported xor key size is 2048
        base64;
    }
}
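The profile above chains four transforms, and the loader has to undo them in reverse order before the stage can run. The following added example (plain Python, not Cobalt Strike's loader or its key layout) models such a pipeline on a constructed stand-in payload and then reverses it. Two assumptions are labeled in the code: lznt1 has no standard-library implementation, so zlib stands in for the compression step, and each keyed step simply prepends its random key so the reversal can recover it; the numbers are read as key sizes in bytes, mirroring the profile.

```python
# Added example: a transform-obfuscate style pipeline and its reversal.
# Not Cobalt Strike code; zlib stands in for lznt1 and the key layout is ours.
import base64
import os
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 keystream XOR; symmetric, so the same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_repeat(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Transform list mirroring the profile; numbers are key sizes in bytes (assumption).
TRANSFORMS = [
    ("compress", None),   # stands in for lznt1 (assumption: zlib, not LZNT1)
    ("rc4", 64),
    ("xor", 32),
    ("base64", None),
]


def obfuscate(payload: bytes, transforms=TRANSFORMS, rng=os.urandom) -> bytes:
    """Apply transforms in order. Each keyed step prepends its random key so the
    reversal can find it; this layout is the example's own convention."""
    data = payload
    for name, ksize in transforms:
        if name == "compress":
            data = zlib.compress(data)
        elif name == "rc4":
            key = rng(ksize)
            data = key + rc4(key, data)
        elif name == "xor":
            key = rng(ksize)
            data = key + xor_repeat(key, data)
        elif name == "base64":
            data = base64.b64encode(data)
        else:
            raise ValueError(f"unknown transform {name}")
    return data


def deobfuscate(blob: bytes, transforms=TRANSFORMS) -> bytes:
    """Reverse the pipeline: last transform first, as a loader must."""
    data = blob
    for name, ksize in reversed(transforms):
        if name == "compress":
            data = zlib.decompress(data)
        elif name == "rc4":
            key, data = data[:ksize], data[ksize:]
            data = rc4(key, data)
        elif name == "xor":
            key, data = data[:ksize], data[ksize:]
            data = xor_repeat(key, data)
        elif name == "base64":
            data = base64.b64decode(data)
    return data


# Constructed stand-in for a Beacon stage: a recognizable marker plus filler.
SAMPLE_STAGE = b"MZ\x90\x00" + b"BEACON-STAGE-PLACEHOLDER " * 40


def roundtrip(payload: bytes = SAMPLE_STAGE):
    """Obfuscate then deobfuscate; returns (blob, recovered_payload)."""
    blob = obfuscate(payload)
    return blob, deobfuscate(blob)


if __name__ == "__main__":
    blob, back = roundtrip()
    print(f"{len(SAMPLE_STAGE)} bytes -> {len(blob)} bytes; marker visible in blob: {b'BEACON' in blob}")
    assert back == SAMPLE_STAGE
```

Because the keys are generated per build, two stages produced from the same profile differ byte for byte, which is what defeats static signatures on the packed stage; the marker string is recoverable only after all four steps are undone in memory.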

3. Asynchronous Beacon Object Files (BOFs)

Cobalt Strike introduces Async-Execute.dll, which makes it possible to execute BOFs in new threads without blocking Beacon.

This feature supports both single-run and background execution modes and improves the flexibility of post-exploitation activity.

Operators can now run several BOFs concurrently within the same process, each as its own task with its own output in the Cobalt Strike GUI.

The payload generation dialog for a DNS listener, showing the new DNS Comm Mode option. It can be configured to set up a DoH Beacon that uses the default DoH settings.

4. DNS over HTTPS Beacon

The release includes a DNS-over-HTTPS (DoH) Beacon, which offers another covert option for network egress. Users can configure the DoH settings using Malleable C2:

dns-beacon "DOH_EXAMPLE" {
    set comm_mode "dns-over-https";        # [dns | dns-over-https]

    dns-over-https {
        # Verb: GET | POST (Default: POST)
        set doh_verb "GET";

        # User Agent
        set doh_useragent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)";

        # Proxy Server for HTTP
        # set doh_proxy_server "123.123.123.123:4321";

        # DOH Server List (Default: "mozilla.cloudflare-dns.com,cloudflare-dns.com")
        set doh_server "cloudflare-dns.com";

        # Accept
        set doh_accept "application/dns-message";

        # Headers
        header "Content-Type" "application/dns-message";
        header "header1" "value1";
    }
}
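What the doh_verb, doh_accept and Content-Type settings above actually change on the wire is defined by RFC 8484: a GET carries the DNS message base64url-encoded (no padding) in a dns= query parameter, while a POST carries the raw application/dns-message body. The following added example (not Cobalt Strike's DoH client) builds both request forms for a query offline and parses a constructed resolver reply. The /dns-query path and the use of TXT records are assumptions for the demo; the User-Agent default is the one from the profile.

```python
# Added example: RFC 8484 DoH request construction and application/dns-message
# parsing, run entirely offline on constructed data. Not Cobalt Strike code.
import base64
import struct

QTYPE_A, QTYPE_TXT = 1, 16


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_TXT, txid: int = 0) -> bytes:
    """One-question query. RFC 8484 recommends ID 0 so identical queries yield
    identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_request(server: str, name: str, verb: str = "POST", qtype: int = QTYPE_TXT,
                user_agent: str = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"):
    """Return (method, url, headers, body) for the DoH request; /dns-query path assumed."""
    msg = build_query(name, qtype)
    headers = {"Accept": "application/dns-message", "User-Agent": user_agent}
    if verb.upper() == "GET":
        param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode()  # base64url, unpadded
        return "GET", f"https://{server}/dns-query?dns={param}", headers, b""
    headers["Content-Type"] = "application/dns-message"
    return "POST", f"https://{server}/dns-query", headers, msg


def message_from_get_url(url: str) -> bytes:
    """Recover the DNS message from a GET-form URL (re-adds base64 padding)."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels = []
    while True:
        l = msg[off]
        if l == 0:
            return ".".join(labels), off + 1
        if l & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + l].decode())
        off += l


def parse_answers(msg: bytes):
    """Return [(name, type, value)] for the answer section of a DNS message."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):              # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT:       # one or more <len><chars> strings
            parts, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode())
                i += 1 + n
            answers.append((name, "TXT", "".join(parts)))
        elif rtype == QTYPE_A:
            answers.append((name, "A", ".".join(map(str, rdata))))
        else:
            answers.append((name, rtype, rdata))
    return answers


def build_txt_reply(query: bytes, text: str) -> bytes:
    """Constructed resolver reply for the demo: echoes the question, adds one TXT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    rdata = bytes([len(text)]) + text.encode()
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    return header + question + rr


if __name__ == "__main__":
    for verb in ("GET", "POST"):
        method, url, headers, body = doh_request("cloudflare-dns.com", "example.com", verb)
        print(method, url, headers, len(body), "body bytes")
    reply = build_txt_reply(build_query("example.com"), "hello")
    print(parse_answers(reply))
```

From a network-monitoring standpoint the two verbs look different: the GET form leaks the whole query into the URL (and into any proxy log), whereas the POST form keeps it in the TLS-protected body, which is one reason the profile exposes the choice.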
A screenshot of Beacon's updated help command, which has been reorganized into groups.

5. Quality of life updates

Cobalt Strike 4.11 also contains several updates of the quality of life:

  • Improved command line variables: new variables such as $BEACON_PID and $BEACON_ORCH can be used in command lines.
  • Reorganized Beacon help command: commands are now grouped for easier access.
  • Improved host rotation: multiple C2 hosts can now be rotated at the same time.
  • Data-exfiltration-detection evasion: Beacon now supports controlling the chunk size of GET/POST requests.

Cobalt Strike 4.11 represents a significant step forward in threat emulation, giving red teams advanced evasion capabilities and improved operational flexibility.

The built-in features not only improve stealth but also offer a robust framework for custom tradecraft within the Cobalt Strike ecosystem.

This release underlines the developers' commitment to continuous innovation in support of sophisticated offensive security operations.
