# Cobalt Strike 4.2 (November 6, 2020)

Posted by admin, 2020-11-07 00:37:22

56a53682084c46813a5157d73d7917100c9979b67e94b05c1b3244469e7ee07a Cobalt Strike 4.2 Licensed (cobaltstrike.jar)


# Distribution Packages (released with Cobalt Strike 4.2)

f82531f3e18de0801bf18a4f65070cd927b656c3ef4b9ae8fb2c666338e65352  Cobalt Strike Linux Distributions Package (20201106)

ad5348bc090fd47a414329a27c80c14de5bd739b58ef5aa66ab886219a27c9f6  Cobalt Strike Windows Distribution Package (20201106)

4592a252a1b72928c87a7a38f4ec13cc929cbc3bdd8861ac51e678a55559167c  Cobalt Strike MacOSX Distribution Package (20201106)

Cobalt Strike 4.2 was officially released today.

This is a large release that touches many parts of the product. The updates cover user exploitation, Beacon and post-ex DLL behavior and IOC flexibility, Malleable C2 enhancements, and more.

1. Cobalt Strike 4.2 revisits Cobalt Strike's screenshot and keystroke logging tools. Both now report the current user, desktop session, and active window title from the context they run in. This added context is used in the logs, reports, and user interface to tell the story better and improve operator awareness. An alternative way to take a screenshot, by forcing a PrintScr keypress, was also added; this is the printscreen command. A SetWindowsHookEx keystroke logger option was added as well. The keystroke logger implementation is selected in the post-ex block of the user's Malleable C2 profile.

2. The update also improves the fork&run post-ex DLLs. The post-ex -> obfuscate option now enables behavior in some post-ex DLLs that masks the strings embedded in the DLL and unmasks them only when they are needed. The screenshot and keystroke logging tools benefit from this new behavior. post-ex -> pipename was added to change the named pipe that fork&run post-ex DLLs use to communicate results back to Cobalt Strike. And post-ex -> thread_hint was added so that post-ex DLLs also create their new threads with a spoofed start address.

3. Beacon also gains some in-memory behavior and IOC flexibility. The magic_mz_x86, magic_mz_x64, and magic_pe options (in the stage block) let users change the MZ and PE magic bytes in Beacon's Reflective DLL package (the ones used by its loader). Read the documentation on this, because the magic_mz_* values must be valid instructions. The stage -> allocator option now specifies how Beacon's Reflective DLL package allocates memory for the loaded Beacon payload. The new options are HeapAlloc and MapViewOfFile, in addition to the default VirtualAlloc and the module stomping option from 3.11.

4. The update also does some work on Malleable C2. The new version doubles the maximum size of the useragent setting and of the compiled http-get.client / http-post.client blocks, so users can now put more headers and parameters in a profile. Several users were known to have hit the previous limits. The new headers_remove option is a way to force removal of specified HTTP client headers late in the HTTP transaction; if WinInet adds a header you do not want, this is how to get rid of it. A global data_jitter option was also added. It is a way to add random-length noise to the HTTP responses in Beacon's C2 communication.

5. Communication resilience is also a theme. The new version overhauls how Beacon's DNS controller manages its cache and tracks and completes in-progress transactions. If you have ever seen "[Beacon] protected 1 open conversation (strike X of 256)", these changes address that. The protected conversation behavior was a fix made some time ago to cope with benign DNS resolver behavior [from certain resolvers] that caused problems for the newer DNS C&C method. This latest revision was written with a much deeper understanding of DNS resolver behavior. Beacon's HTTP/S implementation was also updated to retry the HTTP requests that send output to Cobalt Strike when a failure is detected.

6. And... rportfwd_local was added. It is just like rportfwd: it binds a port through an SSH or Beacon session and forwards connections to the specified host and port. rportfwd_local differs from rportfwd in where the forwarded connection is initiated. rportfwd_local initiates the connection from your Cobalt Strike client, and the forwarded traffic is tunneled inside the existing connection between the Cobalt Strike client and the team server. This is a pivoting mode that lets a controller for other implants or pen-test tools, hosted locally and separate from the team server infrastructure, pivot through Beacon.


Cobalt Strike Release Notes

-------------

Welcome to Cobalt Strike 4.x. Here are a few things you'll want to know, right away:


1. Cobalt Strike 4.x is not compatible with Cobalt Strike 3.x. Stand up new
   infrastructure and migrate accesses to it. Do not update 3.x infrastructure
   to Cobalt Strike 4.x.

2. Do not move a cobaltstrike.auth file from Cobalt Strike 3.x to 4.x. The two file
   formats are not compatible.

3. Aggressor Scripts written for Cobalt Strike 3.x may require changes to work with
   Cobalt Strike 4.x. Please refer to this guide to update your scripts:

   https://www.cobaltstrike.com/aggressor-script/migrate.html


November 6, 2020 - Cobalt Strike 4.2

----------------

+ Refactored Beacon Reflective Loader and added mechanism to patch rDLL loader into
  Beacon (vs. shipping a static loader with the agent).
+ Added stage -> allocator (VirtualAlloc, HeapAlloc, or MapViewOfFile) to set
  which allocator Beacon's RDLL loader will use for the Beacon stage.
+ stage -> obfuscate now obfuscates .text section in rDLL package
+ Fixed client NPE triggered by missing download start metadata
+ Added Cobalt Strike client IP address to join message in events.log
+ Added -Dcobaltstrike.server_bindto=address (in teamserver script, java command)
  to change the address the team server will bind to. Default is 0.0.0.0.
+ Team server now uses a more resilient process to write its data model
+ Screenshot tool now reports user, session, and active window title.
+ Updated View -> Screenshots and other UX to use screenshot context info
+ Added color highlighting to View -> Screenshots
+ http-post C2 handler now detects another type of corruption.
+ Added color highlighting to View -> Downloads
+ Added color highlighting to View -> Keystrokes
+ Keystroke logger now reports user and session information
+ Updated View -> Keystrokes and other UX to use keylogger context info
+ Added option to "remove" screenshot or keystrokes from interface via menu
+ Added screenshots.log to logs/[date]/[target]/ folder with screenshot meta-data
+ Stripped color codes from keystroke logs and added desktop session/user context
+ Added Save option to keystroke and screenshot browser right-click menu.
+ Split screenshot into two commands: screenshot and screenwatch. screenshot takes
  a single screenshot. screenwatch takes periodic screenshots until terminated
  with jobkill command.
+ Added printscreen command to take screenshot by forcing PrintScr keypress and
  grabbing contents from the keyboard.
+ Added post-ex -> thread_hint to spawn threads with specified module!func+offset
  start address. Affects the browserpivot, keylogger, net, portscan, and
  powerpick/psinject post-ex DLLs.
+ Added post-ex -> keylogger to set keystroke logging method. Current options are
  SetWindowsHookEx and GetAsyncKeyState.
+ post-ex -> obfuscate now enables behavior to mask DLL strings, when not needed,
  in execute-assembly, keystroke logger, screenshot, and SSH client DLLs.
+ Added stage -> magic_mz_[arch] and magic_pe to set the MZ and PE header values to
  something else in Beacon's DLL package. Read the docs on this one as the MZ
  values have to be valid executable instructions that [should] repair any changes.
+ Added a c2lint warning for operation-impacting high dns_ttl values.
+ HTTP and DNS C2 specific configs no longer show up outside of their payloads
+ Beacon now detects http-post block request failures and tries requests again.
+ Rewrote how DNS C2 caches and clears cache of conversations and entries. This
  fixes DNS C2 stability/performance for servers that send parent domain before
  each FQDN request. It looked like a checkin to Beacon and was wreaking havoc.
+ Implemented remote-exec wmi as a BOF.
+ Max length of useragent field in Malleable C2 profile is now 255 characters.
+ Fixed bug with [possible] domain truncation in DNS/HTTP Beacon config if the total
  length of the specified domains exceeded 255 characters.
+ 8+ years in and I think y'all deserve some generosity from the Cobalt Strike
  product. As my kind act, I have doubled the max size of the http-get.client and
  http-post.client programs in your profile.
+ Added headers_remove global option to force Beacon's WinINet to remove specified
  headers late in the HTTP/S transaction process.
+ Added a "this goes into your config" notice to the HTTP Beacon proxy config dialog
+ Added an empty BOF content sanity check to &beacon_inline_execute
+ Added rportfwd_local to create a port forward that initiates connection and routes
  from Beacon to team server onwards through the requester's Cobalt Strike client.
+ Implemented spunnel and spunnel_local commands to spawn shellcode and tunnel
  connection to specified controller. spunnel_local forwards via Cobalt Strike client
  and spunnel forwards via the team server.
+ Added pivot socket read governor to limit read loop to max ~4s per Beacon checkin.
+ Bug fix to link module read functions
+ Multiple improvements to existing rportfwd implementation.
+ rportfwd (and spunnel) are now friendly to having the rportfwd for a session/port
  redefined without the need to release the bound port and rebind it.
+ Pivot socket writes now happen on a connection specific thread to prevent session
  deadlock if the team server-side relayed connection becomes unresponsive or blocked.
+ Fixed a handle leak in socks pivoting sub-system
+ DNS Beacon C2 now drops requests that are not A, AAAA, or TXT.
+ Added post-ex -> pipename Malleable C2 option to change post-ex job output pipename
+ Added set ssh_pipename to set the named pipe used by Cobalt Strike's SSH sessions
+ Proxy server config parser now strips trailing / (which impacted the port value).
+ Any # in Malleable C2 pipename options is now replaced with a random hex digit.
+ Fixed BeaconUseToken BOF API to return a BOOL as documented
+ Added BeaconSpawnTemporaryProcess BOF API.
+ Fixed parser to extract creds from dcsync [domain] output
+ Made changes to avoid unneeded VirtualProtect when startrwx/userwx in process-inject
  block are both true.
+ BOF executable memory now honors startrwx/userwx hints from process-inject block
+ Added script hook to enable use of alt. mimikatz, provided by us, between releases
+ Updated to Mimikatz 2.2.0-20200918-fix
+ Greatly reduced the size of mimikatz-min and mimikatz-chrome DLLs.
+ Added chromedump alias to run dpapi::chrome in mimikatz.
+ Improved recoverability of parent Beacon if a child TCP Beacon process "fails"
+ Added Vista+ check to getsystem in Beacon console.
+ Browser Pivot HTTP Proxy is now manageable via View -> Proxy Pivots
+ Added &bmimikatz_small to Aggressor Script.
+ Moved capability to query network interfaces to a BOF and out of core Beacon
+ Added some ptr cleanup to post-ex RDLL loaders.
+ Fixed SSH agent bug where session was sometimes incorrectly reported as elevated
+ Added set data_jitter "X" to add noise to Beacon's HTTP/S beaconing by adding
  up to X (random each time) random bytes to the output of each http-get and
  http-post response
+ c2lint warns for a bad process-inject -> execute config for Windows XP-era systems.
+ execute-assembly now stomps DOS header when post-ex -> obfuscate is true
+ Added c2lint check for dangerous headers to overwrite with http-config.
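The pipename items in the notes above (post-ex -> pipename, ssh_pipename, and the rule that every `#` in a pipename option becomes a random hex digit) matter for detection content: a rule that matches a known profile value literally will never fire, because `#` has to be treated as a one-character hex wildcard. The Python below is an added example, not Cobalt Strike's own code; the profile values, log layout and sensor output are constructed for illustration and are not Cobalt Strike defaults.

```python
import re
from typing import Dict, List

# Added example, not Cobalt Strike code. Per the 4.2 notes, every '#' in a
# Malleable C2 pipename option becomes a random hex digit at runtime, so a
# detection built from a known profile value must treat '#' as one hex
# character and match everything else literally.

# Hypothetical profile values, constructed for this example (not CS defaults).
DEMO_PATTERNS: Dict[str, str] = {
    "agent": "demo_agent_##",
    "postex": "demo_postex_####",
    "ssh": "demo_ssh_##",
}

# Constructed pipe-creation telemetry in a key=value layout; both the full
# pipe-namespace prefix and a bare leading backslash (as some sensors log) occur.
SAMPLE_LOG: List[str] = [
    "2020-11-06T12:00:01Z host=WS01 pid=4412 image=rundll32.exe pipe=\\\\.\\pipe\\demo_agent_3f",
    "2020-11-06T12:00:02Z host=WS01 pid=4412 image=rundll32.exe pipe=\\demo_postex_a1c9",
    "2020-11-06T12:00:03Z host=WS01 pid=7001 image=svchost.exe pipe=\\\\.\\pipe\\demo_agent_##",
    "2020-11-06T12:00:04Z host=WS02 pid=812 image=explorer.exe pipe=\\\\.\\pipe\\demo_agent_3fz",
    "2020-11-06T12:00:05Z host=WS02 pid=812 image=explorer.exe pipe=\\DEMO_SSH_0B",
]

KV = re.compile(r"(\w+)=(\S+)")

def pipename_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """'#' -> one hex digit, every other character literal. Pipe names are
    case-insensitive on Windows, so the regex is too; an optional namespace
    prefix or bare backslash is accepted and the name must end at the pattern."""
    body = "".join("[0-9a-f]" if ch == "#" else re.escape(ch) for ch in pattern)
    return re.compile(r"^(?:\\\\\.\\pipe\\|\\)?" + body + r"$", re.IGNORECASE)

def find_matches(patterns: Dict[str, str], lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose pipe field matches a configured pattern."""
    compiled = {label: pipename_pattern_to_regex(p) for label, p in patterns.items()}
    hits: List[Dict[str, str]] = []
    for line in lines:
        fields = dict(KV.findall(line))
        name = fields.get("pipe")
        if not name:
            continue
        for label, rx in compiled.items():
            if rx.match(name):
                hits.append({"rule": label, "pipe": name, "image": fields.get("image", "?")})
                break  # first matching rule wins
    return hits
```

Run over the constructed log, lines 1, 2 and 5 produce hits; the name containing a literal `##` and the name with one extra trailing character do not, which is the behaviour you want from a pattern anchored to the configured length.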



Download: https://lrxa.herokuapp.com/ (no software available yet; to be updated later)

This article was first published on the WeChat public account 利刃信安: Cobalt Strike 4.2 (November 6, 2020)

Original article (CN-SEC 中文网): http://cn-sec.com/archives/180153.html