Cobalt Strike 4.9: Take Me To Your Loader

资讯 10个月前 admin
653 0 0

Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and more.  
Cobalt Strike 4.9现已上市。此版本对Cobalt Strike的后开发功能进行了大修,以支持用户定义的反射加载程序(UDRL),在没有反射加载程序的情况下导出Beacon的能力,从而增加了对前置样式UDRL的官方支持,在许多内置函数中支持回调,新的信标内数据存储等。

We intend to publish a few follow-up blog posts over the next couple of weeks to provide more detail on some of the changes in this release, so please keep your eye on the blog for those updates. If you haven’t subscribed to the technical mailing list for blog updates, it is worth considering doing that as well so that you don’t miss anything!  

Post-Exploitation Overhaul

Cobalt Strike’s post-exploitation capabilities have been given an overhaul, with support for prepend-style User Defined Reflective Loaders being added to the following post-exploitation DLLs: 
Cobalt Strike 的开采后功能已经过全面改革,支持前置样式的用户定义反射加载器被添加到以下开发后 DLL 中:

  • browserpivot 浏览器枢轴
  • hashdump 哈希转储
  • invokeassembly 调用程序集
  • keylogger 键盘记录器
  • mimikatz 米米卡茨
  • netview 网景网景
  • portscan 端口扫描
  • powershell 电源外壳
  • screenshot 截图
  • sshagent sshagent

A new Aggressor Script hook, POSTEX_RDLL_GENERATE, has been added in order to implement this change, and replace the default reflective loader with a UDRL. Full details on this new hook and how it is used can be found in the documentation.  
添加了一个新的侵略者脚本挂钩 POSTEX_RDLL_GENERATE,以实现此更改,并将默认的反射加载程序替换为 UDRL。有关此新钩子及其使用方式的完整详细信息,请参阅文档。

It is important to note that UDRLs for Beacon payloads and post-exploitation payloads are very similar but have some subtle differences. Information on those differences, that relate to the loader entry function, the DLL’s entry point, the RDATA_SECTION pointer argument and the obfuscation start offset can be found in the documentation and should be carefully reviewed prior to making your own changes in this area. 
请务必注意,信标有效负载和开发后有效负载的 UDRL 非常相似,但存在一些细微差异。有关这些差异的信息,与加载程序入口函数、DLL 的入口点、RDATA_SECTION指针参数和模糊处理开始偏移量有关,可以在文档中找到,在对此问题进行自己的更改之前,应仔细查看这些信息。

You can find an example implementation of a post-exploitation loader in the UDRL-VS kit in the Cobalt Strike Arsenal Kit. 
您可以在 Cobalt Strike Arsenal 套件的 UDRL-VS 工具包中找到开发后加载程序的示例实现。

A new Malleable C2 option, post-ex.cleanup, has been added to specify whether or not to clean up the post-exploitation reflective loader memory when the DLL is loaded. We have also added the post-ex.transform-x64 and post-ex.transform-x86 blocks to the post-ex Malleable C2 block. Both new blocks support the strrep option, which replaces a string in all post-exploitation DLLs, and strrepex which replaces a string within a specific post-exploitation DLL. Valid DLL names are BrowserPivot, ExecuteAssembly, Hashdump, Keylogger, Mimikatz, NetView, PortScanner, PowerPick, Screenshot, and SSHAgent. For example:  
添加了一个新的可延展 C2 选项 post-ex.cleanup,用于指定在加载 DLL 时是否清理利用后的反射加载程序内存。我们还将 post-ex.transform-x64 和 post-ex.transform-x86 块添加到 post-ex 可延展 C2 块中。这两个新块都支持 strrep 选项,该选项替换所有开发后 DLL 中的字符串,以及 strrepex,用于替换特定开发后 DLL 中的字符串。有效的DLL名称是BrowserPivot,ExecuteAssembly,Hashdump,Keylogger,Mimikatz,NetView,PortScanner,PowerPick,Screenshot和SSHAgent。例如:

post-ex {
    # cleanup the post-ex UDRL memory when the post-ex DLL is loaded 
    set cleanup "true";
    transform-x64 {
        # replace a string in the port scanner dll
        strrepex "PortScanner" "Scanner module is complete" "Scan is complete";
        # replace a string in all post exploitation dlls
        strrep "is alive." "is up.";
    transform-x86 {
        # replace a string in the port scanner dll
        strrepex "PortScanner" "Scanner module is complete" "Scan is complete";
        # replace a string in all post exploitation dlls
        strrep "is alive." "is up.";

You can find more information on this change in the documentation. 

Export Beacon Without A Reflective Loader

Beacon can now be used without the exported reflective loader function when using UDRLs. This change also improves support for prepend-style UDRLs.  
使用 UDRL 时,现在可以在没有导出的反射加载程序功能的情况下使用信标。此更改还改进了对前置样式 UDRL 的支持。

The BEACON_RDLL_SIZE Aggressor Script hook is called when Beacon is being prepared and can now be used to remove the entire reflective loader space from the Beacon DLL. By returning a value of “0”, a Beacon without the reflective loader is passed to the BEACON_RDLL_GENERATE and BEACON_RDLL_GENERATE_LOCAL hooks. For example: 
BEACON_RDLL_SIZE侵略者脚本挂钩在准备信标时调用,现在可用于从信标 DLL 中删除整个反射加载程序空间。通过返回值“0”,没有反射加载程序的信标将传递到BEACON_RDLL_GENERATE并BEACON_RDLL_GENERATE_LOCAL钩子。例如:

# ------------------------------------
# $1 = DLLfilename
# $2 = arch
# ------------------------------------
    warn("Running 'BEACON_RDLL_SIZE' for DLL " .$1. " with architecture " .$2);   

As a result of this change, the default BEACON_RDLL_SIZE return value has been changed from 0 to 5.  
由于此更改,默认BEACON_RDLL_SIZE返回值已从 0 更改为 5。

Callback Support 回调支持

We have had a number of requests from our users to make it easier to process the results of certain function calls. This is challenging due to the asynchronous nature of Cobalt Strike’s communications, but this has been addressed in this release by the addition of callbacks for a number of built-in functions. Callbacks are triggered following a response to a command by Beacon, and also when dealing with custom dialogs via dialog input and action button clicks.  
我们收到了来自用户的许多请求,以便更轻松地处理某些函数调用的结果。由于Cobalt Strike通信的异步性质,这具有挑战性,但在此版本中,通过添加许多内置函数的回调解决了这一问题。回调是在 Beacon 响应命令后触发的,也是在通过对话框输入和操作按钮单击处理自定义对话框时触发的。

Support for callbacks has been added to the following Aggressor Script functions: 

  • bnet 网络
  • beacon_inline_execute beacon_inline_execute
  • binline_execute binline_execute
  • bdllspawn BDLL生成
  • bexecute_assembly bexecute_assembly
  • bhashdump 巴什转储
  • bmimikatz 比米米卡茨
  • bmimikatz_small bmimikatz_small
  • bportscan bportscan
  • bpowerpick B电源拾取
  • bpowershell bpowershell
  • bpsinject BPSINJECT

In general, there are three types of techniques that can be used to deal with callbacks – anonymous closure, named closure, and lambda closure. 
通常,有三种类型的技术可用于处理回调 – 匿名闭包、命名闭包和 lambda 闭包。

An anonymous closure is useful when you want to keep a small amount of code inline with the caller. For example, logging output from a BOF to the Beacon console would look like this: 
当您希望将少量代码与调用方内联时,匿名闭包很有用。例如,将输出从 BOF 记录到 Beacon 控制台如下所示:

alias cs_example {
    # User setup code removed for brevity     
    beacon_inline_execute($bid, $data, "go", $args, { blog($1, $2); });

named closure is useful when you have a lot of code that you may want to reuse. In this example, we create a closure named “bof_cb”, which is executed when data is returned by the BOF: 
当您有大量可能需要重用的代码时,命名闭包很有用。在此示例中,我们创建一个名为“bof_cb”的闭包,当 BOF 返回数据时执行:

$1 - bid, $2 - result, $3 - info map
sub bof_cb {
    # User defined code removed for brevity
alias cs_example {
    local('$bid $data $args');
    # User setup code removed for brevity
    beacon_inline_execute($bid, $data, "go", $args, &bof_cb);

lambda closure is useful when you want to pass variables that would not be in scope using the previous examples. This example demonstrates how you are able to access the $test_num variable, which is in the scope of the cs_example alias: 
当您想要传递使用前面的示例传入的变量时,lambda 闭包非常有用。此示例演示如何访问 $test_num 变量,该变量位于 cs_example 别名的范围内:

# $1 - bid, $2 – result, $3 - infomap, $4 - test_num
sub bof_cb{
    # User defined code removed for brevity
alias cs_example {
    local('$bid $file $test_num');
    # User setup code removed for brevity 
    binline_execute($bid, $file, $test_num, lambda({ bof_cb($1, $2, $3, $test_num); }, \$test_num);

Examples can also be found in a public Cobalt Strike GitHub repository, found here
示例也可以在公共Cobalt Strike GitHub存储库中找到,可在此处找到。

Beacon Data Store 信标数据存储

Along similar lines to the token store in the 4.8 release, we have added a Beacon Data Store that allows you to store BOFs and .NET assemblies in Beacon’s memory, allowing the stored items to be executed multiple times without having to resend the item. The Cobalt Strike client will automatically detect whether an object to be executed is already in the data store so there is nothing additional that you need to do on your part once an object is stored. Stored entries are masked by default, only becoming unmasked when used. It is also possible to store generic files in the data store which will be available for BOFs to use.  
与 4.8 版本中的令牌存储类似,我们添加了一个信标数据存储,允许您将 BOF 和 .NET 程序集存储在 Beacon 的内存中,从而允许多次执行存储的项目,而无需重新发送项目。Cobalt Strike 客户端将自动检测要执行的对象是否已在数据存储中,因此一旦存储了对象,您无需执行任何其他操作。默认情况下,存储的条目被屏蔽,只有在使用时才会被取消屏蔽。还可以将通用文件存储在可供 BOF 使用的数据存储中。

The default data store size is 16 entries, although this can be modified by configuring the stage.data_store_size option within your Malleable C2 profile.  
默认数据存储大小为 16 个条目,但可以通过在可延 C2 配置文件中配置 stage.data_store_size 选项来修改。

data-store load [bof|dotnet|file] <name> [path] stores an item in the store. 
数据存储加载 [bof|dotnet|file] [path] 将项目存储在存储中。

data-store unload [index] removes a stored item.
数据存储卸载 [索引] 删除存储的项目。

data-store list lists all items available in the data store. 

A number of BOF API functions have also been added to allow you to access and protect items that are stored in the Beacon Data Store:  
还添加了许多 BOF API 函数,以允许您访问和保护存储在信标数据存储中的项目:

BeaconDataStoreGetItem(size_t index) returns a pointer to the specified item. The function will return NULL if no entry exists at the specified index. 
BeaconDataStoreGetItem(size_t index) 返回指向指定项的指针。如果指定索引中不存在任何条目,则该函数将返回 NULL。

BeaconDataStoreProtectItem(size_t index) obfuscates a specific item in the Beacon Data Store. 
BeaconDataStoreProtectItem(size_t索引)混淆Beacon Data Store中的特定项目。

BeaconDataStoreUnprotectItem(size_t index) deobfuscates a specific item in the  Beacon Data Store. 
BeaconDataStoreUnprotectItem(size_t index) 对 Beacon Data Store 中的特定项目进行去混淆处理。

BeaconDataStoreMaxEntries() returns the maximum size of the Beacon Data Store. 
BeaconDataStoreMaxEntries() 返回 Beacon Data Store的最大大小。

Beacon User Data 信标用户数据

Beacon User Data is a C structure that allows Reflective Loaders to pass additional data to Beacons. It is passed as a pointer to Beacon by calling Beacon’s DllMain function with a custom reasoning known as DLL_BEACON_USER_DATA (0x0d). This must be passed to Beacon before the standard DLL_PROCESS_ATTACH reason is invoked. It is not required to keep the structure in memory after the DLL_BEACON_USER_DATA call because Beacon copies necessary values from it during the call.  
信标用户数据是一种 C 结构,允许反射加载器将其他数据传递给信标.它作为指向 Beacon 的指针传递,方法是使用称为 DLL_BEACON_USER_DATA (0x0d) 的自定义推理调用 Beacon 的 DllMain 函数。这必须在调用标准DLL_PROCESS_ATTACH原因之前传递给信标。在DLL_BEACON_USER_DATA调用后,不需要将结构保留在内存中,因为 Beacon 会在调用期间从中复制必要的值。

A version number is contained in the structure to ensure backward compatibility between different versions of Beacons and Reflective Loaders. Newer Beacons will therefore be able to handle and utilize older Beacon User Data structures without crashing.  

Beacon User Data also allows a Reflective Loader to resolve and pass system call information to Beacon, overriding Beacon’s default system call resolver. The SYSCALL_API_ENTRY structure is used for each supported system call. The SYSCALL_API structure holds these entries. Each entry contains information on the jump address (depending on system architecture), the system call number and the address of the corresponding Nt* function. The jump address and system call number are required for indirect system calls, whilst the function address is required for direct system calls. If values are not specified, Beacon will fall back to the corresponding WinAPI call. If the system calls fields in the USER_DATA structure points to NULL, then the system call information is skipped.  
信标用户数据还允许反射加载程序解析系统呼叫信息并将其传递给信标, 覆盖信标的默认系统调用解析器.SYSCALL_API_ENTRY结构用于每个受支持的系统调用。SYSCALL_API结构保存这些条目。每个条目都包含有关跳转地址(取决于系统体系结构)、系统呼叫号码和相应 Nt* 函数地址的信息。间接系统调用需要跳转地址和系统调用号,直接系统调用需要函数地址。如果未指定值,信标将回退到相应的 WinAPI 调用。如果USER_DATA系统调用结构中的字段指向 NULL,则跳过系统调用信息。

Beacon User Data also allows a Reflective Loader to pass a small (32 bytes) data buffer to Beacon, allowing users to specify and pass their own custom data. BOFs can retrieve a pointer to this data with the BeaconGetCustomUserData function.  
信标用户数据还允许反射加载器将一个小 (32 字节) 数据缓冲区传递给信标, 允许用户指定和传递自己的自定义数据.BOF可以使用BeaconGetCustomUserData函数检索指向此数据的指针。

You can download beacon_user_data.h here and you can find a usage example in the UDRL-VS, which can be found in the Arsenal Kit.  
您可以在此处下载 beacon_user_data.h,您可以在 UDRL-VS 中找到使用示例,该示例可以在阿森纳套件中找到。

WinHTTP Support WinHTTP 支持

Up until now, Beacon’s HTTP(S) listener has used the WinInet library by default. Based on feedback from a number of users, support for the WinHTTP library has been added.  
到目前为止,Beacon的HTTP(S)侦听器默认使用WinInet库。根据许多用户的反馈,添加了对 WinHTTP 库的支持。

A new Malleable C2 group, .http-beacon, has been created. Additionally, a .http-beacon.library option has been added to allow you to set the default library used when creating a new HTTP(S) listener. Valid values are wininet and winhttp. If the new Malleable C2 profile option is not specified, new HTTP(S) listeners will continue to default to WinInet.  
一个新的可延展 C2 组 .http-beacon 已创建。此外,还添加了 .http-beacon.library 选项,允许您设置创建新的 HTTP(S) 侦听器时使用的默认库。有效值为 wininet 和 winhttp。如果未指定新的可延展 C2 配置文件选项,则新的 HTTP(S) 侦听器将继续默认为 WinInet。

The new http-beacon Malleable C2 profile group also supports variants, which can then be assigned to listeners. For example:  
新的 http-beacon 可延展 C2 配置文件组还支持变体,然后可以将其分配给侦听器。例如:

http-beacon {
    set library "winhttp";
http-beacon "httplib-wininet" {
    set library "wininet";
http-beacon "httplib-winhttp" {
    set library "winhttp";

The default value in the Malleable C2 profile can be overridden via the new HTTP library option in the stageless payload generator, generate all payloads, and windows executable dialogs. For example:  
可延展 C2 配置文件中的默认值可以通过无阶段有效负载生成器中的新 HTTP 库选项覆盖,生成所有有效负载和 Windows 可执行文件对话框。例如:

Cobalt Strike 4.9: Take Me To Your Loader
Cobalt Strike 4.9: Take Me To Your Loader

Support has also been added in a number of Aggressor Script functions, which have been updated to add support for the new optional library parameter. When the parameter is not specified, the default library value is resolved from the listener definition. When specified, the value must be either an empty string, $nullwininet or winhttp. The following functions have been updated to support this additional parameter: 
还在许多 Aggressor 脚本函数中添加了支持,这些函数已更新为添加了对新的可选库参数的支持。如果未指定参数,则从侦听器定义解析默认库值。指定时,该值必须是空字符串、$null、wininet 或 winhttp。以下函数已更新以支持此附加参数:

  • payload 有效载荷
  • payload_local payload_local
  • artifact_payload artifact_payload
  • all_payloads all_payloads

Host Profile Support for HTTP(S) Listeners
对 HTTP(S) 侦听器的主机配置文件支持

Cobalt Strike’s HTTP(S) processing has limitations. Whilst we will be reviewing this and plan to make other, impactful changes in a future release, we have identified and addressed a couple of limitations in the scope of this release. Specifically, up to now, callback host names are assigned to a single URI when the Beacon payload is generated, and HTTP(S) parameters and headers are defined at a profile or variant level. This means that all HTTP(S) traffic to that host looks very similar.  
Cobalt Strike的HTTP(S)处理有局限性。虽然我们将对此进行审查,并计划在未来版本中进行其他有影响力的更改,但我们已经确定并解决了此版本范围内的一些限制。具体来说,到目前为止,在生成信标有效负载时,回调主机名将分配给单个 URI,并且在配置文件或变体级别定义 HTTP(S) 参数和标头。这意味着到该主机的所有 HTTP(S) 流量看起来非常相似。

We have addressed these limitations by adding a new Malleable C2 profile group – http-host-profiles. This allows you to define HTTP characteristics (URI, headers and parameters) that will be used for HTTP(S) communications for a specific host name. Dynamic (randomly selected) values are supported. Variants are used to define host profiles for multiple host names.
我们通过添加新的可延 C2 配置文件组 – http-host-profiles 解决了这些限制。这允许您定义将用于特定主机名的 HTTP(S) 通信的 HTTP 特征(URI、标头和参数)。支持动态(随机选择)值。变体用于为多个主机名定义主机配置文件。

Dynamic data is surrounded by square brackets and supports a list of values (up to 32) separated by a pipe character. A single value will be randomly selected from the list of dynamic data values, per request. It can also be embedded in static data, randomising part of the string.
动态数据用方括号括起来,并支持用竖线字符分隔的值列表(最多 32 个)。每个请求将从动态数据值列表中随机选择一个值。它也可以嵌入到静态数据中,随机化字符串的一部分。

The host-name field is a fixed string that links the host profile to the matching HTTP Hosts field on the HTTP(S) listener dialog. 
主机名字段是一个固定字符串,用于将主机配置文件链接到 HTTP(S) 侦听器对话框中匹配的 HTTP 主机字段。

Up to 10 values are supported for the parameter and header values in a single host profile get/post definition. Both options support dynamic data syntax. Parameters and headers defined in a host profile are added in addition to any parameters and headers defined in the applicable default or variant profile.  
单个主机配置文件获取/发布定义中的参数和标头值最多支持 10 个值。这两个选项都支持动态数据语法。除了在适用的默认或变体配置文件中定义的任何参数和标头之外,还会添加主机配置文件中定义的参数和标头。

Beacons support up to 8 host profile definitions per listener. A generated Beacon has space for 1024 bytes of host profile data in total. If multiple hosts are defined then they must all fit within 1024 bytes. 
信标支持最多 8 每个侦听器主机配置文件定义.生成的信标总共有空间容纳 1024 字节的主机配置文件数据.如果定义了多个主机,则它们必须全部适合 1024 字节。

You can find a Malleable C2 profile with an example http-host-profiles block here.
您可以在此处找到带有示例 http-host-profiles 块的可延展 C2 配置文件。

Inter-Client Communications

This release sees the addition of Aggressor Script support for sending and receiving data between Cobalt Strike clients. Up until this point, the only way to share data between clients was via Cobalt Strike’s Event Log – for example, @Octoberfest73’s MemFiles uses this approach to share data between clients and this is an excellent example use case for this new feature.  
此版本增加了侵略者脚本支持,用于在Cobalt Strike客户端之间发送和接收数据。到目前为止,在客户端之间共享数据的唯一方法是通过Cobalt Strike的事件日志 – 例如,@Octoberfest73的MemFiles使用这种方法在客户端之间共享数据,这是此新功能的一个很好的示例用例。

Three new Aggressor Script functions have been added to facilitate the firing and consumption of custom events:  

custom_event is used to broadcast a custom event to all Cobalt Strike clients.
custom_event用于向所有Cobalt Strike客户端广播自定义事件。

Arguments are:   参数是:
$1 – the topic name 
$1 – 主题名称

$2 – the event data 
$2 – 事件数据

custom_event_private is used to send a custom event to a single, specific Cobalt Strike client.
custom_event_private用于将自定义事件发送到单个特定的Cobalt Strike客户端。

Arguments are: 参数是:
$1 – who to send the custom event to 
$1 – 将自定义事件发送给谁

$2 – the topic name 
$2 – 主题名称

$3 – the event data 
$3 – 事件数据

custom_event_<topic-name> is fired when a client receives a custom event from another client.

Arguments are: 参数是:
$1 – who sent the custom event 
$1 – 谁发送了自定义事件

$2 – the event data 
$2 – 事件数据

$3 – the time the event was sent 
$3 – 发送事件的时间

BOF Updates 转场更新

A feature that we’ve had on our backlog for quite some time is to add a key/value store to Beacon, which is intended to be used as a persistent store between BOF executions. As we have had recent customer requests along those lines, we figured that now would be a good time to address this.  
我们在积压工作中已有一段时间的一项功能是向 Beacon 添加一个键/值存储,该存储旨在用作 BOF 执行之间的持久存储。由于我们最近收到了类似的客户请求,我们认为现在是解决这个问题的好时机。

Three new APIs have been added to Beacon to support this key/value store:  
Beacon 中添加了三个新的 API 来支持此键/值存储:

BeaconAddValue(const char * key, void * ptr) allows you to add a memory address to a key. 
BeaconAddValue(const char * key, void * ptr) 允许您向密钥添加内存地址.

BeaconGetValue(const char * key) allows you to retrieve the memory address associated with a key. 
BeaconGetValue(const char * key) 允许您检索与密钥关联的内存地址.

BeaconRemoveValue(const char * key) allows you to remove the key. Note that this will not do any memory clean-up; in order to prevent memory leaks, this clean-up should be handled by the BOF. 
BeaconRemoveValue(const char * key) 允许您删除密钥.请注意,这不会执行任何内存清理;为了防止内存泄漏,此清理应由 BOF 处理。

We have also added a new API that can be used by BOFs to get information on Beacon such as the Beacon address, sections to mask, heap records to mask, the mask, sleep mask address and sleep mask size information: 
我们还添加了一个新的 API,BOF 可以使用该 API 获取有关信标的信息,例如信标地址、要屏蔽的部分、要屏蔽的堆记录、掩码、睡眠掩码地址和睡眠掩码大小信息:

BeaconInformation(BEACON_INFO * pBeaconInfo)
信标信息(BEACON_INFO * p信标信息)

This API is particularly useful for the Sleep Mask BOF as it uses it to populate the BEACON_INFO data structure, and this information can then be passed to the evasive sleep implementation to provide size information that is required to hide the sleep mask BOF. The sleep mask kit in the Arsenal kit has been updated with these changes.  
此 API 对于睡眠掩码 BOF 特别有用,因为它使用它来填充BEACON_INFO数据结构,然后可以将此信息传递给规避睡眠实现,以提供隐藏睡眠掩码 BOF 所需的大小信息。阿森纳球衣中的睡眠面罩套件已根据这些更改进行了更新。

Examples of these changes have been added to the bof_template project in the public Cobalt Strike GitHub
这些更改的示例已添加到公共Cobalt Strike GitHub的bof_template项目中。

Whilst not part of the main product release, another relevant update that we recently released is the ability to debug and test BOFs without having to spawn a Beacon. The BOF-VS template was created and a blog post authored during the current release cycle, and I’m including a reference here to highlight that work. Following user feedback and questions around how the BOF-VS is licensed and how they can publish their own work, we have decided to move the BOF-VS out of the Arsenal kit and publish it in the public Cobalt-Strike GitHub to address those issues. 
虽然不是主要产品版本的一部分,但我们最近发布的另一个相关更新是调试和测试 BOF 的能力,而无需生成 Beacon。BOF-VS 模板是在当前发布周期中创建的,并撰写了一篇博客文章,我在此处包含一个参考资料以突出这项工作。根据用户反馈和关于BOF-VS如何获得许可以及如何发布自己的作品的问题,我们决定将BOF-VS从阿森纳工具包中移出,并将其发布在公共的Cobalt-Strike GitHub上以解决这些问题。

Sleep Mask Update 睡眠面膜更新

The sleep mask processing has been updated to mask the sleep mask code that is patched into Beacon.  
睡眠掩码处理已更新,以屏蔽修补到 Beacon 中的睡眠掩码代码。

System Call Updates 系统调用更新

An update has been made to the system call support that was added in the 4.8 release. Support for direct and indirect system calls has been added for the following functions:  
对 4.8 版本中添加的系统调用支持进行了更新。为以下函数添加了对直接和间接系统调用的支持:

  • DuplicateHandle 重复句柄
  • ReadProcessMemory 读取进程内存
  • WriteProcessMemory 写入进程内存

Product Security Updates

A change has been made to authorization files so that they are no longer backwards compatible with older versions of Cobalt Strike. This means that the authorization file generated when you update to or install the 4.9 release will not work with any 4.8 versions that you may also need to use. Whilst this change should not affect the majority of our users, we do know that some users test newer versions before using them in engagements and could be impacted by this change.  
对授权文件进行了更改,以便它们不再向后兼容旧版本的Cobalt Strike。这意味着更新或安装 4.9 版本时生成的授权文件不适用于您可能还需要使用的任何 4.8 版本。虽然此更改不会影响我们的大多数用户,但我们确实知道一些用户在参与中使用较新版本之前会测试它们,并且可能会受到此更改的影响。

Licensed users that need an old (pre-4.9) authorization file can generate one here:
需要旧的(4.9 之前)授权文件的许可用户可以在此处生成一个:

Backwards Compatibility 向后兼容性

While we are on the subject of backwards compatibility of the authorization files, I feel that this is a good opportunity to reaffirm that Cobalt Strike itself is not backwards compatible with previous versions. This is a subject that comes up frequently after each new release.  
虽然我们讨论的是授权文件的向后兼容性问题,但我认为这是一个很好的机会来重申Cobalt Strike本身与以前的版本不向后兼容。这是每个新版本发布后经常出现的主题。

If you want to put Cobalt Strike into play in an existing engagement, you need to stand up a new team server and new Beacons need to be started. Ideally, users would wait until new engagements are about to be started before switching to the latest release rather than attempting this in the middle of an existing engagement. This is, of course, up to you – but please be aware of the issues that may arise when doing this.
如果你想在现有的交战中发挥钴打击的作用,你需要建立一个新的团队服务器,新的信标需要启动。理想情况下,用户应等到新的活动即将开始,然后再切换到最新版本,而不是在现有活动中间尝试此操作。当然,这取决于您 – 但请注意执行此操作时可能出现的问题。

Other Updates 其他更新

We have made a few other, smaller changes in this release. 

The listeners listed in the Listener Chooser are now listed by name, instead of presented in a random order. 

The about box has been given an update so that it’s more responsive when it is expanded. 

We have added support for spawning processes under the impersonated user security context.  

A new Malleable C2 option, sleep, has been added to match the sleep command syntax added in the 4.8 release. The new setting accepts both seconds/jitter values or using the new d/h/m/s/j syntax. For example: 
添加了一个新的可延展 C2 选项“睡眠”,以匹配 4.8 版本中添加的睡眠命令语法。新设置接受秒/抖动值或使用新的 d/h/m/s/j 语法。例如:

sleep 20 25
sleep 1d 3h 15m 30s 50j

Note that if the sleep value is set, the existing sleeptime and jitter values cannot be used. The settings are mutually exclusive. 

Java Support 爪哇支持

Whilst we haven’t made any changes in this release, we just wanted to give our users advanced notice that we are planning to update the minimum supported Java version from Java 8 to Java 11 in the next release. Hopefully, this won’t negatively impact any of our users but this should give you enough time to factor this in, if you need to make changes to your environment.  
虽然我们没有在此版本中进行任何更改,但我们只是想提前通知用户,我们计划在下一个版本中将支持的最低 Java 版本从 Java 8 更新到 Java 11。希望这不会对我们的任何用户产生负面影响,但如果您需要对环境进行更改,这应该会给您足够的时间来考虑这一点。

To see a full list of what’s new in Cobalt Strike 4.9, please check out the release notes. Licensed users can run the update program to get the latest version, or download version 4.9 from the website. To purchase Cobalt Strike or learn more, please contact us
要查看Cobalt Strike 4.9中新增功能的完整列表,请查看发行说明。许可用户可以运行更新程序以获取最新版本,或从网站下载版本 4.9。要购买钴罢工或了解更多信息,请联系我们。

原文始发于Greg Darwin:Cobalt Strike 4.9: Take Me To Your Loader

版权声明:admin 发表于 2023年9月20日 上午8:59。
转载请注明:Cobalt Strike 4.9: Take Me To Your Loader | CTF导航