Cobalt Strike, a leading platform for red team operations, has unveiled its latest version, Cobalt Strike 4.11.
This release introduces several significant enhancements aimed at improving evasion capabilities and enhancing the overall effectiveness of red team engagements.
One of the key features is a novel process injection technique called ObfSetThreadContext, designed to bypass advanced detection methods used by Endpoint Detection and Response (EDR) systems.

Enhanced Evasion Capabilities
The new ObfSetThreadContext technique allows Beacon, Cobalt Strike’s core component, to inject into processes without leaving detectable threads.
This is achieved by setting the injected thread’s start address to a legitimate entry point, such as a function within the ntdll module, making it harder for security tools to identify suspicious activity.
Additionally, Cobalt Strike 4.11 includes a new Sleepmask feature, which automatically obfuscates Beacon and its heap allocations at runtime, providing robust protection against static signatures without requiring additional configuration.
This feature is enabled by default for HTTP(S) and DNS Beacons, with plans to extend it to pivot Beacons in future releases.

Asynchronous BOFs and Stealthy Network Communications
Cobalt Strike 4.11 also introduces asynchronous execution of Beacon Object Files (BOFs), allowing operators to run multiple BOFs simultaneously without blocking Beacon.
This is facilitated by the async-execute Postex DLL, which operates in single-shot or background modes, enabling efficient execution of BOFs in separate threads.
Furthermore, the release includes a DNS over HTTPS (DoH) Beacon, providing a stealthy network communication option.
This feature allows Beacon to communicate over encrypted DNS channels, making it more challenging for defenders to detect and intercept communications.
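
For defenders, DoH traffic is still visible as TLS sessions to a resolver's hostname, so one practical check is to flag processes that have no business speaking DoH. The sketch below is an added example, not code from Cobalt Strike or its vendor; the log layout, the resolver list, the process allowlist and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Assumption: a short list of well-known public DoH resolver hostnames.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Assumption: the processes this estate expects to use DoH.
EXPECTED = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample of TLS connection telemetry (epoch seconds, endpoint,
# originating process, server name from the TLS handshake).
SAMPLE_LOG = """ts,host,process,sni
1700000000,WS-014,chrome.exe,dns.google
1700000005,WS-014,updater.exe,cloudflare-dns.com
1700000065,WS-014,updater.exe,Cloudflare-DNS.com.
1700000125,WS-014,updater.exe,cloudflare-dns.com
1700000130,WS-022,firefox.exe,cloudflare-dns.com
1700000140,WS-022,svchost.exe,example.org
1700000200,WS-031,notepad.exe,dns.quad9.net
"""

def find_unexpected_doh(log_text, min_hits=3):
    """Return {(host, process, sni): {"hits", "mean_gap_s"}} for processes
    outside EXPECTED that reached a DoH resolver at least min_hits times."""
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        # Normalise case and a trailing dot so trivial variants still match.
        sni = row["sni"].strip().lower().rstrip(".")
        proc = row["process"].strip().lower()
        if sni in DOH_HOSTS and proc not in EXPECTED:
            seen[(row["host"], proc, sni)].append(int(row["ts"]))
    findings = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # A steady mean gap hints at periodic check-ins rather than browsing.
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        findings[key] = {"hits": len(stamps), "mean_gap_s": mean_gap}
    return findings

if __name__ == "__main__":
    for key, info in find_unexpected_doh(SAMPLE_LOG).items():
        print(key, info)
```
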
In addition to these major enhancements, Cobalt Strike 4.11 includes several quality-of-life updates.
Among them are improved command line variables for Beacon metadata, a reorganized help command with support for custom commands, and enhanced host rotation capabilities.
Users can now specify chunk sizes for GET and POST requests to evade data exfiltration detection.

The release also features GUI improvements, such as customizable console buffer sizes and better text wrapping for easier copying and pasting.
Overall, Cobalt Strike 4.11 is designed to provide red teams with more sophisticated tools for evading detection and conducting effective operations.