Cobalt Strike 4.0 – HTTP Variants

By Red Siege | December 31, 2019

We can all celebrate that the 4.0 release of Cobalt Strike has happened before the holidays, and with it comes some really useful changes! One of the biggest changes I would like to talk about is the introduction of malleable profile variants! Let’s dive into what “variants” are and how they can help us.

3.X vs. 4.0

Before we can talk about how variants work, we need to understand one of the major changes to listeners between Cobalt Strike 3.X and 4.0. When we created a listener in Cobalt Strike 3.X, we gave it a name, chose the payload type, set the Host value, and provided the port to listen on, as shown in the screenshot below.

[Screenshot: 3.X Listener Screen]

However, 4.0 has changed the way we can configure listeners. Outside of the addition of “variants”, another one of the biggest changes to Cobalt Strike 4.0 is the ability to have multiple listeners on a single team server! The next question you might ask is, if we configure multiple listeners on a single team server, do they all use the same malleable profile? That is where malleable profile variants step in!

Variants

Malleable profile variants allow you to define multiple network indicator blocks within a single malleable profile. To be specific, we can now define multiple blocks of “http-get”, “http-post”, “http-stager”, and “https-certificate”. So how does this look?

Let’s start by reviewing a standard malleable profile. We define the “default” profile by building the blocks listed above just as we always have.

[Screenshot: Standard http-get Profile Block]

However, we can define an extra http-get block just by providing a name for the variant next to the “http-get” definition. In the screenshot below, we call the variant “var1”.

[Screenshot: http-get Variant]

After you define variants for all the blocks you want (at a minimum, define one for each of “http-get”, “http-post”, and “http-stager”), your next step is to run c2lint to make sure the profile passes. Once it passes and you start your team server with that malleable profile, the Listeners menu will show an additional option in the Profile section.

[Screenshot: Additional Malleable Profile]

Our variant now shows up in the “Profile” selection box within the Listener menu, allowing us to choose between the default profile and the “var1” profile. At this point, we just select the profile of our choice and configure the rest of the listener!
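Each variant is a separate set of network indicators, so a detection rule written against the default block’s URI and headers says nothing about traffic from a listener running “var1”. The script below is an added example (not Cobalt Strike’s code and not from this post) that walks a malleable profile, lists every “http-get”, “http-post”, “http-stager”, and “https-certificate” block with its variant name and “set uri” values, and runs a small URI-overlap check of our own (this is not what c2lint does). The embedded profile is a constructed sample built to mirror the walkthrough above: a default “http-get”/“http-post” pair plus a “var1” variant of each.

```python
import re
from collections import defaultdict

# Constructed sample profile for this example (not a real or recommended
# profile): default http-get/http-post blocks plus a "var1" variant of each.
SAMPLE_PROFILE = r'''
set sample_name "variants-demo";

http-get {
    set uri "/api/v1/status";
    client {
        header "Accept" "*/*";
        metadata { base64url; parameter "id"; }
    }
    server {
        header "Content-Type" "application/json";
        output { base64; print; }
    }
}

http-get "var1" {
    set uri "/images/logo.gif";
    client {
        header "Accept" "image/*";
        metadata { base64url; uri-append; }
    }
    server {
        header "Content-Type" "image/gif";
        output { print; }
    }
}

http-post {
    set uri "/api/v1/submit";
    client { id { parameter "id"; } output { print; } }
    server { output { print; } }
}

http-post "var1" {
    set uri "/images/upload";
    client { id { parameter "id"; } output { print; } }
    server { output { print; } }
}
'''

# A top-level block is `<type> {` (default) or `<type> "<variant>" {`.
BLOCK_RE = re.compile(
    r'^(http-get|http-post|http-stager|https-certificate)'  # block type
    r'(?:\s+"([^"]*)")?\s*\{',                              # optional variant name
    re.MULTILINE,
)
URI_RE = re.compile(r'\bset\s+uri\s+"([^"]*)"\s*;')


def _block_end(text, open_idx):
    """Return the index just past the brace that closes the '{' at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced braces in profile")


def parse_variants(profile):
    """Return [(block_type, variant_name, [uris]), ...] for every network
    indicator block; unnamed blocks are reported as the 'default' variant."""
    blocks = []
    for m in BLOCK_RE.finditer(profile):
        open_idx = m.end() - 1
        body = profile[open_idx:_block_end(profile, open_idx)]
        # "set uri" may hold several space-separated URIs in one string.
        uris = [u for s in URI_RE.findall(body) for u in s.split()]
        blocks.append((m.group(1), m.group(2) or "default", uris))
    return blocks


def variant_names(profile):
    """The names that would appear in the listener's Profile selection box."""
    return sorted({name for _, name, _ in parse_variants(profile)})


def shared_uris(profile):
    """Our own sanity check (not c2lint): URIs claimed by more than one block."""
    owners = defaultdict(list)
    for btype, name, uris in parse_variants(profile):
        for u in uris:
            owners[u].append(f"{btype}/{name}")
    return {u: o for u, o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    for btype, name, uris in parse_variants(SAMPLE_PROFILE):
        print(f"{btype:12s} {name:10s} {' '.join(uris)}")
    print("variants:", variant_names(SAMPLE_PROFILE))
    print("shared URIs:", shared_uris(SAMPLE_PROFILE))
```

Run against a real profile (read the file into `parse_variants`) and every variant’s URIs come out in one list, which is the set of indicators a blue team needs to cover rather than just the default block’s.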

Hopefully this helps show how variants will be extremely useful in the latest version of Cobalt Strike. If you have any questions at all, don’t hesitate to contact us!
