Cobalt Strike 4.0 – HTTP Variants

By Red Siege | December 31, 2019

We can all celebrate that the 4.0 release of Cobalt Strike has happened before the holidays, and with it comes some really useful changes! One of the biggest changes I would like to talk about is the introduction of malleable profile variants! Let’s dive into what “variants” are and how they can help us.

3.X vs. 4.0

Before we can talk about how variants work, we need to understand one of the major changes in Cobalt Strike listeners from 3.X to 4.0. When we created a Listener in 3.X of Cobalt Strike, we would give our listener a name, specify the payload type we want to use, specify the Host value, and provide the port number to listen on, shown in the screenshot below.


3.X Listener Screen


However, 4.0 has changed the way we can configure listeners. Outside of the addition of “variants”, another one of the biggest changes to Cobalt Strike 4.0 is the ability to have multiple listeners on a single team server! The next question you might ask is, if we configure multiple listeners on a single team server, do they all use the same malleable profile? That is where malleable profile variants step in!


Malleable profile variants allow you to define multiple network indicator blocks within a single malleable profile. To be specific, we can now define multiple blocks of “http-get”, “http-post”, “http-stager”, and “https-certificate”. So how does this look?

Let’s start by reviewing a standard malleable profile. We can define the “default” profile by building the above profile blocks just like how we also do.


Standard http-get Profile Block


However, we can define an extra http-get block just by providing a name for the variant next to the “http-get” definition. In the screenshot below, we call the variant “var1”.


http-get Variant


After you define variants for all the code blocks that you want (might as well do it for each “http-get”, “http-post”, and “http-stager” at a minimum), your next step would be to run c2lint to ensure it passes the lint. After it passes, and you start your teamserver with the malleable profile, when you go to your listeners menu, you will now see that you have another option within the profile section.


Additional Malleable Profile


Our variant now shows up in the “Profile” selection box within the Listener menu allowing us to choose from the default profile, or the “var1” profile. At this point, we would just select the profile of our choice, and configure the rest of the listener!

Hopefully this helps show how variants will be extremely useful in the latest version of Cobalt Strike. If you have any questions at all, don’t hesitate to contact us!

Vishing: How to Protect Your Business from Phone-Based Social Engineering Attacks

By Red Siege | September 22, 2023

from Jason Downey, Security Consultant In our digital world today, where cyber stuff keeps changing all the time, there’s this sneaky attack method that’s been popping up more and more […]

Learn More
Vishing: How to Protect Your Business from Phone-Based Social Engineering Attacks

House cat to Hashcat

By Red Siege | August 22, 2023

by Jason Downey, Security Consultant   The Basics  Password cracking is a key tool in every penetration tester’s toolbox and is something blue teamers should do on a regular basis […]

Learn More
House cat to Hashcat

Obfuscating Shellcode Using Jargon

By Red Siege | July 31, 2023

by Mike Saunders, Principal Security Consultant In a recent blog , we discussed how encrypting shellcode leads to increased entropy, which may result in your shellcode loader being blocked and/or […]

Learn More
Obfuscating Shellcode Using Jargon

Find Out What’s Next

Stay in the loop with our upcoming events.