Cobalt Strike 4.0 – HTTP Variants

By Red Siege | December 31, 2019

We can all celebrate that the 4.0 release of Cobalt Strike has happened before the holidays, and with it comes some really useful changes! One of the biggest changes I would like to talk about is the introduction of malleable profile variants! Let’s dive into what “variants” are and how they can help us.

3.X vs. 4.0

Before we can talk about how variants work, we need to understand one of the major changes to Cobalt Strike listeners between 3.X and 4.0. When we created a listener in Cobalt Strike 3.X, we gave the listener a name, chose the payload type, specified the Host value, and provided the port number to listen on, as shown in the screenshot below.

[Screenshot: 3.X Listener Screen]

However, 4.0 has changed the way we configure listeners. Besides the addition of variants, another of the biggest changes in Cobalt Strike 4.0 is the ability to run multiple listeners on a single team server! The next question you might ask is: if we configure multiple listeners on a single team server, do they all have to use the same malleable profile? That is where malleable profile variants step in!

Variants

Malleable profile variants allow you to define multiple network indicator blocks within a single malleable profile. To be specific, we can now define multiple blocks of “http-get”, “http-post”, “http-stager”, and “https-certificate”. So how does this look?

Let’s start by reviewing a standard malleable profile. We define the “default” profile by building the blocks listed above, just as we always have.

[Screenshot: Standard http-get Profile Block]

However, we can define an extra http-get block just by providing a name for the variant next to the “http-get” definition. In the screenshot below, we call the variant “var1”.

[Screenshot: http-get Variant]

After you define variants for all the profile blocks you want (at a minimum, define one for each of “http-get”, “http-post”, and “http-stager”), the next step is to run c2lint to make sure the profile passes the lint. Once it passes, start your team server with the malleable profile; when you open the Listeners menu, you will see a new option in the Profile section.

[Screenshot: Additional Malleable Profile]

Our variant now shows up in the “Profile” selection box within the Listener menu, allowing us to choose between the default profile and the “var1” profile. At this point, we simply select the profile of our choice and configure the rest of the listener!
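Since c2lint is the gate before a profile goes live, here is an added example of a lighter check you can run yourself; it is not code from the original post or from Cobalt Strike. The script parses a constructed sample profile, collects every http-get, http-post, http-stager and https-certificate block by variant name (an unnamed block counts as the default profile), and reports variants that lack one of the block types; the same enumeration gives a defender who has recovered a profile the list of URIs each variant would put on the wire. The profile text, block names and URIs are all constructed for the example.

```python
import re

# Constructed sample profile (not a real Cobalt Strike profile): a default block and a
# "var1" variant for http-get and http-post, but no http-stager "var1" block.
SAMPLE_PROFILE = r'''
http-get {
    set uri "/api/v1/status";
    client { header "Accept" "*/*"; }
}
http-get "var1" {
    set uri "/images/logo.gif";
}
http-post {
    set uri "/api/v1/submit";
}
http-post "var1" {
    set uri "/images/upload";
}
http-stager {
    set uri_x86 "/stage32";
}
'''

# A block header is the block type, an optional quoted variant name, then "{".
HEADER_RE = re.compile(
    r'^\s*(http-get|http-post|http-stager|https-certificate)(?:\s+"([^"]+)")?\s*\{', re.M)

def block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching closing brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)  # nested client/server blocks are skipped
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in profile")

def parse_variants(profile):
    """Map (block type, variant name) -> list of 'set uri*' values; unnamed blocks are 'default'."""
    blocks = {}
    for m in HEADER_RE.finditer(profile):
        body = block_body(profile, m.end() - 1)
        blocks[(m.group(1), m.group(2) or "default")] = re.findall(r'set\s+uri\w*\s+"([^"]*)"', body)
    return blocks

def missing_blocks(blocks, required=("http-get", "http-post", "http-stager")):
    """c2lint-style check: block types each variant still lacks (only variants with gaps are listed)."""
    gaps = {v: [t for t in required if (t, v) not in blocks] for _, v in blocks}
    return {v: missing for v, missing in gaps.items() if missing}
```

Running `missing_blocks(parse_variants(SAMPLE_PROFILE))` on the sample returns `{'var1': ['http-stager']}`, the gap the post advises you to close before running c2lint.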

Hopefully this helps show how variants will be extremely useful in the latest version of Cobalt Strike. If you have any questions at all, don’t hesitate to contact us!
