Cobalt Strike 4.0 – HTTP Variants

By Red Siege | December 31, 2019

We can all celebrate that the 4.0 release of Cobalt Strike has happened before the holidays, and with it comes some really useful changes! One of the biggest changes I would like to talk about is the introduction of malleable profile variants! Let’s dive into what “variants” are and how they can help us.

3.X vs. 4.0

Before we can talk about how variants work, we need to understand one of the major changes in Cobalt Strike listeners from 3.X to 4.0. When we created a Listener in 3.X of Cobalt Strike, we would give our listener a name, specify the payload type we want to use, specify the Host value, and provide the port number to listen on, shown in the screenshot below.

 

3.X Listener Screen

 

However, 4.0 has changed the way we can configure listeners. Outside of the addition of “variants”, another one of the biggest changes to Cobalt Strike 4.0 is the ability to have multiple listeners on a single team server! The next question you might ask is, if we configure multiple listeners on a single team server, do they all use the same malleable profile? That is where malleable profile variants step in!

Variants

Malleable profile variants allow you to define multiple network indicator blocks within a single malleable profile. To be specific, we can now define multiple blocks of “http-get”, “http-post”, “http-stager”, and “https-certificate”. So how does this look?

Let’s start by reviewing a standard malleable profile. We can define the “default” profile by building the above profile blocks just like how we also do.

 

Standard http-get Profile Block

 

However, we can define an extra http-get block just by providing a name for the variant next to the “http-get” definition. In the screenshot below, we call the variant “var1”.

 

http-get Variant

 

After you define variants for all the code blocks that you want (might as well do it for each “http-get”, “http-post”, and “http-stager” at a minimum), your next step would be to run c2lint to ensure it passes the lint. After it passes, and you start your teamserver with the malleable profile, when you go to your listeners menu, you will now see that you have another option within the profile section.

 

Additional Malleable Profile

 

Our variant now shows up in the “Profile” selection box within the Listener menu allowing us to choose from the default profile, or the “var1” profile. At this point, we would just select the profile of our choice, and configure the rest of the listener!

Hopefully this helps show how variants will be extremely useful in the latest version of Cobalt Strike. If you have any questions at all, don’t hesitate to contact us!

Dumping LSASS Like it’s 2019

By Red Siege | March 4, 2024

By Alex Reid, Current Red Siege Intern   A long-time tactic of threat actors and offensive security professionals alike, tampering with LSASS.exe in order to recover credentials remains a highly […]

Learn More
Dumping LSASS Like it’s 2019

Better Living Through OpenSSH Config Files

By Red Siege | February 15, 2024

By: Justin Palk, Senior Security Consultant   SSH is an incredibly valuable tool for penetration testing. It provides us with a secure channel for administering machines, remotely executing tools, transferring […]

Learn More
Better Living Through OpenSSH Config Files

GraphStrike: Anatomy of Offensive Tool Development

By Red Siege | January 22, 2024

By: Alex Reid, Current Red Siege Intern Introduction This blog post accompanies the release of an open source tool called GraphStrike which can be found here. Those familiar with my […]

Learn More
GraphStrike: Anatomy of Offensive Tool Development

Find Out What’s Next

Stay in the loop with our upcoming events.