This page documents Cobalt Strike changes version-to-version that may affect compatibility with your current Aggressor Scripts. In general, it's Strategic Cyber LLC's goal that a script written for Cobalt Strike 3.0 is forward-compatible with future 3.x releases. Major product releases (e.g., 3.0 -> 4.0) do give us some license to revisit APIs and break some of this compatibility. Sometimes, a compatibility-breaking API change is inevitable. These changes are documented here.
1. Cobalt Strike 4.0 made major changes to Cobalt Strike's listener management systems. These changes included name changes for several payloads. Scripts that analyze the listener payload name should note these changes:
2. Cobalt Strike 4.0 moves away from payload stagers. Stageless payloads are preferred in all post-ex workflows. Where stageless isn't possible, use an explicit stager that works with all payloads.
The jump psexec_psh lateral movement attack is a good example of the above. This automation generates a bind_pipe stager to fit within the size constraints of a PowerShell one-liner. All payloads are sent through this staging process, regardless of their configuration.
This convention change will break some privilege escalation scripts that follow the pre-4.0 patterns in the Elevate Kit. &bstage is now gone, as its underlying functionality changed too much to include in Cobalt Strike 4.0. Where possible, privilege escalation scripts should use &payload to export a payload, run it via the technique, and use &beacon_link to connect to the payload. If a stager is required, use &stager_bind_tcp to export a TCP stager and &beacon_stage_tcp to stage a payload through this stager.
3. Cobalt Strike 4.0 removes the following Aggressor Script functions:

| Removed function | Replacement | Notes |
| --- | --- | --- |
| &bbypassuac | &belevate | &belevate is the preferred function to spawn an elevated session on the local system |
| &bpsexec_psh | &bjump | &bjump is the preferred function to spawn a session on a remote target |
| &brunasadmin | &belevate_command | runasadmin was expanded to allow multiple options to run a command in an elevated context |
| &bstage | multiple functions | &bstage would stage AND link when needed. Bind staging is now explicit with &beacon_stage_tcp or &beacon_stage_pipe. &beacon_link is the general "link to this listener" step. |
| &bwdigest | &bmimikatz | Use &bmimikatz to run this command... if you really want to. :) |
| &bwinrm | &bjump, winrm or winrm64 | &bjump is the preferred function to spawn a session on a remote target |
| &bwmi | (none) | No stageless WMI lateral movement option exists in CS 4.0 |
4. Cobalt Strike 4.0 deprecates the following Aggressor Script functions:

| Deprecated function | Replacement | Notes |
| --- | --- | --- |
| &artifact | &artifact_stager | Consistent arguments; consistent naming convention |
| &artifact_stageless | &artifact_payload | Consistent naming; no need for a callback in Cobalt Strike 4.0 |
| &drow_proxyserver | (none) | Proxy config is now tied to the listener and not needed when exporting a payload stage. |
| &drow_listener_smb | &drow_listener_stage | These functions are now equivalent to each other |
| &listener_create | &listener_create_ext | A lot more options required a change in how arguments are passed |
| &powershell | &powershell_command, &artifact_stager | Consistency; de-emphasis on PowerShell one-liners in API |
| &powershell_encode_stager | &powershell_command, &artifact_general | Consistency; clearer separation of parts in API |
| &shellcode | &stager | Consistent arguments; consistent naming |