Fortra has officially released Cobalt Strike 4.12, introducing a comprehensive suite of new features designed to enhance red team operations and offensive security research.
The update delivers a modernized GUI, a groundbreaking REST API, User Defined Command and Control (UDC2), advanced process injection techniques, new UAC bypasses, and enhanced evasion capabilities via drip-loading Malleable C2 options.
The latest release features a completely redesigned graphical interface with multiple customizable themes, including Dracula, Solarized, and Monokai.
The updated Pivot Graph visualization now displays listener names for egress Beacons and pivot types (SMB/TCP) for ingress Beacons, providing operators with clearer situational awareness during engagements.
Perhaps the most significant addition is the new REST API, currently released in beta. This feature enables red team operators to script Cobalt Strike using any programming language for the first time, facilitating advanced automation and server-side storage capabilities.
The API also opens pathways for developing custom Cobalt Strike clients and for integrating with machine learning tools, as demonstrated through a proof-of-concept MCP Server for Anthropic’s Claude AI.
User Defined Command and Control (UDC2)
UDC2 represents a significant evolution from the legacy extc2 framework. Unlike its predecessor, which relied on named pipes and SMB Beacon relays, UDC2 allows security researchers to develop custom C2 channels as Beacon Object Files (BOFs).
The UDC2 BOF integrates directly during payload creation, proxying all Beacon traffic through custom channels while maintaining compatibility with custom User Defined Reflective Loaders (UDRLs).
Fortra has open-sourced an ICMP UDC2 implementation alongside the UDC2-VS development framework to accelerate custom channel development.

Cobalt Strike 4.12 introduces four new process injection techniques implemented as BOFs:
- RtlCloneUserProcess – Based on DirtyVanity research, leveraging cloned processes to evade EDR detection
- TpDirect – Manipulates target process TP_DIRECT structures for remote thread creation
- TpStartRoutineStub – Exploits thread pool manipulation for code execution
- EarlyCascade – Redirects process initialization routines for stealthy fork/run injection
Operators can now add custom injection techniques through new Aggressor hooks (PROCESS_INJECT_EXPLICIT_USER/PROCESS_INJECT_SPAWN_USER), expanding the framework’s extensibility.
UAC Bypass Refresh and Evasion
Two new UAC bypasses compatible with Windows 10 through Windows 11 24H2 have been added: uac-rpc-dom (based on James Forshaw’s AppInfo ALPC bypass) and uac-cmlua (utilizing the ICMLuaUtil elevated COM interface).
The release also introduces drip loading for both reflective loading and process injection, configurable through Malleable C2 options. This technique writes payloads into memory in small chunks with configurable delays between them, so that EDR detection logic which correlates a single large write with a subsequent execution event sees only a series of small, spread-out events.
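The detection weakness described above is that per-event rules see each chunk in isolation. The following added example (not code from the release notes or from Fortra) shows the defender-side counter: correlating cross-process memory-write telemetry by source/target process pair and time window, so that many small delayed writes are still scored as one payload. The event field names, thresholds and sample telemetry are constructed for illustration and are not tied to any particular EDR's schema.

```python
"""Time-windowed correlation of cross-process memory writes.

Added example, not part of the original article or of Cobalt Strike.
Field names (source_pid, target_pid, size) and the sample events are
constructed assumptions standing in for real EDR telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class WriteEvent:
    ts: float         # event time in seconds
    source_pid: int   # process performing the remote write
    target_pid: int   # process being written into
    size: int         # bytes written in this single event


# Constructed sample telemetry: sixty 1 KB writes into pid 4242 spaced
# 0.5 s apart (a drip pattern), plus one benign-looking 64 KB single
# write into pid 5000 from an unrelated process.
SAMPLE_EVENTS = [
    WriteEvent(10.0 + 0.5 * i, source_pid=1337, target_pid=4242, size=1024)
    for i in range(60)
] + [WriteEvent(12.0, source_pid=2000, target_pid=5000, size=65536)]


def split_sessions(events, window_s):
    """Split a time-ordered list of writes into sessions; a new session
    starts whenever the gap since the previous write exceeds window_s."""
    sessions, current = [], [events[0]]
    for e in events[1:]:
        if e.ts - current[-1].ts > window_s:
            sessions.append(current)
            current = [e]
        else:
            current.append(e)
    sessions.append(current)
    return sessions


def correlate(events, window_s=60.0, min_total=32 * 1024, min_chunks=8):
    """Group writes by (source, target) pid pair, sessionise them, and flag
    any session whose cumulative size reaches min_total across at least
    min_chunks writes. Returns a list of alert dicts (empty if none)."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_pair[(e.source_pid, e.target_pid)].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        for session in split_sessions(evs, window_s):
            total = sum(e.size for e in session)
            if len(session) >= min_chunks and total >= min_total:
                alerts.append({
                    "source_pid": src,
                    "target_pid": dst,
                    "chunks": len(session),
                    "total_bytes": total,
                    "span_s": session[-1].ts - session[0].ts,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The aggregate rule deliberately ignores the single 64 KB write: that case is what a conventional per-event size threshold already covers, and the two rules are meant to run side by side. The window length and chunk count are the tuning knobs; a longer window catches slower drips at the cost of holding more state per process pair.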
Other improvements include IPv6 SOCKS5 support, fixed SSH Beacon compatibility with newer Mac/Linux distributions, enhanced logging with task ID mapping, and a new Java 17 minimum requirement.
Pivot Beacons now support the evasive Sleepmask introduced in version 4.11, with simplified asynchronous communication reducing code complexity.
The new BeaconDownload BOF API enables in-memory buffer downloads of up to 2GB without writing to disk, which is critical for credential dumping operations.