threatexpress / malleable-c2

Cobalt Strike Malleable C2 Design and Reference Guide
GNU General Public License v3.0

No command output #5

Closed M1ck3yS3c closed 3 years ago

M1ck3yS3c commented 3 years ago

I am running the jquery-2.4.0.profile on my test lab. The stageless beacon reaches back to the team server. Unfortunately there is no command output at all even with a sleep time set to 0. Profiles from Raphael Mudge's repo work fine. Any idea what is wrong here?

Sample:

beacon> getuid
[] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
beacon> ps
[] Tasked beacon to list processes
[+] host called home, sent: 12 bytes

andrewchiles commented 3 years ago

My first thought would be to check your teamserver console output for any C2 profile related errors to help narrow down the issue. Are all C2 comms occurring within your local lab environment or are they traversing the internet?

I just validated locally that CS 4.1 (most recent) and the stock jquery-c2.4.0.profile functions as expected without any teamserver errors.

M1ck3yS3c commented 3 years ago

Thanks for your reply! Got it sorted out thanks to a line in this article. "if your Cobalt Strike Malleable C2 profile contains an Accept-Encoding header for gzip, your Apache install may compress that traffic by default and cause your Beacon to be unresponsive or function incorrectly."

As my test lab had a redirector it made my beacon unresponsive to commands :)

Cheers!

andrewchiles commented 3 years ago

Yep, gzip will mess you up. The safest option is probably to set Accept-Encoding: identity in your profile to prevent your Apache redirector (or anything in between) from compressing your traffic. You can disable that of course in your redirector, but I've seen egress network controls (probably BlueCoat proxy) break C2 comms due to encoding as well. Glad you got it worked out!

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding
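The failure mode discussed in this thread, modelled as an added example (not code from this repository or from Cobalt Strike): a mod_deflate-style intermediary gzips the response whenever the request's Accept-Encoding permits it, a client that reads the body as raw bytes then gets unreadable data, and `Accept-Encoding: identity` makes the intermediary pass the body through unchanged. The `redirector`, `naive_client` and `profile_gzip_headers` helpers and the sample profile fragment are constructed for illustration.

```python
import gzip
import re

def accepts_gzip(accept_encoding: str) -> bool:
    """True if an Accept-Encoding value permits gzip: 'gzip' or '*' is
    listed with a non-zero q-value (RFC 9110 content-coding negotiation)."""
    for item in accept_encoding.split(","):
        coding, _, params = item.strip().partition(";")
        m = re.search(r"q\s*=\s*([0-9.]+)", params)
        q = float(m.group(1)) if m else 1.0
        if coding.strip().lower() in ("gzip", "*") and q > 0:
            return True
    return False

def redirector(request_headers: dict, body: bytes) -> tuple:
    """Constructed model of an Apache redirector with mod_deflate enabled:
    compresses the response body whenever the client allows gzip."""
    if accepts_gzip(request_headers.get("Accept-Encoding", "")):
        return {"Content-Encoding": "gzip"}, gzip.compress(body)
    return {}, body

def naive_client(body: bytes) -> str:
    """Constructed client that treats the body as raw UTF-8 text and ignores
    Content-Encoding, like the unresponsive beacon in the thread."""
    try:
        return body.decode("utf-8")
    except UnicodeDecodeError:
        return "<unreadable>"

# Matches header "Accept-Encoding" "..."; lines in a Malleable C2 profile.
PROFILE_HEADER_RE = re.compile(r'header\s+"Accept-Encoding"\s+"([^"]*)"\s*;', re.I)

def profile_gzip_headers(profile_text: str) -> list:
    """Return every Accept-Encoding value in a profile that would let an
    intermediary compress the response (the check this thread recommends)."""
    return [v for v in PROFILE_HEADER_RE.findall(profile_text) if accepts_gzip(v)]

# Constructed sample fragment, shaped like a profile's http-get client block.
SAMPLE_PROFILE = '''
http-get {
    client {
        header "Accept" "*/*";
        header "Accept-Encoding" "gzip, deflate";
    }
}
'''
```

Swapping the sample's header value for `identity` makes `profile_gzip_headers` return an empty list and `redirector` pass the body through untouched.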