A complementary strategy to the Host Rotation Strategy was introduced in Cobalt Strike 4.5. The max retry strategy was added to HTTP, HTTPS, and DNS beacon listeners. A max retry strategy allows a beacon to exit after a specified failure count. As the failure count increases, sleep is adjusted to a specified value. By default, sleep is adjusted at 50% of the failure count.
A max retry strategy can be selected from a list in the create listener GUI.
The list can be updated with custom values using the aggressor hook LISTENER_MAX_RETRY_STRATEGIES.
The values set in aggressor allow any combination of options, rather than only the entries in the default list.
```
# Use a hard coded list of strategies
set LISTENER_MAX_RETRY_STRATEGIES {
    local('$out');
    $out .= "exit-18-12-5m\n";
    $out .= "exit-22-14-5m\n";
    return $out;
}

# Use loops to build a list of strategies
set LISTENER_MAX_RETRY_STRATEGIES {
    local('$out');
    @attempts = @(50, 100);
    @durations = @("5m", "15m");
    $increase = 25;
    foreach $attempt (@attempts) {
        foreach $duration (@durations) {
            $out .= "exit $+ - $+ $attempt $+ - $+ $increase $+ - $+ $duration\n";
        }
    }
    return $out;
}
```
Understanding the Max Retry Syntax
The syntax is broken into four sections separated by dashes.

| Column | Description |
| --- | --- |
| 1 | exit |
| 2 | Exit beacon after this number of failures |
| 3 | Number of failures at which to begin adjusting sleep |
| 4 | Sleep time to set once that number of failures is reached. Note: The jitter is kept to the current setting. |
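
The four-column syntax above, parsed and turned into a rough retry window, as an added example that is not Cobalt Strike code. The function names are hypothetical, duration suffixes other than `m` are an assumption (the page only shows minutes), and the timing model (one sleep interval per failed check-in, no jitter or connection timeouts) is a simplification.

```python
import re

# Assumed duration suffixes; the page itself only shows "m" (minutes).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_PATTERN = re.compile(r"exit-(\d+)-(\d+)-(\d+)([smhd])")


def parse_strategy(text):
    """Split 'exit-<max failures>-<adjust at>-<sleep>' into its columns."""
    m = _PATTERN.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a max retry strategy: {text!r}")
    return {
        "exit_after": int(m.group(1)),        # column 2
        "adjust_sleep_at": int(m.group(2)),   # column 3
        "sleep_seconds": int(m.group(3)) * _UNITS[m.group(4)],  # column 4
    }


def parse_hook_output(out):
    """Parse the newline-separated list a strategies hook returns."""
    return [parse_strategy(line) for line in out.splitlines() if line.strip()]


def seconds_until_exit(text, current_sleep_seconds):
    """Estimate how long a beacon with no reachable listener keeps retrying.

    Simplified model: failures before the adjust threshold are spaced by
    the current sleep, the remaining ones by the adjusted sleep.
    Jitter and connection timeouts are ignored.
    """
    s = parse_strategy(text)
    early = min(s["adjust_sleep_at"], s["exit_after"])
    late = s["exit_after"] - early
    return early * current_sleep_seconds + late * s["sleep_seconds"]


if __name__ == "__main__":
    # Strategy strings taken from the hard coded list on this page.
    for entry in parse_hook_output("exit-18-12-5m\nexit-22-14-5m\n"):
        print(entry)
    print(seconds_until_exit("exit-18-12-5m", 60), "seconds (60s current sleep)")
```

For responders, the estimate gives a sense of how long a contained host may keep generating failed callbacks before the beacon exits on its own.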