URL: https://redcanary.com/threat-detection-report/threats/cobalt-strike/
THREAT


COBALT STRIKE



Despite a rise in alternatives, Cobalt Strike remains a popular command and
control (C2) framework among adversaries, particularly ransomware operators.



#8 OVERALL RANK

3.0% CUSTOMERS AFFECTED


THREAT SOUNDS

Despite good-faith efforts from Cobalt Strike’s developers to prevent
adversaries from cracking this post-exploitation tool, ransomware operators are
still abusing older versions of the software.




ANALYSIS

Cobalt Strike continues to be a favorite post-exploitation tool for adversaries.
At #8, it is the only post-exploitation framework to make the top 10. Ransomware
operators in particular rely substantially on Cobalt Strike’s core
functionalities as they seek to deepen their foothold in their victims’
environments. Its speed, flexibility, and advanced features are likely among the
factors behind the upward trend in ransomware attacks in recent years. Some of
the most notorious ransomware operators, including groups like Lockbit and Royal,
are known to rely heavily on Cobalt Strike in their attacks.


STRIKING DEVELOPMENTS

Cobalt Strike developers made multiple changes throughout 2022, including even
more flexible C2 profiles, SOCKS5 proxy support, and new injection options. These
improvements allow adversaries to further customize their TTPs, making detection
more challenging. While those additions benefited adversaries, the developers of
Cobalt Strike also made major changes to discourage the cracking and abuse of
Cobalt Strike packages. Notably, the developers changed how they distribute
Cobalt Strike’s team server component, resulting in better product security.
That said, we often observe Cobalt Strike beacons from older versions of the
software, indicating that some criminal adversaries still favor older cracked or
pirated versions over the newer ones.

TAKE ACTION

The security community is embracing the fact that, whatever functional label you
place on Cobalt Strike, it’s here to stay, it’s implicated in all varieties of
intrusions, and it’s our duty to defend against it. Luckily for defenders, the
security community has produced a plethora of great technical analysis and
detection opportunities around preventing and investigating Cobalt Strike. For
defenders getting started with understanding how the tool works and operates, we
highly recommend reading each of the following resources, because they all have
unique takeaways and together cover a majority of the most effective detection
techniques:

 * Defining Cobalt Strike Components & BEACON
 * New Snort, ClamAV coverage strikes back against Cobalt Strike
 * Cobalt Strike, a Defender’s Guide – Part 1
 * Cobalt Strike, a Defender’s Guide – Part 2
 * Full-Spectrum Cobalt Strike Detection


HUNTING TEAM SERVERS

There are several strategies to hunt proactively for Cobalt Strike team servers
in the wild, mostly based around network data and service fingerprinting. These
strategies include using tools such as Shodan and Censys to find servers using
default TLS certificate values, default team server ports (50050), and default
JARM hashes associated with Cobalt Strike. While many adversaries change these
default values, we still often find adversaries that don’t change them,
resulting in simpler identification. For more details on proactively identifying
Cobalt Strike infrastructure, check out these resources:

 * Hunting Cobalt Strike C2 with Shodan by Michael Koczwara
 * Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild




DETECTION OPPORTUNITIES

 

COBALT STRIKE BEACON IMPLANT

This detection analytic identifies an adversary using a Cobalt Strike beacon
implant to pivot and issue commands over SMB through the use of configurable
named pipes. Cobalt Strike beacons have configurable options that allow SMB
communication over named pipes, and they ship with a set of default pipe names
commonly used by adversaries. Analysis should focus on any file modification to
a suspiciously named pipe within this process.

file_modifications_include ('pipe\msagent_' || 'pipe\interprocess_' || 'pipe\lsarpc_' || 'pipe\samr_' || 'pipe\netlogon_' || 'pipe\wkssvc_' || 'pipe\srvsvc_' || 'pipe\mojo_' || 'pipe\postex' || 'pipe\status_' || 'pipe\msse-')


RUNDLL32.EXE TO SPAWN SQL SERVER CLIENT CONFIGURATION UTILITY

This analytic identifies instances of rundll32.exe spawning the SQL Server
Client Configuration Utility (cliconfg.exe). We often see this pattern of
process execution when Cobalt Strike leverages DLL Search Order Hijacking as a
method of UAC bypass.

parent_process == rundll32.exe
&&
process == cliconfg.exe


COMMAND-LINE PATTERNS FOR COBALT STRIKE BEACONS VIA GETSYSTEM

This analytic identifies commonly observed command-line patterns when Cobalt
Strike beacons escalate privileges via the GetSystem feature. Adversaries use
GetSystem to impersonate a token for the SYSTEM account. This level of access
allows an adversary to perform privileged actions beyond that of an
administrator.

process == cmd.exe
&&
command_includes ('/(?i)echo\s+[0-9a-f]{11}\s+\>\;?\s+\\\\\.\\pipe\\[0-9a-f]{6}/.match')*

*NOTE: The above regular expression will match on the following example of what
using GetSystem may look like via a Cobalt Strike beacon:
C:\Windows\system32\cmd.exe /c echo 92d8cc45954 >; \\.\pipe\446b3c
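To show how the three analytics above behave on endpoint telemetry, here is an added Python example that is not part of Red Canary’s report: it encodes the default pipe-name fragments, the rundll32.exe/cliconfg.exe parent-child pair and the GetSystem regular expression as a single evaluation function and runs it over constructed events. The Event fields, rule names and sample values are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Default Cobalt Strike SMB named-pipe fragments listed in the first analytic above.
PIPE_FRAGMENTS = (
    r"pipe\msagent_", r"pipe\interprocess_", r"pipe\lsarpc_", r"pipe\samr_",
    r"pipe\netlogon_", r"pipe\wkssvc_", r"pipe\srvsvc_", r"pipe\mojo_",
    r"pipe\postex", r"pipe\status_", r"pipe\msse-",
)

# GetSystem regex from the third analytic: cmd.exe echoing 11 hex characters
# into a named pipe whose name is 6 hex characters.
GETSYSTEM_RE = re.compile(r"(?i)echo\s+[0-9a-f]{11}\s+>;?\s+\\\\\.\\pipe\\[0-9a-f]{6}")


@dataclass
class Event:
    """Hypothetical endpoint telemetry record; the field names are assumptions."""
    process: str
    parent_process: str = ""
    command_line: str = ""
    file_modifications: tuple = ()


def evaluate(event):
    """Return the names of the analytics above that fire on a single event."""
    hits = []
    mods = [m.lower() for m in event.file_modifications]
    if any(frag in m for m in mods for frag in PIPE_FRAGMENTS):
        hits.append("beacon_smb_named_pipe")
    if event.parent_process.lower() == "rundll32.exe" and event.process.lower() == "cliconfg.exe":
        hits.append("rundll32_spawns_cliconfg")
    if event.process.lower() == "cmd.exe" and GETSYSTEM_RE.search(event.command_line):
        hits.append("getsystem_named_pipe_echo")
    return hits


# Constructed sample telemetry; pipe names, DLL name and hex values are made up.
SAMPLE_EVENTS = [
    Event("rundll32.exe", "explorer.exe", "rundll32.exe payload.dll,Start", (r"\\.\pipe\msagent_9a",)),
    Event("cliconfg.exe", "rundll32.exe", "cliconfg.exe"),
    Event("cmd.exe", "rundll32.exe", r"C:\Windows\system32\cmd.exe /c echo 92d8cc45954 >; \\.\pipe\446b3c"),
    Event("cmd.exe", "explorer.exe", r"cmd.exe /c echo done > C:\temp\out.txt"),  # benign: no hits
]


def run_samples():
    """Evaluate every sample event; returns (process, fired rules) pairs."""
    return [(e.process, evaluate(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for name, hits in run_samples():
        print(name, hits or "no match")
```

The last sample shows the regex does not fire on an ordinary cmd.exe echo redirect, which is the false-positive case a practitioner should check before deploying such a rule.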

© 2014-2023 Red Canary. All rights reserved. info@redcanary.com +1 855-977-0686