Hackers love Cobalt Strike: It was spotted in nearly a quarter of 2021 intrusions. Here's how to spot its use
Top tips from an experienced crew...
Cobalt Strike was the single most widely seen offensive tool used by Advanced Persistent Threat (APT) actors in the last quarters of 2021, according to analysis by security firm Trellix. Secureworks meanwhile found Cobalt Strike playing a role in 19% of the network intrusions it investigated in 2021. The “threat emulation” framework ($3,500 per user for a year’s license, if bought commercially from owner Help Systems) was first released in 2012 by creator Raphael Mudge, who led its development until March 2021. The product now has a full research and development team behind it – and hackers can’t get enough of it: Blue Teams need to pay close attention.
Its ubiquity is such that in late 2021 it even emerged Emotet malware now installs Cobalt Strike “beacons” (its payload to model an advanced actor, which executes PowerShell scripts, logs keystrokes, spawns other payloads, etc.). While prevention of intrusion is, of course, better than cure – identify your assets, patch them religiously, enforce MFA, restrict credentials, reduce AD attack paths, kill off those unused and poorly protected VPN accounts — detecting Cobalt Strike is Good Medicine and more attention needs to be on doing so.
We asked some experienced security folks for their tips on detecting Cobalt Strike.
CrowdStrike's Adam Meyers, who leads the Threat Intelligence line of business for the company, noted: “Its client agent, ‘Beacon’, is executed in the memory space of a compromised system and leaves minimal on-disk footprints. Adversaries often install tooling such as Cobalt Strike for establishing an initial foothold, and post-exploitation activities including command and control and lateral movement…
“When uncovering suspicious activity, open source intelligence can often be a source of invaluable information and can prevent your team from recreating work already produced by other malware analysts. Cryptographic and fuzzy hashing can be used to gain an idea of the type of threat faced like the malware family responsible. Armed with this information, analysts may use tools like Didier Stevens’ 1768.py to pull licensing and embedded C2 configuration from decoded beacons. These insights can be used to impose an operational cost on the adversary by blocking the C2 at the perimeter,” said Meyers in an emailed comment to The Stack.
See also: From C2 to C3: Hackers are getting esoteric at exfiltration
He added: “Due to the high prevalence of Cobalt Strike in contemporary intrusions it’s wise to collect EID 400 (PowerShell Engine Startup) and EID 7045 event logs (Service Installation) for monitoring and alerting in a centralised SIEM platform. Additionally, upgrade to the most recent version of PowerShell and disable previous versions, as PowerShell is backward compatible. These measures can aid in detecting Cobalt Strike.
"The majority of PowerShell Engine Startup events generated by Cobalt Strike will have the HostApplication field begin with a command prefix. With the default configuration that command prefix is powershell -nop -exec -bypass -EncodedCommand. Although this prefix is configurable, we have observed adversaries leverage the default configuration in multiple incident response engagements," he noted.
Crowdstrike's Meyer added that defenders can also make sure they “maintain a baseline of 'known good' command line arguments, especially those associated with signed binaries such as installutil.exe, msbuild.exe, mshta.exe and rundll32.exe. Remain alert to instances of productivity applications interacting suspiciously with system processes, as adversaries may inject a phishing payload into rundll32.exe. Inspecting file changes made by these utilities is also a great way to check for possible malicious use of signed binaries. Familiarise yourself with the command line operators that adversaries can invoke in a malicious rundll32.exe function call.
"Additional operators can enable adversaries to modify or acquire files, or even execute arbitrary code such as Javascript. Monitor file paths associated with DLLs being executed by rundll32.exe. For example, observing a DLL loaded from a suspicious path such as %Temp% would be highly unusual for most environments.”
Detecting Cobalt Strike: Beware"rundll32.exe" instances that...
Gustavo Palazolo, Staff Threat Research Engineer at Netskope also had some useful tips and tool suggestions, noting “Using the Pyramid of Pain concept, we can start by blocking known IOCs from Cobalt Strike through threat intelligence feeds, like ThreatFox and MalwareBazaar. This will protect against known threat actors and binaries spotted in the wild. Next, we need to implement more proactive defenses at the network level, where IDS/IPS tools such as Snort and Suricata can be used to hunt Cobalt Strike. Snort has built-in rules specifically for Cobalt Strike, detecting both outbound and inbound beacon communication using known patterns. Both tools can be augmented with additional rules, such as those provided by Emerging Threats.
He added: “Another useful tool for detecting Cobalt Strike is SSL fingerprinting. The Zeek network security monitor can compute the JA3 and JA3s from observed traffic, or the active JARM algorithm can be used. These can be fed into your SIEM and correlated with known Cobalt Strike Fingerprints. Another useful resource are Sigma rules based on Cobalt Strike behavior, like DNS and HTTP beaconing. A few example patterns are a high quantity of DNS queries to a single domain and a high quantity of TXT records from a single domain in a short period of time. From the endpoint perspective, we can use common TTPs to identify an ongoing attack.
"For example, Cobalt Strike often creates instances of "rundll32.exe" without any command line parameters during process injection, which is an unusual activity. Named pipes are also used for communication between the beacon and spawned processes, where defenders can use Sysmon to detect Cobalt Strike named pipes."
Follow The Stack on LinkedIn
TJ Nelson, Director, Secureworks Counter Threat Unit also noted that catching PowerShell stagers (used to execute beacons in memory) early can be a big win for Blue Teams when it comes to detecting Cobalt Strike.
He points out that "portions of this stager have unique byte sequences that can be seen when executed in memory. The invocation of the stager can also be detected by generic file-less malware detection signatures such as looking at the execution of `/b /c start /b /min PowerShell` in the command line execution history. A signature like this detects meterpreter, which goes a long way in the early detection of an intrusion. The malleable command-and-control (C2) is another typical tell for a cobalt strike attack. The goal of this C2 framework is to allow the Cobalt Strike Beacon payload to redefine the communication to blend in as legitimate traffic. A collection of malleable C2 profiles is curated online on Github.
"Detecting the patterns from these profiles by their user-agent strings, headers, and SSL certificates helps identify potential attacks on a network level. For example," he adds, "during a Darkside Ransomware engagement, we identified a profile that appeared to originate from a Google 'web bug." Defenders could use network signatures looking for these malleable C2 patterns in their networks.
Alistair Thomson, product management lead at Adarma meanwhile emphasises that with the source code for Cobalt Strike versions 4 and 4.1 publicly leaked. criminals often use cracked copies of these versions which narrows down the most likely set of functions and behaviours to look for. These include:
Default SSL Certificate: The default SSL certificate serial number is 146473198. This can be used for proactively scanning internet infrastructure to identify teamservers.
Suspicious system process patterns
- Rundll32.exe process with no command-line parameters
- Rundll32.exe spawned by rundll.exe with loopback connections on a high random port
- Multiple rundll32.exe processes spawned by a single powershell process.
- Multiple similarly-named processes spawned by a single powershell process.
- Powershell spawned by powershell
- Powershell spawned by wmi (esp. if it contains BASE64 encoded commands
Binaries executed from suspicious locations: Esp. using Rundll32, Regsvr32 and MSHTA to execute files from locations like C:\ProgramData, C:\Users\Public, temp folders. Binaries executed from $ADMIN share, where the parent process name is ‘services.exe’ and the executable name matches 7 alpha-numeric characters - RegEx: [0-9a-zA-Z]{7}(\.exe){0,1} (Cobalt Strike built-in psexec module for lateral movement)
Suspicious PowerShell patterns: Large blocks of encoded commands in the PowerShell logs
DNS Beacon
Adarma's Thompson adds: "By default Cobalt Strike DNS server responds to DNS A requests received with a default value of 0.0.0.0. Generally, hunt for encoded data in DNS payloads. E.g. hunt for large volumes of DNS requests to a single domain, and large volumes of unique subdomains."
It might seem like a lot of work given that you've already been popped, but detecting Cobalt Strike activity early -- if you have the resource or skills to do so -- can help Blue Teams ensure an initial breach and exploratory movements are caught before someone pulls the crown jewels or drops a ransomware payload.
Happy Hunting.