![]() ![]() ![]() | User Agent: Mozilla/5.0 ( Windows NT 6.3 Trident/ 7.0 rv: 11.0) like Gecko | Spawnto_圆4: %windir%\sysnative\dllhost.exe | Spawnto_x86: %windir%\syswow64\dllhost.exe | User Agent: Mozilla/ 5.0 (Windows NT 6.3 Trident/ 7.0 rv: 11.0) like Gecko Common Cobalt Strike config: | grab_beacon_config: The self-signed certificates for intrusions 2 and 3 also contained the same fake attributes trying to pose as regular jquery traffic. TrickBot still alive and well – January 11, 2021Īll the above intrusions made use of the same profile that mimics a legitimate jquery request.The threat actors have the ability to change anything from the network communication (like user agent, headers, default URIs) to individual post-exploitation functions such as process injection and payload obfuscation capabilities.Īcross many of our investigations the profiles used differ, but you can see that actors do often reuse or pattern emege among intrusion like in the following 3 cases: This makes life harder for defenders as the footprint can change with each profile modification. More information on this service and others can be found here.Ĭobalt Strike has adopted Malleable profiles and allows the threat actors to customize almost every aspect of the C2 framework. Our Threat Feed service tracks hundreds of Cobalt Strike servers and other C2 infrastructure. ![]() Image taken from the official cobalt strike documentation: This makes the malicious infrastructure harder for the defenders to discover and block. Threat actors can hide their infrastructure behind an army of redirectors and conceal the actual C2 server. Redirectors are hosts that do what the name implies, redirect traffic to the real C2 server. Additionally, Cobalt Strike is able to make use of “redirectors.” Therefore, some of these servers could be a redirector instead of the actual Cobalt Strike C2 server. Remote-exec (Run a single command using the above methods on remote host)Ĭhanging infrastructure will always be inconvenient for the threat actors, but it is not a difficult task. Jump winrm (Run a PowerShell script via WinRM on remote host) Jump psexec_psh (Run a PowerShell one-liner on remote host via a service) Jump psexec (Run service EXE on remote host) Net (commands to find targets on the domain) Getsystem (SYSTEM account impersonation using named pipes)Įlevate svc-exe (creates a services that runs a payload as SYSTEM)Ĭhromedump (Recover Google Chrome passwords from current user) In the table below, the “Documented Features” correspond to the Cobalt Strike execution commands via the interactive shell as per official documentation: Capabilitiesĭllinject (for reflective dll injection)ĭllload ( for loading an on-disk DLL to memory) This is not an exhaustive list of commands available, but it contains most of the built-in features that we encounter in most cases. Below are some of the capabilities that we see being used by operators. His videos are handy to watch if you want to get a glimpse of all the features that Cobalt Strike has to offer in various phases of the intrusion. Raphael has an extensive playlist on youtube that demonstrates the many features of Cobalt Strike and step-by-step guides on how to use its full potential. Raphael Mudge was the primary maintainer for many years before the acquisition from Core Security. Thanks to Kostastsale for helping put this guide together! Cobalt Strike CapabilitiesĬobalt Strike has many features, and it is under constant development by a team of developers at Core Security by Help Systems. Threat actors turn to Cobalt Strike for its ease of use and extensibility. Cobalt Strike is chosen for the second stage of the attack as it offers enhanced post-exploitation capabilities. QakBot), Ursnif, Hancitor, Bazar and TrickBot. Some of the most common droppers we see are IcedID (a.k.a. Having said that, not all of Cobalt Strike’s features will be discussed.Īs you have noticed from our reporting so far, Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage. The primary purpose of this post is to expose the most common techniques that we see from the intrusions that we track and provide detections. Therefore, defenders should know how to detect Cobalt Strike in various stages of its execution. In most of our cases, we see the threat actors utilizing Cobalt Strike. In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |