Cobalt Strike

Cobalt Strike continues to be a favorite C2 tool among adversaries, as many rely on its functionality to maintain a foothold into victim organizations.

Cobalt Strike has never been more popular, as adversaries are increasingly adopting it as their favorite C2 tool. Adversaries—ransomware operators in particular—rely substantially on Cobalt Strike’s core functionalities as they seek to deepen their foothold in their victims’ environments. Its speed, flexibility, and advanced features are likely contributing factors as to why ransomware attacks have been ticking upward in recent years. Some of the most notorious ransomware operators—including groups like Conti, Ryuk, and REvil/Sodinokibi—are known to rely heavily on Cobalt Strike in their attacks.

The security community is embracing the fact that whatever functional label you place on Cobalt Strike, it’s here to stay, it’s implicated in all variety of intrusions, and it’s our duty to defend against it. Luckily for defenders, over the course of this past year the security community has produced a plethora of great technical analysis and detection opportunities around preventing and investigating Cobalt Strike. Some of the more common detection strategies documented in public reporting include:

  • command-line monitoring
  • public network infrastructure scanning
  • in-memory scanning
  • dynamic/static binary analysis
  • abnormal process lineage
  • network traffic monitoring
  • baselining the prevalence of reconnaissance commands

Keep in mind that although many of these methods of detection can be easily bypassed with changes to the Cobalt Strike configurations, we highly suggest using them as a stopgap until your teams develop more advanced methods.

The security community has shared invaluable public resources on analyzing and detecting Cobalt Strike. Our detection opportunities from last year’s Threat Detection Report remain effective. For defenders getting started with understanding how the tool works and operates, we highly recommend reading each of the following resources because they all have unique takeaways and cover a majority of the most effective detection techniques:

Detection opportunities

Cobalt Strike beacon implant

This detection analytic identifies an adversary using a Cobalt Strike beacon implant to pivot and issue commands over SMB through the use of configurable named pipes. Cobalt Strike beacons have configurable options to allow SMB communication over named pipes, utilizing a host of default names commonly used by adversaries. Analysis should focus on any file modifications to a suspicious named pipe within this process.

file_modifications_include ('pipe\msagent_', 'pipe\interprocess_', 'pipe\lsarpc_', 'pipe\samr_', 'pipe\netlogon_', 'pipe\wkssvc_', 'pipe\srvsvc_', 'pipe\mojo_', 'pipe\postex', 'pipe\status_', 'pipe\msse-')

Rundll32.exe to spawn SQL Server Client Configuration Utility

This analytic identifies instances of rundll32.exe spawning the SQL Server Client Configuration Utility (cliconfg.exe). We often see this pattern of process execution when Cobalt Strike leverages DLL Search Order Hijacking as a method of UAC bypass.

parent_process == rundll32.exe
process == cliconfg.exe

Command-line patterns for Cobalt Strike beacons via GetSystem

This analytic identifies commonly observed command-line patterns when Cobalt Strike beacons escalate privileges via the GetSystem feature. Adversaries use GetSystem to impersonate a token for the SYSTEM account. This level of access allows an adversary to perform privileged actions beyond that of an administrator.

process == cmd.exe
command_line_includes ('/(?i)echo\s+[0-9a-f]{11}\s+\>\;?\s+\\\\\.\\pipe\\[0-9a-f]{6}/.match')

The regular expression above will match a command line like the following example, which shows what GetSystem may look like when issued via a Cobalt Strike beacon:
C:\Windows\system32\cmd.exe /c echo 92d8cc45954 >; \\.\pipe\446b3c
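The three analytics above (beacon named pipes, rundll32.exe spawning cliconfg.exe, and the GetSystem command-line pattern) are written as pseudo-queries. As an added example that is not part of the original report, the Python below expresses each one as a function and runs them over a handful of constructed telemetry events. The event schema (`process`, `parent_process`, `command_line`, `file_modifications`) and the sample events are assumptions made for the example; the pipe prefixes and the regular expression are taken directly from the analytics on the page.

```python
import re

# Named-pipe prefixes from the beacon implant analytic above. A file modification
# whose path contains one of these is the signal the analytic looks for.
BEACON_PIPE_PREFIXES = (
    r"pipe\msagent_", r"pipe\interprocess_", r"pipe\lsarpc_", r"pipe\samr_",
    r"pipe\netlogon_", r"pipe\wkssvc_", r"pipe\srvsvc_", r"pipe\mojo_",
    r"pipe\postex", r"pipe\status_", r"pipe\msse-",
)

# Regular expression from the GetSystem analytic above:
# "echo <11 hex chars> >; \\.\pipe\<6 hex chars>", matched case-insensitively.
GETSYSTEM_RE = re.compile(r"(?i)echo\s+[0-9a-f]{11}\s+>;?\s+\\\\\.\\pipe\\[0-9a-f]{6}")


def beacon_pipe_hits(file_modifications):
    """Return the modified paths that contain one of the default beacon pipe names."""
    hits = []
    for path in file_modifications:
        lowered = path.lower()
        if any(prefix in lowered for prefix in BEACON_PIPE_PREFIXES):
            hits.append(path)
    return hits


def is_cliconfg_from_rundll32(event):
    """parent_process == rundll32.exe and process == cliconfg.exe (image names compared case-insensitively)."""
    return (event.get("parent_process", "").lower() == "rundll32.exe"
            and event.get("process", "").lower() == "cliconfg.exe")


def is_getsystem_cmdline(event):
    """process == cmd.exe and the command line matches the GetSystem echo-to-pipe pattern."""
    return (event.get("process", "").lower() == "cmd.exe"
            and GETSYSTEM_RE.search(event.get("command_line", "")) is not None)


def evaluate(event):
    """Return the names of the analytics this event triggers (empty list if none)."""
    triggered = []
    if beacon_pipe_hits(event.get("file_modifications", [])):
        triggered.append("beacon_named_pipe")
    if is_cliconfg_from_rundll32(event):
        triggered.append("rundll32_spawns_cliconfg")
    if is_getsystem_cmdline(event):
        triggered.append("getsystem_cmdline")
    return triggered


# Constructed sample telemetry (not real captures): one event per analytic plus two
# benign events that should not fire.
SAMPLE_EVENTS = [
    {"id": 1, "process": "rundll32.exe", "parent_process": "explorer.exe",
     "command_line": r"rundll32.exe C:\Users\Public\x.dll,Start",
     "file_modifications": [r"\\.\pipe\msagent_4f"]},
    {"id": 2, "process": "cliconfg.exe", "parent_process": "rundll32.exe",
     "command_line": "cliconfg.exe", "file_modifications": []},
    {"id": 3, "process": "cmd.exe", "parent_process": "rundll32.exe",
     "command_line": r"C:\Windows\system32\cmd.exe /c echo 92d8cc45954 >; \\.\pipe\446b3c",
     "file_modifications": []},
    {"id": 4, "process": "cmd.exe", "parent_process": "explorer.exe",
     "command_line": r"cmd.exe /c echo hello > C:\temp\out.txt",
     "file_modifications": []},
    {"id": 5, "process": "svchost.exe", "parent_process": "services.exe",
     "command_line": "svchost.exe -k netsvcs",
     "file_modifications": [r"\\.\pipe\winreg"]},
]


def run_detections(events):
    """Map event id -> triggered analytic names, for every event that triggers at least one."""
    results = {}
    for event in events:
        names = evaluate(event)
        if names:
            results[event["id"]] = names
    return results


if __name__ == "__main__":
    for event_id, names in run_detections(SAMPLE_EVENTS).items():
        print(event_id, names)
```

Running the block prints events 1, 2 and 3 with the analytic each one triggers; events 4 and 5 stay silent. The pipe check uses substring matching on a lowercased path so that a variant like `\\.\pipe\MSAgent_4f` is still caught, and the GetSystem regex is applied only to `cmd.exe` events, mirroring the `process == cmd.exe` condition of the original analytic.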