Despite good-faith efforts from Cobalt Strike’s developers to prevent adversaries from cracking this post-exploitation tool, ransomware operators are still abusing older versions of the software.
Cobalt Strike continues to be a favorite post-exploitation tool for adversaries. At #8, it is the only post-exploitation framework to make the top 10. Ransomware operators in particular rely substantially on Cobalt Strike’s core functionalities as they seek to deepen their foothold in their victims’ environments. Its speed, flexibility, and advanced features are likely contributing factors as to why ransomware attacks have been ticking upward in recent years. Some of the most notorious ransomware operators— including groups like Lockbit and Royal—are known to rely heavily on Cobalt Strike in their attacks.
Cobalt Strike developers made multiple changes throughout 2022, including even more flexible C2 profiles, SOCKS5 proxy support, and injection options. These improvements allow adversaries to further customize their TTPs, making detection challenging. While those additions benefitted adversaries, the developers of Cobalt Strike also imposed major changes to discourage the cracking and abuse of Cobalt Strike packages. Notably, the developers changed how they distributed Cobalt Strike’s team server component, resulting in better product security. That said, we often observe Cobalt Strike beacons from older versions of the software, indicating that some criminal adversaries take advantage of older cracked or pirated versions over the newer ones.
The security community is embracing the fact that whatever functional label you place on Cobalt Strike, it’s here to stay, it’s implicated in all variety of intrusions, and it’s our duty to defend against it. Luckily for defenders, the security community has produced a plethora of great technical analysis and detection opportunities around preventing and investigating Cobalt Strike. For defenders getting started with understanding how the tool works and operates, we highly recommend reading each of the following resources because they all have unique takeaways and cover a majority of the most effective detection techniques:
There are several strategies to hunt proactively for Cobalt Strike team servers in the wild, mostly based around network data and service fingerprinting. These strategies include using tools such as Shodan and Censys to find servers using default TLS certificate values, default team server ports (50050), and default JARM hashes associated with Cobalt Strike. While many adversaries change these default values, we still often find adversaries that don’t change them, resulting in simpler identification. For more details on proactively identifying Cobalt Strike infrastructure, check out these resources:
This detection analytic identifies an adversary using a Cobalt Strike beacon implant to pivot and issue commands over SMB through the use of configurable named pipes. Cobalt Strike beacons have configurable options to allow SMB communication over named pipes, utilizing a host of default names commonly used by adversaries. Analysis should focus on any file modifications to a suspicious named pipe within this process.
rundll32.exe to spawn SQL Server Client Configuration Utility
This analytic identifies instances of rundll32.exe spawning the SQL Server Client Configuration Utility (cliconfg.exe). We often see this pattern of process execution when Cobalt Strike leverages DLL Search Order Hijacking as a method of UAC bypass.
parent_process == rundll32.exe
process == cliconfg.exe
Command-line patterns for Cobalt Strike beacons via GetSystem
This analytic identifies commonly observed command-line patterns when Cobalt Strike beacons escalate privileges via the GetSystem feature. Adversaries use GetSystem to impersonate a token for the SYSTEM account. This level of access allows an adversary to perform privileged actions beyond that of an administrator.
process == cmd.exe
*NOTE: The above regular expression will match on the following example what of using GetSystem may look like via a Cobalt Strike beacon: C:\Windows\system32\cmd.exe /c echo 92d8cc45954 >; \\.\pipe\446b3c
See what it's like to have a security ally.
Experience the difference between a sense of security and actual security.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.