Cobalt Strike

Cobalt Strike is a post-exploitation tool used by many adversaries and associated with many threats. It’s a force multiplier that adds value for adversaries during nearly any incident.

Overall rank: #2

Customers affected: 11.6%

Analysis

Cobalt Strike is an adversary simulation platform used by both red teams and adversaries. The tool integrates functionality from multiple offensive security projects and can be extended with aggressor scripts. In 2020 we observed adversaries using Cobalt Strike in targeted attacks to steal payment card data, in ransomware incidents to retain a foothold, in red team engagements, and even in incidents involving malicious document droppers. Adversaries can buy Cobalt Strike, and older, cracked versions of Cobalt Strike are freely available to adversaries online.

Cobalt Strike fills adversaries’ needs by providing a reliable post-exploitation agent that works well and allows the adversaries to focus on other parts of the attack lifecycle. It fills this need so well that multiple cybercrime enterprises and advanced threats have used the tool as part of compromises involving ransomware, data theft, and more. In incidents involving Bazar malware, we observed adversaries deploying Cobalt Strike payloads prior to Ryuk ransomware. In these cases, the adversaries often moved quickly, taking as little as two hours to reach their objective. In other cases—such as 2020’s Solorigate supply chain compromise—adversaries created custom shellcode loaders to deploy Cobalt Strike payloads. Cobalt Strike is so common and reliable that adversaries create their own custom tooling to simply deploy the payloads, knowing that they will likely succeed if they can just get the payload past security controls. This capability demonstrates how Cobalt Strike fits into the threat model for nearly any organization.

Cobalt Strike can generate and execute payloads in the form of an EXE, DLL, or shellcode; these payloads are what Cobalt Strike refers to as a Beacon. Beacons allow adversaries to leverage multiple code delivery and execution methods during attacks. Cobalt Strike beacons evade defenses using Process Injection to execute malicious code within the memory space of native Windows binaries such as the Windows DLL Host rundll32.exe. During lateral movement, Cobalt Strike beacons may execute as Windows services spawning PowerShell code or binaries that mirror the functions of PsExec. In addition, adversaries may pivot between endpoints using WMI commands or SMB named pipe communication. For privilege escalation, Cobalt Strike can use named pipe impersonation to execute code as NT AUTHORITY\SYSTEM for unfettered access to an endpoint.

Detection opportunities

Detection opportunity 1

Beacons executing via PowerShell
ATT&CK technique(s): T1059.001 Command and Scripting Interpreter: PowerShell, T1027 Obfuscated Files or Information
ATT&CK tactic(s): Execution, Defense Evasion

Details: Cobalt Strike beacons can execute in PowerShell form, with powershell.exe loading obfuscated code into memory for execution. These beacons may execute as Windows services or from other persistence mechanisms determined by the adversary. To detect these beacons, you can search for powershell.exe processes with command lines containing plaintext and Base64-encoded variations of the following common keyword combinations:

  • IO.MemoryStream
  • FromBase64String
  • New-Object

For example, the highlighted portion of the encoded PowerShell in the screenshot below decodes to $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String.
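One way to implement this search over process command lines, as an added example that is not from the report: it derives the Base64 form each keyword takes at the three possible 3-byte alignments, so an -EncodedCommand blob is matched without decoding it. The sample command line and the -EncodedCommand wrapper are constructed for illustration.

```python
import base64

# Keyword combinations the detection opportunity lists for PowerShell-form Beacons
KEYWORDS = ("IO.MemoryStream", "FromBase64String", "New-Object")


def base64_variants(keyword: str, encoding: str = "utf-16-le") -> list[str]:
    """Base64 substrings that represent `keyword` inside a larger encoded
    blob, one per 3-byte alignment.

    powershell.exe -EncodedCommand carries Base64 of UTF-16LE text, so the
    keyword is encoded that way by default. Base64 works in 3-byte groups,
    so the same bytes encode differently depending on their offset mod 3.
    Prepend 0, 1 or 2 filler bytes, encode, and keep only the 4-character
    groups made entirely of keyword bytes (drop the first group when it
    contains filler, and drop any trailing partial group).
    """
    raw = keyword.encode(encoding)
    variants = []
    for pad in range(3):
        padded = b"\x00" * pad + raw
        enc = base64.b64encode(padded).decode("ascii")
        start = 4 if pad else 0
        end = (len(padded) // 3) * 4
        if end > start:
            variants.append(enc[start:end])
    return variants


def detect_beacon_powershell(command_line: str) -> list[str]:
    """Return the listed keywords found in a powershell.exe command line,
    in plaintext (case-insensitive) or Base64-encoded at any alignment
    (UTF-16LE as in -EncodedCommand, UTF-8 as in nested blobs)."""
    lowered = command_line.lower()
    hits = []
    for kw in KEYWORDS:
        encoded = base64_variants(kw) + base64_variants(kw, "utf-8")
        if kw.lower() in lowered or any(v in command_line for v in encoded):
            hits.append(kw)
    return hits


def encoded_command(script: str) -> str:
    """Wrap a script in the -EncodedCommand form (constructed helper)."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -nop -w hidden -encodedcommand {blob}"


if __name__ == "__main__":
    # Constructed sample built around the decoded fragment the report quotes
    sample = encoded_command('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("AAAA"))')
    print(detect_beacon_powershell(sample))  # ['IO.MemoryStream', 'FromBase64String', 'New-Object']
```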

Detection opportunity 2

Privilege escalation through named pipe impersonation
ATT&CK technique(s): T1543.003 Create or Modify System Process: Windows Service
ATT&CK tactic(s): Privilege Escalation

Details: Cobalt Strike beacons can execute commands to escalate privileges to the NT AUTHORITY\SYSTEM account from certain security contexts. To achieve this, the beacon can schedule the execution of a Windows Service that manipulates data using a named pipe. You can detect this activity by identifying instances of Command Processor cmd.exe where the command line contains the keywords echo and pipe. Note that Metasploit will demonstrate similar artifacts when performing named-pipe impersonation. Additional context and detection guidance can be found in this blog.

Detection opportunity 3

Defense Evasion by Process Injection
ATT&CK technique(s): T1055.012 Process Injection: Process Hollowing
ATT&CK tactic(s): Defense Evasion

Details: Cobalt Strike beacons can inject code into memory. To perform this function, a Beacon will spawn a native Windows binary and then manipulate its memory space. In many cases, the spawned processes do not have command-line arguments specified when they should under normal operation. To detect this activity, identify instances of these processes initiating network connections without any command-line arguments specified:

  • rundll32.exe
  • werfault.exe
  • searchprotocolhost.exe
  • gpupdate.exe
  • regsvr32.exe
  • svchost.exe
  • msiexec.exe
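The following added example (not part of the report) applies detection opportunities 2 and 3 to constructed process telemetry: cmd.exe command lines containing echo and pipe, and the listed binaries initiating network connections with no command-line arguments. The event schema and the sample events are assumptions made for illustration.

```python
import ntpath

# Opportunity 3: native binaries Beacon commonly spawns for injection. They
# normally carry arguments, so an argument-less instance with network activity stands out.
INJECTION_TARGETS = {"rundll32.exe", "werfault.exe", "searchprotocolhost.exe",
                     "gpupdate.exe", "regsvr32.exe", "svchost.exe", "msiexec.exe"}


def has_no_arguments(command_line: str) -> bool:
    """True when the command line is only the executable, quoted or bare."""
    cl = command_line.strip()
    if cl.startswith('"'):
        close = cl.find('"', 1)
        return close != -1 and cl[close + 1:].strip() == ""
    return len(cl.split()) == 1


def evaluate(event: dict) -> list[str]:
    """Apply detection opportunities 2 and 3 to one process event.
    Constructed event schema (not a vendor format):
      image           - full path of the process image
      command_line    - process command line
      network_connect - True if the process initiated a network connection
    """
    findings = []
    name = ntpath.basename(event["image"]).lower()
    lowered = event["command_line"].lower()
    # Opportunity 2: cmd.exe echoing into a named pipe (Metasploit looks similar)
    if name == "cmd.exe" and "echo" in lowered and "pipe" in lowered:
        findings.append("named pipe impersonation (opportunity 2)")
    # Opportunity 3: injection target with network activity but no arguments
    if (name in INJECTION_TARGETS and event["network_connect"]
            and has_no_arguments(event["command_line"])):
        findings.append("argument-less injection target with network activity (opportunity 3)")
    return findings


# Constructed sample telemetry: one hit per opportunity and two benign events
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c echo 7f2a1b > \\.\pipe\7f2a1b", "network_connect": False},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe"', "network_connect": True},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL", "network_connect": True},
    {"image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs -p", "network_connect": True},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["command_line"], "->", evaluate(ev))
```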

Tony Lambert
INTELLIGENCE ANALYST
Tony is a professional geek who loves to jump into all things related to detection and digital forensics. After working in enterprise IT administration and detection engineering for several years, he now applies his DFIR skills to research malware, detect malicious activity, and recommend remediation paths. Tony is a natural teacher and regularly shares his findings and expertise through blogs, research reports, and presentations at conferences and events.