What is Cobalt Strike?
Cobalt Strike is a commercial adversary-simulation toolset used by offensive security firms across the globe. With built-in tooling for reconnaissance, initial access, and post-exploitation, it has become one of the go-to frameworks for red teams and white-hat security companies. The Cobalt Strike website describes the product as “threat emulation software,” which might suggest that it is only used for sanctioned, ethical engagements. Unfortunately, that is not the case: pirated and leaked copies have made it a fixture of real intrusions, and its use for malicious purposes continues to rise. During the WastedLocker ransomware attacks, Cobalt Strike was used for lateral movement across the victims’ internal networks. It has also been observed in campaigns targeting government entities in South Asia.
So how does Cobalt Strike work? The framework supports a multi-stage attack chain that lets an operator gain quiet, long-term access to machines on a network.
Reconnaissance
Cobalt Strike has a built-in “system profiler.” This tool starts a web server and fingerprints the browser of anyone who visits the rogue page, recording details such as the operating system, browser version, and installed plugins and applications. That information helps an attacker choose an exploit or a social-engineering lure matched to the target.
Attacks
Cobalt Strike has a slew of options for getting a payload to execute on a target machine. By hosting a web drive-by attack or turning a file into a trojan, attackers have multiple vectors for initial access. Its built-in website clone tool copies a legitimate site to serve as an “innocent” place for victims to download a malicious file. Both Microsoft Office documents (via macros) and Windows executables can be weaponized into files that give the attacker code execution on the victim’s machine.
Post-Exploitation
Once an attacker has found a way onto a network machine, Cobalt Strike really begins to show how powerful it is. “Beacon” is its post-exploitation agent: it runs on the compromised host (typically in memory), checks in with the attacker’s team server at a configurable interval, and gives the operator an interactive session. Through Beacon the operator can execute PowerShell scripts and commands, log keystrokes, take screenshots of the desktop, download files from the system, pivot to other hosts, and deploy additional malware such as ransomware. Note that Beacon does not survive a reboot on its own; the operator has to add a persistence mechanism separately.
Detection and Prevention
Cobalt Strike is rather difficult to detect on a network because its payloads can be obfuscated and because Malleable Command and Control (C2) profiles let the operator reshape almost every network indicator: the URIs, HTTP headers and User-Agent, how Beacon’s metadata is encoded, the sleep interval and jitter, even the TLS certificate. A well-customized deployment can slip past signature-based anti-virus and IDS rules that an organization would typically have in place. So how can your organization actively detect Cobalt Strike?
- Examine network traffic. Beacon can communicate over HTTP, HTTPS, DNS, and (for peer-to-peer links between compromised hosts) SMB named pipes. Because HTTPS hides request contents, a TLS inspection tool is needed to see the URIs and headers; without it you can still work from metadata such as the server certificate, JA3/JA3S fingerprints, request sizes, and connection timing.
- Examine uncommon external destinations. Beacon has to reach a team server or a redirector in front of it, so look for workstations talking to newly registered domains, bare IP addresses, or hosts that no one else in the organization contacts.
- Examine communication patterns. Traffic generated by a C2 framework such as Cobalt Strike is usually periodic: Beacon sleeps for a configured interval, optionally shortened by a random jitter percentage, and then checks in again. Those regular intervals, steady request sizes, and repeated URIs can be detected statistically. Keep in mind that there are “good bots” on any network: OS and software updaters, telemetry agents, and monitoring checks also generate regular traffic that can look like a command-and-control agent, so keep an allowlist of known periodic services and tune your thresholds to limit false positives.
- There are many published resources with advanced techniques for detecting and quarantining Cobalt Strike on a network (checks for default certificates and URIs, memory scanning for Beacon configurations, Sigma and YARA rules). Review these and develop a quality solution for analyzing both network traffic and endpoint activity.
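As an added illustration of the communication-pattern check described above (this is example detection logic written for this article, not Cobalt Strike’s own code or any vendor’s tool), the script below takes constructed proxy log lines, groups requests by source and destination host, measures how regular the gaps between requests are, and flags pairs that are both frequent and regular. The log format, hostnames, thresholds, jitter model, and the allowlist of “good bots” are all assumptions made for the example.

```python
"""Beaconing detector over constructed HTTP proxy log lines.

Hypothetical detection logic, not Cobalt Strike code: group requests by
(source, destination host), compute the intervals between consecutive
requests, and flag pairs whose intervals are frequent and too regular.
"""
import random
import statistics
from collections import defaultdict

MIN_EVENTS = 10   # assumption: need this many requests before judging regularity
MAX_CV = 0.3      # assumption: coefficient of variation (stdev/mean) at or below this is "regular"
# Constructed allowlist of legitimate periodic traffic ("good bots")
KNOWN_GOOD_BOTS = {"update.vendor.example"}


def build_sample_log(seed=7):
    """Construct synthetic proxy log lines in the form 'ts<TAB>src<TAB>host<TAB>uri'."""
    rng = random.Random(seed)
    lines = []
    # Beacon-like check-ins: 60 s sleep shortened by up to 20% jitter, like many C2 agents
    t = 1_700_000_000.0
    for _ in range(30):
        lines.append(f"{t:.3f}\t10.0.0.5\tcdn-assets.example\t/static/app.js")
        t += 60 * (1 - rng.uniform(0, 0.20))
    # Human browsing: irregular gaps between requests
    t = 1_700_000_010.0
    for gap in [2, 340, 9, 1250, 31, 4, 870, 15, 2200, 60, 3, 500]:
        lines.append(f"{t:.3f}\t10.0.0.5\tnews.example\t/index.html")
        t += gap
    # Legitimate software updater: perfectly regular hourly check-in
    t = 1_700_000_020.0
    for _ in range(12):
        lines.append(f"{t:.3f}\t10.0.0.5\tupdate.vendor.example\t/check")
        t += 3600
    rng.shuffle(lines)  # arrival order in a real log is interleaved; we sort when parsing
    return lines


def parse(lines):
    """Parse log lines into {(src, host): sorted list of timestamps}."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, host, _uri = line.rstrip("\n").split("\t")
        by_pair[(src, host)].append(float(ts))
    for stamps in by_pair.values():
        stamps.sort()
    return by_pair


def regularity(stamps):
    """Return (event_count, mean_interval, cv) for one (src, host) pair."""
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < 2:
        return len(stamps), 0.0, float("inf")
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return len(stamps), mean, cv


def find_beacons(lines, allowlist=KNOWN_GOOD_BOTS):
    """Return {(src, host): (count, mean_interval, cv)} for pairs that look like C2 beacons."""
    hits = {}
    for pair, stamps in parse(lines).items():
        count, mean, cv = regularity(stamps)
        if count >= MIN_EVENTS and cv <= MAX_CV and pair[1] not in allowlist:
            hits[pair] = (count, mean, cv)
    return hits


if __name__ == "__main__":
    for (src, host), (count, mean, cv) in find_beacons(build_sample_log()).items():
        print(f"possible beacon: {src} -> {host}: {count} requests, "
              f"mean interval {mean:.1f}s, cv {cv:.3f}")
```

In this construction the jittered beacon is flagged (its intervals all fall between 48 and 60 seconds, so the coefficient of variation stays well under the threshold), the browsing traffic is not, and the hourly updater is flagged only if it is removed from the allowlist. A real deployment would also fold in request sizes, URI repetition, and destination reputation, and would tune `MIN_EVENTS` and `MAX_CV` against the organization’s own baseline.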