Protecting against Cobalt Strike

Rajeev Ranjan
8 min read · May 9, 2023


Preventative and Threat Hunting Methodology

Protecting Against Cobalt Strike:

Recently many large corporations have been struck by cyber-attacks, many of which were assumed or even proven to be perpetrated with the help of an offensive tool named Cobalt Strike. The protective measures developed by Black Cell Hungary Ltd. and described in this document are effective at preventing, detecting, and remediating such attacks. Cobalt Strike has 38 distinct capabilities, each of which requires the implementation of specific logical, physical, and administrative safeguards. These safeguards need to be applied through purpose-built security tools and devices.

Our methodology puts emphasis on the prevention of attacks. There are many easily detectable indicators of an impending attack, and through early detection and appropriate response, attacks can be stopped before any damage has been done. Of course, by the nature of cyber attacks, 100% protection can never be guaranteed, so we have also developed detailed methods for detecting, identifying, and mitigating successful attacks. Our methodology is also highly effective against a myriad of other cyber-attacks besides those perpetrated with the help of Cobalt Strike.

About Cobalt Strike:

Cobalt Strike is a commercial, full-featured penetration testing tool that is designed to simulate the post-exploitation activities of malicious actors. Its interactive capabilities cover almost the entire range of known post-exploit activities, all in a single integrated tool. Besides its own capabilities, it also facilitates the use of other offensive tools, such as Metasploit and Mimikatz, in order to broaden its reach. Recently this tool has increasingly been put to unauthorized, malicious use, opening the door to many cyber attacks.

Technical Capabilities

1. Access Token Manipulation

2. BITS Jobs

3. Bypass User Account Control

4. Command-Line Interface

5. Commonly Used Port

6. Component Object Model and Distributed COM

7. Connection Proxy

8. Credential Dumping

9. Custom Command and Control Protocol

10. Data from Local System

11. Execution through API

12. Exploitation for Privilege Escalation

13. Indicator Removal from Tools

14. Input Capture

15. Man in the Browser

16. Multiband Communication

17. Network Service Scanning

18. Network Share Discovery

19. New Service

20. Parent PID Spoofing

21. Pass the Hash

22. PowerShell

23. Process Discovery

24. Process Hollowing

25. Process Injection

26. Remote Desktop Protocol

27. Remote Services

28. Remote System Discovery

29. Scheduled Transfer

30. Screen Capture

31. Scripting

32. Service Execution

33. Standard Application Layer Protocol

34. Timestomp

35. Windows Admin Shares

36. Valid Accounts

37. Windows Management Instrumentation

38. Windows Remote Management

Identifying an Attack:

Indicators:

The key to identifying the indicators of this attack is to detect its early stages and deploy preventative and protective measures. The attack begins (after reconnaissance has completed) by sending a document containing malicious code to an individual, or group of individuals with the hope that someone will open it. When one of the recipients opens the document, malicious code is executed. For persistence purposes, a beacon is installed by the malicious code which then begins to communicate with and take orders from a command and control (C2) server. A Cobalt Strike attack can thus be detected in the delivery phase of the cyber kill chain.

The simplest yet most important protective procedure is to inform and educate employees of the dangers of malicious documents and other cyber attack vectors, and to provide them with channels to communicate with cyber security professionals that can analyze suspicious documents before they are opened.

Most of Cobalt Strike's capabilities can be detected through sufficient logging and log analysis, although some others require additional specialized software or hardware devices. With log analysis, threats relating to command lines, PowerShell, services, user accounts, remote access, and network scanning can be alleviated.

Cobalt Strike’s first phase starts with reconnaissance and the collection of organizational information. The attacker will use various network scanning utilities to detect network infrastructure components and related vulnerabilities. The scans are figuratively “loud” because the high volume of requests to different network components draws attention and is easy to detect. A SIEM system and sufficient logging are enough to detect and alert to these discovery activities. That said, these alerts in themselves won’t be able to identify Cobalt Strike attacks specifically, but will rather give IT security professionals sufficient time and information to prepare for a forthcoming attack.

Following the pre-exploit activities, the attacker will attempt to gain initial access and implant a beacon. This usually takes the form of a spear phishing campaign, where malicious documents are sent to various internal email addresses in the hope that someone opens them.

This campaign is one of the most easily detectable parts of a Cobalt Strike attack. When a large number of emails are received from an unknown sender in a short amount of time, an alert is triggered, and an IT security professional's investigation will quickly reveal the malicious content of the email. The list of recipients, and more specifically the people who opened the attachment, can be collected and the necessary remediation steps can be taken. Furthermore, the hash value of every email attachment can be automatically checked against known malicious files, helping to identify phishing campaigns automatically.

The malicious macros employed by Cobalt Strike can also be easily detected. The malicious VBA scripts spawn new processes which, with sufficient process creation logging, will trigger an alert in the SIEM system, even if the attacker has successfully disabled the antivirus software or cleared the relevant log files after the fact.
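The process-creation pattern described above, as an added example that is not part of the original post: an Office application appearing as the parent of a shell or script interpreter. Field names follow Sysmon Event ID 1 conventions (ProcessId, Image, ParentImage) and all records are constructed.

```python
"""Flag process-creation events in which an Office application spawns a
command shell or script interpreter, the trace a malicious macro leaves in
process-creation logs.  Added example; records below are constructed."""
import json

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_macro_spawn(event: dict) -> bool:
    """True when an Office parent launched one of the suspicious children."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN

def flag_events(json_lines):
    """Return (ProcessId, parent, child) for every matching event.  Malformed
    lines are skipped so one bad record cannot stall the pipeline."""
    alerts = []
    for line in json_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_macro_spawn(ev):
            alerts.append((ev.get("ProcessId"),
                           basename(ev["ParentImage"]), basename(ev["Image"])))
    return alerts

# Constructed sample telemetry (not real logs); one line is deliberately broken.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 4201, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"ProcessId": 4300, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
)] + ["not json"]

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print("ALERT macro-spawned process:", alert)
```

Note that the second sample (cmd.exe launching PowerShell) is not flagged by this parent-child check on its own; in a SIEM it should be correlated with the flagged ancestor so the full process chain is captured.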

The aforementioned basic logging, combined with a SIEM system, makes successful Cobalt Strike attacks extraordinarily unlikely; in fact, a few adjustments can prevent the most common attack vectors, such as the RDP brute force attack detailed in this image. Even if a successful attack takes place, there are still many protection methods that can warn us before significant damage is done. The beacon installed during a successful Cobalt Strike attack will have to communicate with a C2 server sooner or later, and this communication will often be disguised via various obfuscation techniques.

This concealed communication can be easily identified with a sufficient Next-Generation Firewall (NGFW) or Intrusion Detection System (IDS). These devices conduct deep analysis on the packets that form the communication flowing through them, looking for anomalies indicative of malicious activity.

The defensive methods described above make successful, undetected Cobalt Strike attacks near impossible. However, there are still some as yet unmentioned capabilities (with mostly local effects) that cannot be detected through common log collection and analysis techniques. These require advanced Endpoint Detection and Response (EDR) and/or vulnerability management tools.

The previously described detection methods provide robust, reliable protection against Cobalt Strike attacks by detecting its pre- and post-exploit capabilities. There are some other detection methods that rely on detecting aspects specific to the Cobalt Strike framework itself, rather than the effects of its functions.

• Default certificate hash: Cobalt Strike’s default certificate often remains unchanged. Thus, if we detect this certificate’s hash on any device or in network communication, then we know that a Cobalt Strike attack has taken place.

• Default controller port: Cobalt Strike’s default port for communication is 50050. If we detect this port open or find it in any network communication, then we know a Cobalt Strike attack has taken place.

• HTTP response whitespace: Cobalt Strike servers pre-version 3.13 contain an easily detectable anomaly in their HTTP responses.

As seen in the above picture, there is an unusual whitespace after the status code that is not present in legitimate communication.

• TLS negotiation fingerprint: TLS is a protocol that encrypts network traffic to enable secure communication. To create a secure communication channel, a negotiation (handshake) process needs to take place first, and this happens unencrypted. It is possible to create a “fingerprint” of this process that can be used to identify similar network communication. With a sufficient IDS solution, we can analyze network traffic for fingerprints that allude to Cobalt Strike communication.

• In-memory detection: If there is suspicion of a Cobalt Strike attack, then we can use an image created from the endpoint’s working memory to detect whether a Cobalt Strike beacon is running. This process cannot necessarily be made automatic, but it can provide valuable information to validate and remediate attacks.

Sample output indicating a Cobalt Strike beacon was found in a memory image.
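Two of the framework-specific indicators from the list above, implemented as an added example (not code from the original post): the unusual whitespace in the status line of pre-3.13 HTTP responses, and connections to the default controller port 50050. The HTTP responses and the five-column connection log format below are constructed for the example.

```python
"""Check two framework-specific Cobalt Strike indicators: a status line
carrying unusual whitespace (trailing space before CRLF, or doubled spaces
between tokens), and traffic to the default controller port 50050.
Added example; all sample data below is constructed."""
import re

DEFAULT_CONTROLLER_PORT = 50050
# Captures the reason phrase so trailing whitespace can be inspected.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ([^\r\n]*)\r\n")

def status_line_anomaly(response: bytes) -> bool:
    """True when the HTTP status line has whitespace a normal server would
    not emit.  Non-HTTP or malformed input is not an anomaly, just a miss."""
    m = STATUS_LINE.match(response)
    if not m:
        return False
    reason = m.group(2)
    status_line = response[:m.end()]
    return reason.endswith(b" ") or b"  " in status_line

def default_port_hits(conn_lines):
    """Return (src, dst) for every connection log record whose destination
    port is 50050.  Record format (constructed): 'ts src sport dst dport'."""
    hits = []
    for line in conn_lines:
        fields = line.split()
        if len(fields) < 5:
            continue                      # skip short or malformed records
        _ts, src, _sport, dst, dport = fields[:5]
        if dport.isdigit() and int(dport) == DEFAULT_CONTROLLER_PORT:
            hits.append((src, dst))
    return hits

# Constructed samples (not captured traffic).
LEGIT_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
SUSPECT_RESPONSE = b"HTTP/1.1 200 OK \r\nContent-Length: 0\r\n\r\n"
CONN_LOG = [
    "1683619200.1 10.0.0.5 51234 203.0.113.7 443",
    "1683619201.4 10.0.0.9 51235 203.0.113.7 50050",
    "1683619202.0 10.0.0.5 51236 198.51.100.3 80",
    "malformed record",
]

if __name__ == "__main__":
    print("legit anomaly:", status_line_anomaly(LEGIT_RESPONSE))
    print("suspect anomaly:", status_line_anomaly(SUSPECT_RESPONSE))
    print("port 50050 hits:", default_port_hits(CONN_LOG))
```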

YARA:

YARA is a tool used to identify and categorize malware indicators and samples. With the help of this tool, we can also identify Cobalt Strike-related indicators. Below you can find a demonstration of a few YARA rules with the aforementioned purpose:

Suggested solutions:

Above we have defined many methods of detecting Cobalt Strike attacks, all of which require the implementation of various security tools and devices. Below you can find the recommended solutions for the methodology developed by Black Cell Hungary Ltd.

Log collection and analysis system: Splunk

Splunk is a platform for searching, monitoring, and analyzing real-time data. The data is stored in a searchable repository from which graphs, reports, alerts, dashboards, and visualizations can be generated. The previously described detection rules will be implemented in Splunk and the necessary logs can be easily collected with the low overhead, secure Splunk agent.

IDS (Intrusion Detection System): Suricata

Suricata is an open-source network threat management software that provides IDS and IPS capabilities. It is notably good at deep packet analysis and detection of malicious signatures, which makes it essential for the detection of Cobalt Strike network indicators.

NGFW (Next-Generation Firewall): Palo Alto

Palo Alto Next-Generation firewalls combine the functionality of traditional firewalls with the functionality of other network security appliances, such as application firewalls, packet analysis devices, and IDS/IPS systems. These firewalls have industry-leading technologies such as TLS/SSL encrypted traffic inspection, QoS, advanced virus and threat protection, application-aware rules, and user identification. A Next-Generation Firewall helps prevent Cobalt Strike attacks through its traditional firewall functions, packet analysis, and threat protection, and can help identify indicators of successful attacks.

EDR (Endpoint Detection and Response) & Vulnerability management: MDATP

Microsoft Defender Advanced Threat Protection is a platform designed to help organizations prevent, detect, investigate, and react to advanced threats. It uses endpoint behavior detectors, cloud-based security analysis, threat intelligence, and vulnerability management to protect against even the most advanced threats. MDATP is used to protect against, detect, and alleviate Cobalt Strike capabilities that threaten endpoints.
