Detecting Cobalt Strike Beacons

Introduction

Cobalt Strike is a commercial tool for adversary simulation.

PREVENTION, DETECTION AND RESPONSE TOOLS

  • Static File Hash analysis: Windows Defender.
  • Endpoint Telemetry: Sysmon (Sysinternals).
  • EDR agent and SIEM: Wazuh.
  • Threat Intel platform: MISP

PREVENTION.

Many of the Cobalt Strike beacons seen in the wild, and the additional payloads downloaded as part of the attack chain, are flagged and removed by Windows Defender, either through local file analysis (file hash matching) or through its real-time analysis engine.

Windows Defender Settings
Information level events — Process running and in healthy state
Information level events — Signatures Updated
Information level events — Periodic scans

DETECTION.

Network Activity

Communication to C2 Server:

Network Activity — Least Seen Processes
Network Activity — Process Map
Network Activity — Sysmon Event 15
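The two network views above (least seen processes making connections, and downloaded files that later talk to the network) can be reproduced from raw Sysmon telemetry. The following is an added example written for this page, not code from the original post or from SOCFortress: it runs over constructed Sysmon Event ID 3 (NetworkConnect) and Event ID 15 (FileCreateStreamHash) records shaped like the JSON the Wazuh agent forwards, ranks process images by how rarely they connect out, and correlates executables that carry a Zone.Identifier stream (the mark-of-the-web Sysmon records in Event 15) with outbound connections from that same image. Field names follow the Sysmon schema; hostnames, paths and addresses are made up.

```python
"""Added example (not from the original post): least-seen network processes
and downloaded-file correlation over constructed Sysmon records."""
from collections import Counter

# Constructed sample: Sysmon events as dicts, in the shape the Wazuh agent
# forwards from the Sysmon event channel. Paths and IPs are made up.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.11", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.12", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.21", "DestinationPort": 80},
    # Event 15: the browser wrote a Zone.Identifier stream next to a download.
    {"EventID": 15, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\updater.exe:Zone.Identifier"},
    {"EventID": 3, "Image": r"C:\Users\bob\Downloads\updater.exe",
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "198.51.100.6", "DestinationPort": 443},
]

ZONE_STREAM = ":zone.identifier"  # stream suffix as Sysmon reports it in TargetFilename


def connections_by_image(events):
    """Count Sysmon Event 3 records per process image (case-folded path)."""
    return Counter(e["Image"].lower() for e in events if e.get("EventID") == 3)


def least_seen_processes(events, n=3):
    """The n images with the fewest outbound connections (ties broken by path).
    A beacon normally lives in a process that rarely, if ever, talks out."""
    counts = connections_by_image(events)
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [image for image, _ in ranked[:n]]


def downloaded_files(events):
    """Files whose Zone.Identifier stream was recorded by Event 15, i.e. files
    that came from the internet or mail. The stream suffix is stripped so the
    result can be compared against the Image field of other events."""
    files = set()
    for e in events:
        name = e.get("TargetFilename", "")
        if e.get("EventID") == 15 and name.lower().endswith(ZONE_STREAM):
            files.add(name[: -len(ZONE_STREAM)].lower())
    return files


def downloaded_processes_with_network(events):
    """Images that were downloaded (Event 15) and later connected out (Event 3):
    the correlation a beacon dropped via a browser or mail client produces."""
    marked = downloaded_files(events)
    return sorted(img for img in connections_by_image(events) if img in marked)


if __name__ == "__main__":
    for image in least_seen_processes(SAMPLE_EVENTS):
        print("least seen:", image)
    for image in downloaded_processes_with_network(SAMPLE_EVENTS):
        print("downloaded and connecting out:", image)
```

On a real fleet the counts should be taken per host and over a window of days; a process that is "least seen" on one noisy workstation may be routine elsewhere, so the ranking is a triage aid rather than an alert by itself.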

Process Activity.

rundll32.exe:

Processes Spawning Rundll32.exe

Parent Process Spoofing:

Parent process spoofing is a technique commonly used by Cobalt Strike beacons. The beacon chooses an arbitrary parent for the processes it creates, so that detections built on parent/child relationships, such as an Office application launching an unusual child process, do not fire.

UNIQUE RELATIONSHIP PROCESS FILE HASH — PROCESS EXECUTED

Powershell execution (and command line arguments).

Suspicious command line arguments used:
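The process-activity signals in this section (rundll32.exe launched with nothing to run, Office applications spawning scripting or LOLBin children, PowerShell command lines with stager-style arguments, and the file-hash to process-name relationship) can all be checked from Sysmon Event ID 1 (ProcessCreate) records. The block below is an added example written for this page, not code from the original post or from SOCFortress. It assumes events arrive as dicts with the Sysmon field names (Image, ParentImage, CommandLine, Hashes); the sample records and hashes are constructed, and the argument patterns are a short, illustrative list rather than a complete rule set.

```python
"""Added example (not from the original post): process-creation checks over
constructed Sysmon Event ID 1 records."""
import re
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
UNUSUAL_OFFICE_CHILDREN = {"rundll32.exe", "powershell.exe", "cmd.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}
# Illustrative PowerShell argument patterns seen far more often in stagers
# than in legitimate administration (not an exhaustive list).
SUSPICIOUS_POWERSHELL = {
    "encoded command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I),
    "profile disabled": re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I),
    "hidden window": re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I),
    "download cradle": re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b", re.I),
}
# rundll32.exe with no DLL/entry point: the bare image, quoted or not, and nothing else.
RUNDLL32_NO_ARGS = re.compile(r'^"?(?:[^"]*\\)?rundll32\.exe"?\s*$', re.I)

# Constructed sample events; the SHA256 values are placeholders, not real hashes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe"', "Hashes": "SHA256=" + "11" * 32},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA", "Hashes": "SHA256=" + "22" * 32},
    # The same binary (same hash) executed under two different names.
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "svchost.exe", "Hashes": "SHA256=" + "33" * 32},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "update.exe", "Hashes": "SHA256=" + "33" * 32},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs", "Hashes": "SHA256=" + "44" * 32},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def sha256_of(event):
    """Pull SHA256 out of Sysmon's 'Hashes' field ('SHA256=...,MD5=...')."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def process_create_findings(event):
    """Human-readable findings for one Event ID 1 record (empty if clean)."""
    findings = []
    image, parent = basename(event["Image"]), basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image == "rundll32.exe" and RUNDLL32_NO_ARGS.match(cmd):
        findings.append("rundll32.exe started without a DLL argument")
    if parent in OFFICE_PARENTS and image in UNUSUAL_OFFICE_CHILDREN:
        findings.append(f"{parent} spawned {image}")
    if image in ("powershell.exe", "pwsh.exe"):
        for label, pattern in SUSPICIOUS_POWERSHELL.items():
            if pattern.search(cmd):
                findings.append(f"powershell {label}")
    return findings


def hash_to_images(events):
    """Map each SHA256 to the set of process names it was executed as."""
    relation = defaultdict(set)
    for e in events:
        digest = sha256_of(e)
        if e.get("EventID") == 1 and digest:
            relation[digest].add(basename(e["Image"]))
    return relation


def renamed_binaries(events):
    """Hashes executed under more than one process name (renamed binaries)."""
    return {h: names for h, names in hash_to_images(events).items() if len(names) > 1}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        for finding in process_create_findings(e):
            print(basename(e["Image"]), "->", finding)
    for digest, names in renamed_binaries(SAMPLE_EVENTS).items():
        print("hash", digest[:12], "executed as", sorted(names))
```

Note that Sysmon's ParentImage field records the parent the beacon chose when it spoofs the PPID, so the Office-parent rule only catches beacons that did not spoof; the rundll32-without-arguments check and the hash-to-name relationship do not depend on the parent field, which is why they are worth keeping alongside parent/child rules.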

Memory artifacts / Process Injection.

Downloaded payloads are typically injected into, and executed from, the memory space of rundll32.exe.

Unsigned DLLs loaded in memory.
Process and DLL side loading map.
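The two views above come from Sysmon Event ID 7 (ImageLoad), which records every module a process loads together with its signature status. The following is an added example written for this page, not code from the original post or from SOCFortress: it flags unsigned DLLs loaded from user-writable directories, treats an unsigned load into rundll32.exe (or another script/DLL host) as higher risk, marks the side-loading pattern where a DLL is loaded from the executable's own directory instead of a system directory, and builds the process-to-DLL map. Field names follow the Sysmon schema; the records are constructed and the path prefixes are an assumption about a default Windows layout.

```python
"""Added example (not from the original post): image-load checks and a
process/DLL map over constructed Sysmon Event ID 7 records."""
from collections import defaultdict

# Assumed default layout: directories a standard user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")
# Hosts into which a beacon DLL is commonly loaded; an unsigned module here
# deserves more attention than the same module in an ordinary application.
HIGH_RISK_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Constructed sample events (Sysmon Event 7 reports Signed as "true"/"false").
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\payload.dll", "Signed": "false",
     "Signature": "-"},
    {"EventID": 7, "Image": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\version.dll", "Signed": "false",
     "Signature": "-"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def image_load_findings(event):
    """Findings for one Event ID 7 record (empty list if nothing stands out)."""
    findings = []
    host = basename(event["Image"])
    dll = event["ImageLoaded"]
    signed = str(event.get("Signed", "false")).lower() == "true"
    if not signed and is_user_writable(dll):
        findings.append(f"unsigned DLL {basename(dll)} loaded from a user-writable path")
    if not signed and host in HIGH_RISK_HOSTS:
        findings.append(f"{host} loaded unsigned DLL {basename(dll)}")
    # Side-load candidate: the DLL sits in the executable's own directory,
    # outside the system directories, and carries no valid signature.
    same_dir = dirname(dll) == dirname(event["Image"])
    if not signed and same_dir and not dirname(dll).startswith(SYSTEM_PREFIXES):
        findings.append(f"possible side-load of {basename(dll)} by {host}")
    return findings


def dll_process_map(events):
    """Host process name -> sorted list of DLL names it loaded (the 'map' view)."""
    loaded = defaultdict(set)
    for e in events:
        if e.get("EventID") == 7:
            loaded[basename(e["Image"])].add(basename(e["ImageLoaded"]))
    return {host: sorted(dlls) for host, dlls in loaded.items()}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        for finding in image_load_findings(e):
            print(finding)
    for host, dlls in dll_process_map(SAMPLE_EVENTS).items():
        print(host, "loaded", dlls)
```

Event 7 is one of the noisiest Sysmon event types, so in a production Sysmon configuration it is normally filtered to the hosts and directories of interest before it reaches the SIEM; the checks above assume that filtering has already been applied.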

Lateral Movement.

PsExec is one of the most common tools used by Cobalt Strike beacons for lateral movement.

System Services Activity and Telemetry.
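Service-based lateral movement leaves its trace in the System log as Event ID 7045 ("A service was installed in the system") on the target host, followed by services.exe starting the service binary, which Sysmon records as Event ID 1. The block below is an added example written for this page, not code from the original post or from SOCFortress: it flags service installs whose binary is PSEXESVC, lives on an administrative share, or is a command interpreter, and pairs them with services.exe children that run from outside the system directories. Field names follow the Windows and Sysmon event schemas; hostnames, service names and records are constructed.

```python
"""Added example (not from the original post): service-install and
services.exe-child checks over constructed System log and Sysmon records."""
import re

PSEXEC_SERVICE_NAMES = {"psexesvc"}
# Service binary located on an administrative share (\\host\ADMIN$\... or \\host\C$\...)
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(?:admin|c)\$\\", re.I)
# Service "binary" that is really a command interpreter or DLL host.
INTERPRETER = re.compile(r"(?:cmd\.exe|powershell\.exe|rundll32\.exe)", re.I)
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files")

# Constructed sample: System log 7045 records and Sysmon Event 1 records.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "a1b2c3d",
     "ImagePath": r"\\WS01\ADMIN$\a1b2c3d.exe", "AccountName": "LocalSystem"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\svc.exe", "AccountName": "LocalSystem"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\a1b2c3d.exe",  # ADMIN$ maps to C:\Windows on the target
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def service_install_findings(event):
    """Findings for one System log Event ID 7045 record."""
    findings = []
    name = event.get("ServiceName", "").lower()
    path = event.get("ImagePath", "")
    if name in PSEXEC_SERVICE_NAMES or "psexesvc" in path.lower():
        findings.append("PsExec service installed")
    if ADMIN_SHARE.match(path):
        findings.append("service binary located on an administrative share")
    if INTERPRETER.search(path):
        findings.append("service runs a command interpreter or DLL host")
    return findings


def services_exe_children(events):
    """Sysmon Event 1 records where services.exe starts a binary from outside
    the system directories: the execution side of a suspicious service install."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or "Sysmon" not in e.get("Channel", ""):
            continue
        parent = e.get("ParentImage", "").lower()
        image = e.get("Image", "").lower()
        if parent.endswith("\\services.exe") and not image.startswith(SYSTEM_PREFIXES):
            hits.append(e["Image"])
    return hits


def lateral_movement_report(events):
    """Service installs with findings, plus services.exe children to pair them with."""
    installs = [(e["ServiceName"], service_install_findings(e))
                for e in events if e.get("Channel") == "System" and e.get("EventID") == 7045]
    return {"service_installs": [(n, f) for n, f in installs if f],
            "services_exe_children": services_exe_children(events)}


if __name__ == "__main__":
    report = lateral_movement_report(SAMPLE_EVENTS)
    for name, findings in report["service_installs"]:
        print("service", name, "->", "; ".join(findings))
    for image in report["services_exe_children"]:
        print("services.exe started", image)
```

The 7045 event is written on the target of the lateral movement, not on the source, so collecting the System log from every host (not just servers) is what makes this detection work; the service name in the second sample is random-looking on purpose, since Cobalt Strike's service-based jump does not reuse a fixed name.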


SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
