Detecting Cobalt Strike Beacons

Introduction

PREVENTION, DETECTION AND RESPONSE TOOLS

PREVENTION

Windows Defender Settings
Information level events — Process running and in healthy state
Information level events — Signatures Updated
Information level events — Periodic scans

DETECTION

Network Activity

Network Activity — Least Seen Processes
Network Activity — Process Map
Network Activity — Sysmon Event 15

Process Activity

Processes Spawning Rundll32.exe

Parent Process Spoofing

Unique Relationship: Process File Hash — Process Executed

PowerShell Execution (and Command-Line Arguments)

Memory Artifacts / Process Injection

Unsigned DLLs Loaded in Memory
Process and DLL Side-Loading Map

Lateral Movement

System Services Activity and Telemetry

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).