Cobalt Strike is a framework designed for adversary simulation. It is commonly used by penetration testers and red teams to test an organization's resilience against targeted attacks. Its Beacon payload can be configured with Malleable C2 profiles, which customize the beacon's behavior and give users the ability to emulate the TTPs of in-the-wild threat actors.
Though Cobalt Strike is designed for adversary simulation, somewhat ironically the framework has been adopted by an ever-increasing number of malicious threat actors: from financially motivated criminals such as Navigator/FIN7, to state-affiliated groups motivated by political espionage such as APT29. In recent years, both red teams and threat actors have increasingly made use of publicly and commercially available hacking tools. A major reason for this is likely their ease of use and scalability.
Because Cobalt Strike's process injection leaves a distinctive artifact, a Sysmon Event ID 8 (CreateRemoteThread) record whose TargetProcessAddress ends in 0B80, we can detect these Process Injection attacks in QRadar or Splunk with the following searches:
- QRadar:
SELECT UTF8(payload) as search_payload from events where (LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and "Event ID Code"='8' and TargetProcessAddress ilike '%0B80')
- Splunk:
(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="8" TargetProcessAddress="*0B80")
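The same rule as a small stand-alone detector, added here as an illustration rather than code from the original article or from the SIEM vendors. It runs over constructed Sysmon Event ID 8 records written as key=value lines; the field names (EventCode, SourceImage, TargetImage, TargetProcessAddress) follow the Splunk search above, and the match is case-insensitive like QRadar's ilike.

```python
import re
from typing import Dict, List

# Constructed sample events (not real telemetry) in the key=value shape a
# Sysmon forwarder hands to a SIEM. Field names follow the searches above;
# TargetProcessAddress is assumed to carry the new thread's start address.
SAMPLE_EVENTS = [
    # CreateRemoteThread whose start address ends in 0B80 -> flag
    "EventCode=8 SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe "
    "TargetImage=C:\\Windows\\System32\\rundll32.exe "
    "TargetProcessAddress=0x00007FFA2F410B80",
    # Same artifact in lower-case hex; the comparison must be case-insensitive -> flag
    "EventCode=8 SourceImage=C:\\Users\\bob\\Downloads\\report.exe "
    "TargetImage=C:\\Windows\\System32\\svchost.exe "
    "TargetProcessAddress=0x00007ffa2f410b80",
    # 0B80 appears, but not as the trailing hex digits -> do not flag
    "EventCode=8 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\explorer.exe "
    "TargetProcessAddress=0x00007FFA2F40B800",
    # Not a CreateRemoteThread event -> ignored regardless of the address
    "EventCode=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe "
    "TargetProcessAddress=0x00007FFA2F410B80",
    # Ordinary remote thread from a legitimate process -> do not flag
    "EventCode=8 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\conhost.exe "
    "TargetProcessAddress=0x00007FFA30A01F30",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value log line (values without spaces) into a field dict."""
    return dict(FIELD_RE.findall(line))


def is_cs_injection(event: Dict[str, str]) -> bool:
    """Sysmon Event ID 8 whose TargetProcessAddress ends in 0B80 (any case)."""
    if event.get("EventCode") != "8":
        return False
    return event.get("TargetProcessAddress", "").upper().endswith("0B80")


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the Cobalt Strike injection rule."""
    return [e for e in map(parse_event, lines) if is_cs_injection(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['SourceImage']} -> {hit['TargetImage']} @ {hit['TargetProcessAddress']}")
```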