-
Notifications
You must be signed in to change notification settings - Fork 374
/
Copy pathcobalt_strike.yml
60 lines (51 loc) · 2.98 KB
/
cobalt_strike.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: Cobalt Strike
id: bcfd17e8-5461-400a-80a2-3b7d1459220c
version: 1
date: '2021-02-16'
author: Michael Haag, Splunk
description: Cobalt Strike is threat emulation software. Red teams and penetration
testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature
security programs. Most recently, Cobalt Strike has become the choice tool by threat
groups due to its ease of use and extensibility.
narrative: 'This Analytic Story supports you to detect Tactics, Techniques and Procedures
(TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor
scripts, malleable C2 profiles, default attack packages, and much more. For endpoint
behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes,
and DLL function names. Many additional variables are provided for in memory operation
of the beacon implant. On the network, depending on the malleable C2 profile used,
it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt
Strike. Not every query may be specific to Cobalt Strike the tool, but the methodologies
and techniques used by it.
Splunk Threat Research reviewed all publicly available instances of Malleabe C2
Profiles and generated a list of the most commonly used spawnto and pipenames.
`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and
injects shellcode into.
Pipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic.
With that, new detections were generated focused on these spawnto processes spawning
without command line arguments. Similar, the named pipes most commonly used by Cobalt
Strike added as a detection. In generating content for Cobalt Strike, the following
is considered:
- Is it normal for spawnto_ value to have no command line arguments? No command
line arguments and a network connection?
- What is the default, or normal, process lineage for spawnto_ value?
- Does the spawnto_ value make network connections?
- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?
While investigating a detection related to this Analytic Story, keep in mind the
parent process, process path, and any file modifications that may occur. Tuning
may need to occur to remove any false positives.'
references:
- https://www.cobaltstrike.com/
- https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/
- https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/
- https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html
- https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html
- https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence
- https://github.com/zer0yu/Awesome-CobaltStrike
tags:
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection