ABOUT
In recognition of Cyber Security Awareness Month, RedLegg’s 96 Bravo team will be providing security-focused content for the Information Security community at large, in hopes of proactively fostering a security-conscious mindset. In this week’s diary we’ll hack into one of the most prolific command and control frameworks used by defenders and adversaries – Cobalt Strike.
IT'S ALIVE!
It has been just shy of a decade since the Cobalt Strike framework was first brought to life. Since inception, the framework has proven to be an invaluable emulation tool for defenders and threat actors alike. Designed as a realistic adversarial framework, Cobalt Strike encompasses a slew of built-in features that aid in amplifying the success rate of penetration testing. The Cobalt Strike framework was originally intended to help organizations realize the risks present within their network. Ultimately, Cobalt Strike was developed as a world-class penetration testing utility used to identify, exploit, and offer detailed reporting on the vulnerabilities observed within a targeted network.
In 2015, the first iteration of the Cobalt Strike framework was released as a standalone emulation platform. Cobalt Strike 3.0 included a number of strategic alterations such as asynchronous post-exploitation with beacon functionality, target acquisition, and lateral movement. Shortly after this revision, security researchers began observing the first of many threat actors abusing the Cobalt Strike framework. In the last few years, Cobalt Strike has been used in many high-profile attacks, including the recent SolarWinds supply chain attack. The entire framework is composed of several parts that come together to make the design whole. We’ll briefly discuss a few of the most vital components:
Cobalt Strike Architecture
Team Server: The team server acts as the C2 server, allowing client connections on TCP port 50050. Team server is restrictive, in that it only supports execution on Linux systems.
Client: The client allows the operator to connect to and interact with the C2 team server. The client can run on Linux, Windows, and macOS systems.
Beacon: The BEACON is depicted as the standard malware payload used to establish connections to the team server. BEACON comprises two distinct types:
- Stager: The stager allows the operators to orchestrate the malware payload. The initial BEACON shellcode is sent to perform a simple analysis and shortly after a query is run on the previously configured C2 server.
- Full Backdoor: The backdoor functions in memory and allows several options when establishing connections to the team server.
JEKYLL & HYDE
Among the first attackers observed using Cobalt Strike is FIN7, an adversarial group that is often seen using point-of-sale malware. In 2016, FIN7 successfully launched an implanted Cobalt Strike attack specifically targeting financial organizations. Although FIN7 was among the first to employ Cobalt Strike, the 2020 SolarWinds supply chain attack is arguably the most noteworthy. Following the SolarWinds attack, investigators were able to tie the threat actors to Russia’s Foreign Intelligence Service. The attackers succeeded in posting a digitally signed trojanized update to the vendor website. This tactic allowed for a more widespread range of targeted acquisition, impacting public and private organizations.
Detecting Cobalt Strike generally requires a combination of approaches. Defenders can build detections against the beacon artifacts that are left behind during post-exploitation. When the Cobalt Strike BEACON is distributed from a compromised host to additional servers, defenders can identify which service is established on the remote host. Default settings such as default certificates and beacon names can also be leveraged to support detection. The Rundll32 utility is used by default when executing commands. Security researchers have also found that a combination of dynamic, static, and genetic analysis makes for an ideal detection strategy.
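The default-setting checks described above, combined per host, as an added example that is not from the original diary or from any vendor tooling. The event field names, the sample events and the certificate fingerprint placeholder are assumptions, as is the heuristic that a rundll32 process started with no DLL argument deserves a look.

```python
import re

# Added illustration: event fields, sample events and the fingerprint
# placeholder below are constructed assumptions, not from the article.
TEAM_SERVER_PORT = 50050  # client-to-team-server port named in the article
DEFAULT_CERT_SHA1 = {"<DEFAULT-CERT-SHA1-PLACEHOLDER>"}  # fill from your own intel

# rundll32 normally takes "<dll>,<export>"; a bare invocation is unusual.
_BARE_RUNDLL32 = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s*$', re.I)


def check_process(event):
    """Return a finding if rundll32 was started with no DLL/export argument."""
    if _BARE_RUNDLL32.match(event.get("command_line", "").strip()):
        return "rundll32 started without arguments"
    return None


def check_connection(event):
    """Return findings for the default team server port or a default certificate."""
    hits = []
    # 50050 carries operator-client traffic, so a hit points at team server
    # infrastructure rather than at beacon check-ins.
    if event.get("dest_port") == TEAM_SERVER_PORT:
        hits.append("connection to TCP 50050")
    if event.get("tls_sha1", "").upper() in DEFAULT_CERT_SHA1:
        hits.append("default certificate fingerprint")
    return hits


def triage(events):
    """Group findings per host; hosts with more distinct findings sort first."""
    findings = {}
    for ev in events:
        if ev["type"] == "process":
            hit = check_process(ev)
            hits = [hit] if hit else []
        else:
            hits = check_connection(ev)
        if hits:
            findings.setdefault(ev["host"], set()).update(hits)
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


SAMPLE_EVENTS = [  # constructed telemetry
    {"type": "process", "host": "ws-014", "command_line": r"C:\Windows\System32\rundll32.exe"},
    {"type": "process", "host": "ws-022", "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "connection", "host": "ws-014", "dest_port": 50050, "tls_sha1": ""},
    {"type": "connection", "host": "ws-031", "dest_port": 443, "tls_sha1": "<DEFAULT-CERT-SHA1-PLACEHOLDER>"},
]
```

A host that trips more than one check, like ws-014 in the constructed sample, is the one to investigate first; any single default-setting match on its own is weak evidence.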
FINAL DESTINATION?
Since version 3.0 was released, the use of the Cobalt Strike framework has continued to increase over time. In light of this evidence, it is important to highlight that legitimate offensive security tools will remain in high demand as both sides aim for more pragmatic strategies when addressing vulnerabilities. It is essential that defenders consider early detection and a thorough comprehension of the attacker’s final objective when defending against Cobalt Strike related attacks. Combined, these techniques synergize to yield an effective defense against these attacks, so that defending no longer becomes a dance with fate.
MITRE
Cobalt Strike (S0154):
- Reconnaissance (TA0043)
- Initial Access (TA0001)
- Execution (TA0002)
- Persistence (TA0003)
- Privilege Escalation (TA0004)
- Defense Evasion (TA0005)
- Credential Access (TA0006)
- Discovery (TA0007)
- Lateral Movement (TA0008)
- Collection (TA0009)
- Command and Control (TA0011)
- Exfiltration (TA0010)