Cobalt Strike: White Hat Hacker Powerhouse in the Wrong Hands

Cobalt Strike is a tool developed for ethical hackers, but like many other offensive cybersecurity tools, it has fallen into the wrong hands. This powerful network attack platform combines social engineering, unauthorized access tools, network pattern obfuscation and a sophisticated mechanism for deploying malicious executable code on compromised systems. It can now be used by attackers to deploy advanced persistent threat (APT) attacks against your organization.

In this article you will learn:

• What is Cobalt Strike
• Cobalt Strike features
• Cobalt Strike Beacon: the delivery mechanism
• Detecting Cobalt Strike
• All-in-one Cobalt Strike protection with Cynet 360

Compromised by Cobalt Strike?

Cynet is a trusted partner that deploys powerful endpoint detection and response (EDR) security software on your endpoints, combined with advanced network analytics and behavioral analysis. It can help defend, mitigate and eradicate against a wide range of known and zero-day threats, including the Cobalt Strike platform.

Cynet provides CyOps, an outsourced incident response team on call 24/7/365 to respond to critical incidents quickly and effectively.

What is Cobalt Strike?

Cobalt Strike is a commercial penetration testing tool, which gives security testers access to a large variety of attack capabilities. Cobalt Strike can be used to conduct spear-phishing and gain unauthorized access to systems, and can emulate a variety of malware and other advanced threat tactics.

White Cobalt Strike is a legitimate tool used by ethical hackers, which carries a price tag of $3,500 per user, it is also widely used by threat actors to launch real attacks against organizations. Some attackers obtain the trial version of Cobalt Strike and crack its software protection, while others may obtain access to a commercial copy of the software.

Cobalt Strike Features

Cobalt Strike is a threat emulation program that provides the following capabilities:

• Reconnaissance—discovers which client-side software your target uses, with version info to identify known vulnerabilities.
• Attack Packages—provides a social engineering attack engine, creates trojans poised as innocent files such as Java Applets, Microsoft Office documents or Windows programs, and provides a website clone to enable drive-by downloads.
• Collaboration—Cobalt Team Server allows a group host to share information with a group of attackers, communicate in real time and share control of compromised systems.
• Post Exploitation—Cobalt Strike uses Beacon, a dropper that can deploy PowerShell scripts, log keystrokes, takes screenshots, download files, and execute other payloads.
• Covert Communication—enables attackers to modify their network indicators on the fly. Makes it possible to load C2 profiles to appear like another actor, and egress into a network using HTTP, HTTPS, DNS or SMB protocol.
• Browser Pivoting—can be used to get around two-factor authentication.

Cobalt Strike Beacon: The Delivery Mechanism

Cobalt Strike uses Beacon to gain a foothold on a target network, download and execute malicious payloads. It can be transmitted over HTTP, HTTPS, DNS, or the Windows SMB protocol. It can perform low-profile asynchronous communication, as well as real time interactive communication with the Cobalt Strike server.

Beacon can modify its network signature, using C2 profiles to appear as another attacker, emulate the behavior of different types of malware, or pretend to be legitimate traffic.

Beacon provides several commands for executing malicious code on the target machine:

• Shell executes a command via cmd.exe
• Run executes a command without cmd.exe and without showing the output
• Execute runs a command as a background process
• PowerShell executes PowerShell code on the compromised machine
• Psinject runs Unmanaged PowerShell in a specific process and executes your cmdlets in the compromised process
• Powershell-import imports a PowerShell script from an external source
• Execute-assembly runs a local .NET executable as a post-explotiation job
• Setenv sets an environment variable on the compromised machine

Detecting Cobalt Strike

Cobalt Strike servers can be difficult to detect, but older unpatched versions of the software are more visible. You can combine several techniques to identify a Cobalt Strike deployment:

• Look for the default TLS certificate from the official developer. If this wasn’t changed by admin, it’s a sure sign.
• The Cobalt Strike DNS server reacts to requests with a bogus IP address (0.0.0.0) if busy
• Look for open port on 50050/TCP
• Perform an HTTP request and look for 404 Not Found error
• Even though there could still be space for mistake, mixing the a variety of detection techniques should offer high confidence outcomes. The usage of this default TLS certification, however, remains the most straightforward approach to recognize a Cobalt Strike host.
• Inspect suspicious network traffic and look for TLS negotiation between host and remote server. TLS fingerprints such as protocol version, approved ciphers, and elliptic curve data can be used to identify a Cobalt Strike server. You can use JA3 to create SSL client fingerprints.

All-in-One Cobalt Strike Protection with Cynet

Cynet 360 is a holistic security solution that can protect against the large variety of threat vectors and attack techniques provided by Cobalt Strike software.

1.Network Attacks and Unauthorized Access Prevention

• Blocking suspicious behavior—monitors endpoints to identify behavioral patterns that may indicate an exploit. This means that even if credentials are breached, the threat actor’s ability to use them will be limited.
• UBA—updates a behavioral baseline based on continued, real-time user behavior analysis, and provides alerts when it identifies a behavioral anomaly. This anomaly may indicate a compromised user account or an unauthorized action by a user.
• Uncover hidden threats—acts like an adversary to uncover threats, identifying indicators of compromise and anomalous behavior across endpoints, users, files, and networks. This provides a holistic account of the attack process and helps identify vulnerable points.
• Deception—allows you to plant decoy tokens, such as data files, passwords, network shares, RDP and others, on assets within the protected network. Cynet’s decoys lure sophisticated attackers, tricking them into revealing their presence.

2. Endpoint Protection and Endpoint Detection and Response (EDR)

• Advanced endpoint threat detection—full visibility and predicts how an attacker might operate, based on continuous monitoring of endpoints and behavioral analysis.
• Investigation and validation—search and review historic or current incident data on endpoints, investigate threats, and validate alerts. This allows you to confirm the threat before responding to it, reducing dwell-time and performing faster remediation.
• Rapid deployment and response—deploy across thousands of endpoints within two hours. You can then use it to perform automatic or manual remediation of threats on the endpoints, disrupt malicious activity and minimize damage caused by attacks.

3. Malware Protection

• Pre-download—applies multiple mechanisms against exploits and fileless malware, preventing it from getting to the endpoint in the first place.
• Pre-execution prevention—applies machine-learning-based static analysis to identify malware patterns in binary files before they are executed.
• In runtime—employs behavioral analysis to identify malicious behavior, and kill a process if it exhibits such behavior.
• Threat intelligence—uses a live feed comprising over 30 threat intelligence feeds to identify known malware.
• Fuzzy Hash detection—employs a fuzzy hashing detection mechanism to detect automated variants of known malware.
• Sandbox—runs any loaded file in a sandbox and blocks execution upon identification of malware-like behavior.
• Propagation blocking—identifies the networking activity signature generated by hosts when malware is auto-propagating, and isolates the hosts from the network.

Learn more about Cynet 360.