{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/beacon/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["MuddyWater"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Google Update"],"_cs_severities":["high"],"_cs_tags":["muddywater","powgoop","dll-sideloading","powershell","c2","beacon"],"_cs_type":"threat","_cs_vendors":["Google","Splunk"],"content_html":"\u003cp\u003eThe detection identifies a specific stage in the MuddyWater (also known as SeedWorm, Static Kitten, and MERCURY) infection chain: the execution of the PowGoop loader. MuddyWater has used PowGoop since at least 2020 as a loader in its intrusions; it is deployed after initial access rather than being the access vector itself. PowGoop abuses DLL side-loading: an executable posing as GoogleUpdate.exe loads the malicious DLL placed beside it, and that DLL starts a multi-stage decoding process. The process ends with a fully functional PowerShell backdoor whose script is stored on disk under a benign file extension. The backdoor reads a config.txt file that holds an encoded, hardcoded C2 address and the victim GUID. 
The malware beacons over HTTP with request data in a modified base64 encoding, attempting to blend C2 traffic with legitimate Google Update processes to evade network-based detections.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an unknown vector (e.g., spearphishing), leading to the malicious DLL being placed on the host.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL is side-loaded by an executable posing as GoogleUpdate.exe, so the activity looks like a legitimate Google updater.\u003c/li\u003e\n\u003cli\u003eThe DLL runs a multi-stage decoding chain that recovers and executes a PowerShell script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script reads a \u003ccode\u003econfig.txt\u003c/code\u003e file containing the hardcoded, encoded C2 address and victim GUID.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script decodes the C2 address from the config file to establish command and control.\u003c/li\u003e\n\u003cli\u003eThe script calls \u003ccode\u003eFromBase64String\u003c/code\u003e to decode the payload; this call, together with the reference to \u003ccode\u003econfig.txt\u003c/code\u003e, is the command-line pattern the detection keys on.\u003c/li\u003e\n\u003cli\u003eThe PowerShell backdoor establishes persistence and begins beaconing to the C2 server via HTTP requests carrying modified base64-encoded data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established C2 channel to perform reconnaissance, lateral movement, and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful PowGoop infection gives MuddyWater persistent access to the compromised system. That access can be leveraged for data theft, espionage, and further propagation of malware within the network. MuddyWater has been linked to numerous cyber espionage campaigns targeting government and commercial entities, particularly in the Middle East. 
The group\u0026rsquo;s activities pose a significant risk to organizations seeking to protect sensitive information and maintain operational integrity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (process creation) logging, or Windows Security Event ID 4688 with \u0026ldquo;Include command line in process creation events\u0026rdquo; enabled (without it 4688 carries no command line), so the full command line and parent process that the Sigma rules provided depend on are captured.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any PowerShell processes spawned by rundll32.exe whose command line both decodes base64 strings and references \u003ccode\u003econfig.txt\u003c/code\u003e, as highlighted in the rule \u0026ldquo;Detect Windows PowGoop Beacon Decoding via CommandLine\u0026rdquo;. The parent process is the part of this pattern most likely to vary between samples, so a hit on the decode-plus-config.txt pattern under a different parent still deserves a look.\u003c/li\u003e\n\u003cli\u003eMonitor outbound HTTP from the Google Update process for requests carrying base64-like data, as this is how PowGoop masks C2 communications. Baseline the legitimate updater\u0026rsquo;s traffic first, and remember that the encoding is a modified base64, so a standard decoder may not decode the payload cleanly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powgoop-beacon/","summary":"This detection identifies a DLL decoding and executing the PowGoop config.txt payload, indicating a stage in the MuddyWater infection chain where an obfuscated PowerShell beacon is unwrapped and live C2 communication starts.","title":"MuddyWater PowGoop Beacon Decoding Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powgoop-beacon/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["cobaltstrike","powershell","beacon","commandandcontrol","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eCobalt Strike is a commercial adversary simulation and red team tool that is often abused by threat actors for command and control (C2) after initial compromise. 
This brief focuses on detecting the default PowerShell beacon stager that Cobalt Strike generates, which uses recognizable function and variable names in its scripts. By identifying these default names within PowerShell script block logs, defenders can detect Cobalt Strike activity even if the initial delivery mechanism is unknown. Script block logging records the script text as the engine compiles it, after any base64 or compression wrapper has been unwrapped, which is why the names are visible in the log even when the one-liner arrives as an encoded command. The detection rests on the tool\u0026rsquo;s default variable and function names, so more sophisticated users may rename them to evade it; it still catches unmodified stagers, giving defenders a chance to respond quickly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a target system through various means (e.g., spear phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eA PowerShell script is executed on the target system, either directly or by being launched from another process (cmd.exe, mshta.exe).\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains default Cobalt Strike PowerShell beacon code, including functions and variables such as \u003ccode\u003efunc_get_proc_address\u003c/code\u003e, \u003ccode\u003e$var_unsafe_native_methods\u003c/code\u003e, \u003ccode\u003e$var_gpa.Invoke\u003c/code\u003e, \u003ccode\u003efunc_get_delegate_type\u003c/code\u003e, and \u003ccode\u003e$var_type_builder\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script uses these functions to resolve Win32 APIs through .NET reflection, allocate executable memory, and run the beacon shellcode there, so little touches disk for file-based antivirus to inspect.\u003c/li\u003e\n\u003cli\u003eThe beacon establishes a connection to the attacker\u0026rsquo;s C2 server, allowing for remote command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 connection to perform reconnaissance, move laterally within the network, and escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe 
attacker deploys additional tools or malware to achieve their objectives, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the compromised system to ensure continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Cobalt Strike deployment can lead to a complete compromise of the targeted system and potentially the entire network. Attackers can steal sensitive data, deploy ransomware, disrupt business operations, and cause significant financial and reputational damage. While the exact number of victims is unknown, Cobalt Strike is used in a wide range of attacks across various sectors, including healthcare, finance, and government. A successful attack could lead to significant data breaches, system downtime, and regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) on all Windows endpoints to capture the necessary data for detection. PowerShell 5 and later log only script blocks they judge suspicious by default, so enable full logging through the \u0026ldquo;Turn on PowerShell Script Block Logging\u0026rdquo; policy.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Default Cobalt Strike PowerShell Beacon\u0026rdquo; to your SIEM and tune for your environment using the included false positive guidance.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to the parent processes and network connections associated with the PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the lateral movement of attackers within the network after initial compromise.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policy settings, but do not rely on them as a control: they are bypassed with \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e or an encoded command. Enforce script restrictions with AppLocker or WDAC instead, which also drops PowerShell into Constrained Language Mode.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cobalt-strike-powershell-beacon/","summary":"This 
brief outlines detection strategies for default Cobalt Strike PowerShell beacons, which are used for command and control, by identifying specific function and variable names within PowerShell script block logs.","title":"Detection of Default Cobalt Strike PowerShell Beacon","url":"https://feed.craftedsignal.io/briefs/2024-01-cobalt-strike-powershell-beacon/"}],"language":"en","title":"CraftedSignal Threat Feed — Beacon","version":"https://jsonfeed.org/version/1.1"}
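As an added example (not code from CraftedSignal, and not the Sigma rules either brief refers to): a Python sketch of the two detections described in the PowGoop and Cobalt Strike briefs above, run over constructed sample events. It assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine) and uses a constructed script skeleton that borrows only the five default identifier names the Cobalt Strike brief lists; the gzip-plus-base64 IEX wrapper, the -EncodedCommand delivery and the file path in the samples are constructed as well. It also shows why the Cobalt Strike rule needs script block logging: the same stager delivered as an encoded command matches nothing on the command line and matches every name once the script block is unwrapped.

```python
import base64
import gzip
import re

# ---- Brief 1: PowGoop beacon decoding via command line (Sysmon Event ID 1) ----

def match_powgoop_cmdline(event: dict) -> bool:
    """True when a process-creation event matches the PowGoop PowerShell stage:
    PowerShell spawned by rundll32.exe whose command line both calls
    FromBase64String and references config.txt. Field names are Sysmon's
    (Image, ParentImage, CommandLine); comparisons are case-insensitive."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    is_powershell = image.endswith(("\\powershell.exe", "\\pwsh.exe"))
    from_rundll32 = parent.endswith("\\rundll32.exe")
    return is_powershell and from_rundll32 and "frombase64string" in cmd and "config.txt" in cmd

# ---- Brief 2: default Cobalt Strike PowerShell stager names (Event ID 4104) ----

CS_DEFAULT_NAMES = ("func_get_proc_address", "$var_unsafe_native_methods",
                    "$var_gpa.Invoke", "func_get_delegate_type", "$var_type_builder")

def cs_default_name_hits(script_text: str) -> list:
    """Return which default stager identifiers occur in a script block."""
    lowered = script_text.lower()
    return [name for name in CS_DEFAULT_NAMES if name.lower() in lowered]

def match_cs_default_beacon(script_text: str, min_hits: int = 2) -> bool:
    """Alert only when several default names co-occur: one name copied into an
    admin script is weak evidence, the full set is the unmodified stager."""
    return len(cs_default_name_hits(script_text)) >= min_hits

# Constructed skeleton that borrows only the five default identifier names; it is
# not the Cobalt Strike template and defines functions without calling them.
CONSTRUCTED_STAGER = r"""
function func_get_proc_address { param($var_module, $var_procedure)
    return $var_gpa.Invoke($null, @($var_module, $var_procedure)) }
function func_get_delegate_type { param([Type[]]$var_parameters) }
$var_unsafe_native_methods = $null
$var_type_builder = $null
"""

def as_encoded_command(script: str) -> str:
    """Deliver a script the way a one-liner usually is: gzip + base64 inside an
    IEX wrapper, then the wrapper as a UTF-16LE -EncodedCommand argument."""
    packed = base64.b64encode(gzip.compress(script.encode())).decode()
    wrapper = ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
               f"(New-Object IO.MemoryStream(,[Convert]::FromBase64String('{packed}'))),"
               "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    encoded = base64.b64encode(wrapper.encode("utf-16-le")).decode()
    return f"powershell.exe -nop -w hidden -EncodedCommand {encoded}"

def decode_encoded_command(cmdline: str) -> str:
    """Emulate what script block logging ends up recording for the one-liner:
    the inner script after the engine has unwrapped both layers."""
    encoded = cmdline.split("-EncodedCommand ")[1]
    wrapper = base64.b64decode(encoded).decode("utf-16-le")
    packed = re.search(r"FromBase64String\('([^']+)'\)", wrapper).group(1)
    return gzip.decompress(base64.b64decode(packed)).decode()

# Constructed sample events, not real telemetry (the config.txt path is made up).
SAMPLE_EVENTS = [
    {   # PowGoop-like: rundll32 -> powershell reading config.txt and base64-decoding it
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "powershell.exe -w hidden -c \"$c=[IO.File]::ReadAllText('.\\config.txt');"
                       "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($c))\"",
    },
    {   # Benign: base64 decode launched from Explorer, no config.txt
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell.exe -c \"[Convert]::FromBase64String('aGVsbG8=')\"",
    },
    {   # Encoded stager: nothing readable on the command line itself
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": as_encoded_command(CONSTRUCTED_STAGER),
    },
]

def run_detections(events: list) -> dict:
    """Apply both rules; the 4104 rule is run twice, once on the raw command
    line (where it fails) and once on the unwrapped script block (where it hits)."""
    hits = {"powgoop_cmdline": [], "cs_names_in_cmdline": [], "cs_names_in_scriptblock": []}
    for i, ev in enumerate(events):
        if match_powgoop_cmdline(ev):
            hits["powgoop_cmdline"].append(i)
        if match_cs_default_beacon(ev["CommandLine"]):
            hits["cs_names_in_cmdline"].append(i)
        if "-EncodedCommand" in ev["CommandLine"]:
            if match_cs_default_beacon(decode_encoded_command(ev["CommandLine"])):
                hits["cs_names_in_scriptblock"].append(i)
    return hits

if __name__ == "__main__":
    print(run_detections(SAMPLE_EVENTS))
```

The `min_hits` threshold is the tuning knob the brief's false positive guidance would map to: a single default name is occasionally copied into legitimate reflection helpers, while two or more together are the unmodified stager. The third sample is the reason the Cobalt Strike brief asks for Event ID 4104 rather than process-creation logs: the encoded command line contains no identifier at all, and an attacker who renames the five identifiers defeats this rule entirely, which is why the parent process and network connection context the brief recommends should be reviewed alongside any hit.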