{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cobaltstrike/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["cobaltstrike","powershell","beacon","commandandcontrol","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eCobalt Strike is a popular commercial penetration testing tool often abused by threat actors for command and control (C2) after initial compromise. This brief focuses on detecting the default PowerShell beacon component of Cobalt Strike, which uses recognizable function and variable names in its scripts. By identifying these default names within PowerShell script block logs, defenders can detect Cobalt Strike activity even if the initial delivery mechanism is unknown. Because the detection keys on the tool\u0026rsquo;s default variable and function names, more sophisticated operators can rename them (or use a custom artifact kit) to evade it. 
This brief will aid in detecting default Cobalt Strike PowerShell beacons, giving defenders a chance to respond quickly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a target system through various means (e.g., spear phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eA PowerShell script is executed on the target system, either through direct execution or by being called from another process (cmd.exe, mshta.exe).\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains default Cobalt Strike PowerShell beacon code, including functions and variables like \u003ccode\u003efunc_get_proc_address\u003c/code\u003e, \u003ccode\u003e$var_unsafe_native_methods\u003c/code\u003e, \u003ccode\u003e$var_gpa.Invoke\u003c/code\u003e, \u003ccode\u003efunc_get_delegate_type\u003c/code\u003e, and \u003ccode\u003e$var_type_builder\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script uses these functions and variables to dynamically load and execute malicious code in memory, bypassing traditional file-based antivirus solutions.\u003c/li\u003e\n\u003cli\u003eThe beacon establishes a connection to the attacker\u0026rsquo;s C2 server, allowing for remote command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 connection to perform reconnaissance, move laterally within the network, and escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys additional tools or malware to achieve their objectives, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the compromised system to ensure continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via Cobalt Strike can lead to a complete compromise of the targeted system and potentially the entire network. 
Attackers can steal sensitive data, deploy ransomware, disrupt business operations, and cause significant financial and reputational damage. While the exact number of victims is unknown, Cobalt Strike is used in a wide range of attacks across various sectors, including healthcare, finance, and government. A successful attack could lead to significant data breaches, system downtime, and regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) on all Windows endpoints. Script block logging records each block as PowerShell compiles it, so a stager delivered base64-encoded or decompressed in memory is logged in the clear once it runs; long blocks are split into several 4104 events that share a ScriptBlockId.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Default Cobalt Strike PowerShell Beacon\u0026rdquo; to your SIEM and tune for your environment using the included false positive guidance.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to the parent processes and network connections associated with the PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the lateral movement of attackers within the network after initial compromise.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policies, but do not treat them as a control: execution policy is not a security boundary and is bypassed trivially (for example with \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e or by piping the script into \u003ccode\u003epowershell.exe\u003c/code\u003e). Pair it with application control (AppLocker or WDAC) and Constrained Language Mode where feasible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cobalt-strike-powershell-beacon/","summary":"This brief outlines detection strategies for default Cobalt Strike PowerShell beacons, which are used for command and control, by identifying specific function and variable names within PowerShell script block logs.","title":"Detection of Default Cobalt Strike PowerShell Beacon","url":"https://feed.craftedsignal.io/briefs/2024-01-cobalt-strike-powershell-beacon/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["cobaltstrike","powershell","malware","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief focuses on detecting the PowerShell loader pattern frequently employed by Cobalt Strike, a commercial penetration testing tool often abused by threat actors, including ransomware groups. Cobalt Strike is favored due to its stealthy and customizable beacons, enabling encrypted communication with command-and-control (C2) servers. The PowerShell loader decompresses a Gzip-compressed payload in memory and executes it with Invoke-Expression, so the beacon stage never needs to be written to disk. This technique is observed in various attack scenarios, including scripted web delivery, where attackers leverage PowerShell to download and execute malicious payloads directly from web servers. Defenders should prioritize detecting this pattern to identify and prevent Cobalt Strike infections early in the attack chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access through various means, such as exploiting web application vulnerabilities or using social engineering to trick users into clicking malicious links.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeb Delivery:\u003c/strong\u003e A user clicks a link, leading to the download of a malicious file or script.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePowerShell Execution:\u003c/strong\u003e The downloaded file, often a script, executes PowerShell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLoader Invocation:\u003c/strong\u003e The PowerShell script contains the Cobalt Strike PowerShell loader code, designed to decompress and execute the embedded payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDecompression:\u003c/strong\u003e The PowerShell loader utilizes 
\u003ccode\u003eIO.Compression.GzipStream\u003c/code\u003e to decompress a Gzip-compressed executable payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Execution:\u003c/strong\u003e After decompression, the payload is executed in memory using \u003ccode\u003eIEX\u003c/code\u003e (Invoke-Expression).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBeacon Deployment:\u003c/strong\u003e The executed payload deploys a Cobalt Strike Beacon, establishing a connection with the C2 server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The attacker gains remote access to the compromised system and can perform various actions, such as data exfiltration, lateral movement, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, allowing attackers to steal sensitive data, deploy ransomware, or use the compromised system as a foothold for further attacks within the network. Cobalt Strike\u0026rsquo;s flexibility and stealth make it a potent tool for advanced persistent threats (APTs) and ransomware operators, potentially impacting organizations across various sectors. 
Early detection of the PowerShell loader can prevent significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) to capture the necessary data for detecting the Cobalt Strike PowerShell loader pattern.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule (\u003ccode\u003eCobalt Strike PowerShell Loader\u003c/code\u003e) to your SIEM to identify PowerShell scripts containing the GzipStream decompression pattern.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate penetration testing activities and authorized red team exercises to reduce false positives, as detailed in the \u003ccode\u003eknown_false_positives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eInvestigate systems where the Sigma rule triggers to determine the origin of the malicious PowerShell script and contain the potential breach.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cobalt-strike-powershell-loader/","summary":"This brief details a detection for a PowerShell loader pattern commonly used with Cobalt Strike to decompress and execute payloads, often observed in scripted web delivery attacks.","title":"Cobalt Strike PowerShell Loader Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-cobalt-strike-powershell-loader/"}],"language":"en","title":"CraftedSignal Threat Feed — Cobaltstrike","version":"https://jsonfeed.org/version/1.1"}
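Both briefs in this feed describe string-level detections over PowerShell script block logs: the first keys on the stock beacon stager's default identifiers (func_get_proc_address, $var_unsafe_native_methods, $var_gpa.Invoke, func_get_delegate_type, $var_type_builder), the second on Gzip decompression combined with Invoke-Expression. The following is an added example, not code from the feed, from Splunk, or from the referenced Sigma rules: it runs both checks over constructed Event ID 4104 records, reassembles fragmented script blocks by ScriptBlockId before matching (so identifiers spread over several fragments are not undercounted), matches case-insensitively because PowerShell is, and applies the host allowlist the briefs suggest for authorised red-team activity. It assumes the standard 4104 EventData field names (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText, Computer); the sample scripts, hostnames and block IDs are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Default identifiers from the stock PowerShell beacon stager, as listed in the first brief.
BEACON_IDENTIFIERS = (
    "func_get_proc_address",
    "var_unsafe_native_methods",
    "var_gpa.Invoke",
    "func_get_delegate_type",
    "var_type_builder",
)

# Loader pattern from the second brief: GzipStream decompression plus Invoke-Expression.
# IGNORECASE covers both "GzipStream" (as written in the brief) and the .NET class name "GZipStream".
GZIP_RE = re.compile(r"IO\.Compression\.GzipStream", re.IGNORECASE)
IEX_RE = re.compile(r"(?<![\w-])(?:IEX|Invoke-Expression)(?![\w-])", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    computer: str
    script_block_id: str
    matched: tuple


def reassemble(events):
    """Group 4104 fragments by ScriptBlockId and join them in MessageNumber order.

    A long script is logged as MessageTotal separate events; matching each fragment
    on its own undercounts identifiers that are spread across the chunks.
    """
    parts = defaultdict(dict)
    computer = {}
    for ev in events:
        parts[ev["ScriptBlockId"]][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        computer[ev["ScriptBlockId"]] = ev["Computer"]
    return {
        sbid: (computer[sbid], "".join(chunks[n] for n in sorted(chunks)))
        for sbid, chunks in parts.items()
    }


def detect(events, beacon_min_hits=2, allowlist=frozenset()):
    """Return alerts for both rules over a list of 4104 event dicts.

    Hosts in `allowlist` (e.g. an authorised red-team jump box) are skipped; this is
    the false-positive tuning the briefs recommend rather than disabling the rule.
    """
    alerts = []
    for sbid, (host, text) in reassemble(events).items():
        if host.lower() in allowlist:
            continue
        lowered = text.lower()  # PowerShell identifiers are case-insensitive
        hits = tuple(i for i in BEACON_IDENTIFIERS if i.lower() in lowered)
        if len(hits) >= beacon_min_hits:
            alerts.append(Alert("Detect Default Cobalt Strike PowerShell Beacon", host, sbid, hits))
        if GZIP_RE.search(text) and IEX_RE.search(text):
            alerts.append(Alert("Cobalt Strike PowerShell Loader", host, sbid, ("GzipStream", "IEX")))
    return alerts


# Constructed sample 4104 events (not real captures). The stager text is a minimal
# imitation using the default identifiers, split across two fragments as a long
# script block would be; the base64 blob in the loader is deliberately truncated.
SAMPLE_EVENTS = [
    {"Computer": "ws01.corp.example", "ScriptBlockId": "3f2a", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "function func_get_proc_address {\n\tParam ($var_module, $var_procedure)\n"},
    {"Computer": "ws01.corp.example", "ScriptBlockId": "3f2a", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": ("\t$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | "
                         "Where-Object { $_.GlobalAssemblyCache -And $_.Location.EndsWith('System.dll') })"
                         ".GetType('Microsoft.Win32.UnsafeNativeMethods')\n"
                         "\t$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress')\n"
                         "\treturn $var_gpa.Invoke($null, @($var_module, $var_procedure))\n}\n"
                         "function func_get_delegate_type {\n\t$var_type_builder = $null\n}\n")},
    {"Computer": "ws02.corp.example", "ScriptBlockId": "9c1e", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
                         "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIAAAAAAAA'))),"
                         "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")},
    # Benign: an admin script decompressing archived logs; no Invoke-Expression, so no alert.
    {"Computer": "fs01.corp.example", "ScriptBlockId": "7b44", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": ("$gz = New-Object IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)\n"
                         "$gz.CopyTo($out)")},
    # The same loader on an allowlisted red-team host.
    {"Computer": "redteam-jump.corp.example", "ScriptBlockId": "c0de", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": ("iex (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($ms,"
                         "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, allowlist={"redteam-jump.corp.example"}):
        print(f"[{a.rule}] host={a.computer} block={a.script_block_id} matched={a.matched}")
```

Run against the samples, the stager on ws01 fires only once its two fragments are joined (the first fragment alone carries a single identifier, below the two-hit threshold), the loader on ws02 fires on the GzipStream-plus-IEX pair, the log-archive script on fs01 stays quiet because it never calls Invoke-Expression, and the red-team host is suppressed by the allowlist rather than by weakening the pattern. The threshold and allowlist are the two knobs worth tuning in a SIEM port of these rules; renaming the identifiers in the first fragment would, as the brief warns, defeat the first rule entirely.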