<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Commandandcontrol — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/commandandcontrol/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/commandandcontrol/feed.xml" rel="self" type="application/rss+xml"/><item><title>Detection of Default Cobalt Strike PowerShell Beacon</title><link>https://feed.craftedsignal.io/briefs/2024-01-cobalt-strike-powershell-beacon/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cobalt-strike-powershell-beacon/</guid><description>This brief outlines detection strategies for default Cobalt Strike PowerShell beacons, which are used for command and control, by identifying specific function and variable names within PowerShell script block logs.</description><content:encoded><![CDATA[<p>Cobalt Strike is a popular commercial penetration testing tool often abused by threat actors for command and control (C2) after initial compromise. This brief focuses on detecting the default PowerShell beacon component of Cobalt Strike, which uses recognizable function and variable names in its scripts. By identifying these default names within PowerShell script block logs, defenders can detect Cobalt Strike activity even if the initial delivery mechanism is unknown. 
This detection relies on the default variable and function names shipped with the tool, so more sophisticated operators may rename them in their scripts to evade it. It will still catch default Cobalt Strike PowerShell beacons, giving defenders a chance to respond quickly.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a target system through various means (e.g., spear phishing, exploiting a vulnerability).</li>
<li>A PowerShell script is executed on the target system, either through direct execution or by being called from another process (cmd.exe, mshta.exe).</li>
<li>The PowerShell script contains default Cobalt Strike PowerShell beacon code, including functions and variables like <code>func_get_proc_address</code>, <code>$var_unsafe_native_methods</code>, <code>$var_gpa.Invoke</code>, <code>func_get_delegate_type</code>, and <code>$var_type_builder</code>.</li>
<li>The script uses these functions and variables to dynamically load and execute malicious code in memory, bypassing traditional file-based antivirus solutions.</li>
<li>The beacon establishes a connection to the attacker&rsquo;s C2 server, allowing for remote command execution.</li>
<li>The attacker uses the C2 connection to perform reconnaissance, move laterally within the network, and escalate privileges.</li>
<li>The attacker deploys additional tools or malware to achieve their objectives, such as data exfiltration or ransomware deployment.</li>
<li>The attacker maintains persistence on the compromised system to ensure continued access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via Cobalt Strike can lead to a complete compromise of the targeted system and potentially the entire network. Attackers can steal sensitive data, deploy ransomware, disrupt business operations, and cause significant financial and reputational damage. While the exact number of victims is unknown, Cobalt Strike is used in a wide range of attacks across various sectors, including healthcare, finance, and government. A successful attack could lead to significant data breaches, system downtime, and regulatory fines.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable PowerShell script block logging (Event ID 4104) on all Windows endpoints to capture the necessary data for detection.</li>
<li>Deploy the Sigma rule &ldquo;Detect Default Cobalt Strike PowerShell Beacon&rdquo; to your SIEM and tune for your environment using the included false positive guidance.</li>
<li>Investigate any alerts generated by the Sigma rule, paying close attention to the parent processes and network connections associated with the PowerShell scripts.</li>
<li>Implement network segmentation to limit the lateral movement of attackers within the network after initial compromise.</li>
<li>Review and update PowerShell execution policies to prevent the execution of unsigned or untrusted scripts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cobaltstrike</category><category>powershell</category><category>beacon</category><category>commandandcontrol</category><category>windows</category></item></channel></rss>