Detecting Amateur CobaltStrike Operators

As CobaltStrike becomes a more common tool in attacker arsenals, detecting baseline-level attacks is becoming increasingly important

CobaltStrike by HelpSystems is an adversary simulation tool with advanced attack and evasion strategies. While its use has gained popularity within red teams, its abuse by threat actors has also been increasing. CobaltStrike is used by sophisticated groups, and even state-backed entities from China are known to use the software to gain a foothold inside corporate and governmental institutions.

The rise of cracked versions of CobaltStrike has further proliferated the tool among threat actors: pirated copies of the software are very easy to come by because CobaltStrike is written in Java (to be honest, CS is easier to crack than Minecraft at this point).

Cobalt Strike’s popularity is mainly due to its beacons being stealthy, stable, and highly customizable. CS beacons are stealthy because they execute in memory, reflectively loaded into the memory of a process without touching the file system. Cobalt Strike’s post-exploitation suite includes support for keylogging, command execution, credential dumping, file transfer, port scanning, and more. Malleable C2 allows attackers to change how beacon traffic looks and mimic other legitimate traffic to stay ahead of network intrusion detection systems.

While there is no one-stop solution for detecting and preventing CobaltStrike, given its inherently customizable nature, there are several ways to spot adversaries who are less careful in how they carry out their attacks.

Trial Version Deficiencies

Evaluation copies of CobaltStrike are somewhat rare to encounter, but still turn up because users of CobaltStrike span a wide range of technical skill levels. The trial version, however, embeds a lot of default values that make it easy to detect inside production infrastructure, to ensure the evaluation version isn’t abused for professional or adversarial work.

Through its infamous Malleable C2 profiles, the trial version of CobaltStrike adds an X-Malware header to each GET transaction, specifically the EICAR string, a nod to RFC 3514, the IPv4 flag that allows traffic to flag itself as malicious. The EICAR string is also present in the Java Applet attacks that ship with the CobaltStrike trial version, with the EICAR file embedded inside the jar.

CobaltStrike’s Artifact Kit, an executable generator used to smuggle payloads past some AV/EDR products, is also modified in the trial version. The trial version’s Artifact Kit embeds CobaltStrike’s stager shellcode into executables and DLLs with no steps taken to disrupt an AV/EDR sandbox.

DNS Labels

In late 2020, the entire CobaltStrike 4.0 source code was leaked onto GitHub. The source reveals that Cobalt Strike uses three unique DNS labels: cdn for A records, api for TXT records, and www6 for AAAA records. With this you can build custom detection rules in your IPS/IDS solution to flag these DNS requests for further investigation.
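An added example, not from the original post, that applies the label/record-type pairing to constructed resolver log lines. The log format, client addresses and domains are assumptions; the point is that the label alone is far too common to alert on, so the record type and the per-client clustering do the work:

```python
import re
from collections import defaultdict

# Leftmost label -> record type, from the leaked 4.0 source as quoted above.
CS_DNS_LABELS = {"cdn": "A", "api": "TXT", "www6": "AAAA"}

# Constructed resolver log in a BIND-like "client: query: NAME IN TYPE" shape.
SAMPLE_DNS_LOG = """\
10.0.0.5: query: cdn.7a1f.bc2.example-c2.test IN A
10.0.0.5: query: api.19e0.bc2.example-c2.test IN TXT
10.0.0.5: query: www6.03c4.bc2.example-c2.test IN AAAA
10.0.0.7: query: cdn.cloudprovider.test IN AAAA
10.0.0.7: query: api.saas-vendor.test IN A
10.0.0.7: query: www.example.test IN A
"""
LINE_RE = re.compile(r"^(?P<client>\S+): query: (?P<qname>\S+) IN (?P<qtype>\S+)$")

def is_cs_dns_query(qname, qtype):
    """True only when BOTH the leftmost label and the record type match the
    CS 4.0 pairing; 'cdn' and 'api' by themselves are everywhere in benign DNS."""
    first = qname.lower().split(".")[0]
    return CS_DNS_LABELS.get(first) == qtype.upper()

def parent_domain(qname, labels=2):
    """Collapse a query name to its last N labels (e.g. example-c2.test)."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])

def scan_dns_log(text):
    """Group matching queries by (client, parent domain) and record which of
    the three labels were seen; one client hitting all three is the strong signal."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_cs_dns_query(m["qname"], m["qtype"]):
            seen[(m["client"], parent_domain(m["qname"]))].add(m["qname"].split(".")[0].lower())
    return dict(seen)
```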

Named Pipes

Named pipes are essential to the operation of Cobalt Strike beacons, as they are used for AV evasion, lateral movement, communication between multiple beacons, and various post-exploitation activities. Before version 4.2, CobaltStrike didn’t allow operators to change the default naming scheme of named pipes.

HelpSystems later published a blog post giving an overview of named pipes and how operators should change the default values for OPSEC reasons. However, because less-sophisticated threat actors are getting their hands on the software, there is an opportunity to stop some attacks by deploying Sysmon detection rules for the default CobaltStrike pipe names.

<Sysmon schemaversion="4.50">
  <!-- schemaversion is an assumption here: set it to the schema of the Sysmon build you run -->
  <EventFiltering>
    <RuleGroup name="CobaltStrike default pipes" groupRelation="or">
      <PipeEvent onmatch="include">
        <PipeName condition="contains all">MSSE-;-server</PipeName>
        <PipeName condition="begin with">\postex_</PipeName>
        <PipeName condition="begin with">\postex_ssh_</PipeName>
        <PipeName condition="begin with">\status_</PipeName>
        <PipeName condition="begin with">\mojo.5688.8052.183894939787088877</PipeName>
        <PipeName condition="begin with">\mojo.5688.8052.35780273329370473</PipeName>
        <PipeName condition="begin with">\mypipe-f</PipeName>
        <PipeName condition="begin with">\mypipe-h</PipeName>
        <PipeName condition="begin with">\windows.update.manager</PipeName>
        <PipeName condition="begin with">\msagent_</PipeName>
        <PipeName condition="begin with">\DserNamePipe</PipeName>
        <PipeName condition="begin with">\Intsvcs_</PipeName>
        <PipeName condition="begin with">\scerpc_</PipeName>
        <PipeName condition="begin with">\scerpc</PipeName>
        <PipeName condition="begin with">\ntsvcs</PipeName>
        <PipeName condition="begin with">\wkssvc</PipeName>
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

These rules catch a large portion of CobaltStrike attacks configured with default values, perhaps because many operators never read the instructions. Below is a Sysmon event ID 17 (Pipe Created) for a CobaltStrike SMB beacon pipe.

[Figure: Sysmon event ID 17 and 18 pipe events for a CobaltStrike SMB beacon]
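As an added example (not from the original post or from HelpSystems), the same rules expressed in Python so they can be dry-run against exported Sysmon pipe events before the config is deployed. The sample events and binary paths are constructed:

```python
# Default CobaltStrike pipe-name rules from the Sysmon fragment above, as
# (condition, value). "contains all" splits on ';' and needs every piece;
# "begin with" is a case-insensitive prefix match, as in Sysmon.
PIPE_RULES = [
    ("contains all", "MSSE-;-server"),
    ("begin with", "\\postex_"),
    ("begin with", "\\postex_ssh_"),
    ("begin with", "\\status_"),
    ("begin with", "\\mojo.5688.8052.183894939787088877"),
    ("begin with", "\\mojo.5688.8052.35780273329370473"),
    ("begin with", "\\mypipe-f"),
    ("begin with", "\\mypipe-h"),
    ("begin with", "\\windows.update.manager"),
    ("begin with", "\\msagent_"),
    ("begin with", "\\DserNamePipe"),
    ("begin with", "\\Intsvcs_"),
    ("begin with", "\\scerpc_"),
    ("begin with", "\\scerpc"),
    ("begin with", "\\ntsvcs"),
    ("begin with", "\\wkssvc"),
]

def pipe_matches(pipe_name, rules=PIPE_RULES):
    """Return the first (condition, value) rule that matches, else None."""
    name = pipe_name.lower()
    for cond, value in rules:
        if cond == "begin with" and name.startswith(value.lower()):
            return (cond, value)
        if cond == "contains all" and all(p.lower() in name for p in value.split(";")):
            return (cond, value)
    return None

# Constructed Sysmon EID 17 (Pipe Created) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\msagent_1a2b"},
    {"EventID": 17, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\ntsvcs"},
    {"EventID": 17, "Image": "C:\\Users\\u\\beacon.exe", "PipeName": "\\MSSE-4837-server"},
]

def scan_pipe_events(events):
    """(Image, PipeName, rule) for each EID 17 event that hits a rule. \\ntsvcs is
    also a real Windows pipe, so the creating Image is what triage looks at."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 17:
            rule = pipe_matches(ev["PipeName"])
            if rule:
                hits.append((ev["Image"], ev["PipeName"], rule))
    return hits
```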

Abnormal Login Events

Lateral movement using Cobalt Strike (and other offensive tools) can also generate abnormal Windows login events. One example of a detection strategy would be to look for event ID 4624 in the Windows Security log, with a LogonType value of 9 (NewCredentials — A caller cloned its current token and specified new credentials for outbound connections, and the new logon session has the same local identity, but uses different credentials for other network connections).

Beacon Traffic Detection

CobaltStrike beacons are customizable, with many public and private configurations existing to hide their traffic from network monitors. By default a CobaltStrike beacon checks in to its server every 60 seconds, but this can be changed and jitter added to the connection interval to mimic real network connections. However, many less sophisticated threat actors don’t customize beacon traffic sufficiently to avoid detection.

One default configuration characteristic for detecting CobaltStrike beacons is the URL string /submit.php?id=[9-10 digit string]. This string is observable in HTTP POST communications from some cracked or trial versions of CobaltStrike, which may not include all of the features of a licensed and updated version.
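An added example, not part of the original post: the default URI check beside a simple no-jitter check-in detector, run over a constructed proxy log. The log format, hosts, paths and the 10% tolerance are assumptions:

```python
import re
from datetime import datetime
from statistics import median, pstdev

# Default URI from the text: /submit.php?id= followed by a 9-10 digit id.
SUBMIT_RE = re.compile(r"^/submit\.php\?id=\d{9,10}$")

# Constructed proxy log, "ISO-time src host method path"; not real traffic.
SAMPLE_PROXY_LOG = """\
2022-10-25T13:00:00 10.0.0.5 c2.example.test GET /api/v1/ping
2022-10-25T13:01:00 10.0.0.5 c2.example.test GET /api/v1/ping
2022-10-25T13:02:00 10.0.0.5 c2.example.test POST /submit.php?id=1234567890
2022-10-25T13:03:00 10.0.0.5 c2.example.test GET /api/v1/ping
2022-10-25T13:04:00 10.0.0.5 c2.example.test GET /api/v1/ping
2022-10-25T13:00:03 10.0.0.8 news.example.test GET /index.html
2022-10-25T13:00:41 10.0.0.8 news.example.test GET /story/1
2022-10-25T13:02:17 10.0.0.8 news.example.test GET /story/2
2022-10-25T13:05:02 10.0.0.8 news.example.test GET /story/3
"""

def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, host, method, path = line.split()
        rows.append((datetime.fromisoformat(ts), src, host, method, path))
    return rows

def submit_php_hits(rows):
    """(src, host, path) for POSTs to the default /submit.php?id=... URI."""
    return [(s, h, p) for _, s, h, m, p in rows if m == "POST" and SUBMIT_RE.match(p)]

def beacon_candidates(rows, expected=60, tolerance=0.1, min_requests=4):
    """Flag (src, host) pairs whose request gaps sit tightly around `expected`
    seconds: the 60 s default sleep with no jitter. Real browsing (10.0.0.8)
    has irregular gaps and is not flagged."""
    by_pair = {}
    for ts, src, host, _, _ in rows:
        by_pair.setdefault((src, host), []).append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med, spread = median(gaps), pstdev(gaps)
        if abs(med - expected) <= expected * tolerance and spread <= expected * tolerance:
            flagged[pair] = round(med, 1)
    return flagged
```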

C2 Server Detection

There are various publicly known methods for identifying CobaltStrike C2 Servers:

  • The default controller port for the CobaltStrike Team Server is 50050/TCP, a port not usually open on other servers. Searching Shodan for port:50050 can give visibility into CobaltStrike control ports, but results can still be false positives.
  • Detection of CobaltStrike's JARM signature (JARM is a tool by Salesforce to fingerprint TLS servers) by searching Shodan for ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1; this method can also produce false positives.
  • Cobalt Strike servers ship with a default security certificate that can be used to fingerprint them unless the administrator changes it. Searching Shodan for ssl.cert.serial:146473198 identifies servers making use of this default SSL certificate.
  • There is an extraneous space in the HTTP server response of NanoHTTPD servers that is visible even on team servers using Malleable C2. This bug is present in CobaltStrike versions below 3.13, which are the versions commonly found in cracked copies. It can be rolled into a Snort rule with the PCRE /^HTTP/1.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\nDate: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n/.
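An added example, not from the original post, that checks a raw HTTP response for the two server-side tells described on this page: the NanoHTTPD space from the last bullet and the trial version's X-Malware header from the Trial Version Deficiencies section. The responses are constructed, the indicator names are my own, and the EICAR text is replaced by a placeholder:

```python
import re

# The PCRE from the last bullet, translated to a Python bytes regex: the single
# space after "200 OK" is the NanoHTTPD tell, and the header order is fixed.
NANOHTTPD_RE = re.compile(
    rb"^HTTP/1\.1 200 OK \r\nContent-Type: [^\r\n]{0,100}\r\n"
    rb"Date: [^\r\n]{0,100} GMT\r\n(Content-Length: \d+\r\n)\r\n")

def split_headers(raw):
    """Split a raw HTTP response head into (status line, {lower-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status, *lines = head.split(b"\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def cs_response_indicators(raw):
    """Names of the page's HTTP-side indicators present in a raw response."""
    status, headers = split_headers(raw)
    found = []
    if NANOHTTPD_RE.match(raw):
        found.append("nanohttpd-extra-space")       # CS < 3.13, exact header order
    elif status.endswith(b" "):
        found.append("status-line-trailing-space")  # looser: same quirk, any header order
    if b"x-malware" in headers:
        found.append("trial-x-malware-header")      # trial build carries the EICAR string here
    return found

# Constructed responses, not captured from any real server. The EICAR text
# itself is replaced by a placeholder so this file does not trip AV scanners.
OLD_CS = (b"HTTP/1.1 200 OK \r\nContent-Type: application/octet-stream\r\n"
          b"Date: Tue, 25 Oct 2022 13:19:18 GMT\r\nContent-Length: 0\r\n\r\n")
TRIAL_CS = (b"HTTP/1.1 200 OK\r\nDate: Tue, 25 Oct 2022 13:19:18 GMT\r\n"
            b"X-Malware: <EICAR test string>\r\nContent-Length: 0\r\n\r\n")
BENIGN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Date: Tue, 25 Oct 2022 13:19:18 GMT\r\nContent-Length: 0\r\n\r\n")
```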

Conclusion

CobaltStrike represents a more advanced progression of adversary tools from the days of the Metasploit Framework (HelpSystems actually made Armitage, a GUI front end for msfconsole that morphed into CobaltStrike). As new systems to tackle attacks are developed, more sophisticated tools are developed to dismantle them, in a perpetual arms race.

Despite the advent of these more advanced tools, many adversaries, especially the less technically savvy, still forget to harden their payloads against certain detection techniques. A large share of threat actors also use cracked versions of CobaltStrike, which gives blue teams an opening to detect patterns such as the information leaks of outdated beacon systems.

While CobaltStrike gives operators a lot of leeway in its default configurations, for example the default pipe names that mimic common Windows services, it’s still easy to spot the pattern in attacks that keep these default values.