
Making Cobalt Strike harder for threat actors to abuse
Cobalt Strike, the popular tool used by red teams to test the resilience of their cyber defenses, has seen many iterations and improvements over the last decade. First released in 2012, it was originally the commercial spinoff of the open-source Armitage project, which added a graphical user interface (GUI) to the Metasploit framework to help security practitioners find and exploit software vulnerabilities more quickly.
It has since matured into a point-and-click system for deploying a Swiss Army knife of remote access tools onto targeted assets. While the intention of Cobalt Strike is to emulate a real cyber threat, malicious actors have latched on to its capabilities and use it as a robust tool for lateral movement in their victims' networks as part of their second-stage attack payload.
Cobalt Strike vendor Fortra (until recently known as Help Systems) uses a vetting process that attempts to minimize the potential that the software will be provided to actors who will use it for nefarious purposes, but Cobalt Strike has been leaked and cracked over the years. These unauthorized versions of Cobalt Strike are just as powerful as their retail cousins, except that they don't have active licenses, so they can't be upgraded easily.

We are releasing to the community a set of open-source YARA rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike's components and their respective versions. Since many threat actors rely on cracked versions of Cobalt Strike to launch their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe.
Inside Cobalt Strike
Cobalt Strike is a collection of multiple software tools rolled into a single JAR file. An attacker begins by launching the Team Server component, which sets up a central server that operates as both a Command and Control (C2) endpoint and a coordinating hub for multiple actors to control infected devices.

Actors connect to the Team Server by launching the JAR as a Client. The Client serves the GUI from which the attacker can control the Team Server and infected hosts. The Team Server generates a multitude of attack framework components that actors can deploy to infect and control remote endpoints.
Cobalt Strike contains several delivery templates for JavaScript, VBA macros, and PowerShell scripts which can deploy small shellcode (diskless) implants known as stagers. These stagers call back to the Team Server via one of the supported communication channels, including HTTP/HTTPS, SMB, and DNS, to download the final-stage implant known as the Beacon.
The Beacon is the core binary that gives the attacker control over the infected computer. It supports multiple commands and operations, while also being extensible to enable downloading and execution of attacker-developed modules. The Team Server/Client model also allows multiple actors to interact with a collection of infected assets.
The stagers, templates, and Beacon are contained within the Cobalt Strike JAR file. They are not created on the fly, nor are they heavily obfuscated before deployment from the Team Server. Cobalt Strike offers only basic protection using a reversible XOR encoding, which conceals the components from naive string matching but does not prevent their recovery.
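The reversible XOR encoding mentioned above can be undone with a known-plaintext check: every Windows PE carries the DOS-stub string "This program cannot be run in DOS mode.", so the single key byte that turns some window of the encoded blob into that string is the key for the whole component. The following is an added example, not code from the original post or from Cobalt Strike; it assumes a single-byte XOR key (the post does not state the key length), and the sample blob and the key 0x5A are constructed fixtures, not the key any real Cobalt Strike version uses.

```python
"""Known-plaintext recovery of a single-byte XOR key, the kind of reversible
encoding that protects embedded components rather than hiding them."""
from typing import Optional, Tuple

# Every PE file starts with "MZ" and normally carries this DOS-stub string, so it
# serves as a known plaintext for any XOR-encoded Windows binary.
PE_MARKER = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse: encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, marker: bytes = PE_MARKER) -> Optional[int]:
    """Find the single-byte key under which `marker` appears somewhere in `blob`.

    At each offset i the only key that could map blob[i] to marker[0] is
    blob[i] ^ marker[0], so we test that one candidate against the whole window
    instead of decoding the entire blob 256 times. Returns None if no key works.
    """
    mlen = len(marker)
    for i in range(len(blob) - mlen + 1):
        key = blob[i] ^ marker[0]
        if xor_bytes(blob[i:i + mlen], key) == marker:
            return key
    return None


def decode_component(blob: bytes, marker: bytes = PE_MARKER) -> Tuple[Optional[int], bytes]:
    """Return (key, decoded bytes); (None, blob) when no key reveals the marker."""
    key = recover_xor_key(blob, marker)
    if key is None:
        return None, blob
    return key, xor_bytes(blob, key)


# Constructed fixture: a fake PE-like header followed by the DOS-stub string.
# A real beacon or stager would be a full binary; the key 0x5A is arbitrary and
# is not claimed to be the key any Cobalt Strike version uses.
SAMPLE_PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + PE_MARKER + b"\x00" * 4
SAMPLE_KEY = 0x5A
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key, plain = decode_component(SAMPLE_ENCODED)
    print(f"key=0x{key:02x} starts_with_MZ={plain.startswith(b'MZ')}")
```

The same sweep is what YARA's `xor` string modifier does at scan time, so a rule can match the marker inside an encoded component without a separate decoding pass. A multi-byte or per-version key (which this example does not handle) would need the window check generalized to a repeating key rather than one byte.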
Solving for hacked Cobalt Strike
We were able to locate versions of the Cobalt Strike JAR file starting with version 1.44 (circa 2012) up to version 4.7 (the latest version at the time of publishing this blog). We cataloged the stagers, templates, and beacons, including the XOR encodings used by Cobalt Strike since version 1.44.
With the set of Cobalt Strike components available, we built YARA-based detection across these malicious variants in the wild with a high degree of accuracy. Each Cobalt Strike version contains approximately 10 to 100 attack template binaries. We found 34 different Cobalt Strike release versions with a total of 275 unique JAR files across these versions. All told, we estimated a minimum of 340 binaries that must be analyzed and have signatures written to detect them.
For each release version of Cobalt Strike, we found that a new, unique Beacon component is usually created. The stagers and templates, however, tend to be more consistent across versions. Looking for unique stagers, templates, and beacons across the different versions, a total of 165 signatures were generated to detect these Cobalt Strike components across the versions of Cobalt Strike up to and including version 4.7.
Our goal was to make high-fidelity detections that pinpoint the exact version of a particular Cobalt Strike component. Whenever possible, we built signatures to detect specific versions of the Cobalt Strike component.
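The cataloging described in the three paragraphs above, as an added example that is not Google's tooling: it builds three tiny in-memory JARs (constructed fixtures; the `resources/` prefix, the file names, and the version labels are assumptions, not Cobalt Strike's actual layout), hashes every embedded component, and separates hashes that occur in exactly one version (candidates for version-pinpointing signatures) from those carried across releases (which can only yield a generic signature).

```python
"""Catalog embedded components across several JAR files and find which
component hashes pin down a single release version."""
import hashlib
import io
import zipfile
from typing import Dict, Set, Tuple

# Assumption for this example: embedded components live under this prefix.
RESOURCE_PREFIX = "resources/"


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory JAR (a ZIP file) from {path: content}. Test fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def catalog_components(jars: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Map sha256(component bytes) -> set of versions whose JAR ships that exact component."""
    seen: Dict[str, Set[str]] = {}
    for version, jar_bytes in jars.items():
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            for name in zf.namelist():
                if not name.startswith(RESOURCE_PREFIX) or name.endswith("/"):
                    continue
                digest = hashlib.sha256(zf.read(name)).hexdigest()
                seen.setdefault(digest, set()).add(version)
    return seen


def split_signature_targets(cat: Dict[str, Set[str]]) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Hashes unique to one version can carry a version-specific signature;
    hashes shared by several versions can only support a generic one."""
    specific = {h: next(iter(v)) for h, v in cat.items() if len(v) == 1}
    shared = {h: v for h, v in cat.items() if len(v) > 1}
    return specific, shared


# Constructed fixtures: three "versions". The beacon changes every release, the
# PowerShell template is carried across all three, and the stager is only
# rebuilt in the last one. Contents are placeholders, not real components.
STAGER = b"\x90\x90stager-shellcode"
PS_TEMPLATE = b"$s = 'template'"
FAKE_JARS = {
    "4.5": build_jar({"resources/beacon.dll": b"beacon-4.5",
                      "resources/stager.bin": STAGER,
                      "resources/template.ps1": PS_TEMPLATE}),
    "4.6": build_jar({"resources/beacon.dll": b"beacon-4.6",
                      "resources/stager.bin": STAGER,
                      "resources/template.ps1": PS_TEMPLATE}),
    "4.7": build_jar({"resources/beacon.dll": b"beacon-4.7",
                      "resources/stager.bin": STAGER + b"v2",
                      "resources/template.ps1": PS_TEMPLATE}),
}


def summarize(jars: Dict[str, bytes] = FAKE_JARS) -> Dict[str, int]:
    """Counts a signature author needs: total unique components, how many pin a
    single version, and how many are shared across releases."""
    cat = catalog_components(jars)
    specific, shared = split_signature_targets(cat)
    return {"unique_components": len(cat),
            "version_specific": len(specific),
            "shared": len(shared)}


if __name__ == "__main__":
    print(summarize())
```

The hash catalog is the planning step, not the detection itself: the post's YARA rules match byte patterns inside components so they still fire when a cracked copy is repackaged, whereas an exact hash would not. A shared component that matches tells you a Cobalt Strike artifact is present but not which release; only the version-specific set supports the "is this an old, leaked build?" decision the later sections rely on.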
Containing Cobalt Strike abuse
We decided that detecting the exact version of Cobalt Strike was an important component in determining the legitimacy of its use by non-malicious actors, since some versions have been abused by threat actors.
We wanted to enable better detection of actions taken by bad actors, and we needed a surgical approach to excise the bad versions while leaving the legitimate ones untouched. This required detecting the exact version of the Cobalt Strike component. By targeting only the non-current versions of the components, we can leave the most recent versions alone, the versions that paying customers are using.
The leaked and cracked versions of Cobalt Strike are not the latest versions from Fortra, but are typically at least one release version behind. We focused on these versions by crafting hundreds of unique signatures that we integrated as a collection of community signatures available in VirusTotal. We also released these signatures as open source to cybersecurity vendors who are interested in deploying them within their own products, continuing our commitment to improving open source security across the industry.
Our intention is to move the tool back to the domain of legitimate red teams and make it harder for bad guys to abuse. For more on using YARA rules to help stop the abuse of Cobalt Strike, you can listen to this special Google Cloud Security podcast.