Lesley Carhart Profile picture
Jul 12, 2021 23 tweets 4 min read Read on X
Sometimes instead of blogging I feel like making a big old Twitter thread, so let's talk about Cobalt Strike for people only vaguely familiar (or misinformed) with the concept. Maybe I'll blog it later.
Cobalt Strike is an adversary enumeration tool used to train teams how to do incident response and threat hunting. It was made by a genius I genuinely like and will not disparage, Raphael Mudge. The first time I met him he flew across the floor air-guitaring in his dress clothes.
A lot of you are familiar with the easy-button hacking tool, Metasploit. Well, he made this shnazzy GUI for Metasploit called Armitage.

But, he realized it was still tough for a lot of defenders to get highly skilled Red Teams to train them. Or sommat, I'm not in his head...
Ask him for his take.

Anyway, our pal made this genuinely incredible software suite called Cobalt Strike that not only does payloads & exploitation + shells, but also allows for team-based command and control and sophisticated scripting. Distributed hacking.
This means that a low-moderately skilled Red Team can run a really impressive, realistic intrusion scenario as a coordinated group with just a few experts to help out as needed.

All the C2 beacons are tidily managed and centralized. C2 profiles can be emulated. It's amazing.
Okay but here's the problem. Cobalt Strike works ... really, really well. It works so well at emulating adversaries that bad guys were like:

"Yo, this would make our skids' lives easier..."

So their real experts worked overtime to crack the (genuinely well-controlled) tool.
So now, for the last few years, we've seen Cobalt Strike pop up all over in real intrusions. It's really good at what it does, and it is tremendously customizable.

People and tools will tell you they can detect it but they just detect pieces, behaviors, and defaults.
So, that sounds really daunting. Like, how do you detect this really sophisticated tool? Well, part of it is understanding how it works. It's still facilitating an intrusion that traverses layers of the kill chain. There are good opportunities to catch it.
Cobalt Strike relies heavily on C2 beaconing. Yes, you can build fancy profiles that look like Amazon or Pandora. Yes, it can beacon at irregular intervals. However, C2 rules still apply, and a lot of adversaries use the defaults. Detecting HTTP, HTTPS, or DNS C2, that's a start.
Cobalt Strike has to be delivered to a system somehow. Yes, that could be hack-fu, but the defaults are old but effective nonsense like phishing with malicious links to stuff like HTAs. Always panic when you see HTAs, and do good phishing and watering hole detection.
Cobalt Strike can be memory-resident only when injected into a process. A novice may create a new process which will look quite anomalous in EDR, and can be killed. A more experienced person will rapidly migrate into a system process you can't kill. But it won't survive shutdown.
Volatility and EDR are solid bets to detect injected processes. But did you know there are several public PowerShell scripts which can find and carve injected process space, effectively killing Cobalt Strike? Not a promising tool for real life, but a fun, fun, fun one for games.
Cobalt Strike can, of course, establish persistence. Yes, there are a billion ways to do this, but a really simple easy button to click is just making a new auto-starting service. Always check your service creation and abnormalities. Sysmon is your friend. Use @SwiftOnSecurity's
Cobalt Strike can also abuse temporary services just to start itself up in a privileged process. Always be on the lookout for high entropy and unknown services starting then vanishing. It may also drop, then promptly delete high entropy executables.
Once credentials have been stolen from a system (or if there's credential reuse) an adversary can use Cobalt Strike to move laterally to one system to another without establishing internet beacons directly to it. Sneaky! It uses the first system as a relay.
That's not the worst case ever, because the default methods to do this tend to be familiar stuff like WMI or PS abuse. Cobalt Strike may also establish named pipes between systems. It has four default names. You can look at named pipes with many tools like OSQuery and PowerShell.
So, a couple places you can catch that lateral movement - at the host, and at the network. Unencrypted exfil of Stuff Cobalt Strike Encourages Stealing is also quite visible at the network. For instance, credential dumps. Look for contents and sizes.
So a summary:
- The creator of Cobalt Strike is a good dude!
- It seriously sucks it's been stolen and repurposed
- It's a cool framework!
- It's a huge sandbox and nobody can claim to detect every configuration,
- Some defaults and behaviors, you can catch.
- Coverage across the kill chain, host and network, is really important in catching more sophisticated attacks like this
- If you catch one small component of Cobalt Strike, like lateral movement or an injected process, or beacons using it's default profiles, pull the thread.
- PowerShell and Sysmon are underrated host analysis tools, even if you don't have the most advanced EDR deployed widely. They take care and feeding.
- PowerShell is just as powerful for adversaries. Log PowerShell. Everyone freaking abuses it.
- Network monitoring is a must.
- Consider dedicated threat hunt hypotheses for Cobalt Strike TTPs in your environment. It's not just a cheaty way to catch the red team anymore. It's really being abused by a lot of bad guys, often times very clumsily.
I first started using Cobalt Strike in 2015, and it has been incredible to see its capabilities and the libraries of Aggressor Scripts and C2 Profiles for it grow. If you have the opportunity to get hands on with it I highly recommend it. It can be tough and $$$ to get a license.
However, it is really invaluable as a defender to understand at some level how it works and how to manipulate it - and what the default "easy button" options are.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Lesley Carhart

Lesley Carhart Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @hacks4pancakes

Nov 9, 2022
The hacker / infosec Mastodon servers have really reached critical mass to contain useful community and information. If you haven't tried it out yet, I really recommend it. There's enough intel and news to be viable at this point.
This isn't a niche hobby thing anymore.
One of the things that was critical to me was seeing journalists like @lorenzofb and @campuscodi be on there, and they now are. Along with folks like @GossiTheDog, @Metacurity, @MalwareTechBlog, and @PatrickCMiller who have pretty solid info streams.
Read 5 tweets
Nov 5, 2022
I’m just the ornery retired military person who swaps stories with you, the military member who is drunk and I have never met, at the bar now. We have a great time.
Temporary friends are cool.
I’m dangerous, because I can talk about anything. Techno. Hunting. Archaeology.
Read 4 tweets
Oct 31, 2022
There's these threads from people laid off at Twitter and the *comments*.... trolls think they're witty, but they just look incredibly jealous of people who make good money in tech and are employable. They come off as devoid of tech knowledge and miserable with their lot in life.
Any of these engineers are just going to get immediately rehired for a deep six-figure salary, and the trolls with the incredibad takes about code reviews won't make that money no matter how much they take out their insecurities about their own shortcomings.
And then there's the "well, I'll take their job" clowns, from the people demonstrating hobbyist computer knowledge circa 2006, who have clearly never done a Silicon Valley whiteboard interview.
Read 4 tweets
Oct 28, 2022
Drop your handles on other social networks so that I can follow back?
(I use instagram for just dull personal stuff, not much of a video creator.)
Read 5 tweets
Oct 26, 2022
Yeah, it’s super bad that click-driven social media is a primary source of information and news for large numbers of Americans, but also incredibly depressing it took China being involved in it (naturally) for anyone to care, way too late.
“We can control the relatively unknown monster which driven by ultra wealthy corporations because it’s draped in an American flag” is a weird take.
Of course China would want a piece of that massively lucrative and influential pie. Of course it wouldn’t be American networks at the top of innovation forever. What hubris.
Read 5 tweets
Oct 25, 2022
I have always had wild dreams. However, 14-year-old me would be extremely confused at me fighting creeping fascism daily on the computer alongside Godwin, a bunch of annoyed military veterans, Michael Okuda, a few cDc folks, and somehow also George Takei.
“Sometimes you will even talk to these luminaries on the internet. Mostly about nazis, and breakfast foods. That’s what we do on the internet in the future”.
“Also you’ll never actually have a cool hacker handle. You will be forever known as Pancakes”.
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(