Let's chat about how to unravel Cobalt Strike and deny the adversary further access
As ALWAYS, I am showing you data so fresh out the kitchen it hasn't even been cleared by ThreatOps Director @MaxRogers5 👀🧑🍳 🧵
Cobalt Strike can often trigger AMSI alerts in Defender. The frustrating thing about AMSI alerts is that they don't tell you what the offending activity WAS.
The alert here was PowerShell based....so let's dig a lil deeper
Go collect C:\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx, and go get my favourite tool - Chainsaw.
Take note of your detection time (06:43).
Point Chainsaw at your PwSh log, with this time.
Cutting through the PowerShell evtx, we're shown the offending bit of PwSh that triggered the alert
It's the threat actor reaching out to a Chinese public IPv4, to download further tooling.
Our nefarious friend wanted to pull their tools down from http://101[.]132[.]112[.]124:88/Horizon
Why don't we help them with that?
Via whatever secure means you care to deploy, let's pull their tools down to our analysis machine
The results are huge. We're told incredibly useful information that we can immediately action - for example, let's add the server IP to our firewall deny list
I hope this has demystified any supposed complexities of Cobalt Strike.
It's just a tool. It comes with various obstacles that are a pain in the behind, but trivial to overcome; 161% tryna waste our time.
In a recent intrusion, we identified a threat actor had compromised the Windows login process, and siphoned cleartext credentials - using a technique known as NPPSPY
@0gtweet’s NPPSPY was fascinating to dissect and remediate.
Our article couldn’t show what this cleartext credential gathering looked like on the compromised machine, but we recreated the electrifying end product
IOCs and Behavior
- T1003
- Values under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
  ◦ For our case: logincontroll
- Unexplained entries in HKLM\SYSTEM\CurrentControlSet\Services\<here>\NetworkProvider
  ◦ For our case: logincontroll
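One way to sweep a host for the two registry indicators listed above, as an added example that is not part of the original thread. The `$baseline` list of expected providers is an assumption about a stock Windows install and should be extended with providers your environment legitimately uses; `ProviderOrder` and `ProviderPath` are the standard Windows value names under those keys.

```powershell
# Added example: audit registered network providers (NPPSPY-style persistence).
# ASSUMPTION: baseline of providers expected on a default Windows install.
$baseline = @('RDPNP', 'LanmanWorkstation', 'webclient')

$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Indicator 1: names in ProviderOrder (comma-separated list of service names).
$ordered = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder -split ',' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Indicator 2: any service carrying a NetworkProvider subkey, listed in the order or not.
$withSubkey = Get-ChildItem -Path $services -ErrorAction SilentlyContinue |
    Where-Object { Test-Path -LiteralPath (Join-Path $_.PSPath 'NetworkProvider') } |
    ForEach-Object { $_.PSChildName }

$names = @($ordered) + @($withSubkey) | Sort-Object -Unique

$report = foreach ($name in $names) {
    $np = Get-ItemProperty -Path (Join-Path $services "$name\NetworkProvider") `
        -ErrorAction SilentlyContinue

    # ProviderPath is REG_EXPAND_SZ; expand again in case it came back unexpanded.
    $dll = if ($np.ProviderPath) { [Environment]::ExpandEnvironmentVariables($np.ProviderPath) }
    $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
    $sig = if ($exists) { Get-AuthenticodeSignature -LiteralPath $dll }

    [pscustomobject]@{
        Provider    = $name
        InBaseline  = $baseline -contains $name   # case-insensitive match
        InOrder     = $ordered -contains $name
        ProviderDll = $dll
        DllExists   = $exists
        Signature   = if ($sig) { $sig.Status } else { 'n/a' }
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$report | Format-Table -AutoSize -Wrap

# Flag providers outside the baseline, or backed by a DLL that is missing or
# not validly signed. Older hosts may report catalog-signed system DLLs as
# NotSigned, so treat a signature hit alone as a lead, not a verdict.
$report | Where-Object { -not $_.InBaseline -or $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning "Review network provider '$($_.Provider)' -> $($_.ProviderDll)" }
```

Run it from an elevated PowerShell session on the host under investigation; a provider such as the `logincontroll` entry from this case would appear with `InBaseline` set to `False`.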
Inspired by a SANS poster, I wanted to look at a couple of security solutions and see if their logs provided any key insights an analyst could leverage.
The scenario: if given only product-relevant raw data & logs, would X security solution have data on the host that provides any security value and help with our investigation?
This is a specific use case, I know. But it's something I find myself needing every day at work.
Our conversation is about a singular machine, and the transparency, ease-of-access, and security-value of the logs and raw data of various security solutions. We’ll be staying in Windows world for this particular thread.