As you know, Cobalt Strike is a commercial tool. Like most things, it can be used for positive or negative purposes. When it comes to detection logic, signatures, and alerts, we’re not here to talk about the “good uses”. Cobalt Strike is a tool that, out of the box, supports covert channels for data exfiltration. This means it will purposefully mask whatever traffic it wants as another type of traffic to try to slip past detection and monitoring efforts.
We often see Cobalt Strike as the interim step between droppers and ransomware. So how do we detect it on the network as part of defense in depth? Of course, at Proofpoint we work every day to prevent this from happening at all. But what if some customers only have ETPRO/IDS?
Once deployed, Cobalt Strike beacons out, and it can be made to attempt exfiltration. Because it obfuscates its traffic to appear legitimate, we can create detections based on the known profiles used for that purpose. Cobalt Strike has a feature, Malleable C2, that uses different command and control profiles mimicking legitimate traffic. Plainly, that gives an operator the ability to change the beacon traffic to look like just about anything. As a commercial tool that is supposed to be for legitimate purposes, some of this capability is publicly available.
In practice, we find these profiles, examine them, model them, and then write detections against them. Multiple profiles like this can be found on GitHub, and analysis of that code gives us good artifacts to write signatures on proactively.
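As an added illustration of that workflow (this is example code, not the ET rules themselves or any Proofpoint tooling), the following Python models the static artifacts of a constructed, hypothetical http-get profile block (the URI, host and cookie prefix are placeholders) and checks sample HTTP requests against them, the way a signature would:

```python
import re

# Constructed, hypothetical http-get block; URI, Host and cookie prefix are placeholders.
SAMPLE_PROFILE = r'''
http-get {
    set uri "/updates/check.php";
    client {
        header "Accept" "*/*";
        header "Host" "cdn.example-update.invalid";
        metadata { base64; prepend "sid="; header "Cookie"; }
    }
}
'''

def model_http_get(profile):
    """Static, signature-worthy artifacts of an http-get block: URI, fixed client
    headers, and the header (plus literal prefix) that carries the encoded metadata."""
    block = re.search(r'http-get\s*\{(.*)', profile, re.S).group(1)
    client = re.search(r'client\s*\{(.*)', block, re.S).group(1)
    model = {"uri": re.search(r'set\s+uri\s+"([^"]*)"', block).group(1),
             "headers": dict(re.findall(r'header\s+"([^"]+)"\s+"([^"]*)"\s*;', client)),
             "carrier": None, "prefix": ""}
    meta = re.search(r'metadata\s*\{(.*?)\}', client, re.S)
    if meta:  # single-argument header names the field that carries beacon metadata
        carrier = re.search(r'header\s+"([^"]+)"\s*;', meta.group(1))
        prefix = re.search(r'prepend\s+"([^"]*)"\s*;', meta.group(1))
        model["carrier"] = carrier.group(1) if carrier else None
        model["prefix"] = prefix.group(1) if prefix else ""
    return model

def matches_model(model, raw_request):
    """True when a GET request reproduces every static artifact of the model."""
    lines = raw_request.strip().splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {k.strip(): v.strip() for k, v in
               (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    if method != "GET" or path != model["uri"]:
        return False
    if any(headers.get(k) != v for k, v in model["headers"].items()):
        return False
    carrier = model["carrier"]
    return carrier is None or headers.get(carrier, "").startswith(model["prefix"])

# Constructed sample traffic: one request shaped by the profile, one benign request.
BEACON_REQUEST = ("GET /updates/check.php HTTP/1.1\r\nAccept: */*\r\n"
                  "Host: cdn.example-update.invalid\r\nCookie: sid=QUJDREVGR0g=\r\n\r\n")
BENIGN_REQUEST = ("GET /updates/index.html HTTP/1.1\r\nAccept: text/html\r\n"
                  "Host: cdn.example-update.invalid\r\n\r\n")
```

Running `matches_model(model_http_get(SAMPLE_PROFILE), ...)` fires on the beacon-shaped request and stays quiet on the benign one to the same host, which is the combination of fixed artifacts a rule keys on.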
Here’s a sampling of some of our ET Open Cobalt Strike Malleable C2 signatures:
2032748: Cobalt Strike Malleable C2 Webbug Profile
2032749: Cobalt Strike Malleable C2 Amazon Profile
2032750: Cobalt Strike Malleable C2 OCSP Profile
2028588: [TGI] Cobalt Strike Malleable C2 Request (O365 Profile)
2028589: [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2
2028590: [TGI] Cobalt Strike Malleable C2 Response (YouTube Profile)
2028591: [TGI] Cobalt Strike Malleable C2 Request (YouTube Profile)
2029381: Cobalt Strike Malleable C2 Request (Stackoverflow Profile)
2029740: Cobalt Strike Malleable C2 (Havex APT)
2029741: Cobalt Strike Malleable C2 (Magnitude EK)
2029742: Cobalt Strike Malleable C2 (Meterpreter)
2029743: Cobalt Strike Malleable C2 (OneDrive)
2029744: Cobalt Strike Malleable C2 (Adobe RTMP)
2032751: Cobalt Strike Malleable C2 (jquery Profile)
2030347: Cobalt Strike Malleable C2 (Safebrowse Profile) GET
2030344: Cobalt Strike Malleable C2 (Safebrowse Profile) POST
2030349: Observed Malicious SSL Cert (Cobalt Strike Malleable C2 Domain)
2032746: Cobalt Strike Malleable C2 (QiHoo Profile)
2032752: Cobalt Strike Malleable C2 (Microsoft Update GET)
2033658: Cobalt Strike Malleable C2 JQuery Custom Profile M2
2032747: Cobalt Strike Malleable C2 (MSDN Query Profile)
2028831: Hash - Suspected Cobalt Strike Malleable C2 M1 (set)
2028832: Hash - Suspected Cobalt Strike Malleable C2 (ja3s) M1
2029977: Cobalt Strike Malleable C2 (Custom)
2029978: Cobalt Strike Malleable C2 (Custom)
2032754: Cobalt Strike Malleable C2 (TrevorForget Profile)
2032953: Cobalt Strike Malleable C2 (Unknown Profile)
2032956: Cobalt Strike Malleable C2 (Unknown Profile)
2032957: Cobalt Strike Malleable C2 (Unknown Profile)
2032964: Cobalt Strike Malleable C2 Profile (btn_bg)
2032965: Cobalt Strike Malleable C2 Profile (__session__id Cookie)
2032966: Cobalt Strike Malleable C2 Profile (bg)
2032975: Cobalt Strike Malleable C2 Profile (Teams) M1
2032976: Cobalt Strike Malleable C2 Profile (Teams) M2
2033008: Cobalt Strike Malleable C2 JQuery Custom Profile M3
2033009: Cobalt Strike Malleable C2 JQuery Custom Profile Response
2034868: NOBELIUM - Cobalt Strike Malleable Profile M1
2035216: NOBELIUM - Cobalt Strike Malleable Profile M2
2032756: Cobalt Strike Malleable C2 (WooCommerce Profile)
2032757: Cobalt Strike Malleable C2 (WooCommerce Profile)
2032755: Cobalt Strike Malleable C2 (Wordpress Profile)
2033141: Cobalt Strike Malleable C2 (WooCommerce Profile)
2033148: Cobalt Strike Malleable C2 Profile (extension.css)
2033158: Cobalt Strike Malleable C2 Profile wordpress_ Cookie Test
2033796: Cobalt Strike Malleable C2 (Custom Profile)
2034463: Cobalt Strike Malleable C2 JQuery Custom Profile M5
2037096: Cobalt Strike Malleable C2 Amazon Profile Variant (GET)
2037154: Cobalt Strike Malleable C2 JQuery Custom Profile M6
2034084: Cobalt Strike Malleable C2 Amazon Profile POST (JPEG)
2034085: Cobalt Strike Malleable C2 Amazon Profile POST (PNG)
2034086: Cobalt Strike Malleable C2 Amazon Profile POST (RIFF)
2037844: Cobalt Strike Malleable C2 Beacon (Custom)