CobaltStrike Overview

Executive Summary

This report is about the use of the well-known tool CobaltStrike in adversarial campaigns. The tool’s framework is designed for command & control operations with an established capacity and extreme ease of use. The tool can be integrated into the attacker lifecycle easily with minimal development time.

CobaltStrike Tactics, Techniques, and Procedures

CobaltStrike has a long history of being used by various threat actor groups dating back to 2016. Sometimes the tool has been modified to perform C2 functions with a customized payload or a set of protocols to avoid detection by blue team operators. The beacon functionality is the most common way the software is utilized by threat actors. The beacon menu allows the bad actor to manipulate files, remote desktop, access a system’s command line, manipulate system processes, perform a port scan, take screenshots, and much more!

The main way attackers may engage CobaltStrike is through the delivery of custom payloads. The program is engineered to deliver malicious payloads through a variety of attack packages such as Java applet attacks, Microsoft Office documents, legitimate programs, and website cloning. You can also use the platform to create phishing links or text for spear-phishing campaigns.

Strategic Impact of CobaltStrike

• May lead to the loss of sensitive data via illegitimate data transfers.
• Could lead to illicit network traffic using legitimate protocols such as HTTP, HTTPS, or DNS.
• May lead to regulatory fines if a successful compromise occurs, such as GDPR or PCI DSS penalties. This will be the case if gross negligence is discovered.

Our Recommendations

It is highly encouraged that you discuss ways to increase visibility in your environment with your security service provider. Consider implementing endpoint detection tools such as SentinelOne to bolster your defensive posture. Look into performing regular user training to help spot and report phishing emails in your environment.

Sources

https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware

Supporting Documentation

• https://www.cobaltstrike.com/help-beacon
• https://www.thec2matrix.com/matrix
• https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf?1600694964

MITRE Mapping(s)

• https://attack.mitre.org/software/S0154/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.