Title
Common Information
Type | Value |
---|---|
UUID | 0b3d78c5-2c09-4165-8934-ad05048c92f7 |
Fingerprint | 00325359a0a7aa8c7df8d6958de10a8777d0c241b4b4bd77d9ebc4d4ee2027c4 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Nov. 4, 2021, 3:27 p.m. |
Added to db | July 4, 2024, 3:44 p.m. |
Last updated | Aug. 31, 2024, 7:31 a.m. |
Headline | Title |
Title | Title |
Detected Hints/Tags/Attributes | 390/4/153 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://www.hhs.gov/sites/default/files/cobalt-strike-tlpwhite.pdf |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 30 | | cve-2011-3544 |
Details | CVE | 23 | | cve-2013-2465 |
Details | CVE | 10 | | cve-2013-2460 |
Details | CVE | 57 | | cve-2017-8759 |
Details | Domain | 768 | | www.youtube.com |
Details | Domain | 370 | | www.proofpoint.com |
Details | Domain | 360 | | attack.mitre.org |
Details | Domain | 3 | | d3fend.mitre.org |
Details | Domain | 47 | | intel471.com |
Details | Domain | 103 | | www.mcafee.com |
Details | Domain | 182 | | www.mandiant.com |
Details | Domain | 546 | | www.recordedfuture.com |
Details | Domain | 23 | | www.intezer.com |
Details | Domain | 4 | | michaelkoczwara.medium.com |
Details | Domain | 74 | | thedfirreport.com |
Details | Domain | 58 | | redcanary.com |
Details | Domain | 9 | | www.databreachtoday.com |
Details | Domain | 4 | | blogs.quickheal.com |
Details | Domain | 154 | | us-cert.cisa.gov |
Details | Domain | 43 | | www.cyberscoop.com |
Details | Domain | 224 | | unit42.paloaltonetworks.com |
Details | Domain | 7 | | labs.f-secure.com |
Details | Domain | 71 | | news.sophos.com |
Details | Domain | 16 | | www.domaintools.com |
Details | Domain | 403 | | securelist.com |
Details | Domain | 261 | | blog.talosintelligence.com |
Details | Domain | 425 | | isc.sans.edu |
Details | Domain | 604 | | www.trendmicro.com |
Details | Domain | 23 | | hhs.gov |
Details | Domain | 41 | | www.hhs.gov |
Details | | 18 | | hc3@hhs.gov |
Details | File | 2125 | | cmd.exe |
Details | File | 1208 | | powershell.exe |
Details | File | 1018 | | rundll32.exe |
Details | File | 1 | | rp-operation-dianxun.pdf |
Details | File | 104 | | www.dat |
Details | File | 1 | | cobalt-spam-runs-use-macros-cve-2017-8759-exploit.html |
Details | File | 2 | | coverage-strikes-back-cobalt-strike-paper.html |
Details | File | 2 | | compatibility.html |
Details | IBM X-Force - Threat Group Enumeration | 9 | | ITG08 |
Details | Mandiant Temporary Group Assumption | 44 | | TEMP.PERISCOPE |
Details | Mandiant Temporary Group Assumption | 16 | | TEMP.JUMPER |
Details | Mandiant Uncategorized Groups | 27 | | UNC1878 |
Details | MITRE ATT&CK Techniques | 78 | | T1548 |
Details | MITRE ATT&CK Techniques | 116 | | T1134 |
Details | MITRE ATT&CK Techniques | 179 | | T1087 |
Details | MITRE ATT&CK Techniques | 444 | | T1071 |
Details | MITRE ATT&CK Techniques | 40 | | T1197 |
Details | MITRE ATT&CK Techniques | 27 | | T1185 |
Details | MITRE ATT&CK Techniques | 695 | | T1059 |
Details | MITRE ATT&CK Techniques | 122 | | T1543 |
Details | MITRE ATT&CK Techniques | 96 | | T1132 |
Details | MITRE ATT&CK Techniques | 75 | | T1001 |
Details | MITRE ATT&CK Techniques | 504 | | T1140 |
Details | MITRE ATT&CK Techniques | 534 | | T1005 |
Details | MITRE ATT&CK Techniques | 36 | | T1030 |
Details | MITRE ATT&CK Techniques | 163 | | T1573 |
Details | MITRE ATT&CK Techniques | 235 | | T1562 |
Details | MITRE ATT&CK Techniques | 247 | | T1070 |
Details | MITRE ATT&CK Techniques | 152 | | T1056 |
Details | MITRE ATT&CK Techniques | 239 | | T1106 |
Details | MITRE ATT&CK Techniques | 168 | | T1046 |
Details | MITRE ATT&CK Techniques | 176 | | T1135 |
Details | MITRE ATT&CK Techniques | 245 | | T1203 |
Details | MITRE ATT&CK Techniques | 208 | | T1068 |
Details | MITRE ATT&CK Techniques | 585 | | T1083 |
Details | MITRE ATT&CK Techniques | 492 | | T1105 |
Details | MITRE ATT&CK Techniques | 550 | | T1112 |
Details | MITRE ATT&CK Techniques | 29 | | T1137 |
Details | MITRE ATT&CK Techniques | 289 | | T1003 |
Details | MITRE ATT&CK Techniques | 65 | | T1069 |
Details | MITRE ATT&CK Techniques | 440 | | T1055 |
Details | MITRE ATT&CK Techniques | 159 | | T1095 |
Details | MITRE ATT&CK Techniques | 627 | | T1027 |
Details | MITRE ATT&CK Techniques | 433 | | T1057 |
Details | MITRE ATT&CK Techniques | 152 | | T1090 |
Details | MITRE ATT&CK Techniques | 159 | | T1021 |
Details | MITRE ATT&CK Techniques | 95 | | T1572 |
Details | MITRE ATT&CK Techniques | 501 | | T1012 |
Details | MITRE ATT&CK Techniques | 91 | | T1620 |
Details | MITRE ATT&CK Techniques | 121 | | T1218 |
Details | MITRE ATT&CK Techniques | 56 | | T1553 |
Details | MITRE ATT&CK Techniques | 78 | | T1569 |
Details | MITRE ATT&CK Techniques | 33 | | T1550 |
Details | MITRE ATT&CK Techniques | 306 | | T1078 |
Details | MITRE ATT&CK Techniques | 219 | | T1113 |
Details | MITRE ATT&CK Techniques | 185 | | T1518 |
Details | MITRE ATT&CK Techniques | 245 | | T1016 |
Details | MITRE ATT&CK Techniques | 119 | | T1049 |
Details | MITRE ATT&CK Techniques | 100 | | T1007 |
Details | MITRE ATT&CK Techniques | 310 | | T1047 |
Details | MITRE ATT&CK Techniques | 243 | | T1018 |
Details | MITRE ATT&CK Techniques | 22 | | T1029 |
Details | Threat Actor Identifier - APT-C | 44 | | APT-C-00 |
Details | Threat Actor Identifier - APT | 665 | | APT29 |
Details | Threat Actor Identifier - APT | 132 | | APT32 |
Details | Threat Actor Identifier - APT | 522 | | APT41 |
Details | Threat Actor Identifier - APT | 24 | | APT19 |
Details | Threat Actor Identifier - APT | 10 | | APT26 |
Details | Threat Actor Identifier - APT | 143 | | APT40 |
Details | Threat Actor Identifier - APT | 278 | | APT10 |
Details | Threat Actor Identifier - APT | 66 | | APT17 |
Details | Threat Actor Identifier - FIN | 377 | | FIN7 |
Details | Threat Actor Identifier - FIN | 42 | | FIN12 |
Details | Threat Actor Identifier - FIN | 73 | | FIN6 |
Details | Url | 1 | | https://www.youtube.com/watch?v=isaz6swf2kw&t=2s |
Details | Url | 5 | | https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware |
Details | Url | 7 | | https://attack.mitre.org/software/s0154 |
Details | Url | 2 | | https://d3fend.mitre.org |
Details | Url | 1 | | https://intel471.com/resources/whitepapers/cobalt-strike-a-toolkit-for-pentesters |
Details | Url | 1 | | https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf |
Details | Url | 3 | | https://www.mandiant.com/resources/defining-cobalt-strike-components |
Details | Url | 1 | | https://www.recordedfuture.com/detect-cobalt-strike-inside-look |
Details | Url | 2 | | https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike |
Details | Url | 1 | | https://www.bleepingcomputer.com/news/security/hacker-made-linux-cobalt-strike-beacon-used-in-ongoing- |
Details | Url | 1 | | https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7 |
Details | Url | 4 | | https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide |
Details | Url | 1 | | https://redcanary.com/blog/grief-ransomware |
Details | Url | 4 | | https://isc.sans.edu/forums/diary/ta551 |
Details | Url | 1 | | https://arstechnica.com/gadgets/2021/08/critical-cobalt-strike-bug-leaves-botnet-servers-vulnerable-to- |
Details | Url | 2 | | https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike |
Details | Url | 2 | | https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus |
Details | Url | 1 | | https://www.bleepingcomputer.com/news/security/fake-kaseya-vsa-security-update-backdoors-networks-with- |
Details | Url | 1 | | https://www.databreachtoday.com/attackers-increasingly-using-cobalt-strike-a-16959 |
Details | Url | 1 | | https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike |
Details | Url | 1 | | https://www.techrepublic.com/article/how-legitimate-security-tool-cobalt-strike-is-being-used-in-cyberattacks |
Details | Url | 1 | | https://blogs.quickheal.com/cobalt-strike-2021-analysis-of-malicious-powershell-attack-framework |
Details | Url | 1 | | https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise |
Details | Url | 1 | | https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a |
Details | Url | 1 | | https://www.cyberscoop.com/cybercriminals-cobalt-strike-proofpoint |
Details | Url | 1 | | https://unit42.paloaltonetworks.com/bazarloader-malware |
Details | Url | 2 | | https://intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor |
Details | Url | 1 | | https://thedfirreport.com/2021/05/12/conti-ransomware |
Details | Url | 3 | | https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors |
Details | Url | 2 | | https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team |
Details | Url | 2 | | https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike |
Details | Url | 2 | | https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike |
Details | Url | 1 | | https://www.trendmicro.com/en_us/research/17/k/cobalt-spam-runs-use-macros-cve-2017-8759-exploit.html |
Details | Url | 1 | | https://securelist.com/loncom-packer-from-backdoors-to-cobalt-strike/96465 |
Details | Url | 2 | | https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html |
Details | Url | 1 | | https://www.bleepingcomputer.com/news/security/evilnum-hackers-use-the-same-malware-supplier-as-fin6- |
Details | Url | 3 | | https://thedfirreport.com/2020/10/08/ryuks-return |
Details | Url | 3 | | https://thedfirreport.com/2020/10/18/ryuk-in-5-hours |
Details | Url | 1 | | https://thedfirreport.com/2021/01/31/bazar-no-ryuk |
Details | Url | 1 | | https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-scars-admins-with-false-cobalt- |
Details | Url | 1 | | https://www.bleepingcomputer.com/news/security/alleged-source-code-of-cobalt-strike-toolkit-shared-online |
Details | Url | 4 | | https://isc.sans.edu/forums/diary/quick |
Details | Url | 1 | | https://www.bleepingcomputer.com/news/security/github-hosted-malware-calculates-cobalt-strike-payload- |
Details | Url | 1 | | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware |
Details | Url | 1 | | https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike- |
Details | Url | 1 | | https://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-penetration-testing-tool-popular- |
Details | Url | 1 | | https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer- |
Details | Windows Registry Key | 1 | | HKEY_CURRENT_USER\Software\Microsoft\Office\Excel |