Hunting Cobalt Strike
Common Information
Type | Value |
---|---|
UUID | d049ba3a-424a-42a1-b4b4-ca6efe1b4973 |
Fingerprint | a888a3c110879a161bb24fb7b0ea15318bbd1c95ad4f436457ba1079aeffa731 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | July 15, 2021, 4:49 p.m. |
Added to db | March 21, 2024, 12:43 p.m. |
Last updated | Aug. 31, 2024, 6:06 a.m. |
Headline | Hunting Cobalt Strike |
Title | Hunting Cobalt Strike |
Detected Hints/Tags/Attributes | 59/3/22 |
Source URLs
Details | Redirection | Url |
---|---|---|
Details | Source | https://sansorg.egnyte.com/dd/s10dVsRSKo/ |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 55 | | creativecommons.org |
Details | Domain | 74 | | blog.didierstevens.com |
Details | Domain | 281 | | docs.microsoft.com |
Details | Domain | 2 | | for508.com |
Details | Domain | 2 | | bad.com |
Details | File | 1018 | | rundll32.exe |
Details | File | 5 | | %windir%\\syswow64\\svchost.exe |
Details | File | 5 | | %windir%\\sysnative\\svchost.exe |
Details | File | 1 | | a54c81.dll |
Details | File | 1208 | | powershell.exe |
Details | File | 1 | | bad.ps1 |
Details | IPv4 | 1441 | | 127.0.0.1 |
Details | Threat Actor Identifier - APT | 665 | | APT29 |
Details | Url | 1 | | https://creativecommons.org/licenses/by-nc/4.0 |
Details | Url | 37 | | http://127.0.0.1 |
Details | Url | 1 | | https://blog.didierstevens.com |
Details | Url | 1 | | https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes |
Details | Url | 1 | | https://for508.com/gdt4j |
Details | Url | 1 | | http://bad.com/bad.ps1 |
Details | Url | 1 | | https://for508.com/cobalt |
Details | Yara rule | 1 | | rule Leviathan_CobaltStrike_Sample_1 (full rule below) |
Details | Yara rule | 2 | | rule cs_job_pipe (full rule below) |

Yara rule 1 (reflowed from the single-line table cell above; content unchanged apart from removing a stray space that extraction inserted inside the `$s5` format string):

```yara
rule Leviathan_CobaltStrike_Sample_1 {
    meta:
        description = "Detects Cobalt Strike sample from Leviathan report"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
    strings:
        $x1 = "a54c81.dll" ascii fullword
        $x2 = "%d is an x64 process (can't inject x86 content)" ascii fullword
        $x3 = "Failed to impersonate logged on user %d (%u)" ascii fullword
        $s1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" ascii fullword
        $s2 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" ascii fullword
        $s3 = "could not run command (w/ token) because of its length of %d bytes!" ascii fullword
        $s4 = "could not write to process memory: %d" ascii fullword
        $s5 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
        $s6 = "Could not connect to pipe (%s): %d" ascii fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 600KB and (1 of ($x*) or 3 of them)
}
```

Yara rule 2 (reflowed from the single-line table cell above; content unchanged):

```yara
rule cs_job_pipe {
    meta:
        description = "Detects CobaltStrike Post Exploitation Named Pipes"
        author = "Riccardo Ancarani & Jon Cave"
        date = "2020-10-04"
    strings:
        $pipe = /\\\\\.\\pipe\\[0-9a-f]{7,10}/ ascii wide fullword
        $guidPipe = /\\\\\.\\pipe\\[0-9a-f]{8}\-/ ascii wide
    condition:
        $pipe and not ($guidPipe)
}
```