Cobalt Strike, a Defender’s Guide – Part 2
Common Information
Type Value
UUID 79ee14b1-6b02-4f7d-92ef-96469d6f6644
Fingerprint b630b39971103ec3
Analysis status DONE
Considered CTI value -2
Text language
Published Jan. 24, 2022, 3:03 a.m.
Added to db Sept. 26, 2022, 9:34 a.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline Cobalt Strike, a Defender’s Guide – Part 2
Title Cobalt Strike, a Defender’s Guide – Part 2
Detected Hints/Tags/Attributes 97/3/50
Attributes
Details Type #Events CTI Value
Details File 218
min.js
Details File 17
__utm.gif
Details File 2
skin.js
Details File 2
styles.html
Details File 2
tab_shop_active.html
Details File 3
copyright.css
Details File 4
default.css
Details File 2
jarm.py
Details Github username 8
salesforce
Details Github username 3
cedowens
Details Url 1
https://github.com/salesforce/ja3.
Details Url 1
https://github.com/cedowens/c2-jarm.