It aims at mimicking threat actors’ tactics, techniques and procedures to test the defenses of the target. Well, as shown on the figure above, the answer is Cobalt Strike.Ĭobalt Strike is a commercial, post-exploitation agent, designed to allow pentesters to execute attacks and emulate post-exploitation actions of advanced threat actors. What do APT29, APT32, APT 41, APT19, UNC2452, FIN6, Wizard Spider and most of the cybercriminals have in common in their toolset?
Why should defenders focus on Cobalt Strike hunting and detection ?
We also describe ways to detect: (i) Cobalt Strike payloads such as the DNS beacon based on the nature and volume of Cobalt Strike DNS requests, (ii) Cobalt Strike privilege escalation with the Cobalt Strike built-in service svc-exe, (iii) Cobalt Strike lateral movement with the Cobalt Strike built-in service PsExec and (iv) Cobalt Strike beacons communication through named pipes.
Customize cobalt strike beacon how to#
We show examples of how to track Cobalt Strike command and control servers (C2) and Malleable profiles by focusing on their SSL certificates and HTTP responses. In this blogpost, we describe step by step how to ensure a proactive and defensive posture against Cobalt Strike, one of the most powerful pentesting tools hijacked by attackers in their numerous campaigns. Here, we are tackling a much bigger threat given the frequency it is abused by diverse threat actors. In the last SEKOIA.IO Threat & Detection Lab we dealt with a Man-in-the-middle (MITM) phishing attack leveraging Evilginx2, an offensive tool allowing two-factor authentication bypass.
0 kommentar(er)
