New Snort, ClamAV coverage strikes back against Cobalt Strike

By Nick Mavis. Editing by Joe Marshall and Jon Munshaw.


Cisco Talos is releasing a new research paper called “The Art and Science of Detecting Cobalt Strike.”


We recently released a more granular set of updated Snort® and ClamAV® detection signatures to detect attempted obfuscation and exfiltration of data via Cobalt Strike, a common toolkit often used by adversaries.


Cobalt Strike is a “paid software platform for adversary simulations and red team operations.” It is used both by professional penetration testers and by malicious actors to gain access to, and then control, infected hosts on a victim network. Cobalt Strike has been utilized in APT campaigns and was most recently observed in the IndigoDrop campaign and in numerous ransomware attacks.

What’s New?


This paper is a coverage narrative, discussing and sharing the challenges and solutions involved in creating coverage for Cobalt Strike attacks. We decided it wasn’t enough simply to provide coverage. We wanted to use this as an opportunity to show our readers what Cobalt Strike is, how it operates, and the mindset it takes to craft effective Snort and ClamAV signatures. This was a tough but worthwhile journey for Talos. More than 50 new signatures were created across Snort and ClamAV, and, combined with prior coverage, they cover the following core set of Cobalt Strike modules:


Raw shellcode generator
Staged/stageless executable generator
HTML application attack generator
Scripted web delivery
Signed java applet attack
Smart java applet attack
System profiler

So what?


Cobalt Strike is noto ..
