
Cobalt Strike – A Defender's Perspective

BSides Islamabad · 2020 · 45:50 · 394 views · Published 2020-11
Category: Technical
Team: Blue
Style: Talk
About this talk
Roshan is a senior incident response consultant at Mandiant, a FireEye Company, a front-line worker helping organizations fight against cyber threats. He is a core contributor to the NightHawkResponse project, which processes FireEye Redline/HX collections. He has a keen interest in operating system internals, offensive toolkits, and writing code in Golang.

Cobalt Strike is a popular adversary emulation tool that uses advanced techniques to evade detection. Cobalt Strike is the primary tool of choice on red team engagements. Some threat actors and ransomware groups also use Cobalt Strike in compromised environments. This talk shares a defender's perspective on an offensive utility, Cobalt Strike Beacon. It gives some insight into the workings of Cobalt Strike and its commonly used modules, helping a defender understand Cobalt Strike and explore its capabilities. It also provides insight into ways to search for Cobalt Strike activity on an endpoint, exploring the different ways Cobalt Strike executes commands and the detection opportunities using Sysmon and Windows event logs. #BSidesIslamabad2020
Transcript [en]

Welcome back. Hope you all have fuelled up, and now let's look at the next session. We have Roshan Maskey with us, who will be talking on Cobalt Strike: a defender's perspective. Hi Roshan, nice to meet you, welcome to BSides Islamabad. You have 45 minutes to go and then five minutes for questions and answers, so yep, stage to you. Okay, thank you. Good afternoon everyone. I'm Roshan Maskey, I'm a senior consultant at a security firm where my role is basically incident responder, so as part of my day-to-day activity I do investigation of compromised organizations, security assessments, assume breach

and also purple teaming with red team consultants. Today's topic I'm going to talk about is Cobalt Strike from a defender's perspective, so let's start with that.

So who am I? This 'who am I' is not whoami as me, the person, but who am I as a malware. If you read this screen there are a lot of names; they look like very generic names, but if you know what this particular sample is, this sample is from one of the Cobalt Strike binaries that I collected last year. The problem with this one is, when a security analyst investigates a malware detection based on what I can see on this screen and what you can see on the screen, it is not apparently clear to the security analyst what they are dealing with, and this can lead into closing the ticket as a

normal standard malware, whereas if it's a Cobalt Strike sample the response for that particular detection might be different, as it is more interactive and hands-on-keyboard action. So in this talk we'll be talking more about what we can know about Cobalt Strike Beacon and how we can detect that activity. The outline of this session is: first we'll have a quick introduction about Cobalt Strike and some of its components, then I'll discuss the study that I've been conducting over the last couple of months and some of the observations I have discovered during my study, some of the Beacon characteristics that I have discovered, and some analysis techniques for that.

So let's start with Cobalt Strike, the birth and the rise of Cobalt Strike. Cobalt Strike, from what I know, started as part of red team or offensive training courses, and started somewhere in 2011, and officially I think the first release was in 2012. Since then functions and features have been added by the author, and in the most recent version there are a lot of features that are really impressive and give the red teamer an advantage over some of the executions, and some of those we'll discuss as we go through. Now who uses Cobalt Strike? It was generally used by red teams, but then also

in the last few years, where I have done investigations, I have also found nation state actors using Cobalt Strike. Now they generally don't use just Cobalt Strike; they use Cobalt Strike as an additional access mechanism to the environment, in addition to their other malware, other backdoors and other utilities, and as we go through the course we'll understand why. Most recently, at least my first experience with a ransomware actor was late 2018, or 2019 I guess, where we saw an organization with ransomware and where they had Cobalt Strike as the mechanism to encrypt the drive. The way the threat actor had compromised it was using Cobalt Strike Beacon as a

persistence mechanism, later as a lateral movement mechanism, and selectively targeting the key systems, where it did encrypt the systems using in-memory modules so that there was no crypto dropped to the disk. So why Cobalt Strike? This is taken from the Cobalt Strike website: it is an adversary simulation and red team operation tool, and it does have a lot of capability, mainly focused on post-exploitation capabilities, so that once the red teamer has access to the environment they can perform post-exploitation activities including internal recon, credential dumps and lateral movement very easily and swiftly, leaving fewer traces on the operating system. The other cool feature that

Cobalt Strike provides is the C2 profile. This particular profile gives the opportunity for a red team consultant to modify some of the configs of how the implant communicates with the C2, and if you look at some of the features on the Cobalt Strike author's GitHub page there are various configs, so it can mimic traffic like Google, it can mimic traffic like Amazon, and there are also options for how you can encrypt the traffic or encode the traffic that is between the implant and the C2 server. It also gives a configuration option for a red team consultant to modify, to change the behavior of the implant when it performs certain activity on the target system.

In addition to that it has built-in capability to run credential dumping activities and internal recon, and most of the tools that Cobalt Strike has as built-in modules are in memory, so they don't actually get written to disk, and for that reason most of your antivirus software would not be able to pick up the evidence of these tools being run. In addition to that, starting with version 3.3 I guess, they added another capability, which is in-memory execution of user-built binaries. Now this particular feature is very interesting because, prior to this feature being introduced with Cobalt Strike Beacon, the only thing that Beacon

or Cobalt Strike was able to run was the built-in modules that the author has created, but now with in-memory execution any .NET compiled binary can be executed in memory without dropping to disk, and this gives a red team operator a really good advantage over defenders. This is just a screenshot to describe how the console looks: it shows the host that has the implant, and on the bottom section it has a console where the threat actor, or even the red team operator, can write commands that will be executed on the target system. It does also have some additional GUI-based capability to do file transfer or review the processes and

things like that, but those functions are limited, whereas command line based execution is the primary way to use this particular tool. In terms of payloads, HTML application: this is most of the time a red team's favorite payload that they use for phishing, so this is generally used for phishing, and when the red team sends this as an email and a user receives this particular file and executes it, the HTML application will establish C2 communication to the C2 server. In addition to that there are a lot of ways and options for payload generation; some of the common ones that I have seen during

investigations and compromises are PowerShell based, the PowerShell, the VBA code; we have also seen the shellcode itself, the DLL files, also executables at times, but I think DLL is more commonly seen in most of the engagements. In terms of execution, this is how execution works, how a Beacon executes when we run certain commands using the console. It has three different ways it can execute any instruction you provide to the Beacon. Some of them are built in using the Windows API, for example ls or dir or change directory; it is written with the Windows API, so when that particular activity

occurs on the target system there is less evidence of the execution recorded by your EDR software or any other software. The inline execution also leaves less trace in the environment, because what it does is it will inject into its own process memory and execute the code that it's supposed to execute. Now the last one, fork and run, is the very common one that I've observed during my study, used for most of the executions, and the really interesting and meaningful ones use the fork and run mechanism. So what it does is, if there is a Beacon process, for example beacon.exe executing as a sample, when you run some of these

commands like hashdump or logonpasswords, it will spawn a child process, and by default the child process is rundll32.exe, and then rundll32.exe will execute the task that was instructed by the red teamer or threat actor. Now rundll32.exe is the default one, but most of the time what I have seen working with the red team guys, they tend to change it, because it is very obvious for them and they want to be a bit more sneaky and have a successful compromise in the environment, so they tend to change it a lot. However, in my experience working with some of these compromises in the real world, threat actors did not care about changing the DLL

or the spawned child process; it still ran rundll32.exe, which was a lot easier to track and detect. So now I'll go into the section where I'll quickly talk about the study and what the settings were. In this particular study my objective was to identify as many of Beacon's characteristics as possible when it runs on the endpoint, and develop detection rules, which for me is mainly focused on Elasticsearch. In order to achieve my goal there were some roadblocks, some constraints that I had, so I had to remove all those constraints. I did not use a malleable C2 profile to customize anything; I just wanted

to run it as the default one at this stage. I required admin access to perform some activities like domain creds or doing DCSync with the domain controller, so I used that one without having to escalate privilege, and also Defender was giving me a lot of problems, so I had to turn it off so that I could just focus on the runtime behavior of Beacon. This was the setup that I used for my study: everything was in virtual machines, without going to the internet. The domain that I actually used is google, but I had an extra zero in it; this actually resolves to google, but this is something I used internally, so

it did not actually go to the internet. Now some of the components I required for my study: one was an EDR-like feature where I can get a lot of telemetry for data collection, so for that particular component I used this one, because it was freely available for anyone to use, and some of the data collection and telemetry Sysmon provides is better than some of the commercial offerings as well, so those are the two reasons I used this one. Now I needed a Sysmon configuration, so I used the SwiftOnSecurity Sysmon config, which was really good; I had to modify a few settings for some of the common processes I used,

because the default config did not capture some of the components of Sysmon events, so I had to modify that to capture everything for these processes, especially the process access and DLL image loading; those events were not captured by the SwiftOnSecurity config. In terms of data collection, storing and running queries I chose Elasticsearch and Kibana, which are again free for use, and to ship data from the endpoints to Elasticsearch I chose Winlogbeat, and it was simple to use. So the only thing that I had to modify in the SwiftOnSecurity config was to add those parameters, which are shown in yellow, to the components for each and every event

where it was not included, and for the process access I had to use the one that's in orange that says any source image: if there is a process access activity from these processes, just track that one. This was just to reduce the amount of logs generated by Sysmon. Now Winlogbeat: I used version 7.8 as far as I remember, and the section on the left is the default one; I did not have to modify anything, which was easy. The only section I modified was on the right, which was to point to my Elasticsearch server, so that was all that was needed for the Winlogbeat configuration. Now after doing that, what I did was I

ran multiple commands, and I spent time running multiple commands and reviewed some of the red teamers' commands they use for different scenarios. There are lots of commands that are supported by Cobalt Strike; I could not cover all of those in this talk, so I chose the ones that are very commonly used by red teamers as well as threat actors. This is for program execution: the first thing generally when they get access to the environment, these are some of the commands they execute on the local system, and Cobalt Strike provides you various ways to run the same command, and as I started running these commands I observed some of

the unique behaviors. The first one is shell, and you can see the one in green is what you would actually run on the Beacon console, and the one after that shows the process creation line with the details. So if you see there, in the first one it says shell whoami: the Beacon will start a command shell with /C and pass that argument, and then the command shell will start another child process, which is whoami.exe. But if you execute the same command using the execute or run function or module, the Beacon itself will create the child process. Now when you

run this as a single binary or a single command it does not look that obvious, but when the threat actor or red team starts running more and more commands using these mechanisms, when you see a suspicious process or odd process starting all these command line utilities, which you generally expect to be started by cmd.exe or powershell.exe, that would make you suspicious: okay, why? So for example, if the Beacon was injected into explorer, why is explorer starting all these command line utilities? The other thing I observed was, in the first one, if you see in the red it says cmd.exe /C in uppercase. I'm pretty sure that generally when we

write the command it is lowercase, and that's something hardcoded within the software, so that is another interesting thing that we can track for potential Beacon activity. It is not a strong indicator; however, if you see more and more of the same cmd.exe /C in uppercase, that would be a clear indication of Beacon activity in the environment. This is very, very common in Beacon compromises: if an environment is compromised with Cobalt Strike Beacon you would see event ID 7045, where you would see a service installed, and that has a service execution or binary, something that looks like this. Now the one section in red, again, this is defined in the software itself, so this

is not changed; you can customize it I think, but this is the default that is used. If you see base64 encoded content within your service, that is most likely Cobalt Strike Beacon or a Metasploit-based persistence mechanism. Now we'll quickly go through, if you ever discover something like this in your environment, how we go about decoding it and finding more information about it. So the first step is to take the base64 encoded content and use a tool called CyberChef; it is a really very good tool, and using this particular tool you can almost get to the level where you can get the shellcode from that particular base64 encoded content. Now you have to run

it at least three times with different settings. So in the first round you take the one that you see in the service, put it in the input section, and then use two recipes here: first is to decode from base64, and second, as you decode it, it actually is Unicode characters, so it will appear as one character, dot, one character, dot. So what you do is you use another recipe, which is decode text, and set that as UTF-16 little endian, and you bake it, and after you do that the content you get in the output is more readable content. Now if you look at the variable content

there on the screen, again you see base64 encoded content there. So now you take that base64 encoded content and you run a second recipe on that. If you look at the text on the top, that is the summarized version of the output of the first recipe, so it will have base64 encoded data there; take that data and put it into your next CyberChef recipe, a new CyberChef recipe, and put that content there. Now in this case, if you read the PowerShell script, it is basically encoded and then there is compression. So what we do is we decode the base64

content and we unzip it using gunzip. After that you see another PowerShell script there, which is closer to the shellcode execution or loading of shellcode. The content there is, I think, cut off, but the most interesting part after this one is, when you look at the content, you see something like $var_code = [System.Convert]::FromBase64String and a round of base64 data there, and immediately after that base64 content you would see a for loop where it is XORing with a value of 35. Now you take that base64 content, put it in another CyberChef, put that content there, decode it, and

then you use the XOR mechanism to XOR that with a decimal value of 35, and then what you get as output is shellcode. Now you can click on the floppy icon there and save it, so once you have this you save it. You should be seeing, I don't know if you can see it, it's not really visible here, you would see some of the clear text content, a user agent string, or sometimes you will see an IP address, a domain for the C2. The content here is cut off, but when I did this one you will see the domain name of my C2 server, the hostname, the FQDN of the C2 server. Now you can take this particular shell

code, and if you have a sandboxing utility or sandboxing software you can chuck this into the sandbox, and generally they are good at decoding everything and giving you the C2 IP address, and that will tell you okay, this is where the C2 is connecting. So you get an IP and you can use that particular IP to scope in your environment and see how many other systems are talking to the same C2 server, and you can use Windows event ID 7045 to hunt for similar services in the environment. Then another topic of interest is lateral movement. So I did run a test on lateral movement, and this is something

that is common, that you execute. This particular command is psexec, and this particular command is built in, not the psexec from Sysinternals, but the psexec implementation by the author of Cobalt Strike. So you pass the command remote-exec and psexec; that is the command that you need to pass, and after that are the user-provided parameters. So what I'm telling it here is to run powershell.exe and download a binary or some content from my C2 server and execute it. Now in order for this to be successful, firewalls need to at least allow 445 communication between the source system, which

is running a Beacon, and the target system, in this case 002. So the 445 communication is required for that to happen, and this is another thing you can take as an interesting learning: if you don't allow 445 communication from workstation to workstation using your GPOs, it will block this lateral movement activity using psexec. In my case I had it enabled. So what I observed when I did psexec is that there are a few logons: one is 4672, which is a special logon that talks about special privileges being added to the user, and most of the time the user is the same user that is running

the Beacon on the source system. You also see a network logon, and the network logon is a type 3 logon from the source system to the target system for the same user. Sometimes it does capture the source IP address and sometimes I don't see the source IP address, for various reasons; now I don't know exactly which execution, but I have noticed that sometimes I don't see a source IP address. Most of the time, when you see this activity, psexec, what the process does is it creates a service, and the service is a very peculiar service: it is hexadecimal characters, a to f and zero to nine, and it's only six characters long. So if you have mechanisms to monitor

event ID 7045 or 4697, you would see this particular service being created. 7045 does not record user information, whereas if you have enabled 4697, that will record the user, so it will tell you, when you inspect the system, what the user account was that created, that installed, that particular service, and this is important for your investigation because this will tell you the user account that the actor or red teamer has compromised and is leveraging to perform lateral movement. The other interesting characteristic I observed when psexec is used is that it installs a service, then it starts the service, and within 30 seconds,

when the execution is complete, it will stop the service. While looking at Sysmon events you can quickly check; Sysmon doesn't actually log it in the same way as your service log does, so you will see the service registry values being changed between different values, with the start value of two, and then disabling it after 30 seconds. One of the quick ways to hunt for some of these activities, especially psexec, is looking for a service which has the pattern [a-f0-9] and up to six characters long. WinRM: this is another mechanism for lateral movement, and I think the earlier talk about APT38 mentioned that they

were using WMI, WinRM and psexec, and these are the very common mechanisms red teamers or threat actors generally use to pivot from one system to another system. Same command, just using a different mechanism. In this case, for WinRM, the service needs to be running on the target system for this command to be successful, and the firewall should also allow communication to the WinRM ports for this command to be successful. When you look at the command, on the source system you will see an encoded PowerShell script used. Now look at the section in red; it is always the same, and this is what I believe is something

configured in the software, so it's not normally changed, and it passes the encoded command. So when you decode the encoded command, again using the same mechanism, base64 decoding and then UTF-16, you see Invoke-Command being used and a script block being provided to download the command. Now some other observations, similar to the previous one: you would see multiple logon activities, especially special logon, that is specific privileges assigned to the user; again this user will be the same user that is running Beacon on the source system; and the network logon, which is type 3, so it's not always there.

One other interesting thing I observed was, instead of just having one logon to the target system, I did observe at least three to four logon activities, so I would see a 4672, a 4624, then I'll see another 4672, another 4624, within the span of, like, thirty sec... sorry, 120 seconds. I would see multiple logons from the source system to the target system. I also observed that Sysmon captured that an anonymous named pipe was created on the source system and connected by the Beacon process; so this is on the source system, so Beacon

will create this anonymous pipe and connect to itself on the source system. You'll also see the PowerShell logs, and for the PowerShell logs, event IDs 400, 403 and 600; you'll see multiple 600s, and in that you would see a field called host application, and there you would see again the same command captured by the PowerShell log, and that's another avenue where you can look if you're suspecting Cobalt Strike activity; you can look into that particular event log. WMI: again I'm executing a slightly different command here, but the same process; the target system is the same. In this case I did test using bitsadmin to execute the command and get a shell to

my console. In this case TCP 135 communication was required to the target machine, and it then negotiated a dynamic port, and then the communication happened that transferred the file and executed the Beacon on the target system. In lateral movement, again, with WMI similar commands were observed here: anonymous named pipe, similar pattern, nothing different than what we have seen in WinRM. So a very easy and quick way to hunt for this particular activity, if you are interested in lateral movement, is to look at the PowerShell commands that are specified in red, which do not look like they change, and if you just capture and monitor for that particular command line argument you will

potentially find the Beacon activity in your environment with Sysmon or any EDR software. So now let's talk about some of the Beacon characteristics. Those were very common ones that are specific to one particular command execution, and in the next section I'm going to talk about in general what I have seen during this activity. rundll32.exe: so rundll32 is the default process for spawning child processes, and it typically runs with some DLL name and a function, but the way the Beacon actually executes, it does not provide any DLL name; you will just see rundll32.exe without command line arguments, and that is abnormal for rundll32,

and if you see that, that is a clear indication of the activity. Also, as threat actors run more and more commands, as red teamers run more and more commands, you will see more and more rundll32 without command line execution in the environment, tracked by your Sysmon or your EDR software. wininet.dll: this DLL is used by Beacon to establish communication with the C2. This is loaded by a lot of genuine applications as well, so it's very difficult to tell just by this if it's bad or not, but what I have observed in my research was, if you see this particular DLL being loaded late, that is, the process started like two days ago

and now suddenly it loads this DLL, potentially it is Beacon activity. Named pipes: these are some of the default named pipes used for inter-process communication. As we have learned, most of the commands are fork and run and a child process is created, so to transfer the message between the Beacon and the child process it uses a named pipe, and these are some of the common named pipes I have observed during my study. Now customization of these named pipes is possible and red teamers may do it, but in most of my experience with threat actors they haven't actually changed it; I see just the standard default named pipes during the

compromise. .NET libraries: this is another interesting one. This was with execute-assembly, as I mentioned, the in-memory capability to execute .NET compiled binaries, and in order for that to happen it has to load some of the .NET framework DLLs, like clr.dll, ms dll; there are around 20 to 25 DLLs that it loads during the execution. But the interesting part here is, most of the time what I have seen, even the red teamers, especially with the red teams, they change the child process from rundll32.exe to, like, WerFault, SearchProtocolHost, and all these service exes are native images, that is C++ code, and they generally don't

need .NET libraries. But while monitoring your DLL image loads, if you see and observe a native image loading .NET libraries, it is most probably because it is executing some .NET based code, and that could be one of the ways we can track the activity. Credential dump: when performing a credential dump, especially with the default config, if you see rundll32.exe accessing LSASS or creating a remote thread into LSASS, it is a clear indication of credential dumping using, potentially, Cobalt Strike Beacon. Windows services: again, we have touched on the Windows services a bit earlier; generally six to eight characters, depending on the config. The first one, the service path, is

ADMIN$. I think it was also mentioned in an earlier talk where, when they change tactic from WMI to psexec, you would sometimes see this particular path with ADMIN$ and random characters being referred to in your service path, and that is clearly an indication of either Cobalt Strike Beacon or Metasploit activity. The second one is more or less Cobalt Strike activity. Okay, so we have learned a little bit of Beacon's characteristics; now how about going and investigating them? Ideally, if there was a way I could just point and say okay, this process looks suspicious, I point the analyzer at it and say hey analyzer, can you tell me if this is a Beacon or

not a Beacon, that's my goal here, and this is what I actually wanted to get to. So in order to get to that, as I have mentioned, I have used Sysmon events, and these are some of the events that I was tracking and have used to understand and determine if it's possible to identify Beacon activity. This loosely maps to these; we can use it: process creation, network, image load, remote thread creation; these are some of the common things, and based on my study what I found is, at least for each and every post-exploitation execution, at least one or more of these activities

are observed. Now this does not include Windows event logs; those are in addition to these event logs, and these are some of the mappings. I would not actually go into detail about this mapping for now, but this is something you can later refer to when you get the slides. Now, process 360. I came up with this idea because, a long time back, at a different organization I was working for there was an annual process to review everyone's performance, and the way they performed the performance review was a 360 evaluation, so managers would be including the direct reports and their manager. So I thought maybe I can use the same concept here to

identify, during a process 360 review, if a process is a Beacon or not. So in this process I'll evaluate everything a process does, its child process does, its parent process does and its sibling processes do, and will that tell me if this process is a Beacon or loosely linked to Beacon activity. To do that, as you see, there are almost 10 to 15 different events captured by Sysmon, and for each of those I had to manually run the query, review the content and mark them as related to Beacon characteristics or not, and it was easy for me to do when I started with

one command or two commands, but as I started running more and more commands it was not feasible for me to manually review them, so I had to have some automation in place. So I started writing a small piece of code to help myself, and this is what I actually ended up getting into: I ended up building a tool called go hunt beacon, where what it does is it automatically runs the queries, maps the relationships, and applies the rules to check some of those detections that I have observed, like rundll32, is it running with command line arguments, is it loading clr.dll or wininet.dll; so all those things that I have learned during my

study I put into this particular code, and it looks for those activities. Now it's not complete yet, so there are sections where it's missing things which I know for a fact are Beacon behavior, but I have not actually gone and implemented that in the code. This is a very simple command line: just point it to your Elasticsearch server, and the preferred method here is to hunt for one specific process. It does give you options to hunt based on other things, event ID 8 or CRT, which is CreateRemoteThread, but it's not as perfect as targeting a specific process. Now this is the first command: this is purely the first implant in the target system. I ran the

first command, which is whoami, to understand what I'm doing. After I ran that command I executed the tool that I developed, go hunt beacon, with the parameter I passed, and wanted to know what I observe when I run this whoami command using the shell mechanism. So when I ran that, looking at the output I did observe a few things: it talks about a Beacon-related named pipe detected, which is MSSE, and it talks about an anonymous named pipe being created and connected. I did not actually know that for even just one command I would observe that, but these are some of the things it identified.

Now it also talks about loading wininet.dll, and it says it's loaded within five seconds; so typically when your process starts, everything that's mentioned in the IAT is generally loaded within like five to ten seconds of the process starting, so there was nothing suspicious about that at this stage. However, looking at the named pipe, it will be very clear that this is Beacon activity. Now in regards to the child process, it spawned a cmd.exe, and that did not exhibit any Beacon-like characteristics. Then I spent time running like 10 to 15 different commands, and after running 10 to 15 different commands, when I look at the process parent

process i ran the same command so it was the same command executed again from the gohan beacon with same parameter but after running 10 15 different uh call strike command you will see this report on the left generated for the parent process which is beacon.exe and you see a number of anonymous name pipe created a number of i think one mssc name pipe created you see another randomly uh character um alpha alpha numeric uh named pi being created which is again another beacon um characteristics when it uh wants to communicate with the child process and if you look at the bottom it says as i see more than one um child process created till it says that there is a run dll32.exe

without command line argument and it also gives you the number of times the same child it has seen in the environment on the right you see when you use beacon has stomp command which dumps uh hesses it tells you that the beacon run dll32.exe so it's supposed to say win inet but i think it's missing there uh and also says it access lcs is injected to lcs it also created uh anonymous name pi for communication between the child process and the parent process which is again an indication of b connectivity when i ran this particular one ipconfig there was no such activity detected when i ran again a log on password there again similar characteristics detected through

that particular child process so what's that we have a couple of questions as well before we're running out of time so yeah sir um i'll wrap it up yep quickly go and then i'll cook up a couple of questions sure uh so this this is again when you move uh migrate one a process from one process to another one this is what you would normally see and this is uh what i was referring to you see virtualbox uh loading win98dll after this many seconds which is again indicator of uh cobblestrike beacon uh in conclusion uh what i like to say is uh cobblestrike beacon is really popular and very powerful team uh tool for red teamers lots of features

antivirus may detect the binary but may not actually have name so analysts would not have clear indication with edr telemetry hunting for beacon's characteristics is really possible and and that's the conclusion of my small study about beacon i'd like to thank luke for providing me guidance and help with the process uh the author of a team for providing awesome video youtube video and the guys from switzerland security to um for having awesome suspend config this is some of the references and thank you thank you sean
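The process 360 review and the Beacon characteristics described in the talk (MSSE and anonymous named pipes, rundll32.exe spawned without arguments, wininet.dll loaded long after process start, LSASS access from the child), as an added example that is neither GoHuntBeacon's code nor the speaker's: a small Go program that applies those rules to a constructed Sysmon-style timeline for the target process, its parent, its children and its siblings. The event schema, the "MSSE-" pipe-name prefix, Sysmon's "<Anonymous Pipe>" pipe name, the 10-second "late load" threshold and every sample event are assumptions made for the example; a real implementation would pull the same fields from Elasticsearch instead of a slice.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

type Event struct { // minimal Sysmon-like record; this field set is an assumption made for the example
	ID, PID, PPID                    int       // EventID (1 ProcessCreate, 7 ImageLoad, 10 ProcessAccess, 17 PipeCreated), ProcessId, ParentProcessId
	Time                             time.Time // UtcTime
	Image, Cmd, Loaded, Pipe, Target string    // Image, CommandLine (ID 1), ImageLoaded (ID 7), PipeName (ID 17), TargetImage (ID 10)
}

type Finding struct { // one rule hit; Role is target, parent, child or sibling relative to the reviewed PID
	PID        int
	Role, Rule string
}

var (
	mssePipe = regexp.MustCompile(`(?i)^\\msse-`) // assumption: beacon's SMB/artifact pipe name prefix
	anonPipe = "<Anonymous Pipe>"                  // assumption: Sysmon's PipeName for anonymous pipes
	lateLoad = 10 * time.Second                    // assumption: IAT-driven loads finish well inside this
)

func baseName(p string) string { return p[strings.LastIndexAny(p, `\/`)+1:] }

// evaluate applies the beacon-characteristic rules to one process.
func evaluate(events []Event, starts map[int]Event, pid int, role string) []Finding {
	var out []Finding
	hit := func(rule string) { out = append(out, Finding{PID: pid, Role: role, Rule: rule}) }
	start, started := starts[pid]
	for _, e := range events {
		if e.PID != pid {
			continue
		}
		switch {
		case e.ID == 1 && strings.EqualFold(baseName(e.Image), "rundll32.exe") && len(strings.Fields(e.Cmd)) <= 1:
			hit("rundll32.exe started without command-line arguments") // image paths without spaces assumed
		case e.ID == 17 && mssePipe.MatchString(e.Pipe):
			hit("beacon named pipe created: " + e.Pipe)
		case e.ID == 17 && e.Pipe == anonPipe:
			hit("anonymous named pipe created")
		case e.ID == 7 && started && strings.EqualFold(baseName(e.Loaded), "wininet.dll") && e.Time.Sub(start.Time) > lateLoad:
			hit(fmt.Sprintf("wininet.dll loaded %s after process start", e.Time.Sub(start.Time)))
		case e.ID == 10 && strings.EqualFold(baseName(e.Target), "lsass.exe"):
			hit("access to lsass.exe")
		}
	}
	return out
}

// Process360 reviews the target together with its parent, children and siblings.
func Process360(events []Event, pid int) []Finding {
	starts := map[int]Event{} // EventID 1 record per PID
	for _, e := range events {
		if e.ID == 1 {
			starts[e.PID] = e
		}
	}
	findings := evaluate(events, starts, pid, "target")
	self, ok := starts[pid]
	for _, e := range events {
		switch {
		case e.ID != 1 || e.PID == pid:
		case ok && e.PID == self.PPID:
			findings = append(findings, evaluate(events, starts, e.PID, "parent")...)
		case e.PPID == pid:
			findings = append(findings, evaluate(events, starts, e.PID, "child")...)
		case ok && e.PPID == self.PPID:
			findings = append(findings, evaluate(events, starts, e.PID, "sibling")...)
		}
	}
	return findings
}

// SampleEvents is a constructed timeline, not captured telemetry: beacon.exe (PID 4242) under explorer.exe
// runs "shell whoami", then hashdump, which spawns an argument-less rundll32.exe that opens lsass.
func SampleEvents() []Event {
	at := func(s int) time.Time { return time.Date(2020, 11, 1, 10, 0, s, 0, time.UTC) }
	return []Event{
		{ID: 1, Time: at(0), PID: 1000, PPID: 1, Image: `C:\Windows\explorer.exe`, Cmd: `explorer.exe`},
		{ID: 1, Time: at(0), PID: 4242, PPID: 1000, Image: `C:\Users\u\beacon.exe`, Cmd: `beacon.exe`},
		{ID: 7, Time: at(2), PID: 4242, Loaded: `C:\Windows\System32\wininet.dll`}, // normal IAT-time load
		{ID: 17, Time: at(3), PID: 4242, Pipe: `\MSSE-1234-server`},
		{ID: 1, Time: at(30), PID: 5001, PPID: 4242, Image: `C:\Windows\System32\cmd.exe`, Cmd: `cmd.exe /C whoami`},
		{ID: 17, Time: at(31), PID: 4242, Pipe: anonPipe},
		{ID: 1, Time: at(60), PID: 5002, PPID: 4242, Image: `C:\Windows\System32\rundll32.exe`, Cmd: `rundll32.exe`},
		{ID: 17, Time: at(61), PID: 4242, Pipe: anonPipe},
		{ID: 10, Time: at(62), PID: 5002, Target: `C:\Windows\System32\lsass.exe`},
		{ID: 7, Time: at(90), PID: 1000, Loaded: `C:\Windows\System32\wininet.dll`}, // late load: injected code
	}
}

func main() {
	for _, f := range Process360(SampleEvents(), 4242) {
		fmt.Printf("%-7s pid=%-5d %s\n", f.Role, f.PID, f.Rule)
	}
}
```

Reviewing beacon.exe reports its own MSSE and anonymous pipes, the argument-less rundll32.exe child that opened lsass.exe, and the late wininet.dll load in the parent; reviewing the benign cmd.exe child on its own still surfaces the parent's pipes and the rundll32.exe sibling, which is the point of looking at the whole family rather than one process. The wininet.dll rule deliberately ignores loads inside the first few seconds, matching the talk's observation that IAT-driven loads shortly after start are normal.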