
Thank you very much. Awesome. So yeah, I'm going to be giving my talk, Beacon Harvest: Conquering Cobalt Strike at Scale. Before I get started, I just want to say thank you all for coming to see me talk. It is a privilege being at BSides Exeter for the second year in a row. It's been a fantastic day so far, so many great talks, so I hope I live up to the standard of the rest. So yeah, without further ado, let's get on with it.

Quick agenda. I'm going to start with an obligatory "who am I". At the core of this talk is gathering threat intelligence and looking at threat data, so we're going to go through the foundations of what threat intelligence is, why it's important, and how we can gather it. Then we're going to be looking at Cobalt Strike. Cobalt Strike is what we call a C2 framework; we're going to get into this later. Then we're going to look at the configurations of Cobalt Strike and look at how we can automate the extraction of these configurations from data online, from malware samples online. We're going to have a quick look at this data and see if we can see any interesting insights, and then we're going to wrap up.

Before I get started, I just want to understand: are there any red teamers in this room? Any pen testers? Okay, there's one or two. Has anybody used Cobalt Strike at all?

>> Just on training.

>> Just on training. Okay, cool. Just interested. That's good. We'll go for it right from the beginning.

So, who am I? I'm Ben. I go by the online handle Polygon Ben. I currently work as an analyst at one of Accenture's security operations centers. I've got a blog and a YouTube channel where I post content relating to CTF writeups, walkthroughs and malware analysis. I really enjoy DFIR, digital forensics and incident response. I enjoy malware analysis and threat hunting. But yeah, let's get to the interesting part.

What is threat intelligence? Right, I mentioned this whole talk is about gathering threat intelligence and gathering this threat data. The UK National Cyber Security Centre define threat intelligence as "evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." So, it's a big definition. Let's break this down a little bit.

The first part of the definition is evidence-based knowledge, including context, mechanisms, and indicators. This is the actual intelligence that we're talking about. It's the intelligence relating to a particular threat group, threat actor, whether this is an APT, a cyber criminal, whoever. This is the data we've got on a threat group. And that data can come in various different formats. And it's important to mention this is evidence-based knowledge. So, we're not just making up random data and guessing, right? We're getting this data and it's evidence-backed. So whether this is from a past intrusion or from a sample of malware, it can be trusted and it can be attributed to a threat actor.

The second part of this definition is about an existing or emerging menace or hazard. This is the threat. This is the cyber criminal. And then finally, "that can be used to inform decisions regarding the subject's response to that menace or hazard." This is the threat-informed defense. This is the reason we do threat intelligence: so we can tailor our defense strategy to a particular threat, or from some intelligence on a threat. So this is the reason why we do it; if we couldn't get anything out of threat intelligence, we wouldn't be practicing it. And it can really help our defenses, having knowledge of threats. So yeah, that is threat intelligence.

I want to go over why it's important, and I'm going to take some analogies from the military. By the way, threat intelligence, cyber threat intelligence, CTI, is just a subset of threat intelligence which involves threats on the internet: cyber threats, cyber criminals. In the military, if you're in the battlefield, let's say, and you're at war, you want as much information as possible on your adversary. You want to know what weapons they're using. You want to know how they're transporting whatever, how they're moving. And you get this via intelligence. In the same way, in the cyber threat intelligence world, we want to know what threat actors are out there. We want to know what tools they use. We want to know how they move around networks, and so on and so forth. It's super important in the military and it's really important in the CTI world if you're in a SOC or you're in an IR team. Having that sort of threat intelligence capability, having that data