Cobalt Strike - Threat Detection Report
Posted by Insightz Technology, 19-01-2023
COBALT STRIKE
This type of malware is a full-featured remote access tool. It is essentially "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors." Cobalt Strike's interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. Aside from being used as a penetration testing tool, Cobalt Strike can also be used to create "malware" to infect systems and steal data. It allows an attacker to deploy an agent called a "beacon" to an endpoint, and that beacon in turn generates loaders and payloads. These payloads can be used to send back information about the system they have been installed on, receive commands, and communicate with the attackers over the internet, which can grant attackers access to expose and take control of an organization's credentials and assets.
On 10 October 2022, Insightz Technology received alerts and verified that they were related to a Cobalt Strike PowerShell injection at one of its VIP clients. Insightz SOC promptly raised an incident report. Using Insightz MSSP and Insightz EDR, the team was able to halt a threat that could have compromised the organization's Finance Department. In addition, Insightz EDR actively blocked all of the malicious IP addresses it detected during that time. Throughout the investigation, Insightz Technology observed the following suspicious events, most of which were common to the affected servers:
- registry entries added for persistence
- a suspicious executable registered as a service for persistence
- enumeration of all executable file paths, RDP session details, and system information
- several log-clearing events that indicate a threat actor
- removal of evidence of activity, and attempts to escalate to "System" privilege
- new local admin users created
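The indicators above are the kind a SOC would correlate per host before recommending isolation. As an added example (not Insightz tooling, and not data from the incident), the script below maps standard Windows Security, System, Sysmon and PowerShell event IDs onto those indicator categories and flags hosts that show several of them; the hostnames, service name, user name and registry paths in the sample records are constructed.

```python
"""Per-host triage of Windows event records against the indicator categories
in the report: registry/service persistence, log clearing, local admin
creation, PowerShell execution. Added example; sample records are constructed."""
from collections import Counter

# (log source, event ID) -> indicator category. These are standard IDs:
# Security 1102/4720/4732, System 7045, Sysmon 13 (registry value set),
# PowerShell 4104 (script block logging).
RULES = {
    ("Security", 1102): "log_cleared",
    ("Security", 4720): "local_user_created",
    ("Security", 4732): "added_to_local_group",
    ("System", 7045): "service_installed",
    ("Sysmon", 13): "registry_value_set",
    ("PowerShell", 4104): "powershell_scriptblock",
}
RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")

def classify(ev):
    """Return the indicator category for one event record, or None."""
    cat = RULES.get((ev["log"], ev["id"]))
    if cat == "added_to_local_group" and ev.get("group") != "Administrators":
        return None  # only additions to the local Administrators group
    if cat == "registry_value_set" and not any(k in ev.get("key", "") for k in RUN_KEYS):
        return None  # only autorun keys count as persistence
    return cat

def triage(events, threshold=3):
    """Count categories per host; hosts with >= threshold distinct
    categories are returned for isolation review."""
    per_host = {}
    for ev in events:
        cat = classify(ev)
        if cat:
            per_host.setdefault(ev["host"], Counter())[cat] += 1
    flagged = sorted(h for h, c in per_host.items() if len(c) >= threshold)
    return per_host, flagged

SAMPLE = [  # constructed records, not taken from the incident
    {"host": "FIN-SRV01", "log": "PowerShell", "id": 4104},
    {"host": "FIN-SRV01", "log": "System", "id": 7045, "service": "updsvc"},
    {"host": "FIN-SRV01", "log": "Sysmon", "id": 13,
     "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"host": "FIN-SRV01", "log": "Security", "id": 4720, "user": "svc_backup2"},
    {"host": "FIN-SRV01", "log": "Security", "id": 4732, "group": "Administrators"},
    {"host": "FIN-SRV01", "log": "Security", "id": 1102},
    {"host": "HR-WS07", "log": "Security", "id": 4732, "group": "Remote Desktop Users"},
    {"host": "HR-WS07", "log": "Sysmon", "id": 13, "key": "HKCU\\Software\\App\\Setting"},
]

if __name__ == "__main__":
    hosts, flagged = triage(SAMPLE)
    print({h: dict(c) for h, c in hosts.items()}, "review for isolation:", flagged)
```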
Insightz SOC immediately recommended isolating the affected servers, while the Insightz SOC remained all hands on deck monitoring and investigating. Constant communication in the form of hourly advisories and critical incident notifications from Insightz Customer Service and the SOC Team was kept in place. The Insightz SOC Team also provided remediation for each affected server. The isolated servers were released after 7 days of close monitoring by the team.
Among Insightz's general recommendations, two that really helped with real-time detection and swift response were Insightz EDR and Insightz MXDR. Since Insightz EDR detects and defuses fileless malware, the Insightz SOC Team strongly recommends onboarding any remaining assets without it to EDR as well. As these kinds of incidents become inevitable, one of the best ways to prevent them from happening to your business is to invest in a cybersecurity partner that can oversee your organization's security posture through a 24/7 Managed Detection and Response solution. Insightz Technology offers increased visibility, enhanced endpoint protection, and quicker response, which is truly ideal if an incident like Cobalt Strike happens. Protect your assets and save your business from all the hassles and predicaments. Security meets simplicity with Insightz Technology.