While the comprehensive attack framework Cobalt Strike has proven invaluable to legitimate red teams and pen test efforts over the years, it has also become a favorite tool of threat actors seeking to deploy malware and ransomware.
In recent weeks, Microsoft and Google have spearheaded efforts to mitigate the threat from malicious Cobalt Strike usage by providing resources to help block associated domains and hunt potential persistent infections. These include known Indicators of Compromise, file hashes, and associated domains.
It’s recommended that administrators and threat hunters utilize these free resources to build a better defense against Cobalt Strike-enabled threats.
What is Cobalt Strike?
Cobalt Strike is a commercial adversary simulation software package that consists of multiple components for deploying post-exploitation activity and long-term embedded resident malware on target systems:
- Cobalt Strike is the command and control (C2) application itself. This has two primary components: the team server and the client.
- BEACON is the default malware payload used to create a connection to the team server. Active callback sessions from a target are also called “beacons” and can include a Stager and/or a backdoor that runs in memory to assist in making persistent connections to the C2.
The framework is extremely customizable with additional packages that seemingly make malware and ransomware deployment terrifyingly simple.
While Cobalt Strike was developed specifically to facilitate legitimate red teaming operations, cracked versions are what have been weaponized by threat actors.
What Can I Do To Defend Against Cobalt Strike?
The fact that Cobalt Strike is a commonly used framework to develop malware should in theory make it a little easier to detect and block. However, many common endpoint protection and EDR vendors still don’t have confirmed detections. These include Crowdstrike, Microsoft Defender, Malwarebytes, TrendMicro, and Symantec.
There are three main tactics you can utilize to implement a defense:
- Utilize known detection data in your endpoint protection tooling
Collect IoCs and any other available definitions to aid detection. Examples include Google’s repository of YARA files (GCTI) that allow hex inspection, known file hashes, IP addresses, etc.
- Block associated malicious domains
Since Cobalt Strike utilizes a C2 architecture, it will rely on host domains to connect to its server for control and updates. By blocking these at the firewall or with a web proxy, you can sever or prevent the connection. Microsoft has launched a lawsuit to facilitate takedowns of illicit cracked versions of Cobalt Strike.
- Hunt for known malicious files used by Cobalt Strike
Many of the extended kits for Cobalt Strike are packaged into DLLs that may persist on an infected host’s file system.
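As an added example that is not part of the original post or any vendor’s tooling, the script below applies the three tactics above to local data: it matches proxy log entries against a domain/IP blocklist (tactic 2), and hunts a directory for DLLs whose SHA-256 matches a known-bad hash set (tactics 1 and 3). Every domain, IP address, hash and log line in it is a constructed placeholder (documentation ranges and `.invalid` names), not a real Cobalt Strike indicator; in practice the sets would be loaded from the feeds linked at the end of the post.

```python
"""Added example: match proxy logs and on-disk DLLs against an IoC set.

All indicators and log lines below are CONSTRUCTED placeholders, not real
Cobalt Strike IoCs. Replace the sets with the GCTI / XLSX feed contents.
"""
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed blocklist (assumed format: bare hostnames / IPv4 strings).
BLOCKED_DOMAINS = {"c2-placeholder.invalid", "beacon-placeholder.invalid"}
BLOCKED_IPS = {"203.0.113.10"}  # TEST-NET-3 documentation range

# Constructed "known bad" hash: SHA-256 of a stand-in payload, not a real IoC.
SAMPLE_PAYLOAD = b"constructed stand-in for a malicious DLL"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

# Constructed Squid-style access.log lines:
# timestamp elapsed client code/status bytes method url user hierarchy type
CONSTRUCTED_LOG = [
    "1700000000.123 120 10.0.0.5 TCP_TUNNEL/200 4312 CONNECT api.c2-placeholder.invalid:443 - HIER_DIRECT/203.0.113.10 -",
    "1700000001.456 80 10.0.0.7 TCP_MISS/200 9876 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.20 text/html",
    "1700000002.789 60 10.0.0.9 TCP_MISS/200 512 GET http://203.0.113.10/index.html - HIER_DIRECT/203.0.113.10 text/plain",
]


def domain_is_blocked(host: str) -> bool:
    """True if host is a blocked IP, or is a blocked domain or a subdomain of one.

    A blocklist entry for an apex domain should also cover its subdomains, so
    every parent suffix of the host is checked, not just the exact name.
    """
    host = host.lower().rstrip(".")
    if host in BLOCKED_IPS:
        return True
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def host_from_url(url: str) -> str:
    """Extract the host from a logged URL; CONNECT entries log a bare host:port."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.split(":", 1)[0]


def scan_proxy_log(lines):
    """Return one hit dict per log line whose destination host is on the blocklist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed or truncated line
        ts, client, method, url = parts[0], parts[2], parts[5], parts[6]
        host = host_from_url(url)
        if domain_is_blocked(host):
            hits.append({"ts": ts, "client": client, "method": method, "host": host})
    return hits


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_files(root: Path, suffixes=(".dll",)):
    """Walk root and return (path, digest) for files with a known-bad hash."""
    matches = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            digest = sha256_of(p)
            if digest in KNOWN_BAD_SHA256:
                matches.append((p, digest))
    return matches


def demo_hunt() -> list:
    """Build a throwaway directory with one stand-in bad DLL; return flagged file names."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bad.dll").write_bytes(SAMPLE_PAYLOAD)
        (root / "ok.dll").write_bytes(b"benign contents")
        (root / "note.txt").write_bytes(SAMPLE_PAYLOAD)  # right hash, wrong suffix: skipped
        return [p.name for p, _ in hunt_files(root)]


if __name__ == "__main__":
    for hit in scan_proxy_log(CONSTRUCTED_LOG):
        print("proxy hit:", hit)
    print("file hunt hits:", demo_hunt())
```

Run it as-is to see the two constructed proxy hits (a subdomain of a blocked apex, and a direct-to-IP request) and the one flagged DLL; to use it for real, replace the three constant sets with the feed data and point `hunt_files` at the directories your EDR does not already cover.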
Domains & IPs
Below is a table of known domains associated with malicious Cobalt Strike usage. Block them at the firewall or proxy level.
|Cobalt Strike Domains|
For the full list of IP addresses and domains, download our XLSX file compiled by our threat hunting team.
- Mandiant article on Cobalt Strike architecture
- Google GCTI repository for Cobalt Strike
- Microsoft Takes Legal Action
- Novacoast TOPS list of Cobalt Strike domains and IPs