The Google Cloud Threat Intelligence team has open-sourced YARA Rules and a VirusTotal Collection of indicators of compromise (IOCs) to help defenders detect Cobalt Strike components in their networks.
Security teams will also be able to identify Cobalt Strike versions deployed in their environment using these detection signatures.
“We are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions,” said Google Cloud Threat Intelligence security engineer Greg Sinclair.
“We decided that detecting the exact version of Cobalt Strike was an important component to determining the legitimacy of its use by non-malicious actors since some versions have been abused by threat actors.”
This improves detection of malicious activity by targeting non-current Cobalt Strike releases (potentially leaked and cracked versions), since it makes it easier to differentiate between legitimate deployments and those controlled by threat actors.
As Google explained, cracked and leaked releases of Cobalt Strike are, in most cases, at least one version behind, which allowed the company to collect hundreds of stagers, templates, and beacon samples used in the wild to build YARA-based detection rules with a high degree of accuracy.
“Our goal was to make high-fidelity detections to enable pinpointing the exact version of particular Cobalt Strike components. Whenever possible, we built signatures to detect specific versions of the Cobalt Strike component,” Sinclair added.
Google has also shared a collection of detection signatures for Sliver, a legitimate and open-source adversary emulation framework designed for security testing that has also been adopted by malicious actors as a Cobalt Strike alternative.
Cobalt Strike (made by Fortra, previously known as Help Systems) is a legitimate penetration testing tool under development since 2012. It has been designed as an attack framework for red teams who scan their organizations’ infrastructure to find vulnerabilities and security gaps.
While the developer is attempting to vet customers and will only sell licenses for legitimate uses, cracked copies of Cobalt Strike have also been obtained and shared by threat actors over time.
This has led to Cobalt Strike becoming one of the most common tools used in cyberattacks that could lead to data theft and ransomware.
In such attacks, it is used by threat actors for post-exploitation tasks after deploying so-called beacons that provide them with persistent remote access to compromised devices.
With the help of beacons deployed on the victims’ networks, the attackers can access compromised servers to harvest sensitive data or deploy further malware payloads.
Researchers with security firm Intezer have also revealed that threat actors developed their own Cobalt Strike-compatible Linux beacon, Vermilion Strike, and have been using it since August 2021 to gain persistence and remote command execution on both Windows and Linux devices.