![]() "Cobalt Strike is chosen for the second stage of the attack as it offers enhanced post-exploitation capabilities. QakBot), Ursnif, Hancitor, Bazar and TrickBot," DFIR Report says in its Cobalt Strike Defender's Guide, published in August. "Some of the most common droppers we see are IcedID (a.k.a. "Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage," says the digital forensics and incident response threat intelligence group DFIR Report. Cybersecurity and Infrastructure Security Agency) Other attackers regularly use Cobalt Strike for "lateral movement," meaning the endpoint becomes the beachhead in a lengthier attack, during which they'll typically attempt to escalate privileges, access Active Directory Domain Controller, and use that to steal sensitive data, infect systems with crypto-locking malware and more. Earlier this month, security researchers warned that Emotet malware was pushing Cobalt Strike implants - referred to in Cobalt Strike-speak as beacons - directly onto infected endpoints, so attackers could more quickly evaluate the endpoint and see if they wished to escalate the attack, for example, by pushing ransomware onto the endpoint. Such software gets wielded in standalone attacks, and sometimes also at scale. One increasingly used tool is Cobalt Strike, which is marketed by its makers as "software for adversary simulations and red team operations." But attackers regularly use cracked copies of the tool to build botnets.įor organizations that do not use Cobalt Strike, experts say the security message is simple: monitoring for the software inside a network can reveal an attack in progress. Red-Team Toolsīeyond using already installed tools or functionality to target organizations, attackers will sometimes use commercially available hacking tools for - you guessed it - criminal hacking purposes. government alert warned attackers were using living-off-the-land tactics to exploit a vulnerability in Zoho's single sign-on and password management tool. Take living off the land: In March, Microsoft warned that attackers were wielding Azure "LoLBins," aka "living off the land binaries" with an extra helping of hacker lulz - which refers to weaponizing preinstalled, legitimate binaries built to run on Windows or Linux. Neither type of threat is new, but both continue to bedevil organizations. "Most modern security software should have process and file-access control that can be configured for tools like PowerShell, but a lot of organizations might not be aware of this." The trouble with detecting and blocking such attacks, which are launched by both criminal and nation-state hackers, is that they're designed to look legitimate. See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense Accordingly, organizations must monitor for both, to better identify potential intrusions. ![]() The research paper on Lateral Movement from JPCERT, linked in the references below, is a definitive resource on this topic and covers many other techniques aside from PsExec.Attackers continue to use the legitimate Cobalt Strike tool set to target victims.Īttackers continue to employ commercial penetration testing tools as well as "living off the land" tactics - using legitimate tools or functionality already present in a network - to exploit victims. Many will be familiar with its use amongst system administrators, and many threat actors have used it as a means of lateral movement! In terms of detection opportunities, we’re going to be focusing largely on the event log entries that it produces, augmenting this with telemetry from Sysmon. In several cases, we’ve also taken a look at the code bases of our attacker tooling to identify opportunities to detect it.įor this lab, we’re going to be taking a look at the SysInternals tool, PsExec. We also used object access audit logs for the purposes of detecting share access and our use of an exposed share for pivoting using C3. ![]() In the previous labs ( here, here and here), we’ve looked at Discovery techniques for enumerating users and groups, and opportunities to detect this based on suspicious LDAP queries using telemetry from ETW. As with previous workshops, the following blog provides a fourth step-by-step guide to recreating the demos from that Discovery and Lateral Movement workshop, as well as exercises to further the reader's understanding of the concepts shown.Ī recording of the workshop can be found here. ![]() We also explored the detection strategies that can be employed to spot these using our own detection stacks. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |