Since its inception, Cobalt Strike has become one of the most popular threat emulation tools used by red teams. Because it packages so many sophisticated post-exploitation techniques, it has also grabbed the attention of cybercriminals.
Slowly but surely, intrusions built on Cobalt Strike are becoming more and more common. From targeting military and government installations to letting advanced persistent threat groups move laterally through a network, it is a far more serious threat than most businesses might think.
In this article, you will learn seven effective ways to identify Cobalt Strike activity on your network and block it before it does damage.
What is Cobalt Strike and How Does it Work?
Cobalt Strike is a commercial adversary simulation tool built to run targeted attacks against a network. It usually gets its first foothold through a social engineering element, such as a spear-phishing attachment or link. Once its Beacon payload is running on a host, it can execute commands covertly, pivot through the compromised machine (including VPN pivoting), and give the operators team collaboration and reporting capabilities.
Cobalt Strike follows a client-server model: each red team member runs a Cobalt Strike client that connects to a shared team server, commonly hosted on a VPS. Because the team server handles all connections to and from the compromised hosts, it gives the operators complete control from one place. Cobalt Strike is commonly used to deliver spear-phishing campaigns, gain and keep unauthorized access to systems, and emulate different types of malware and other advanced threats, which is exactly why real attackers use it too.
How to Detect Cobalt Strike on Your Network?
Here are seven ways to identify Cobalt Strike on your network.
1. Keep an Eye on Popular Services
After exploiting a host, Cobalt Strike's Beacon usually disguises its command-and-control (C2) traffic as a frequently used service so it is much harder to detect. Its Malleable C2 feature lets attackers reshape the C2 traffic to their liking: the URIs, headers, user agent, timing and body encoding are all defined in a profile, so the traffic can be made to look like legitimate requests to these popular services and applications.
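To make that reshaping concrete, here is a small Malleable C2 profile fragment written for this article (it is not taken from the page's source or from any Cobalt Strike distribution). The hostname, URIs and user agent are placeholder values chosen to look like a CDN update check; a real profile would be tuned to whatever service the operator wants to imitate.

```text
# Illustrative Malleable C2 profile fragment (placeholder values)
set sleeptime "60000";   # check in every 60 s ...
set jitter "10";         # ... minus a random 0-10 %, so gaps land between 54 s and 60 s
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36";

http-get {
    set uri "/updates.rss";                 # GET path an analyst sees in proxy logs
    client {
        header "Host" "cdn.example.com";    # Host header chosen by the operator
        header "Accept" "*/*";
        metadata {
            base64url;
            header "Cookie";                # Beacon session metadata hidden in a cookie
        }
    }
    server {
        header "Content-Type" "application/octet-stream";
        output {
            print;                          # tasking returned in the response body
        }
    }
}

http-post {
    set uri "/submit.php";
    client {
        header "Content-Type" "application/octet-stream";
        id {
            parameter "id";                 # session id sent as ?id=...
        }
        output {
            print;                          # command output in the POST body
        }
    }
    server {
        output {
            print;
        }
    }
}
```

Every value in that profile (sleep and jitter, user agent, Host header, URI paths, where the metadata is hidden) is exactly what the detections in the rest of this article key on, and every one of them is under the attacker's control, which is why no single indicator should be trusted on its own.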
2. Look for Hidden Shellcode
Most antivirus products use sandboxing to vet executable files: the sandbox is a separate environment in which the file is run and observed, so if it is malicious it cannot affect other systems. The problem with Cobalt Strike is that its default artifacts smuggle the shellcode to themselves over a named pipe. If the sandbox is not capable of emulating named pipes, the shellcode never executes inside it and the sample slips through the cracks unnoticed. What's more, attackers can tweak these artifacts or build new techniques of their own with the Cobalt Strike Artifact Kit.
3. Monitor Key Network Indicators
Cobalt Strike can hide its shellcode and mimic popular services, so how can a business identify it on its network? By analyzing the network traffic. Most Beacons evade security tooling by talking to the team server over HTTPS, which encrypts the requests that would otherwise give them away. To see them you will have to use transport-layer security (TLS) inspection, which lets you distinguish bot traffic from legitimate traffic. Even where decryption is not possible, the TLS metadata (server name, certificate, connection timing) can still be analyzed; where it is, you can go further and critically analyze the data inside the HTTPS requests themselves.
4. Track Network Communications
The best way to differentiate bot-based traffic from legitimate human traffic is to look at the frequency of communication to a target. One of the main differences is that bot-generated traffic is uniform and consistent, while legitimate human traffic varies over the course of time. A Beacon checks in on a fixed sleep interval, and even with jitter applied the gaps stay within a predictable band, so the regularity stands out once you have enough samples. You should also remember that traffic coming from a bot is not always malicious: update checks and monitoring agents beacon too. Dig deeper into the traffic flow and you can usually tell the difference between malicious and legitimate bot traffic.
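The regularity check in a few lines of Python, written for this article (it is not a tool from the page or from Cobalt Strike's authors). It assumes a minimal connection log in the form `<epoch seconds>,<source IP>,<destination host>`; the log lines, addresses and hostnames below are constructed for the demonstration.

```python
"""Flag beacon-like connection timing in a simple connection log.

Added example for this article; not tooling from Cobalt Strike or any vendor.
Assumed log format: one line per connection, "<epoch seconds>,<src ip>,<dst host>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample. 10.0.0.5 -> cdn.example.com checks in on a 60 s sleep with
# 10 % jitter (gaps of 54-60 s); 10.0.0.7 -> mail.example.net is bursty human use.
SAMPLE_LOG = """\
1700000000,10.0.0.5,cdn.example.com
1700000058,10.0.0.5,cdn.example.com
1700000113,10.0.0.5,cdn.example.com
1700000173,10.0.0.5,cdn.example.com
1700000230,10.0.0.5,cdn.example.com
1700000284,10.0.0.5,cdn.example.com
1700000343,10.0.0.5,cdn.example.com
1700000399,10.0.0.5,cdn.example.com
1700000459,10.0.0.5,cdn.example.com
1700000005,10.0.0.7,mail.example.net
1700000007,10.0.0.7,mail.example.net
1700000009,10.0.0.7,mail.example.net
1700000140,10.0.0.7,mail.example.net
1700000141,10.0.0.7,mail.example.net
1700000600,10.0.0.7,mail.example.net
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair, sorted by time."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split(",")
        pairs[(src, dst)].append(int(ts))
    for times in pairs.values():
        times.sort()
    return pairs


def interval_stats(times):
    """Return (count, mean gap, coefficient of variation) for sorted timestamps.

    CV is None when there are fewer than two gaps or the gaps average zero
    (a burst inside one second is not a sleep loop).
    """
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return len(times), 0.0, None
    avg = mean(gaps)
    if avg == 0:
        return len(times), 0.0, None
    return len(times), avg, pstdev(gaps) / avg


def find_beacons(text, min_events=6, max_cv=0.2):
    """Return {(src, dst): stats} for pairs whose gaps are regular enough to
    look like a Beacon sleep loop. A low CV means uniform timing."""
    hits = {}
    for pair, times in parse_log(text).items():
        count, avg, cv = interval_stats(times)
        if count < min_events or cv is None or cv > max_cv:
            continue
        hits[pair] = {"count": count, "mean_gap": avg, "cv": cv}
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {stats['count']} connections, "
              f"mean gap {stats['mean_gap']:.1f} s, CV {stats['cv']:.3f}")
```

For each source/destination pair the script computes the gaps between successive connections and their coefficient of variation (standard deviation divided by the mean). The sample Beacon with a 60-second sleep and 10 % jitter yields a CV of about 0.04; with uniform jitter of up to 50 % the CV is still only about 0.19, so a 0.2 threshold catches it, while the human browsing pair comes out above 1. Raise `min_events` on a busy network, and feed flagged pairs into the destination-domain and header checks rather than blocking on timing alone, because update checks and monitoring agents are just as regular.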
5. Control User Agents
There are instances where the origin of bot traffic is not clear. When you analyze the user agents behind TLS traffic they may look legitimate, because they claim to be ordinary web browsers. The problem is that the User-Agent header is just a string the client chooses, and a Malleable C2 profile lets the attacker set it to whatever browser they want to imitate. Treat it as a weak signal, but an actionable one: whenever your system flags a request with an unspecified or missing user agent, or one that no browser in your estate would send, that is a warning sign you cannot afford to ignore.
6. Observe Destination Domain
When one such C2 domain was submitted to VirusTotal, only 7 of the 93 antivirus engines tagged it as malicious. That is alarming considering the rise in the number of malicious domains, and it clearly shows that businesses should not rely solely on antivirus software to protect them from the latest threats but use it in conjunction with other security tools. Despite the poor engine coverage, vendor reputation models can still classify the domain as malicious, which gives you another indicator of compromise, a network artifact pointing at an intrusion.
7. Check Host Header and URI
When analyzing packet data, dig deeper and look at the HTTP Host header. It may name a legitimate website while the connection actually goes to a malicious server: a Malleable C2 profile lets the operator set any Host value, so a mismatch between the Host header and the real destination (the TLS server name or the IP the packets go to) is a strong indication of a Cobalt Strike profile at work. Then check the uniform resource identifier of the flow; you may find a URI matching a known Cobalt Strike Malleable C2 profile. Blocking on that URI alone is not the solution, since the profile can be changed in minutes, and blocking the whole domain would also cut off any legitimate traffic to it. Block the C2 destination itself and isolate the host that was talking to it. Make sure you follow these steps in order to protect your network against Cobalt Strike attacks.
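The user-agent, Host-header and URI checks from points 5 and 7 as one Python script, added here and not part of the original article or of any vendor tool. It assumes a TLS-inspecting proxy that logs the client's TLS server name (SNI), the HTTP Host header, the URL and the User-Agent; the records below are constructed, and the URI list is the handful of paths from Cobalt Strike's stock HTTP profile, which operators usually replace, so a hit is a lead rather than proof.

```python
"""Inspect HTTP(S) proxy records for Cobalt Strike-style C2 indicators.

Added example for this article; not from the original page or any vendor tool.
Assumes a TLS-inspecting proxy that logs SNI, Host header, URL and User-Agent.
"""
from urllib.parse import urlsplit

# GET/POST paths from Cobalt Strike's stock HTTP profile. Operators normally
# change them in a custom profile, so a match is a lead, not proof.
DEFAULT_BEACON_URIS = {
    "/submit.php", "/__utm.gif", "/pixel.gif", "/dpixel", "/ca",
    "/activity", "/fwlink", "/updates.rss", "/IE9CompatViewList.xml",
}

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"

# Constructed sample records (hosts and addresses are placeholders).
SAMPLE_RECORDS = [
    # ordinary browsing: nothing fires
    {"src": "10.0.0.9", "sni": "www.example.org", "host": "www.example.org",
     "method": "GET", "url": "https://www.example.org/index.html",
     "user_agent": BROWSER_UA},
    # stock-profile Beacon POST hiding behind a convincing browser user agent
    {"src": "10.0.0.5", "sni": "cdn.example.com", "host": "cdn.example.com",
     "method": "POST", "url": "https://cdn.example.com/submit.php?id=27",
     "user_agent": BROWSER_UA},
    # Host header names a different site than the TLS server name; no user agent
    {"src": "10.0.0.5", "sni": "cdn.example.com", "host": "c2front.example.net",
     "method": "GET", "url": "https://cdn.example.com/news/latest",
     "user_agent": ""},
]


def inspect_record(rec):
    """Return the names of the indicators that fire on one proxy record."""
    findings = []
    if not (rec.get("user_agent") or "").strip():
        findings.append("missing_user_agent")
    sni = (rec.get("sni") or "").lower()
    host = (rec.get("host") or "").lower().split(":")[0]   # drop any :port
    # A Host header that differs from the TLS server name is either a fronted
    # connection or a Host value set by the C2 profile. Some CDN setups do this
    # legitimately, so correlate with the other checks before acting.
    if sni and host and host != sni:
        findings.append("host_sni_mismatch")
    path = urlsplit(rec.get("url") or "").path
    if path in DEFAULT_BEACON_URIS:
        findings.append("default_beacon_uri")
    return findings


def triage(records):
    """Map record index -> findings, skipping records where nothing fired."""
    result = {}
    for i, rec in enumerate(records):
        findings = inspect_record(rec)
        if findings:
            result[i] = findings
    return result


if __name__ == "__main__":
    for i, findings in triage(SAMPLE_RECORDS).items():
        rec = SAMPLE_RECORDS[i]
        print(f"{rec['src']} {rec['method']} {rec['url']}: {', '.join(findings)}")
```

The three indicators are deliberately independent: the second record passes the user-agent and Host checks and is caught only by its stock URI, while the third record has an innocuous path and is caught by the empty User-Agent and the Host/SNI mismatch. When something fires, respond on the destination (the SNI or IP the source is actually talking to) and isolate the source host, rather than dropping the bare path, since the next profile will use a different one.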
The growing number of Cobalt Strike intrusions and the diversity of their targets make them difficult to track, but if you know where to look you can not only identify them early but also react to them in a timely manner. Closely monitor the key network indicators, hidden and malicious code, and traffic that imitates popular services. Don't forget to check the Host header, the URI and the user agents. By keeping a close eye on all these elements, you can detect Cobalt Strike on your network and minimize the damage by acting quickly.
How do you protect your network from Cobalt Strike? Let us know in the comments section below.