Introduction to the Framework
Cobalt Strike (CS) is a paid penetration testing toolkit that allows an attacker to deploy a component named Beacon on a victim’s machine. The simplicity, reliability, and versatility of CS make it very popular among threat actors—and there are plenty of cracked versions of CS available on the dark web. Given this reality, it’s been used frequently in recent cyber-attacks.
CS provides a wealth of functionality to the attacker, including command execution, keylogging, file transfer, privilege escalation, port scanning, lateral movement, and more. The framework is split into two components: client and server. The server module, also known as the team server, is the controller of the Beacon payload. Using this module, the attacker can issue commands to an infected host, track their execution, and make use of all of the framework's capabilities.
Cobalt Strike Beacon
The Beacon, which is the main component used to target accounts, allows its operators to execute commands, log keystrokes, drop files, and communicate with targeted systems. CS is primarily used as a post-exploitation tool, leveraged by attackers after they already have a foothold on a system and want to remain hidden.
Deploying a Beacon and keeping its communication hidden from security products and teams is a critical task for adversaries. The Beacon has several communication methods to make this happen, including HTTP, HTTPS, DNS, and SMB. By default, the Beacon reaches out to its C2 periodically, sending metadata back and collecting any commands issued by the operator. The Beacon console allows the attacker to monitor which tasks were issued to a Beacon and track their status, check the output of commands, and find additional information on targets.
How Attackers Use Cobalt Strike
Even though CS is a paid penetration testing product, it is incredibly popular due to its wealth of capabilities and the ease with which new features can be added and existing ones modified. This flexibility allows attackers to implement their own tools, use the built-in tools, or integrate other penetration testing tools such as the Metasploit framework and Mimikatz. By design, the main use of CS is as a post-exploitation tool that allows attackers to gather information, harvest credentials, and deploy other payloads on an infected host. That also means that it is not designed to gain initial access to a system, even though it does have components that can help with gaining access, such as its VBA macro and Windows executable generators.
Privilege Escalation and Lateral Movement
Command and Control Communication
Protection from Cobalt Strike
Deep Instinct prevents the CS framework and its components at all attack stages. The first possible attack vector is loaders. Whether they are Windows executables or Office documents, we prevent them and stop the attack chain at the earliest possible stage by using deep learning-based static analysis.
In the event that an attacker has already gained access to a victim's system and is trying to deploy a Beacon, our behavioral capabilities can spot in-memory actions such as DLL injection and shellcode execution and prevent these post-exploitation attempts from running. In addition, our deep learning-based static analysis and behavioral analysis for PowerShell will prevent malicious PowerShell activity.
Cobalt Strike is a paid penetration testing product in continual development, and its team builds the framework with the most advanced and up-to-date offensive features and capabilities. Since CS is used by both security teams and threat actors for the same purposes, it poses a serious and ongoing threat to security products, organizations, and individuals.
Using our advanced deep learning-based static analysis and behavioral capabilities, customers of Deep Instinct can rest assured that they have protection against Cobalt Strike and its capabilities, as the attack is detected and prevented in a matter of milliseconds.
To see our capabilities for yourself, request a demo via our contact us form.