Detecting maliciously used Cobalt Strike infrastructure

A few months ago, Google Cloud shared that it has identified 34 cracked versions of Cobalt Strike and released YARA Rules to detect specific versions of Cobalt Strike more likely to be leveraged by threat actors. The goal behind Google Cloud’s research is to make Cobalt Strike “harder for bad guys to abuse,” and IronNet believes a proactive approach to Cobalt Strike server detection is key in this community effort. 

Detecting the use of Cobalt Strike has become essential for network defenders, especially as this legitimate pentesting tool has become so popular among cyber adversaries in recent years. Among other C2 frameworks exploited by adversaries – such as Covenant, Sliver, Empire, and Metasploit – Cobalt Strike has remained a favorite of threat actors. While Cobalt Strike is still the most widely abused framework, however, threat actors are also pivoting to alternative frameworks – such as Sliver – that are easier to acquire, have more operational security, and are less likely to be detected. Accordingly, as Google Cloud provided YARA signatures for only specific versions of cracked Cobalt strike, detection gaps still remain. 

The need for threat intel to “shift left”

This shift toward alternative frameworks is likely in response to the cybersecurity community developing improved detection capabilities for identifying attacker infrastructure, especially in relation to Cobalt Strike. While these improvements have been significant, the majority of C2 detection capabilities and threat intel feeds are still reactive, meaning the intel is often shared only because someone else has experienced that attack before. As threat actors adopt more evasive tactics to bypass static C2 detections, it becomes increasingly important to proactively block such threats before they are used in an attack. 

Before using a C2 server in a malware attack, threat actors first have to acquire it either by purchasing it legitimately, obtaining a cracked version, or obtaining a free version if it is open source. They then must take steps such as install software; configure the server; register SSL certificates; add files to the server; access it via SSH, RDP, or panel login; and then expose it on a port to allow for commands and exfiltration. In conducting these actions, an attacker leaves behind fingerprints, which offer increased detection opportunities. 

Introducing proactive threat intelligence

By identifying C2 infrastructure as it is being set up (during the early stages of the kill chain), analysts have the invaluable opportunity to be proactive.

This is why IronNet has taken a focus on proactive threat intelligence (PTI) in addition to reactive threat intelligence (RTI). Proactive threat intelligence includes actively searching for threat infrastructure that has yet to be actioned and, in turn, producing intelligence before an attack occurs. This makes it much more difficult for threat actors to hide their infrastructure, as escaping detection is no longer as simple as discarding infrastructure after use in an attack, but would require fundamental changes in how threat actors stand up and weaponize their servers. 

In relation to the cyber attack kill chain of the MITRE ATT&CK® framework, PTI takes place at the resource development phase — that is, before the threat actor has gained initial access. RTI, on the other hand, is often generated at the execution or persistence phase — that is, well after the threat actor begins an intrusion into a victim network. 

A new weapon for thwarting cyber attacks: IronRadar proactive threat intelligence feed

Seeing the value in being proactive in C2 detection, IronNet’s world-class threat analysts have developed a proprietary process of fingerprinting a server to determine whether it is a C2 as those servers are being stood up and even before an attack is initiated. This intelligence is provided via a threat intelligence feed called IronRadarSM that can be directly integrated into an organization’s existing security tools, thus enabling cybersecurity teams to proactively block threats and improve detection by automatically ingesting data on the latest known — as well as new and unreported — attacker infrastructure. As such, IronRadar stands out as a proactive threat intelligence feed instead of a reactive one, allowing for increased capability to detect and block threats targeting your network. 

Indeed, IronRadar is able to fill the aforementioned gaps in detection by anticipating and responding ahead of the curve. This proactive approach improves any company’s risk posture — whether a less-resourced organization or a large enterprise company.

Beyond well-known post-exploitation frameworks like Cobalt Strike, IronRadar supports detection capabilities for more than 30 additional tools, including scanning engines, phishing frameworks, and popularly used loader malware. This proactive threat intel is provided via an open API for consumption by a firewall, a SIEM, a threat intel platform, or any other threat hunting tools. IronRadar’s ability to integrate with security tools, as well as block or query for IOCs to correlate with other threat alerts, enables threat hunting and provides situational awareness for hunt operations.  

Using the data from the feed, SOC analysts can query their SIEM data to find communication to adversary infrastructure or block it directly using their firewall, thus reducing alert fatigue and the mean time to threat detection. Our goal is to allow cyber defenders to proactively detect and block new adversary infrastructure during the critical, incipient stage — before follow-on activity such as the deployment of ransomware or the theft of data that can cause damage to the organization and result in millions of dollars in losses.

In summary

While the YARA Rules Google Cloud released are a great open-source resource for identifying the use of Cobalt Strike, we believe there is a greater need to be proactive in detecting adversary infrastructure — especially as newer versions of Cobalt Strike get adopted and exploited. Through IronRadar, we closely track how threat actors are staging infrastructure for use in attacks and enable organizations to proactively block a range of malicious infrastructure. 

IronRadar is available on the AWS Marketplace. You can try it free for 14 days.



About Ironnet
IronNet is dedicated to delivering the power of collective cybersecurity to defend companies, sectors, and nations. By uniting advanced technology with a team of experienced professionals, IronNet is committed to providing peace of mind in the digital world.