How to Detect Cobalt Strike: An Inside Look at the Popular Commercial Post-Exploitation Tool

Posted: 14th September 2021

Throughout history there have been many inventions created with good intentions (and perhaps still used for the right purposes) that, in the wrong hands, are turned to ends far more malicious than their original intent.

The commercially available adversary emulation software called Cobalt Strike is a perfect example. It was created in 2012 with the intention of aiding pentesters and red teams. Its purpose was to help these teams conduct more advanced intrusions during authorized engagements, whether against their own organization or in a consultative role for a client. It quickly gained popularity in the community because of its full suite of functionality, from payloads and exploitation to command and control. This allowed (and still allows) red teams to run an incredibly advanced and wide-ranging attack scenario that was not possible, or at least not as easy, before Cobalt Strike.

Cobalt Strike’s parent company, HelpSystems, describes the product’s intention and capabilities on their website: “Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.”

However, if Cobalt Strike can be used to carry out very sophisticated authorized attacks, it can also be used to carry out very sophisticated unauthorized attacks by various threat actors. Today, we see a wide range of state-sponsored and financially motivated threat actors leveraging Cobalt Strike capabilities to carry out advanced cyber attacks. Reporting from Cisco Talos confirms this popularity: in the fourth quarter of 2020, they saw that 66% of all ransomware attacks involved Cobalt Strike.

One of the key selling points of Cobalt Strike, on both the red team/pentesting market and the criminal market, is its robust set of evasion features. To make detection incredibly difficult, the creators added Artifact Kit and Malleable C2 Profiles. Artifact Kit enables Cobalt Strike operators to customize how payloads are generated so that known signatures for the tool are avoided. Malleable C2 Profiles enable operators to customize the details of the command and control protocol used.

To take a deeper look at these features, and at the ways Cobalt Strike can still be detected despite its built-in evasion capabilities, the Recorded Future Insikt Group purchased Cobalt Strike and tried to detect it themselves. They found that, with full-spectrum detection techniques, there are in fact multiple methods, and multiple points during an intrusion, at which Cobalt Strike can be detected.

After conducting the deep technical analysis behind their report, the Insikt Group walked away with the following key judgements:

  • Effective detection of Cobalt Strike activity requires a full spectrum of detections, including host-based monitoring, network-based monitoring, and threat intelligence to identify Cobalt Strike C2 servers.
  • Cobalt Strike is highly configurable, but many actors use default settings, such as SSL certificates, Beacon URLs, and profiles, which offer defenders detection opportunities.
  • Advanced threat actors will customize Cobalt Strike payloads to better avoid detection, using built-in tools like Artifact Kit, Malleable C2 Profiles, and Resource Kit. Detection opportunities exist when threat actors customize one component but leave defaults in others.
  • Based on continued official and third-party development of Cobalt Strike features and capabilities, and the ability of any actor to obtain some version of it, Cobalt Strike will continue to be a threat for the foreseeable future.

To learn more, join the Insikt Group analysts who conducted this research on an upcoming webinar as they talk about the history of Cobalt Strike, its technical specifications, detection and response strategies, and their research methodology.

Additionally, take a deeper look at all of the report findings by downloading the full version here.