By: Owen Dubiel
June 15, 2021
Detecting CobaltStrike Process Injection with QRadar
By: Owen Dubiel
June 15, 2021
CobaltStrike is one of those tools that you shiver at the potential power it holds when you hear its name. Its original use was a penetration tool primarily used for spear-phishing tactics, access to systems, and various other testing methodologies. Security teams must have a reliable way to detect its presence within their environment. Whether it is a planned pentest or a malicious actor poking around, CobaltStrike should be directly and swiftly handled. We will discuss some of the different use cases, tactics, and exploits that come with CobaltStrike. More importantly, we will discuss how it can be effectively detected within QRadar, with minimal false positives.
Features of CobaltStrike
CobaltStrike is an attractive tool for both pen testers and malicious actors alike because of how easy and automated it makes scaling through the different attack stages. Whether you are trying to find vulnerable web hosts or deploy a PowerShell exploit, CobaltStrike has a little something for every situation. The following are some of the critical features that CobaltStrike offers to those that choose to pay the subscription price.
Reconnaissance Made Easy
- Its client-side profiling tool makes attackable detection applications a breeze with little forethought.
- CobaltStrike’s Beacon tool allows an attacker to disguise their communications over uncommon protocols and upload a completely different threat actor profile.
Phishing for Big Fish
- CobaltStrike’s autonomies spear-phishing by strategically placing clickable links and tracking the number of visits to these links.
- The ability to execute scripts, download files, and even take screenshots are only some of the advanced built-in features.
Building Attack Packs
- Offering the ability to create your custom attacks within links, files, or even in Macros.
Built-in Pivot Browser pivoting is a unique ability of CobaltStrike to attempt to bypass MFA (multi-factor authentication) solutions on websites quickly. Reporting and Logging
- CobaltStrike will report all activity performed within a given attack to allow for easy triage and remediation of gaps discovered.
- List of known affected vulnerabilities that this can exploit
Detecting Ryuk within QRadar
Since CobaltStrike is publically available, it can be pretty effective but also pretty noisy as well. Given that you are ingesting Microsoft security events, it is relatively simple to detect whenever CobaltStrike is used. The below search quarry can be directly used within QRadar as a dashboard or an alert for this activity. The search is actively looking for EventID 8, which creates a thread in another process (typical activity of CobaltStrike) and then a tiny regex script for common payload naming.
SELECT UTF8(payload) as search_payload from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and "EventID"='8' and search_payload ilike '%%0B80%'
Additional parameters could be added to enhance this search better, like providing a time threshold or even targeting a specific subset data source that you may be concerned with. Having this alert in place is better than not. Even if you regularly use CobaltStrike in your environment, setting this to a suppressed mode will still provide the visibility needed without the alerting.
CobaltStrike is an advanced pen testing tool kit that is available to the public for a price. Detection can be simple, by ensuring that you quickly respond to any alert triggered that could be crucial to the safety of your network. A best practice for handling CobaltStrike goes, “if you didn’t know about it, it is probably malicious.” To learn more about penetration testing techniques or just CobaltStrike in general, Check out what Cybrary offers as the primary source for cybersecurity training. Cybrary offers virtual classroom-style courses and hands-on learning sessions to help maximize your knowledge on any particular subject.