Rule of the Week: Cobalt Strike Delivered via Multi-Stage APT Attack

This month, researchers discovered a multi-stage attack conducted by an as yet unidentified APT group. During this attack, the adversaries used the Malleable C2 feature of Cobalt Strike for C&C communications and for delivering the final payload. Researchers note that the attackers rely on advanced evasion techniques: they observed an intentional delay between the malicious Word macro running and the payload being executed. In addition, the attackers hide the shellcode inside the jQuery script returned in the HTTP response and load it into a memory buffer without ever writing it to disk, so that file-based security solutions do not see it.
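The jQuery trick above works because a C2 response that looks like a library download draws little attention. A real jQuery file, however, is printable script text, so a large run of non-printable or high-entropy bytes inside a `text/javascript` body is a cheap triage signal for defenders inspecting proxy captures. The following Python heuristic is an added example, not code from the original post or from SOC Prime; the window size, entropy and non-printable thresholds are assumed tuning values, and both response bodies are constructed samples (random bytes stand in for the shellcode), not indicators from the campaign.

```python
"""Heuristic triage of HTTP response bodies that claim to be JavaScript.

Added example, not from the original post. Flags a 'text/javascript'
response whose body contains a region that looks like embedded binary
rather than script text. Thresholds below are assumed tuning values.
"""
import math
import random

WINDOW = 256           # bytes per entropy window (assumed tuning value)
ENTROPY_LIMIT = 7.0    # bits/byte; minified JS usually stays well below 6
NONPRINT_LIMIT = 0.05  # share of non-printable bytes that is suspicious


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def nonprintable_ratio(data: bytes) -> float:
    """Share of bytes that are neither printable ASCII nor tab/LF/CR."""
    if not data:
        return 0.0
    bad = sum(1 for b in data if not (32 <= b < 127 or b in (9, 10, 13)))
    return bad / len(data)


def suspicious_windows(body: bytes, window: int = WINDOW):
    """Return (offset, entropy, nonprintable_ratio) for every fixed-size
    window of the body that looks like binary data instead of script."""
    hits = []
    for off in range(0, len(body), window):
        chunk = body[off:off + window]
        ent = shannon_entropy(chunk)
        npr = nonprintable_ratio(chunk)
        if ent >= ENTROPY_LIMIT or npr >= NONPRINT_LIMIT:
            hits.append((off, round(ent, 2), round(npr, 3)))
    return hits


def looks_like_shellcode_in_js(content_type: str, body: bytes) -> bool:
    """True when a JavaScript response carries a binary-looking region.
    Non-JavaScript content types are out of scope for this heuristic."""
    if "javascript" not in content_type.lower():
        return False
    return bool(suspicious_windows(body))


# Constructed samples: an ordinary jQuery-style banner and a minified
# prologue, followed either by harmless script or by random bytes that
# stand in for shellcode. Neither sample is taken from the campaign.
JQUERY_HEAD = (
    b"/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n"
    b"!function(a,b){\"object\"==typeof module&&\"object\"==typeof module.exports?"
    b"module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("
    b"\"jQuery requires a window with a document\");return b(a)}:b(a)}\n"
)
JQUERY_TAIL = b"(\"undefined\"!=typeof window?window:this,function(a,b){});\n"

BENIGN_BODY = JQUERY_HEAD + b"var x = 1;\n" * 40 + JQUERY_TAIL
# Seeded generator so the sample is reproducible from run to run.
STAGED_BODY = JQUERY_HEAD + random.Random(7).randbytes(2048) + JQUERY_TAIL

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("staged", STAGED_BODY)):
        flagged = looks_like_shellcode_in_js("text/javascript", body)
        print(f"{name}: flagged={flagged} first_hits={suspicious_windows(body)[:3]}")
```

The content-type gate keeps the heuristic focused on the case the post describes (binary hidden in a script response); images and archives are legitimately high-entropy and would need a different rule. In practice this kind of check belongs in a proxy or NDR pipeline alongside the SIEM rule, since it catches the delivery stage rather than the beacon traffic itself.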

Cobalt Strike is a paid pentesting tool that can be used to load shellcode onto victim machines. It has a wealth of functionality including command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning, and lateral movement. 

A new community rule by Osman Demir enables security solutions to spot traces of this campaign and find Cobalt Strike activity in the organization's network: https://tdm.socprime.com/tdm/info/GYbSaAgHMIKR/r2Rd23IBQAH5UgbBG7zA/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Initial Access

Techniques: Spearphishing Attachment (T1193)

More content to detect Cobalt Strike modifications: https://tdm.socprime.com/?searchValue=cobalt+strike