Google seeks to make Cobalt Strike useless to attackers
Google Cloud’s intelligence research and applications team has created and released a collection of 165 YARA rules to help defenders flag Cobalt Strike components deployed by attackers.
“Our intention is to move the tool back to the domain of legitimate red teams and make it harder for bad guys to abuse,” says Greg Sinclair, a security engineer with Google Cloud Threat Intelligence.
The problem with Cobalt Strike
Cobalt Strike, a legitimate adversary simulation tool used by pentesters and cyber red teams, has also become threat actors’ preferred post-exploitation tool.
While some attackers have switched to using Brute Ratel, DeimosC2, and similar tools, Cobalt Strike is still a very popular option.
Creating the detection rules
“Cobalt Strike vendor Fortra (until recently known as Help Systems) uses a vetting process that attempts to minimize the potential that the software will be provided to actors who will use it for nefarious purposes, but Cobalt Strike has been leaked and cracked over the years. These unauthorized versions of Cobalt Strike are just as powerful as their retail cousins except that they don’t have active licenses, so they can’t be upgraded easily,” Sinclair explained.
So the team analyzed every cracked version of the tool it could find – 34 in all – and looked for unique stagers, attack templates, and beacons so they could create precise detection rules.
“We decided that detecting the exact version of Cobalt Strike was an important component to determining the legitimacy of its use by non-malicious actors since some versions have been abused by threat actors. By targeting only the non-current versions of the components, we can leave the most recent versions alone, the version that paying customers are using,” Sinclair noted.
Vicente Diaz, a threat intelligence strategist at VirusTotal, said that the Cobalt Strike samples used to create the signatures were gathered via that platform, and explained the process of creating and testing the detection rules.
The final YARA rules are available to VirusTotal customers as a collection of community signatures and have been open-sourced so that cybersecurity vendors can use them within their own products.