gasraet.blogg.se

Install cobalt strike 3.5
Cobalt Strike is a commercially available and popular command and control (C2) framework used by the security community as well as a wide range of threat actors. The robust use of Cobalt Strike lets threat actors perform intrusions with precision. Many cybercriminals that operate malware use the ubiquitous Cobalt Strike tool to drop multiple payloads after profiling a compromised network.

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP, and Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.

Secureworks® Counter Threat Unit™ (CTU) researchers conducted a focused investigation into malicious use of Cobalt Strike to gain insights about when and how the tool has been used. Understanding a threat actor's end goal is important. This knowledge can help to secure organizations that may be targeted by threat actors with diverse motives. For example, the financially motivated GOLD LAGOON threat group leverages the Qakbot botnet to deploy Cobalt Strike. CTU™ researchers frequently observe GOLD LAGOON deploying Cobalt Strike to Qakbot-infected hosts that are identified as members of an Active Directory domain. The threat actors then use Cobalt Strike to move laterally throughout the network, establish persistence, and ultimately facilitate damaging post-intrusion ransomware attacks. GOLD LAGOON provides access to other threat groups that deploy various ransomware families in compromised environments.

The value of early detection is highlighted by two similar incidents. In the first incident, Secureworks incident responders helped the victim recover from a REvil ransomware attack. The organization did not have an endpoint detection and response (EDR) solution that identified the preceding Qakbot and Cobalt Strike activity, which enabled the threat actors to achieve their objectives. In the second incident, Secureworks Taegis™ XDR countermeasures detected and alerted on the malicious Qakbot and Cobalt Strike activity in the environment, enabling network defenders to respond quickly to contain and mitigate the intrusion before ransomware was deployed. In this second incident, a user opened an Excel 4.0 macro worksheet attached to a phishing email. The attachment downloaded and installed Qakbot. Qakbot profiled the infected host, sent the profiled data to its C2 servers, and then downloaded and executed Cobalt Strike Beacon. The threat actor used Cobalt Strike Beacon's remote code execution capability to execute the ping utility.

Ping identified additional accessible servers within the network. The threat actor deployed Cobalt Strike Beacon on those targets and then executed arbitrary commands on those systems via the Rundll32 execution utility. One of these commands attempted to discover domain administrator accounts. This process of deploying Cobalt Strike Beacon to additional servers from a compromised host lets network defenders detect the service established on the remote host, the admin share launching content, and the resulting command execution.