
FOR528 Workshop Ransomware for Incident Responders

Hands-on Malicious Script Analysis for Ransomware Response

© 2023 Ryan Chapman | All Rights Reserved

For workshop materials, please navigate to https://for528.com/workshop and access the “workshop” folder.

Most importantly, be sure to follow the “FOR528_WORKSHOP_SYSTEM_REQUIREMENTS_FINAL.pdf” document for instructions on how to access and download the workshop VM.
Using Slack for SANS Workshops

• Join our Workshop Slack workspace from the following link: https://sansurl.com/sans-workshop
• Register with any email address you can access
  • It does not need to be a “work” or SANS portal address
• Once you click on the confirmation email, you’ll be prompted to provide a name & password
• Once in Slack, keep an eye out in the #general channel for announcements. We are using #discuss & #help for our main collaboration channels. See you there!

FOR528 | Ransomware for Incident Responders 2

Hello all! Our preferred collaboration platform is Slack.


Please use the following link to join the SANS Workshop Slack workspace: https://sansurl.com/sans-workshop

1. From there, you will need to provide an email address to register. Any email address you have access to will
work (it does not need to be a work or SANS portal email address)
2. Once you click on the confirmation email, you will be prompted to provide a name and password.
3. Once in Slack, keep an eye out in the #general channel for announcements. We are using #discuss & #help for
our main collaboration channels. See you there!
Cobalt Strike: The Affiliate’s Choice

Cobalt Strike Overview

• Cobalt Strike is an adversary simulation & red team operations toolkit that:
  • Began in 2010 as “Armitage,” a GUI for Metasploit.
    • It has been included in BackTrack/Kali Linux ever since.
  • Was created by Raphael Mudge.
  • Sold to HelpSystems in 2020 (now Fortra).
    • They also own Core Impact and Impacket.
  • Tightly regulates licenses.
    • Cracked/trial versions are available on the darknet.

• Cobalt Strike has become the tool of choice for ransomware operators and affiliates alike.

Cobalt Strike is a fantastic adversary simulation and red team operations toolkit. The tool’s author, “Mudge,”
developed a phenomenal tool that not only does its job well but has become the gold standard of tools in this
category.

Unfortunately, ransomware operators and affiliates have claimed the tool as their own. We see CS used in at least
half the ransomware cases that we work as consulting groups. Our goal is not to train you to use CS from A to Z, let
alone make you a power user. Rather, we aim to describe just enough of the tool to you and provide enough
resources such that you can deal with the threat when you run across it in your ransomware incident(s). Because
chances are, you will see it. And if you are not familiar with it, your response efforts will suffer.

So, let’s get going and familiarize you with the general concepts associated with the tool and then jump into a
hands-on lab (Lab 3.2) in which you de-obfuscate various CS loaders to see how the payloads contained within are
configured. This way, when you do run across CS within an engagement, you’ll be prepared!
Cobalt Strike Architecture & Components

[Diagram: Beacons <-> Team Server C2 <-> CS Client]

• Team Server (TS)
  • The core CS C2 server
  • Provides payload generation, multiuser coordination, and reporting features
  • Usually set up in cloud/VPS space

• Client
  • Allows the operator(s) to connect to the Team Server

• Beacon
  • Primary payload that runs on target host(s) and communicates with TS C2

CS uses a client/server architecture. The server is called a Team Server (TS) and sits at the heart of everything. The
TS is the primary C2 server. When you hear people refer to CS’s C2, they are referring to the TS. The Java-based
TS can be installed on a multitude of systems, though you will see most TAs using Linux. Once the TS is running,
the CS Client, also written in Java, can be used to connect to the TS.

The CS payloads are called “Beacons.” Cute name, right? Beacons are usually what you will find in your victim
environment.

You can find the most recent version of the Cobalt Strike manual, a massive document outlining all system features
in detail, at the following link: https://for528.com/cs-guide.

Raphael Mudge, the creator of CS, recorded nine videos covering over 10 hours of CS training. You can find the
recordings in his YouTube playlist at https://for528.com/cs-training.
CS Client-to-Server Communications

• Listeners
  • Listeners are the component within the Team Server to which Beacons connect
    • Similar to “handlers” in Metasploit.
  • Types: HTTP/HTTPS, DNS, SMB, & Raw TCP

• Loaders
  • The Team Server can generate various types of loaders, which load the specified Beacon payload into memory.

• Staged vs. Stageless
  • A staged Beacon loader includes enough code to download the full Beacon from the Team Server, while a stageless loader includes the full Beacon code.

Beacons connect to “Listeners” running on the TS C2 server. If you are familiar with Metasploit, the CS Beacon is
like the Meterpreter. Metasploit uses “handlers” to handle the incoming connections, while CS uses Listeners.
They’re the same concept.

When you create a Listener in CS, you can choose the protocol type. Ransomware actors most commonly use
HTTP or HTTPS. You can change the ports used, but often they are not changed so that they blend in with your
environment.

Beacons can be either staged or stageless. A “staged” Beacon loader is just enough code to reach out to the TS to
request and receive a full Beacon to inject into memory. These act as downloaders for the full Beacon. A
“stageless” Beacon contains the entire Beacon code. Because these are full Beacons and not just downloaders, they
are larger than the staged binaries.

The Payload Generator in CS allows you to create payloads. We commonly see the “PowerShell Command”
payload. More on this coming up in Lab 3.2.

Alyssa Rahman with Mandiant wrote a wonderful blog article titled “Defining Cobalt Strike Components So You
Can BEA-CONfident in Your Analysis” that details the various components of Cobalt Strike. You can read
Alyssa’s article at https://for528.com/cs-components.
Malleable C2 Profiles

• Malleable C2 profiles allow users to differentiate the manner in which Beacons communicate with the Team Server.
  • Profiles are highly customizable and should be customized per campaign.
• One of the most important options is the “SpawnTo” process.
  • It designates the process to spawn and then replace with the Beacon’s code.
  • You’ll see this process running in memory when the Beacon is doing its dirty work and thus is important for detection and analysis.

The concept behind Malleable C2 profiles is customization. You can make your Beacon resemble legitimate things
within your environment. For example, if you were red teaming, you might enumerate clients in the environment
and then write a custom profile to mimic some of these services.

Malleable profiles allow you to configure things like jitter, which is a deviation in the callback times the Beacon
uses. The value provided to sleeptime denotes how many seconds the Beacon sleeps between beaconing attempts.
Jitter and sleep times can be used to avoid typical Beacon detection methods. Profiles also allow for customization
of user agent strings, DNS options, named pipe names, and much more.

Check out Jeff “bluescreenofjeff” Dimmock’s article “How to Write Malleable C2 Profiles for Cobalt Strike,”
which details how to write a Malleable C2 profile from scratch: https://for528.com/writemalleablec2.

For one of the better GitHub repos consisting of many profiles, see BC Security’s “Malleable-C2-Profiles” repo:
https://for528.com/cs-profiles

For another large list of Malleable C2 profiles, see Michael Haag’s “malleable_c2_profiles” GitHub Gist:
https://for528.com/cs-profiles2

Palo Alto’s Unit42 wrote an article titled “Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make
Cobalt Strike Difficult to Detect” that denotes all the ways in which the Malleable C2 options make detecting CS
difficult. You can find this article at https://for528.com/cs-profiles3.

The screenshot on this page is from a profile named “Amazon browsing traffic profile,” the full version of which
you can find on GitHub at https://for528.com/cs-profile-amazon.

CS Default Profile

The default profile values for Cobalt Strike 4.5 are intentionally “noisy.” The following is the default profile
for this version of Cobalt Strike.
• Note: The default profile does not designate a “SpawnTo” process. The default process is rundll32.exe.

# default sleep time is 60s
set sleeptime "60000";

# jitter factor 0-99% [randomize callback times]
set jitter "0";

# indicate that this is the default Beacon profile
set sample_name "Cobalt Strike Beacon (Default)";

# this is the default profile. Make sure we look like Cobalt Strike's
# Beacon payload. (that's what we are, right?)
stage {
    set stomppe "false";
    set name "beacon.dll";

    string "%d.%s";
    string "post";
    string "%s%s";
    string "cdn.%x%x.%s";
    # [134 string values stripped – These are included so that the default beacon can be detected]
}

# define indicators for an HTTP GET
http-get {
    # Beacon will randomly choose from this pool of URIs
    set uri "/ca /dpixel /__utm.gif /pixel.gif /g.pixel /dot.gif /updates.rss /fwlink /cm /cx /pixel /match /visit.js /load /push /ptj /j.ad /ga.js /en_US/all.js /activity /IE9CompatViewList.xml";

    client {
        # base64 encode session metadata and store it in the Cookie header.
        metadata {
            base64;
            header "Cookie";
        }
    }

    server {
        # server should send output with no changes
        header "Content-Type" "application/octet-stream";

        output {
            print;
        }
    }
}

# define indicators for an HTTP POST
http-post {
    # Same as above, Beacon will randomly choose from this pool of URIs [if multiple URIs are provided]
    set uri "/submit.php";
    client {
        header "Content-Type" "application/octet-stream";

        # transmit our session identifier as /submit.php?id=[identifier]
        id {
            parameter "id";
        }

        # post our output with no real changes
        output {
            print;
        }
    }

    # The server's response to our HTTP POST
    server {
        header "Content-Type" "text/html";

        # this will just print an empty string, meh...
        output {
            print;
        }
    }
}

# define indicators/attributes for a DNS Beacon
dns-beacon {
    # maximum number of bytes to send in a DNS A record request
    set maxdns "255";

    set beacon "";

    set get_A "cdn.";
    set get_AAAA "www6.";
    set get_TXT "api.";
    set put_metadata "www.";
    set put_output "post.";
}
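The sleeptime, jitter and URI pool in a profile are exactly the values a defender wants to turn into detections. The following Python script is an added, defender-side example (not part of the workshop materials or any of the tools listed later): it pulls sleeptime, jitter and the GET/POST URI pools out of profile text like the default profile above, then checks web-proxy log lines for requests to those URIs at the expected callback cadence. The profile excerpt, the log lines, the log format, the IP addresses and the 10% timing slack are all constructed or assumed for illustration. Jitter is applied the way Cobalt Strike applies it, shortening each sleep by a random 0 to jitter percent, so the default jitter of 0 means a check-in every 60 seconds.

```python
import re
from datetime import datetime

# Constructed excerpt of the Cobalt Strike 4.5 default profile shown above
# (sleeptime, jitter and the GET/POST URI pools); not a complete profile.
DEFAULT_PROFILE = '''
set sleeptime "60000";
set jitter "0";

http-get {
    set uri "/ca /dpixel /__utm.gif /pixel.gif /g.pixel /dot.gif
/updates.rss /fwlink /cm /cx /pixel /match /visit.js /load /push /ptj /j.ad
/ga.js /en_US/all.js /activity /IE9CompatViewList.xml";
    client { metadata { base64; header "Cookie"; } }
}

http-post {
    set uri "/submit.php";
    client { id { parameter "id"; } }
}
'''

# Constructed web-proxy log lines (assumed format: timestamp src method url status).
# 10.0.0.5 checks in to 203.0.113.10 roughly every 60 seconds; the others are noise.
SAMPLE_LOG = [
    "2023-05-01T10:00:00 10.0.0.5 GET http://203.0.113.10/dpixel 200",
    "2023-05-01T10:00:10 10.0.0.9 GET http://198.51.100.7/pixel.gif 200",
    "2023-05-01T10:00:30 10.0.0.5 GET http://198.51.100.7/index.html 200",
    "2023-05-01T10:01:01 10.0.0.5 GET http://203.0.113.10/__utm.gif 200",
    "2023-05-01T10:02:00 10.0.0.5 GET http://203.0.113.10/ca 200",
    "2023-05-01T10:02:05 10.0.0.5 POST http://203.0.113.10/submit.php?id=1234 200",
    "2023-05-01T10:03:00 10.0.0.5 GET http://203.0.113.10/pixel.gif 200",
]

LOG_LINE = re.compile(r'^(\S+) (\S+) (GET|POST) https?://([^/\s]+)(/\S*) (\d{3})')


def _setting(text, name, start=0):
    """Value of the first `set <name> "...";` at or after offset `start` in the profile."""
    m = re.search(r'set\s+' + re.escape(name) + r'\s+"([^"]*)"\s*;', text[start:])
    return m.group(1) if m else None


def parse_profile(text):
    """Extract sleeptime (ms), jitter (%) and the GET/POST URI pools from profile text."""
    cfg = {"sleeptime_ms": int(_setting(text, "sleeptime")),
           "jitter_pct": int(_setting(text, "jitter")),
           "get_uris": set(), "post_uris": set()}
    for block, key in (("http-get", "get_uris"), ("http-post", "post_uris")):
        m = re.search(re.escape(block) + r"\s*\{", text)
        uri = _setting(text, "uri", m.start()) if m else None
        if uri:
            cfg[key].update(uri.split())  # pool is whitespace separated and may span lines
    return cfg


def parse_log(lines):
    """Turn proxy log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ts, src, method, host, uri, _status = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": src,
                           "method": method, "host": host, "uri": uri.split("?")[0]})
    return events


def beacon_candidates(events, cfg, slack=0.10):
    """Group URI-pool hits per (client, server) and test GET check-ins for beacon cadence.

    Jitter shortens each sleep by a random 0..jitter percent, so check-ins land in
    [sleep*(1-jitter), sleep]; `slack` widens that window for network/logging delay
    (10% is an assumption, tune it to your environment).
    """
    sleep_s = cfg["sleeptime_ms"] / 1000
    lo = sleep_s * (1 - cfg["jitter_pct"] / 100) * (1 - slack)
    hi = sleep_s * (1 + slack)
    pairs = {}
    for ev in events:
        key = (ev["src"], ev["host"])
        if ev["method"] == "GET" and ev["uri"] in cfg["get_uris"]:
            pairs.setdefault(key, {"get": [], "post": 0})["get"].append(ev["ts"])
        elif ev["method"] == "POST" and ev["uri"] in cfg["post_uris"]:
            pairs.setdefault(key, {"get": [], "post": 0})["post"] += 1
    report = {}
    for key, hits in pairs.items():
        stamps = sorted(hits["get"])
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {"get_hits": len(stamps), "post_hits": hits["post"], "gaps": gaps,
                       "periodic": len(gaps) >= 2 and all(lo <= g <= hi for g in gaps)}
    return report


if __name__ == "__main__":
    cfg = parse_profile(DEFAULT_PROFILE)
    for (src, host), r in beacon_candidates(parse_log(SAMPLE_LOG), cfg).items():
        print(f"{src} -> {host}: {r}")
```

A single hit on /pixel.gif is weak evidence on its own, which is why the report keeps the timing gaps: a client that hits the pool repeatedly on the sleep cadence and also POSTs to the output URI is what warrants a closer look, and the same logic applies to any custom profile whose values you recover with the parsers listed later in this section.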
Cobalt Strike Detection & Analysis Resources

We’ll digress here, but we have a ton of resources for you!

• The DFIR Report
  • Cobalt Strike, a Defender’s Guide Part 1
  • Cobalt Strike, a Defender’s Guide Part 2

The two BEST resources available are both from The DFIR Report team. Kudos (as usual) to the amazing
volunteers for their amazing work. You can find their work here:
• “Cobalt Strike, a Defender’s Guide”: https://for528.com/dfirreport-cs1
• “Cobalt Strike, a Defender’s Guide – Part 2”: https://for528.com/dfirreport-cs2

SANS author and instructor Chad Tilbury’s SANS DFIR Summit 2021 presentation is also an amazing resource:
https://for528.com/cs-tilbury
Some important items for you to review in Chad’s talk:
• WmiPrvSE spawning PowerShell
• PowerShell spawning PowerShell
• PowerShell > multiple rundll32.exe processes
• Rundll32 with no command-line options
• Relevance of SysWow64 use
• Common named pipes @ 24:44 (including "set pipename" @ 26:00)
• Named pipe naming schemes @ 27:00
• Cracked, older versions of CS @ 31:40
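Several of the items above are parent/child process relationships, which makes them straightforward to express as rules over process-creation telemetry. The following Python is an added example, not from Chad’s talk, the workshop VM or any listed tool: it runs those rules over a handful of constructed Sysmon-style process events (the PIDs, paths and command lines are made up for illustration, and the hosts are assumed to be 64-bit so that a SysWOW64 rundll32.exe is the 32-bit one).

```python
# Constructed Sysmon Event ID 1 style records: pid, parent pid, image path, command line.
# The chain WmiPrvSE -> powershell -> powershell -> two argument-less rundll32 processes
# mirrors the items in the talk notes; explorer/rundll32 with arguments is benign noise.
EVENTS = [
    {"pid": 50,  "ppid": 40,  "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"pid": 401, "ppid": 300, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"pid": 500, "ppid": 50,  "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def command_args(event):
    """Whatever follows the executable on the command line ('' when there is nothing)."""
    cmd = event["cmdline"].strip().strip('"')
    image = event["image"].lower()
    if cmd.lower().startswith(image):
        return cmd[len(image):].strip()
    parts = cmd.split(None, 1)  # assumption: executable token has no embedded spaces
    return parts[1].strip() if len(parts) > 1 else ""


def analyze(events):
    """Apply the process-tree heuristics; returns {pid: [rule names]} for flagged processes."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = {}

    def flag(pid, rule):
        findings.setdefault(pid, []).append(rule)

    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        if name == "powershell.exe":
            if parent_name == "wmiprvse.exe":          # WmiPrvSE spawning PowerShell
                flag(e["pid"], "wmiprvse_spawns_powershell")
            if parent_name == "powershell.exe":        # PowerShell spawning PowerShell
                flag(e["pid"], "powershell_spawns_powershell")
            rundll = [c for c in children.get(e["pid"], []) if image_name(c["image"]) == "rundll32.exe"]
            if len(rundll) >= 2:                        # PowerShell > multiple rundll32.exe
                flag(e["pid"], "powershell_spawns_multiple_rundll32")
        if name == "rundll32.exe" and command_args(e) == "":   # rundll32 with no options
            flag(e["pid"], "rundll32_no_arguments")
            if "\\syswow64\\" in e["image"].lower():            # 32-bit rundll32 on a 64-bit host
                flag(e["pid"], "rundll32_syswow64")
    return {pid: sorted(rules) for pid, rules in findings.items()}


if __name__ == "__main__":
    for pid, rules in sorted(analyze(EVENTS).items()):
        print(pid, image_name(EVENTS[[e["pid"] for e in EVENTS].index(pid)]["image"]), rules)
```

Each rule on its own is noisy in a large estate (rundll32.exe without arguments has legitimate uses), so the value is in the combination: a PowerShell process that was itself spawned by WmiPrvSE or PowerShell and then spawns argument-less rundll32.exe children is the shape the talk describes.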

You can extract CS Beacons from memory! Blake M’s article “Extracting Cobalt Strike from Windows Error
Reporting” shows you how to perform this process: https://for528.com/cs-extract.

Threat actors who want to be more stealthy use Microsoft’s MSBuild to build Beacons in memory (hint, hint!). You
can learn more about this process via the following articles:
• Anomali’s “Threat Actors Use MSBuild to Deliver RATs Filelessly” article: https://for528.com/msbuild-chain
• Red Teaming Experiments’ “Using MSBuild to Execute Shellcode in C#” article: https://for528.com/msbuild-chain2

If you want to learn even more about Cobalt Strike, Google these resources:
• Full-Spectrum Cobalt Strike Detection (Recorded Future)
• Detecting Cobalt Strike with Memory Signatures (Elastic)
• Open Source Cobalt Strike Parser (Sentinel One)
• Strike Back at Retired Cobalt Strike (NCCGroup)
• Understanding Cobalt Strike Profiles (ZeroSec)
• Deep Dive into Malleable C2 (Specter Ops)

The BlackBerry Research and Intelligence team released a book titled Finding Beacons in the Dark: A Guide to
Cyber Threat Intelligence. This book covers Cobalt Strike, with specific focus on hunting and identifying
Beacons. You can find a free digital copy of this book at https://for528.com/cs-book.
It’s Dangerous to Go Alone! Take These CS Payload Parsers!

Tool                                          | Notes
--------------------------------------------- | -----------------------------------------------------------------------
Stroz’s “Cobaltstrike-config-extractor”       | Easy pip-based install with very strong analysis capabilities.
Sentinel One’s “CobaltStrikeParser”           | One of the original parsers that became popular. Scripts to both extract and analyze Beacon configs. Capable of analyzing multiple payload types, including shellcode.
Didier Stevens’ “1768.py”                     | The best tool for CS shellcode analysis!
Etienne Maynier’s “Cobalt Strike Resources”   | Multiple scripts for analyzing & extracting CS Beacons, along with scanners to generate/review Yara rules.
Avast Cobaltstrike Tools & Yara Rules         | A multitude of tools for CS payload analysis, including tools for assisting with API hashing, checksum generation, analysis in IDA Pro, and more.

Stroz Friedberg’s “cobaltstrike-config-extractor”
• https://for528.com/csce

Sentinel One’s “CobaltStrikeParser”
• https://for528.com/cobaltstrikeparser

Didier Stevens’ “1768.py” script
• https://for528.com/1768

Etienne “Te-k” Maynier’s “Cobalt Strike Resources”
• https://for528.com/cs-tek
• See Te-k’s “Analyzing Cobalt Strike for Fun and Profit” article at https://for528.com/cs-fun.

Avast’s “Cobaltstrike Tools & Yara Rules” repo
• https://for528.com/cs-avast
Lab 3.2

Decoding Cobalt Strike Payloads

VM Required: FOR528 Workshop VM

We now begin the hands-on portion of our workshop.

Please see the workshop PDF on the desktop of your FOR528 Workshop VM.
