Hands-on Malicious Script Analysis for Ransomware Response
For workshop materials, please navigate to https://for528.com/workshop and access the “workshop” folder.
1. From there, you will need to provide an email address to register. Any email address you have access to will
work (it does not need to be a work or SANS portal email address)
2. Once you click on the confirmation email, you will be prompted to provide a name and password.
3. Once in Slack, keep an eye out in the #general channel for announcements. We are using #discuss & #help for
our main collaboration channels. See you there!
Cobalt Strike: The Affiliate’s Choice
Cobalt Strike is a fantastic adversary simulation and red team operations toolkit. The tool’s author, “Mudge,”
developed a phenomenal tool that not only does its job well, but even more so has become the gold standard of tools
in this category.
Unfortunately, ransomware operators and affiliates have claimed the tool as their own. We see CS used in at least
half the ransomware cases we work as consultants. Our goal is not to train you to use CS from A to Z, let alone
make you a power user. Rather, we aim to describe just enough of the tool and point you to enough resources that
you can deal with the threat when you run across it in your ransomware incident(s). Because chances are, you will
see it. And if you are not familiar with it, your response efforts will suffer.
So, let’s get going and familiarize you with the general concepts associated with the tool and then jump into a
hands-on lab (Lab 3.2) in which you de-obfuscate various CS loaders to see how the payloads contained within are
configured. This way, when you do run across CS within an engagement, you’ll be prepared!
Cobalt Strike Architecture & Components
• Team Server (TS)
• The C2 server that operators connect to and that Beacons call back to
• Client
• Allows the operator(s) to connect to the Team Server
• Beacon
• Primary payload that runs on target host(s) and communicates with the TS C2
(Cobalt Strike is sold and maintained by Fortra.)
CS uses a client/server architecture. The server is called a Team Server (TS) and sits at the heart of everything. The
TS is the primary C2 server. When you hear people refer to CS’s C2, they are referring to the TS. The Java-based
TS can be installed on a multitude of systems, though you will see most TAs using Linux. Once the TS is running,
the CS Client, also written in Java, can be used to connect to the TS.
The CS payloads are called “Beacons.” Cute name, right? Beacons are usually what you will find in your victim
environment.
You can find the most recent version of the Cobalt Strike manual, a massive document outlining all system features
in detail, at the following link: https://for528.com/cs-guide.
Raphael Mudge, the creator of CS, recorded nine videos covering over 10 hours of CS training. You can find the
recordings in his YouTube playlist at https://for528.com/cs-training.
CS Client-to-Server Communications
• Listeners
• Listeners are the component within the Team Server to which Beacons connect
• Similar to “handlers” in Metasploit
• Types: HTTP/HTTPS, DNS, SMB, & Raw TCP
• Loaders
• The Team Server can generate various types of loaders, which load the specified Beacon payload into memory
Beacons connect to “Listeners” running on the TS C2 server. If you are familiar with Metasploit, the CS Beacon is
like the Meterpreter. Metasploit uses “handlers” to handle the incoming connections, while CS uses Listeners.
They’re the same concept.
When you create a Listener in CS, you choose the protocol. Ransomware actors most commonly use HTTP or
HTTPS. The listener port can be changed, but actors usually keep the defaults (80 and 443) so the traffic blends
in with ordinary web browsing from your environment.
Beacons can be either staged or stageless. A “staged” Beacon loader is just enough code to reach out to the TS,
request the full Beacon, and inject it into memory; it acts as a downloader for the full Beacon. A “stageless”
Beacon contains the entire Beacon code, so it is larger than a staged loader but never has to fetch anything from
the TS.
The Payload Generator in CS creates these loaders. We commonly see the “PowerShell Command” payload, a
one-liner that hides the Beacon stager under several layers of encoding. More on this coming up in Lab 3.2.
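The “PowerShell Command” payload is the loader you will de-obfuscate most often, so here is the peeling process as an added example (this is not code from the course materials or from Cobalt Strike). It builds a constructed loader in the same nested shape CS produces: a base64 UTF-16LE -encodedcommand, whose script inflates a gzip+base64 blob and IEXes it, and whose inner script base64-decodes a shellcode blob and XORs every byte with 35. The decoder then reverses each layer and pulls the strings a responder cares about (C2 host, URI, User-Agent). The shellcode bytes and the 198.51.100.23 address are constructed for the example, not real indicators.

```python
import base64
import gzip
import re

# Single-byte XOR key that CS's generated PowerShell stager applies to its
# embedded shellcode blob (the script undoes it with "-bxor 35").
CS_XOR_KEY = 35

# Constructed stand-in for stager shellcode: a common Windows shellcode prologue
# followed by the kind of strings a real stager carries (C2 host, URI, User-Agent).
# 198.51.100.23 is a documentation-range address, not a real C2.
SAMPLE_SHELLCODE = (
    b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
    + b"\x00" * 16
    + b"198.51.100.23\x00"
    + b"/updates.rss\x00"
    + b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0)\x00"
)

_B64 = r"([A-Za-z0-9+/=]+)"


def build_sample_loader(shellcode: bytes) -> str:
    """Assemble a loader with the same nesting as a CS 'PowerShell Command'
    payload. Constructed for this example, not generated by Cobalt Strike."""
    xored = bytes(b ^ CS_XOR_KEY for b in shellcode)
    inner = (
        "$var_code = [System.Convert]::FromBase64String('"
        + base64.b64encode(xored).decode() + "')\n"
        "for ($x = 0; $x -lt $var_code.Count; $x++) "
        "{ $var_code[$x] = $var_code[$x] -bxor 35 }\n"
    )
    gz_b64 = base64.b64encode(gzip.compress(inner.encode())).decode()
    outer = (
        '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("' + gz_b64 + '"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
    )
    encoded = base64.b64encode(outer.encode("utf-16-le")).decode()
    return "powershell -nop -w hidden -encodedcommand " + encoded


def decode_encoded_command(cmdline: str) -> str:
    """Layer 1: -EncodedCommand (-e / -ec / -enc) is base64 of a UTF-16LE script."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+" + _B64, cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def unwrap_gzip_layer(script: str) -> str:
    """Layer 2: the script feeds a base64 blob through GzipStream and IEXes the result."""
    m = re.search(r"FromBase64String\([\"']" + _B64 + r"[\"']\)", script)
    if not m:
        raise ValueError("no base64 blob in outer script")
    return gzip.decompress(base64.b64decode(m.group(1))).decode()


def extract_shellcode(inner: str) -> bytes:
    """Layer 3: pull the base64 shellcode and undo the per-byte XOR the script applies."""
    m = re.search(r"FromBase64String\([\"']" + _B64 + r"[\"']\)", inner)
    if not m:
        raise ValueError("no base64 blob in inner script")
    blob = base64.b64decode(m.group(1))
    key_m = re.search(r"-bxor\s+(\d+)", inner)
    key = int(key_m.group(1)) if key_m else 0  # no XOR loop means no XOR layer
    return bytes(b ^ key for b in blob)


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, the quickest way to spot the host/URI/UA in a stager."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def decode_cs_powershell_loader(cmdline: str) -> dict:
    """Run all three layers and report what a responder needs: the raw shellcode,
    whether it opens like typical Windows shellcode (fc e8 = cld; call), and strings."""
    outer = decode_encoded_command(cmdline)
    inner = unwrap_gzip_layer(outer)
    shellcode = extract_shellcode(inner)
    return {
        "shellcode": shellcode,
        "shellcode_like": shellcode.startswith(b"\xfc\xe8"),
        "strings": printable_strings(shellcode),
    }


if __name__ == "__main__":
    report = decode_cs_powershell_loader(build_sample_loader(SAMPLE_SHELLCODE))
    print("shellcode-like prologue:", report["shellcode_like"])
    for s in report["strings"]:
        print("  string:", s)
```

On a real loader, paste the process command line from your EDR or Sysmon Event ID 1 into decode_cs_powershell_loader and feed the returned shellcode to one of the parsers listed at the end of this section; the strings output alone usually gives you the C2 host and URI to pivot on. The regexes deliberately accept both quote styles because operators sometimes hand-edit the generated script.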
Alyssa Rahman with Mandiant wrote a wonderful blog article titled “Defining Cobalt Strike Components So You
Can BEA-CONfident in Your Analysis” that details the various components of Cobalt Strike. You can read
Alyssa’s article at https://for528.com/cs-components.
Malleable C2 Profiles
The concept behind Malleable C2 profiles is customization. You can make your Beacon resemble legitimate things
within your environment. For example, if you were red teaming, you might enumerate clients in the environment
and then write a custom profile to mimic some of these services.
Malleable profiles let you configure things like jitter, a random variation in the Beacon’s callback times. The
value given to sleeptime is the number of milliseconds (not seconds) the Beacon sleeps between callbacks; the
default is 60000, i.e., one minute. Jitter and sleep times are used to evade detection methods that look for
fixed beacon intervals. Profiles also allow for customization of user agent strings, DNS options, named pipe
names, and much more.
Check out Jeff “bluescreenofjeff” Dimmock’s article “How to Write Malleable C2 Profiles for Cobalt Strike,”
which details how to write a Malleable C2 profile from scratch: https://for528.com/writemalleablec2.
For one of the better GitHub repos consisting of many profiles, see BC Security’s “Malleable-C2-Profiles” repo:
https://for528.com/cs-profiles
For another large list of Malleable C2 profiles, see Michael Haag’s “malleable_c2_profiles” GitHub Gist:
https://for528.com/cs-profiles2
Palo Alto’s Unit42 wrote an article titled “Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make
Cobalt Strike Difficult to Detect” that denotes all the ways in which the Malleable C2 options make detecting CS
difficult. You can find this article at https://for528.com/cs-profiles3.
The screenshot on this page is from a profile named “Amazon browsing traffic profile,” the full version of which
you can find on GitHub at https://for528.com/cs-profile-amazon.
CS Default Profile
The default profile values for Cobalt Strike 4.5 are intentionally “noisy.” The following is the default profile for
this version of Cobalt Strike. The listing is abridged: the 134 string values in the stage block are stripped, and the
http-get block (which encloses the client and server sections) is shown with only those two sections.
• Note: The default profile does not designate a “SpawnTo” process. The default process is rundll32.exe.
# this is the default profile. Make sure we look like Cobalt Strike's
# Beacon payload. (that's what we are, right?)
stage {
    set stomppe "false";
    set name "beacon.dll";
    string "%d.%s";
    string "post";
    string "%s%s";
    string "cdn.%x%x.%s";
    [134 string values stripped – These are included so that the default
    beacon can be detected]
}
http-get {
    client {
        # base64 encode session metadata and store it in the Cookie header.
        metadata {
            base64;
            header "Cookie";
        }
    }
    server {
        # server should send output with no changes
        header "Content-Type" "application/octet-stream";
        output {
            print;
        }
    }
}
The two BEST resources available are both from The DFIR Report team. Kudos (as usual) to the amazing
volunteers for their amazing work. You can find their work here:
• “Cobalt Strike, a Defender’s Guide”: https://for528.com/dfirreport-cs1
• “Cobalt Strike, a Defender’s Guide – Part 2”: https://for528.com/dfirreport-cs2
SANS author and instructor Chad Tilbury’s SANS DFIR Summit 2021 presentation is also an amazing resource:
https://for528.com/cs-tilbury
Some important items for you to review in Chad’s talk:
• WmiPrvSE spawning PowerShell
• PowerShell spawning PowerShell
• PowerShell > multiple rundll32.exe processes
• Rundll32 with no command-line options
• Relevance of SysWow64 use
• Common named pipes @ 24:44 (including "set pipename" @ 26:00)
• Named pipe naming schemes @ 27:00
• Cracked, older versions of CS @ 31:40
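The items from Chad’s talk above are all host-level tells, so here they are as detection logic over constructed Sysmon-style process-creation (Event ID 1) and pipe-creation (Event ID 17) events. This is an added example, not code from the course, from Chad’s talk or from Cobalt Strike. The rules cover the suspicious parent/child pairs, rundll32.exe launched with no command-line arguments (the default SpawnTo), the SysWOW64 variant (an x86 Beacon spawning a 32-bit rundll32), and Cobalt Strike’s stock pipe names (msagent_##, MSSE-####-server, postex_####, status_##). The sample events, PIDs and the truncated encoded command are constructed; an operator who uses “set pipename” or a custom spawnto will not match these rules, which is why the pipe-name check is only one signal among several.

```python
import re

# Parent -> child relationships called out in the talk (lower-cased image names).
SUSPICIOUS_LINEAGE = {
    ("wmiprvse.exe", "powershell.exe"),
    ("powershell.exe", "powershell.exe"),
    ("powershell.exe", "rundll32.exe"),
}

# Cobalt Strike's stock pipe names. "set pipename" in a Malleable profile
# changes them, so a miss here proves nothing.
DEFAULT_PIPE_PATTERNS = [
    re.compile(r"^\\msagent_[0-9a-f]{2}$", re.I),
    re.compile(r"^\\MSSE-\d+-server$", re.I),
    re.compile(r"^\\postex_[0-9a-f]{4}$", re.I),
    re.compile(r"^\\status_[0-9a-f]{2}$", re.I),
]


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def arguments_after_image(cmdline: str) -> str:
    """Return whatever follows the executable in a Windows command line."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end > 0 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def check_process_create(ev: dict) -> list:
    findings = []
    child, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
    if (parent, child) in SUSPICIOUS_LINEAGE:
        findings.append(f"lineage {parent} -> {child}")
    if child == "rundll32.exe" and arguments_after_image(ev["CommandLine"]) == "":
        findings.append("rundll32.exe launched with no arguments")
        if "\\syswow64\\" in ev["Image"].lower():
            findings.append("32-bit rundll32.exe from SysWOW64 (x86 Beacon spawnto)")
    return findings


def check_pipe_created(ev: dict) -> list:
    name = ev["PipeName"]
    if any(p.match(name) for p in DEFAULT_PIPE_PATTERNS):
        return [f"default Cobalt Strike pipe name {name}"]
    return []


def triage(events: list) -> dict:
    """Map ProcessId -> list of findings, keeping only processes with at least one."""
    results = {}
    for ev in events:
        if ev["EventID"] == 1:
            hits = check_process_create(ev)
        elif ev["EventID"] == 17:
            hits = check_pipe_created(ev)
        else:
            hits = []
        if hits:
            results.setdefault(ev["ProcessId"], []).extend(hits)
    return results


# Constructed Sysmon-style events (not from a real incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4104,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -nop -w hidden -encodedcommand SQBFAFgA..."},
    {"EventID": 1, "ProcessId": 4388, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"EventID": 17, "ProcessId": 4388, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "PipeName": r"\msagent_7f"},
    {"EventID": 1, "ProcessId": 5220, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
    {"EventID": 17, "ProcessId": 812, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\lsass"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Process 4388 collects three independent findings (its parent, its empty command line, and its pipe name), which is the pattern to look for: any single rule fires on benign activity now and then, but a rundll32 with no arguments that also owns a msagent_ pipe is a Beacon until proven otherwise. The explorer-spawned rundll32 with a real DLL argument is correctly left alone.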
You can extract CS Beacons from memory! Blake M’s article “Extracting Cobalt Strike from Windows Error
Reporting” shows you how to perform this process: https://for528.com/cs-extract.
Threat actors who want to be stealthier use Microsoft’s MSBuild to compile and run Beacon loaders in memory
(hint, hint!). You can learn more about this technique via the following articles:
• Anomali’s “Threat Actors Use MSBuild to Deliver RATs Filelessly” article: https://for528.com/msbuild-chain
• Red Teaming Experiments’ “Using MSBuild to Execute Shellcode in C#” article: https://for528.com/msbuild-chain2
If you want to learn even more about Cobalt Strike, Google these resources:
• Full-Spectrum Cobalt Strike Detection (Recorded Future)
• Detecting Cobalt Strike with Memory Signatures (Elastic)
• Open Source Cobalt Strike Parser (Sentinel One)
• Strike Back at Retired Cobalt Strike (NCCGroup)
• Understanding Cobalt Strike Profiles (ZeroSec)
• Deep Dive into Malleable C2 (Specter Ops)
The BlackBerry Research and Intelligence team released a book titled Finding Beacons in the Dark: A Guide to
Cyber Threat Intelligence. This book covers Cobalt Strike, with specific focus on hunting and identifying
Beacons. You can find a free digital copy of this book at https://for528.com/cs-book.
It’s Dangerous to Go Alone! Take These CS Payload Parsers!
Tool: Stroz’s “Cobaltstrike-config-extractor”
Notes: Easy pip-based install with very strong analysis capabilities.
Tool: Etienne Maynier’s “Cobalt Strike Resources”
Notes: Multiple scripts for analyzing & extracting CS Beacons, along with scanners to generate/review Yara rules.
Tool: Avast Cobaltstrike Tools & Yara Rules
Notes: A multitude of tools for CS payload analysis, including tools for assisting with API hashing, checksum
generation, analysis in IDA Pro, and more.
Please see the workshop PDF on the desktop of your FOR528 Workshop VM.