Introduction: Cobalt Strike
Nearly every major intrusion or compromise involves Cobalt Strike in one way or another; the HAFNIUM attacks, the SolarWinds breach, and many ransomware incidents are well-known examples of its use. Picking Cobalt Strike as our subject was a natural choice, given that every Advanced Persistent Threat (APT) group keeps Cobalt Strike in its arsenal and toolkit. Threat reports from MITRE ATT&CK, CrowdStrike, Microsoft, Talos and others show clear evidence that APTs use Cobalt Strike heavily. Cobalt Strike is an adversary simulation and red team operations suite with very advanced capabilities. It is heavily used because it includes everything an attacker dreams of: a stable platform that is extremely customizable and designed to support long-term exploitation at a very large scale.
As the creator of Cobalt Strike, Raphael Mudge, says: "A traditional Antivirus product might look at my payload when I touch disk or load content in a browser. If I defeat that, I win. Not so today! Now the battleground is the functions we use to get our payload in memory."
As Raphael Mudge's quote suggests, Cobalt Strike primarily operates in memory once its initial loader is executed. This style of execution makes Cobalt Strike detection a challenge for defenders, and for many security products, because scanning memory is not easy. For this reason we see a growing need for Endpoint Detection and Response (EDR) technologies, which can scan memory in real time and detect such activities and behaviors.
The idea that memory is the last battleground in the fight against attackers is accurate: code must be executed somewhere, attackers continually improve their methods to evade security controls, and detection has become a daunting task. Failing to identify attackers in this final area, memory, essentially means losing not the battle but the war. In this article we will delve into the techniques Cobalt Strike employs, especially in memory, and shed light on what makes Cobalt Strike Cobalt Strike.

Memory Forensics: How I met your Beacon?
In the world of forensics, following a structured approach is essential, and memory forensics is no exception. As a Digital Forensics and Incident Response (DFIR) analyst, you need a starting point for your investigation. The same holds true for memory forensics – you require a clear reason or lead before delving deeper into your analysis. Without this initial direction, going straight to memory forensics is like looking for a needle in a haystack – a challenging task that consumes time and effort. This pivot point serves as a guiding light for analysts, leading them through the journey of uncovering critical evidence, and it underlines the necessity of a systematic methodology for detecting malicious activities hidden in memory.
Searching for Cobalt Strike by digging straight into memory analysis can be a difficult task, but there are tools that help speed up the process and spot Cobalt Strike. Using them saves a lot of time compared to sifting through memory dumps and examining processes just to find a starting point. It is still possible to take the second approach and dive deep into memory analysis without running the tools, since Cobalt Strike has signatures and behaviors that can be detected in memory. Our approach is to use the available tools to confirm the presence of Cobalt Strike, and then move to the second approach and manually inspect and analyze the memory dumps. Detecting Cobalt Strike can be achieved by keeping an eye out for the following:
1- Process list – pslist module: lists all running processes.
2- Process Tree – pstree module: shows the parent-child relationships between processes.
3- DLL List – dlllist: lists the DLLs loaded in each process.
4- Malicious code – malfind: finds hidden or injected code and DLLs based on characteristics such as VAD (Virtual Address Descriptor) tags and page permissions. These characteristics can be summarized as the following:
a. What are the page permissions? Read/Write/Execute (PAGE_EXECUTE_READWRITE)
b. Is the memory section backed by a file on disk?
c. Does the memory section contain code?
5- Handles – handles: handles are pointers to objects in Windows.
6- Named pipes can also be found using the handles command in the Volatility framework.
7- Command line – cmdline: shows the command line that started each process.
8- Process Scan – psscan: displays inactive and hidden processes, including ones that malware may be using.
9- Cmd Scan – cmdscan: searches memory for the commands the attackers ran on the compromised system. Note that this plugin shows the most recent 50 commands by inspecting a structure called COMMAND_HISTORY.
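The three malfind questions above (page permissions, file backing, presence of code) are easy to apply by hand to one region but tedious across a whole report. The following script is an added example for this article, not the author's code and not part of Volatility: it parses a malfind report whose layout is modelled on Volatility 2's plain-text output (an assumption about that format), answers the three questions for every region, and flags only the regions where all three point at injected code. The report text is constructed for the example, and the code markers it looks for are illustrative heuristics rather than a complete detection rule; the zero-filled RWX region shows why permissions alone are not enough.

```python
"""Triage Volatility malfind output against three questions:
page permissions, file backing, and whether the region holds code.

Added example for this article; not the author's code and not part of
Volatility. SAMPLE_MALFIND is CONSTRUCTED to mimic the Volatility 2
malfind text layout (an assumption), and CODE_MARKERS are illustrative.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed report: an RWX private region holding an MZ-prefixed stub, an RWX
# private region that is still zero-filled, and an image-backed copy-on-write region.
SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1812 Address: 0x2f40000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 17, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02f40000  4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48   MZARUH..H.. ...H
0x02f40010  8d 1d ea ff ff ff 48 89 df 48 81 c3 6c 04 00 00   ......H..H..l...

0x02f40000 4d5a             POP R10
0x02f40002 4152             PUSH R10
0x02f40004 55               PUSH RBP
0x02f40005 4889e5           MOV RBP, RSP

Process: svchost.exe Pid: 904 Address: 0x1a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x001a0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x001a0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Process: chrome.exe Pid: 2210 Address: 0x7ff6a0000
Vad Tag: Vad Protection: PAGE_EXECUTE_WRITECOPY
Flags: Protection: 7

0x7ff6a0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
"""

HEADER_RE = re.compile(r"^Process: (?P<proc>\S+) Pid: (?P<pid>\d+) Address: (?P<addr>0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"^Vad Tag: (?P<tag>\S+) Protection: (?P<prot>\S+)")
# Hex-dump lines have two spaces after the address; disassembly lines have one,
# so the disassembly that follows the dump is never mistaken for data.
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+ {2}((?:[0-9a-fA-F]{2} )+)")

# Byte patterns that answer "does the section contain code?". Illustrative only.
CODE_MARKERS = {
    b"MZ": "MZ bytes (PE header or PE-lookalike stub)",
    b"MZARUH": "MZARUH stub start cited in public Cobalt Strike signatures",
    b"\x55\x8b\xec": "x86 prologue (push ebp; mov ebp, esp)",
    b"\x48\x89\xe5": "x64 prologue (mov rbp, rsp)",
    b"\xe8\x00\x00\x00\x00": "call $+5 (position-independent code idiom)",
}


@dataclass
class Region:
    process: str
    pid: int
    address: int
    tag: str = ""
    protection: str = ""
    flags: str = ""
    data: bytes = b""


def parse_malfind(text: str) -> List[Region]:
    """Turn a malfind report into Region records with their dumped bytes."""
    regions: List[Region] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Region(m["proc"], int(m["pid"]), int(m["addr"], 16))
            regions.append(current)
            continue
        if current is None:
            continue
        m = VAD_RE.match(line)
        if m:
            current.tag, current.protection = m["tag"], m["prot"]
            continue
        if line.startswith("Flags:"):
            current.flags = line[len("Flags:"):].strip()
            continue
        m = HEX_RE.match(line)
        if m:
            current.data += bytes.fromhex(m.group(1))
    return regions


def looks_like_code(data: bytes) -> List[str]:
    """Return the reasons a dump looks executable; empty or zero-filled pages give none."""
    if not data or not any(data):
        return []
    return [why for marker, why in CODE_MARKERS.items() if marker in data]


def triage(regions: List[Region]) -> List[Dict]:
    """Answer the three malfind questions per region and flag injected-code candidates."""
    results = []
    for r in regions:
        rwx = r.protection == "PAGE_EXECUTE_READWRITE"
        # VadS entries carry no file object, and PrivateMemory=1 means the pages
        # were allocated privately rather than mapped from a file on disk.
        unbacked = r.tag == "VadS" or "PrivateMemory: 1" in r.flags
        reasons = looks_like_code(r.data)
        results.append({
            "process": r.process, "pid": r.pid, "address": hex(r.address),
            "rwx": rwx, "not_file_backed": unbacked, "code_markers": reasons,
            "suspicious": rwx and unbacked and bool(reasons),
        })
    return results


if __name__ == "__main__":
    for row in triage(parse_malfind(SAMPLE_MALFIND)):
        verdict = "SUSPICIOUS" if row["suspicious"] else "skip"
        print(f"{verdict:10} {row['process']}({row['pid']}) {row['address']} "
              f"rwx={row['rwx']} unbacked={row['not_file_backed']} code={row['code_markers']}")
```

Run it against a saved report with `parse_malfind(open("malfind.txt").read())`; only explorer.exe (PID 1812) is flagged, svchost.exe is RWX and private but holds nothing yet, and chrome.exe is an image mapping with copy-on-write protection.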
As stated above, let's first confirm the presence of Cobalt Strike in our memory image and then move on to analyzing it with the Volatility framework. One of my favorite tools for this is 1768.py, written by Didier Stevens: https://didierstevens.com/files/software/1768_v0_0_18.zip
The tool is straightforward to use; you can run it by simply providing the relevant memory image as input: