MichaelKoczwara/Awesome-CobaltStrike-Defence

Awesome-CobaltStrike-Defence

Defences against Cobalt Strike

Cobalt Strike is a commercial, full-featured adversary-simulation and penetration-testing tool that bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Its interactive post-exploitation capabilities (the Beacon payload) cover the full range of ATT&CK tactics, all executed within a single, integrated system, and it leverages other well-known tools such as Metasploit and Mimikatz. Cracked and leaked copies are used heavily by ransomware and espionage operators (see the Conti, FIN12 and HC3 material below), so most of the detection content collected here keys on artefacts of the stock tooling: default named pipes and spawnto targets, Malleable C2 profile defaults, stager and beacon formats, and the layout of the embedded beacon configuration.

Cobalt Strike MITRE TTPs
https://attack.mitre.org/software/S0154/

Cobalt Strike MITRE ATT&CK Navigator
https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0154%2FS0154-enterprise-layer.json

Hunting & Detection Tools

Hunt-Sleeping-Beacons
https://github.com/thefLink/Hunt-Sleeping-Beacons

Pointer - Cobalt Strike Hunting
https://github.com/shabarkin/pointer

BeaconEye
https://github.com/CCob/BeaconEye

Beacon Hunter
https://github.com/3lp4tr0n/BeaconHunter

Cobalt Spam
https://github.com/hariomenkel/CobaltSpam

Cobalt Strike Team Server Password Brute Forcer
https://github.com/isafe/cobaltstrike_brute

CobaltStrikeScan
Scan files or process memory for Cobalt Strike beacons and parse their configuration
https://github.com/Apr4h/CobaltStrikeScan

Cobalt Strike beacon scan
https://github.com/whickey-r7/grab_beacon_config

Cobalt Strike decrypt
https://github.com/WBGlIl/CS_Decrypt

Detecting CobaltStrike for Volatility
https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py

JARM fingerprints scanner
https://github.com/salesforce/jarm

Cobalt Strike Forensic
https://github.com/RomanEmelyanov/CobaltStrikeForensic

Cobalt Strike resources
https://github.com/Te-k/cobaltstrike

List of C2 JARM including Cobalt Strike
https://github.com/cedowens/C2-JARM

SilasCutler_JARM_Scan_CobaltStrike_Beacon_Config.json
https://pastebin.com/DzsPgH9w

Detection Cobalt Strike stomp
https://github.com/slaeryan/DetectCobaltStomp

Cobalt Strike Built-In Lateral Movement Capabilities Based On CONTI Leak Mind Map
https://github.com/AndrewRathbun/DFIRMindMaps/tree/main/OSArtifacts/Windows/Cobalt%20Strike%20Lateral%20Movement%20Artifact%20-%20Based%20on%20CONTI%20Leak

ThreatHunting Jupyter Notebooks - Notes on Detecting Cobalt Strike Activity
https://github.com/BinaryDefense/ThreatHuntingJupyterNotebooks/blob/main/Cobalt-Strike-detection-notes.md

Random C2 Profile Generator
https://github.com/threatexpress/random_c2_profile

Python parser for CobaltStrike Beacon's configuration
https://github.com/Sentinel-One/CobaltStrikeParser
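Several of the tools above (CobaltStrikeScan, grab_beacon_config, CobaltStrikeParser, the CyberChef walkthrough) do the same core job: find the beacon's embedded configuration and decode it. The following is an added illustration of that job written for this page, not code from any of those projects. It assumes the published layout of the config block (a big-endian TLV table of `uint16 index, uint16 type, uint16 length, value`, XORed with 0x69 in 3.x and 0x2e in 4.x, beginning with the BeaconType record) and uses only a subset of the published setting-index names; the sample blob it parses is constructed inline and is not a real beacon.

```python
import struct

# XOR keys used to obfuscate the embedded beacon configuration block:
# 0x69 in Cobalt Strike 3.x, 0x2e in 4.x (as documented by the parsers linked above).
XOR_KEYS = (0x69, 0x2E)

# First record of every config once decoded: index 1 (BeaconType), type 1 (short), length 2.
# Scanners locate the config by searching a file or memory dump for this header XORed with each key.
CONFIG_HEADER = b"\x00\x01\x00\x01\x00\x02"

TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3

# Subset of the published setting indices (full table: Sentinel-One/CobaltStrikeParser).
# Unknown indices are reported as Setting_<n> rather than dropped.
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
    13: "SpawnTo", 29: "SpawnTo_x86", 30: "SpawnTo_x64",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def parse_config(decoded: bytes) -> dict:
    """Walk the TLV table: uint16 index, uint16 type, uint16 length, value (all big-endian)."""
    settings = {}
    pos = 0
    while pos + 6 <= len(decoded):
        index, rtype, length = struct.unpack(">HHH", decoded[pos:pos + 6])
        if index == 0:                      # a zero index terminates the table
            break
        pos += 6
        raw = decoded[pos:pos + length]
        pos += length
        if rtype == TYPE_SHORT:
            value = struct.unpack(">H", raw[:2])[0]
        elif rtype == TYPE_INT:
            value = struct.unpack(">I", raw[:4])[0]
        else:
            value = raw.rstrip(b"\x00")     # strings are NUL-padded to the declared length
        settings[SETTING_NAMES.get(index, f"Setting_{index}")] = value
    if "BeaconType" in settings:
        settings["BeaconTypeName"] = BEACON_TYPES.get(settings["BeaconType"], "unknown")
    return settings


def find_and_parse(blob: bytes):
    """Return (xor_key, settings) for the first config found in a blob, else (None, {})."""
    for key in XOR_KEYS:
        off = blob.find(xor(CONFIG_HEADER, key))
        if off != -1:
            return key, parse_config(xor(blob[off:], key))
    return None, {}


# ---- constructed test input (synthetic, not a real sample) ------------------------
def _record(index: int, rtype: int, value) -> bytes:
    pack = {TYPE_SHORT: lambda v: struct.pack(">H", v),
            TYPE_INT: lambda v: struct.pack(">I", v)}.get(rtype, lambda v: v)
    payload = pack(value)
    return struct.pack(">HHH", index, rtype, len(payload)) + payload


def build_sample(key: int = 0x2E) -> bytes:
    """A PE-like blob with a 4.x-style config table embedded, XORed with `key`."""
    config = b"".join([
        _record(1, TYPE_SHORT, 8),                 # 8 = HTTPS in the published mapping
        _record(2, TYPE_SHORT, 443),
        _record(3, TYPE_INT, 60000),               # sleep 60 s (milliseconds)
        _record(4, TYPE_INT, 1048576),
        _record(5, TYPE_SHORT, 20),                # 20 % jitter
        _record(8, TYPE_BYTES, b"c2.example.invalid,/jquery-3.3.1.min.js".ljust(256, b"\x00")),
        _record(9, TYPE_BYTES, b"Mozilla/5.0 (constructed UA)".ljust(128, b"\x00")),
        _record(13, TYPE_BYTES, b"%windir%\\syswow64\\rundll32.exe".ljust(64, b"\x00")),
    ]) + b"\x00" * 16                              # zero index ends the table
    return b"MZ\x90\x00" + b"\x41" * 64 + xor(config, key) + b"\x42" * 32


if __name__ == "__main__":
    key, cfg = find_and_parse(build_sample())
    print(f"xor key 0x{key:02x}")
    for name, value in cfg.items():
        print(f"  {name:15} {value!r}")
```

The header search only works on an unpacked beacon (a process memory dump, a decoded stager payload, or a sample whose packer has been stripped); a packed or encrypted file will simply return no config, which is why the tools above combine this step with a YARA pass and with memory scanning. The values that matter most for a hunt are C2Server, the post URI, the user agent and SpawnTo, since they feed network detections and the process-tree checks in the Sigma rules below.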

Yara rules

Cobalt Strike Yara
https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike.yar
https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike_evasive.yar
https://github.com/Te-k/cobaltstrike/blob/master/rules.yar

Sigma rules

Cobalt Strike sigma rules
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner.
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_rundll32_no_params.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_susp_clr_logs.yml
(check in the future for updates or new rules)
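Three of the rules above (sysmon_mal_cobaltstrike, sysmon_mal_cobaltstrike_re, sysmon_susp_cobaltstrike_pipe_patterns) key on Sysmon pipe-creation events whose names match Cobalt Strike's stock profile. The example below is an added one written for this page, not a Sigma rule and not code from SigmaHQ: it applies the same default-pipe patterns (msagent_, MSSE-####-server, postex_, postex_ssh_, status_, as documented in the F-Secure and svch0st write-ups linked further down) to constructed, flattened Sysmon Event ID 17 records. The key=value line format and every log line are constructed for the example; real Sysmon output is XML or EVTX.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pipe names produced by Cobalt Strike's stock profile. They are set by the
# `pipename` / `pipename_stager` Malleable C2 options, so a tuned profile will not match:
# treat a hit as high-confidence and a miss as no information.
DEFAULT_PIPE_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("SMB beacon (msagent_##)",        re.compile(r"^\\msagent_[0-9a-f]+$", re.I)),
    ("stager (MSSE-####-server)",      re.compile(r"^\\MSSE-\d+-server$", re.I)),
    ("post-ex job (postex_####)",      re.compile(r"^\\postex_[0-9a-f]+$", re.I)),
    ("SSH post-ex (postex_ssh_####)",  re.compile(r"^\\postex_ssh_[0-9a-f]+$", re.I)),
    ("legacy post-ex (status_##)",     re.compile(r"^\\status_[0-9a-f]+$", re.I)),
]

# Constructed flat rendering of Sysmon PipeEvent fields (EventID 17 = created, 18 = connected).
LINE = re.compile(
    r"EventID=(?P<eid>\d+)\s+UtcTime=(?P<utc>\S+)\s+ProcessId=(?P<pid>\d+)"
    r"\s+Image=(?P<image>.+?)\s+PipeName=(?P<pipe>\S+)"
)


@dataclass
class PipeEvent:
    event_id: int
    utc_time: str
    pid: int
    image: str
    pipe_name: str


def parse_line(line: str) -> Optional[PipeEvent]:
    m = LINE.search(line)
    if not m:
        return None
    return PipeEvent(int(m["eid"]), m["utc"], int(m["pid"]), m["image"], m["pipe"])


def classify(event: PipeEvent) -> Optional[str]:
    """Return the matching default-pipe label, or None for anything else."""
    for label, pattern in DEFAULT_PIPE_PATTERNS:
        if pattern.match(event.pipe_name):
            return label
    return None


def hunt(lines) -> List[Tuple[str, int, str, str, str]]:
    """Return (utc, pid, image, pipe, label) for every pipe *creation* that matches."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.event_id != 17:   # the creating process is the one to investigate
            continue
        label = classify(ev)
        if label:
            hits.append((ev.utc_time, ev.pid, ev.image, ev.pipe_name, label))
    return hits


# Constructed sample, not real telemetry.
SAMPLE_LOG = [
    r"EventID=17 UtcTime=2022-07-14T09:15:01 ProcessId=4812 Image=C:\Windows\System32\rundll32.exe PipeName=\MSSE-1138-server",
    r"EventID=17 UtcTime=2022-07-14T09:15:03 ProcessId=4812 Image=C:\Windows\System32\rundll32.exe PipeName=\postex_3f2a",
    r"EventID=17 UtcTime=2022-07-14T09:15:05 ProcessId=1024 Image=C:\Windows\System32\lsass.exe PipeName=\lsass",
    r"EventID=17 UtcTime=2022-07-14T09:15:06 ProcessId=2208 Image=C:\Program Files\Browser\browser.exe PipeName=\mojo.2208.1460.1907712",
    r"EventID=17 UtcTime=2022-07-14T09:15:09 ProcessId=6160 Image=C:\Windows\SysWOW64\dllhost.exe PipeName=\msagent_8b",
    r"EventID=18 UtcTime=2022-07-14T09:15:10 ProcessId=4812 Image=C:\Windows\System32\rundll32.exe PipeName=\msagent_8b",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit, sep="  ")
```

Sysmon only logs pipe events when the configuration includes a PipeEvent rule, so confirm that before relying on this class of detection. The stager pipe and the postex_ pipes created by a rundll32.exe with no command-line arguments are the pairing the rundll32 rules above are looking for; once a profile renames the pipes, fall back on the behavioural rules (remote thread creation, service installs, BOF injection patterns).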

Indicators of compromise

Cobalt Strike hashes
https://bazaar.abuse.ch/browse/yara/CobaltStrike/

https://bazaar.abuse.ch/browse/tag/CobaltStrike/

https://bazaar.abuse.ch/browse/tag/CobaltStrike%20beacon%20implant%20Zoom%20Meetings/

https://tria.ge/s?q=family%3Acobaltstrike

Possible Cobalt Strike Stager IOCs
https://pastebin.com/54zE6cSj

List of Cobalt Strike servers https://docs.google.com/spreadsheets/d/1bYvBh6NkNYGstfQWnT5n7cSxdhjSn1mduX8cziWSGrw/edit#gid=766378683

Possible Cobalt Strike ioc's
https://pastebin.com/u/cobaltstrikemonitor

Cobalt Strike Trevor Profiles
https://pastebin.com/yB6RJ63F

https://pastebin.com/7QnLN5u0

Cobalt Strike & Metasploit servers
https://gist.github.com/MichaelKoczwara

ThreatFox Database(Cobalt Strike)by abuse.ch
https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/

Hunting & Detection Research Articles

Cobalt Strike Metadata Encoding and Decoding
https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/

Cobalt Strike Metadata Encryption and Decryption
https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/

Cobalt Strike Malleable C2 Profile
https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/

Hunting Cobalt Strike Servers
https://bank-security.medium.com/hunting-cobalt-strike-servers-385c5bedda7b

Extracting Cobalt Strike from Windows Error Reporting
https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting

Mining data from Cobalt Strike beacons
Report
https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/

Data
https://github.com/fox-it/cobaltstrike-beacon-data

Cobalt Strike as a Threat to Healthcare from U.S. Department of Health & Human Services - Health Sector Cybersecurity Coordination Center (HC3)
https://www.hhs.gov/sites/default/files/cobalt-strike-tlpwhite.pdf

Detecting Conti Cobalt Strike Lateral Movement Techniques Part 1
https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1

Detecting Conti Cobalt Strike Lateral Movement Techniques Part 2
https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2

CobaltStrike Beacon Config Parsing with CyberChef — Malware Mondays #2
https://medium.com/@whickey000/cobaltstrike-beacon-config-parsing-with-cyberchef-malware-mondays-2-86d759b9a031

Cobalt Strike Hunting – Key items to look for
https://www.vanimpe.eu/2021/09/12/cobalt-strike-hunting-key-items-to-look-for/

Identify malicious servers / Cobalt Strike servers with JARM
https://www.vanimpe.eu/2021/09/14/identify-malicious-servers-cobalt-strike-servers-with-jarm/

Full-Spectrum Cobalt Strike Detection
https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf

Cobalt Strike, a Defender’s Guide
https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/

Cobalt Strike, a Defender’s Guide – Part 2
https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/

BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/

Cobalt Strike and Tradecraft
https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/

Analysing Cobalt Strike for fun and profit
https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/

Cobalt Strike Remote Threads detection
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml

The art and science of detecting Cobalt Strike
https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf

Detecting Cobalt Strike Default Modules via Named Pipe Analysis
https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/

A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers
https://go.recordedfuture.com/hubfs/reports/cta-2019-0618.pdf

How to detect Cobalt Strike activities in memory forensics
https://www.andreafortuna.org/2020/11/22/how-to-detect-cobalt-strike-activity-in-memory-forensics/

Detecting Cobalt Strike by Fingerprinting Imageload Events
https://redhead0ntherun.medium.com/detecting-cobalt-strike-by-fingerprinting-imageload-events-6c932185d67c

The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/

CobaltStrike - beacon.dll : Your No Ordinary MZ Header
https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html

GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic
https://www.bleepingcomputer.com/news/security/github-hosted-malware-calculates-cobalt-strike-payload-from-imgur-pic/

Detecting Cobalt Strike beacons in NetFlow data
https://delaat.net/rp/2019-2020/p29/report.pdf

Volatility Plugin for Detecting Cobalt Strike Beacon
https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html

Easily Identify Malicious Servers on the Internet with JARM
https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a

Cobalt Strike Beacon Analysis
https://isc.sans.edu/forums/diary/Quick+Tip+Cobalt+Strike+Beacon+Analysis/26818/

Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
https://isc.sans.edu/forums/diary/Hancitor+infection+with+Pony+Evil+Pony+Ursnif+and+Cobalt+Strike/25532/

Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
https://isc.sans.edu/forums/diary/Attackers+Exploiting+WebLogic+Servers+via+CVE202014882+to+install+Cobalt+Strike/26752/

Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs
https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/

Identifying Cobalt Strike team servers in the wild
https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/

Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/

Operation Cobalt Kitty
http://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf

Detecting and Advancing In-Memory .NET Tradecraft
https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/

Analysing Fileless Malware: Cobalt Strike Beacon
https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/

CobaltStrike samples (archive password: infected)
https://www.dropbox.com/s/o5493msqarg3iyu/Cobalt%20Strike.7z?dl=0

IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html

Cobalt Group Returns To Kazakhstan
https://research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/

Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/

Azure Sentinel Quick-Deploy with Cyb3rWard0g’s Sentinel To-Go – Let’s Catch Cobalt Strike!
https://www.blackhillsinfosec.com/azure-sentinel-quick-deploy-with-cyb3rward0gs-sentinel-to-go-lets-catch-cobalt-strike/

Cobalt Strike stagers used by FIN6
https://malwarelab.eu/posts/fin6-cobalt-strike/

Malleable C2 Profiles and You
https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929

List of spawns from exposed Cobalt Strike C2
https://gist.github.com/MHaggis/bdcd0e6d5c727e5b297a3e69e6c52286

C2 Traffic patterns including Cobalt Strike
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

CobaltStrike Threat Hunting via named Pipes
https://www.linkedin.com/feed/update/urn:li:activity:6763777992985518081/

Hunting for GetSystem in offensive security tools
https://redcanary.com/blog/getsystem-offsec/

Hunting and Detecting Cobalt Strike
https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/

Detecting Cobalt Strike with memory signatures
https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

How to detect CobaltStrike Command & Control communication
https://underdefense.com/how-to-detect-cobaltstrike-command-control-communication/

Red Canary Threat Detection Report 2021 - Cobalt Strike
https://redcanary.com/threat-detection-report/threats/cobalt-strike/

Detecting Exposed Cobalt Strike DNS Redirectors
https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors/

Decoding Cobalt Strike Traffic
https://isc.sans.edu/diary/27322

Anatomy of Cobalt Strike’s DLL Stager
https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/

malleable_c2_profiles
https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752

pipes
https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752#gistcomment-3624664

spawnto
https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752#gistcomment-3624663

Enterprise Scale Threat Hunting: C2 Beacon Detection with Unsupervised ML and KQL
Part 1
https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f
Part 2
https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e

Detecting network beacons via KQL using simple spread stats functions
https://ateixei.medium.com/detecting-network-beacons-via-kql-using-simple-spread-stats-functions-c2f031b0736b
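The three articles above (unsupervised ML and KQL, spread-stats KQL) all reduce to the same statistic: group connections by source and destination, take the gaps between consecutive connections, and flag pairs whose gaps are too regular to be human. The block below is an added, offline version of that idea written for this page, not code from those articles and not their KQL; it uses the coefficient of variation (stdev / mean) of the inter-connection gaps with a minimum-count gate, and the flow records it runs over are constructed inline (one simulated beacon with a 60-second sleep and 20 % jitter, one noisy benign pair, one pair with too few events).

```python
import statistics
from collections import defaultdict
from random import Random
from typing import Dict, Iterable, List, Tuple

MIN_CONNECTIONS = 10   # below this the spread statistics are not meaningful
MAX_CV = 0.20          # stdev / mean of the gaps; lower = more regular


def beacon_candidates(flows: Iterable[Tuple[float, str, str]],
                      min_connections: int = MIN_CONNECTIONS,
                      max_cv: float = MAX_CV) -> List[Dict]:
    """flows: (timestamp_seconds, src, dst). Returns one summary per (src, dst) pair
    that has enough connections, with `beaconing` set when the gaps are regular."""
    by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    results = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        stdev = statistics.pstdev(gaps)
        cv = stdev / mean if mean else float("inf")
        results.append({
            "src": src, "dst": dst, "count": len(stamps),
            "mean_interval": mean, "stdev": stdev, "cv": cv,
            "beaconing": cv <= max_cv,
        })
    return results


def constructed_flows() -> List[Tuple[float, str, str]]:
    """Synthetic flow records for the example; not captured traffic."""
    flows = []
    # Simulated beacon: sleep 60 s, jitter 20 %. Cobalt Strike applies jitter by
    # shortening the sleep by up to jitter %, so gaps fall in [48, 60] s.
    rng = Random(1)
    t = 0.0
    for _ in range(40):
        t += 60 * (1 - rng.random() * 0.20)
        flows.append((t, "10.0.0.23", "203.0.113.10"))
    # Benign pair: bursty, human-driven gaps.
    t = 0.0
    for gap in [12, 340, 7, 95, 601, 3, 220, 48, 15, 410, 2, 130, 77, 9, 299]:
        t += gap
        flows.append((t, "10.0.0.41", "198.51.100.7"))
    # Regular but too few events to score.
    for t in (0.0, 60.0, 120.0):
        flows.append((t, "10.0.0.9", "192.0.2.5"))
    return flows


if __name__ == "__main__":
    for r in beacon_candidates(constructed_flows()):
        flag = "BEACON?" if r["beaconing"] else "ok"
        print(f"{r['src']:>10} -> {r['dst']:<14} n={r['count']:<3} "
              f"mean={r['mean_interval']:7.1f}s cv={r['cv']:.3f}  {flag}")
```

Because jitter only shortens the sleep, a stock beacon's gaps stay inside a bounded window and the CV stays small no matter how the jitter is configured; long sleeps hurt this method by starving it of connections within the hunting window, and DNS beacons need the same treatment applied to query timestamps per domain rather than to flows. Run it over proxy or firewall logs rather than full NetFlow when possible, since the destination is then a hostname and the Beacon's HTTP URIs and user agent (recoverable with the config parser above) can be joined in.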

Cobalt Strike Hunting — simple PCAP and Beacon Analysis
https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811

Guide to Named Pipes and Hunting for Cobalt Strike Pipes
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575

Detecting C&C Malleable Profiles
https://community.rsa.com/t5/netwitness-blog/detecting-c-amp-c-malleable-profiles/ba-p/607072

FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets
The report itself is not about Cobalt Strike, but FIN12 makes heavy use of CS. We have a whole section about it in the report: "Cobalt Strike / BEACON TTPs"
https://www.mandiant.com/media/12596/download

Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
https://www.mandiant.com/resources/defining-cobalt-strike-components

Cobalt Strike: Using Known Private Keys To Decrypt Traffic
https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/ (part 1)
https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/ (part 2)

Cobalt Strike: Using Process Memory To Decrypt Traffic
https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/

Cobalt Strike: Decrypting Obfuscated Traffic
https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/

Cobalt Strike: Decrypting DNS Traffic
https://blog.nviso.eu/2021/11/29/cobalt-strike-decrypting-dns-traffic-part-5/

Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
https://isc.sans.edu/diary/28006

Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf

Collecting Cobalt Strike Beacons with the Elastic Stack
https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/

Extracting Cobalt Strike Beacon Configurations
https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/

Trainings

Attack detection fundamentals including also Cobalt Strike detection
https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-1
https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-2
https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-3
https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-4
https://www.youtube.com/watch?v=DDK_hC90kR8&feature=youtu.beh

Cobalt Strike Detection via Log Analysis Workshop
https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395/

Videos

Malleable Memory Indicators with Cobalt Strike's Beacon Payload
https://www.youtube.com/watch?v=93GyP-mEUAw&feature=emb_title

STAR Webcast: Spooky RYUKy: The Return of UNC1878
https://www.youtube.com/watch?v=BhjQ6zsCVSc

Excel 4.0 Macros Analysis - Cobalt Strike Shellcode Injection
https://www.youtube.com/watch?v=XnN_UWfHlNM

Profiling And Detecting All Things SSL With JA3
https://www.youtube.com/watch?v=oprPu7UIEuk

Hunting beacons by Bartosz Jerzman (x33fcon conf)
https://www.youtube.com/watch?v=QrSTnVlOIIA

Striking Back: Hunting Cobalt Strike Using Sysmon And Sentinel by Randy Pargman
https://www.binarydefense.com/striking-back-hunting-cobalt-strike-using-sysmon-and-sentinel-thank-you/?submissionGuid=5719f087-bfa5-4261-8b77-34541d8736d6

Making Sense Of Encrypted Cobalt Strike Traffic
https://isc.sans.edu/diary/27448

Cobalt Strike Threat Hunting | SANS DFIR Summit 2021 | Chad Tilbury
https://www.youtube.com/watch?v=borfuQGrB8g

SiegeCast "COBALT STRIKE BASICS" with Tim Medin and Joe Vest
https://www.youtube.com/watch?v=OtM6iegGYAQ

Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory by Didier Stevens
https://isc.sans.edu/diary/28008

Mining The Shadows with ZoidbergStrike: A Scanner for Cobalt Strike
https://www.youtube.com/watch?v=MWr6bvrrYHQ