Google’s Cloud Threat Intelligence team has released a set of open-source YARA rules and a VirusTotal Collection of indicators of compromise (IoCs) to help defenders spot Cobalt Strike’s components in their networks and disrupt its malicious use.
“We are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions. Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe,” Google Cloud Threat Intelligence security engineer Greg Sinclair wrote in a blog post.
First released in 2012, Cobalt Strike is a popular tool that security teams use to emulate cyber threats, but over the years it has evolved into a point-and-click system for deploying remote access tools on targeted systems, and cybercriminals abuse its capabilities for lateral movement within victim networks.
Although Cobalt Strike vendor Fortra has implemented a vetting process to minimize the risk of malicious use, leaked and cracked versions of Cobalt Strike have been available for years. These pirated versions have all the capabilities of the legitimate software, but they usually can’t be easily upgraded and are typically one release version behind.
“For each release version of Cobalt Strike, we found that a new, unique beacon component is usually created. The stagers and templates, however, tend to be more constant across versions. Looking for unique stagers, templates, and beacons across the different versions, a total of 165 signatures were generated to detect these Cobalt Strike components across the versions of Cobalt Strike up to and including version 4.7,” Sinclair said.
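The per-component, per-version structure described above is the kind of metadata a defender wants to exploit when triaging matches. The following added example (not Google’s released rules and not part of the original article) parses a constructed YARA rule file, groups rules by the `component` and `version` meta keys assumed here as a tagging convention, and infers which release versions a set of fired rules implies for one file:

```python
import re
from collections import defaultdict

# Constructed sample rule set (not the rules Google released): the meta keys
# `component` and `version` are an assumed convention for tagging what each
# rule covers; the strings are placeholders, not real Cobalt Strike artefacts.
SAMPLE_RULES = '''
rule CS_Beacon_v4_6 { meta: component = "beacon" version = "4.6"
    strings: $a = "placeholder-beacon-46" condition: $a }
rule CS_Beacon_v4_7 { meta: component = "beacon" version = "4.7"
    strings: $a = "placeholder-beacon-47" condition: $a }
rule CS_Stager_Generic { meta: component = "stager" version = "4.0-4.7"
    strings: $a = "placeholder-stager" condition: $a }
'''

RULE_RE = re.compile(r'rule\s+(\w+)\s*\{(.*?)\}', re.S)
META_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def parse_rules(text):
    """Map each rule name to its meta key/value pairs (only the meta: section is read)."""
    rules = {}
    for name, body in RULE_RE.findall(text):
        meta = ''
        if 'meta:' in body:
            # Cut the body down to the meta section so string definitions are not read as meta.
            meta = body.split('meta:', 1)[1].split('strings:', 1)[0].split('condition:', 1)[0]
        rules[name] = dict(META_RE.findall(meta))
    return rules

def index_by_component(rules):
    """Group rule names by (component, version), mirroring per-version beacon signatures."""
    idx = defaultdict(list)
    for name, meta in rules.items():
        idx[(meta.get('component', 'unknown'), meta.get('version', 'unknown'))].append(name)
    return dict(idx)

def infer_versions(matched, rules):
    """Release versions implied by the set of rules that fired on a single file."""
    return {rules[n]['version'] for n in matched if n in rules and 'version' in rules[n]}
```

A stager rule spanning several releases will not pin a version on its own, so a beacon match is what narrows the result to a single release.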
Earlier this month, Google shared a similar set of signatures for Sliver, an open-source adversary emulation framework for security testing, which has also been observed being used by threat actors as an alternative to Cobalt Strike.