22 November 2022

Google releases YARA rules to help detect Cobalt Strike abuse


Google’s Cloud Threat Intelligence team has released a set of open-source YARA rules and a VirusTotal Collection of indicators of compromise (IoCs) to help defenders spot Cobalt Strike’s components in their networks and disrupt its malicious use.

“We are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions. Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe,” Google Cloud Threat Intelligence security engineer Greg Sinclair wrote in a blog post.

First released in 2012, Cobalt Strike is a popular tool that security teams use to emulate cyber threats, but over the years it evolved into a point-and-click system for deploying remote access tools on targeted systems, with cyber criminals abusing Cobalt Strike’s capabilities for lateral movement within victim networks.

Although Cobalt Strike vendor Fortra has implemented a vetting process to minimize the risk of malicious use, leaked and cracked versions of Cobalt Strike have been available for years. These pirated versions have all the capabilities of the legitimate software, but they usually can’t be easily upgraded and are typically one release version behind.

“For each release version of Cobalt Strike, we found that a new, unique beacon component is usually created. The stagers and templates, however, tend to be more constant across versions. Looking for unique stagers, templates, and beacons across the different versions, a total of 165 signatures were generated to detect these Cobalt Strike components across the versions of Cobalt Strike up to and including version 4.7,” Sinclair said.

Earlier this month, Google shared a similar set of signatures for Sliver, an open-source adversary emulation framework for security testing, which has also been observed being used by threat actors as an alternative to Cobalt Strike.
