22 November 2022

Google releases YARA rules to help detect Cobalt Strike abuse

Google’s Cloud Threat Intelligence team has released a set of open-source YARA rules and a VirusTotal Collection of indicators of compromise (IoCs) to help defenders spot Cobalt Strike’s components in their environments and disrupt its malicious use.

“We are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions. Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe,” Google Cloud Threat Intelligence security engineer Greg Sinclair wrote in a blog post.

First released in 2012, Cobalt Strike is a popular tool that security teams use to emulate cyber threats, but over the years it has evolved into a point-and-click system for deploying remote access tools on targeted systems, with cybercriminals abusing Cobalt Strike’s capabilities for lateral movement within victim networks.

Although Cobalt Strike vendor Fortra has implemented a vetting process to minimize the risk of malicious use, leaked and cracked versions of Cobalt Strike have been available for years. These pirated versions have all the capabilities of the legitimate software, but they usually cannot be easily upgraded and are typically one release version behind.

“For each release version of Cobalt Strike, we found that a new, unique beacon component is usually created. The stagers and templates, however, tend to be more constant across versions. Looking for unique stagers, templates, and beacons across the different versions, a total of 165 signatures were generated to detect these Cobalt Strike components across the versions of Cobalt Strike up to and including version 4.7,” Sinclair said.
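The approach Sinclair describes, one signature per component (stager, template, beacon) per version, lends itself to a simple defender-side triage step: match a sample against the rule set, then intersect the version ranges of everything that matched to see whether the sample can be pinned to a single Cobalt Strike release. The script below is an added illustration, not Google's rules or code; every byte pattern and sample in it is a constructed placeholder and does not match real Cobalt Strike artifacts. Google's actual rules are applied with the YARA engine (for example `yara -r <rules dir> <path>`) rather than with this matcher.

```python
"""Toy version-pinning logic modelled on the article's description.

Signatures and samples are CONSTRUCTED placeholders for this example.
They are not Google's YARA rules and do not detect real Cobalt Strike.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str         # YARA-style rule name
    component: str    # "stager", "template" or "beacon"
    versions: tuple   # release versions this pattern is known to cover
    pattern: bytes    # constructed byte sequence standing in for a real rule


# Constructed rule set. Beacons are version-specific; stagers and templates
# span several releases, mirroring the observation quoted in the article.
SIGNATURES = (
    Signature("CS_stager_generic", "stager", ("4.5", "4.6", "4.7"), b"\x10\x20STG\x30"),
    Signature("CS_template_generic", "template", ("4.4", "4.5", "4.6", "4.7"), b"TMPL\xaa\xbb"),
    Signature("CS_beacon_v4_6", "beacon", ("4.6",), b"BCN\x04\x06\xff"),
    Signature("CS_beacon_v4_7", "beacon", ("4.7",), b"BCN\x04\x07\xff"),
)

# Constructed samples (not real binaries).
SAMPLE_BEACON_47 = b"\x00" * 8 + b"BCN\x04\x07\xff" + b"\x10\x20STG\x30" + b"\x00" * 4
SAMPLE_STAGER_ONLY = b"junk" + b"\x10\x20STG\x30" + b"junk"
SAMPLE_BENIGN = b"hello world"


def scan(data: bytes, signatures=SIGNATURES):
    """Return the names of all signatures whose pattern occurs in data."""
    return [s.name for s in signatures if s.pattern in data]


def classify(data: bytes, signatures=SIGNATURES):
    """Summarise a sample from its matches.

    components: sorted set of component types seen.
    versions:   releases consistent with every match (intersection of the
                matched rules' version ranges); empty if nothing matched or
                the matches contradict each other.
    pinned:     True only when exactly one release remains.
    """
    hits = [s for s in signatures if s.pattern in data]
    components = sorted({s.component for s in hits})
    candidates = None
    for s in hits:
        candidates = set(s.versions) if candidates is None else candidates & set(s.versions)
    versions = sorted(candidates) if candidates else []
    return {"components": components, "versions": versions, "pinned": len(versions) == 1}


if __name__ == "__main__":
    for label, blob in (("beacon+stager", SAMPLE_BEACON_47),
                        ("stager only", SAMPLE_STAGER_ONLY),
                        ("benign", SAMPLE_BENIGN)):
        print(label, scan(blob), classify(blob))
```

A stager-only hit identifies the family but leaves three candidate releases, while a beacon hit narrows the sample to one release; that is the practical difference between the version-agnostic and version-specific rules the article describes.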

Earlier this month, Google shared a similar set of signatures for Sliver, an open-source adversary emulation framework for security testing, which has also been observed being used by threat actors as an alternative to Cobalt Strike.
