Euro Security Watch with Mathew J. Schwartz


Block This Now: Cobalt Strike and Other Red-Team Tools

Attackers Keep Wielding Legitimate Tools and 'Living Off the Land' Tactics
Attackers continue to use the legitimate Cobalt Strike tool set to target victims.

Attackers continue to employ commercial penetration testing tools as well as "living off the land" tactics - using legitimate tools or functionality already present in a network - to exploit victims. Accordingly, organizations must monitor for both, to better identify potential intrusions.


The trouble with detecting and blocking such attacks, which are launched by both criminal and nation-state hackers, is that they're designed to look legitimate.

Neither type of threat is new, but both continue to bedevil organizations. Take living off the land: In March, Microsoft warned that attackers were wielding Azure "LoLBins," aka "living off the land binaries" - served with an extra helping of hacker lulz - which refers to weaponizing legitimate, preinstalled binaries built to run on Windows or Linux.

In September, a joint U.S. government alert warned attackers were using living-off-the-land tactics to exploit a vulnerability in Zoho's single sign-on and password management tool.

Red-Team Tools

Beyond using already installed tools or functionality to target organizations, attackers will sometimes use commercially available hacking tools for - you guessed it - criminal hacking purposes. One increasingly used tool is Cobalt Strike, which is marketed by its makers as "software for adversary simulations and red team operations." But attackers regularly use cracked copies of the tool to build botnets.

For organizations that do not use Cobalt Strike, experts say the security message is simple: monitoring for the software inside a network can reveal an attack in progress.

Such software gets wielded in standalone attacks, and sometimes also at scale. Earlier this month, security researchers warned that Emotet malware was pushing Cobalt Strike implants - referred to in Cobalt Strike-speak as beacons - directly onto infected endpoints, so attackers could more quickly evaluate the endpoint and see if they wished to escalate the attack, for example, by pushing ransomware onto the endpoint. Other attackers regularly use Cobalt Strike for "lateral movement," meaning the endpoint becomes the beachhead in a lengthier attack, during which they'll typically attempt to escalate privileges, access the Active Directory domain controller, and use that to steal sensitive data, infect systems with crypto-locking malware and more.

Emotet infection process (Source: U.S. Cybersecurity and Infrastructure Security Agency)

"Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage," says the digital forensics and incident response threat intelligence group DFIR Report.

"Some of the most common droppers we see are IcedID (a.k.a. BokBot), ZLoader, Qbot (a.k.a. QakBot), Ursnif, Hancitor, Bazar and TrickBot," DFIR Report says in its Cobalt Strike Defender's Guide, published in August. "Cobalt Strike is chosen for the second stage of the attack as it offers enhanced post-exploitation capabilities. Threat actors turn to Cobalt Strike for its ease of use and extensibility."

Client/Server Approach

Cobalt Strike employs a client/server approach, using the aforementioned beacon - a payload that gets installed on a target system - which communicates with a command-and-control server via DNS, HTTP or HTTPS, according to a teardown published by European cybersecurity firm Sekoia. Beacons get controlled remotely by an administrator, using a Cobalt Strike client - aka the Aggressor - which connects to command-and-control Team servers that run on Linux OS.

By connecting to the Team server that manages a particular endpoint via its beacon, an administrator can remotely configure the beacon as well as receive "all information from the infected hosts," Sekoia says.

"Cobalt Strike is unique in that its built-in capabilities enable it to be quickly deployed and operationalized regardless of actor sophistication or access to human or financial resources," security firm Proofpoint said in a report released earlier this year. (But then again, the same can be said about a number of other penetration testing or red-team tools, both legitimate and otherwise.)

How quick is quick? Earlier this month, threat intelligence firm Advanced Intelligence warned in the wake of the Log4j vulnerability becoming public knowledge that the Conti ransomware group appeared to be scanning for the vulnerability, using endpoints it had already infected with Cobalt Strike. In particular, Conti appeared to be attempting to exploit the Log4j functionality built into VMware vCenter server management software. A successful exploit, Advanced Intelligence warned, would give the attackers the ability to move laterally in a victim's network.

'Ban Hacking and Enumeration Tools'

The propensity of both criminals and nation-state attackers to employ Cobalt Strike for unhealthy purposes - not least in the SolarWinds supply chain attack - has led Bob McArdle, director of Trend Micro's Forward-Looking Threat Research team in Europe, to dub Cobalt Strike "the Big Tobacco" of the cybersecurity field.

Given the risk posed by Cobalt Strike and its ilk, McArdle - in a presentation at last month's Irish Reporting and Information Security Service conference IRISSCON in Dublin - recommended that all organizations "ban hacking and enumeration tools from the network," including Cobalt Strike.

Bob McArdle details attacker tactics at the IRISSCON conference in Dublin on Nov. 18.

Not all penetration-testing tools are bad. Ditto the types of functionality on which many administrators rely; it's there precisely because IT and operations teams need it. The challenge, however, especially with the latter, is differentiating legitimate from illicit use of that functionality.

"In general for those tools - a lot of them fall into 'dual usage,' including PowerShell, PSExec, or even tools like AdFind," McArdle tells me, referring to the powerful scripting language built into Windows (PowerShell), a lightweight replacement for telnet (PSExec), and a command line Active Directory query tool (AdFind).

Watch for Malicious Use

Again, that doesn't mean the use of these and other such tools - also including the Metasploit open-source penetration testing framework, Cobalt Strike, and other "potentially unwanted applications" - is always bad; it's not. But unless organizations are monitoring for such tools with an eye to their being used maliciously, how can they tell?

"A lot of security products detect them as Hacktool_ or PUA_ instead of more fully malicious ones like TROJ_," McArdle says. "So it's important for companies to be aware of this and to treat those sort of detections just as dangerously, especially when they're running outside of any machines tagged as being in the admin group."

In other words, in theory, detecting the malicious use of such tools isn't difficult. But in practice, don't expect such capabilities to be active by default.

"Most modern security software should have process and file-access control that can be configured for tools like PowerShell, but a lot of organizations might not be aware of this," McArdle says. "A modern security suite does, after all, have a lot of options. So educating people to go look into those and enable them is a good first step."
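The triage rule McArdle describes - treat Hacktool_ and PUA_ detections as seriously as TROJ_ ones, especially on machines outside the admin group - as an added Python example written for this page, not code from the article or from any security product. The alert format, host names, user names and detection names are constructed; the set of admin-group hosts is an assumed inventory.

```python
from dataclasses import dataclass

# Constructed sample alerts in a simplified "host;user;detection;process"
# format (not real product output), assumed for this example.
SAMPLE_ALERTS = """\
WS-0142;jsmith;PUA_AdFind;adfind.exe
WS-0142;jsmith;Hacktool_PsExec;psexec.exe
ADM-JUMP01;ops-admin;Hacktool_PsExec;psexec.exe
WS-0077;mlee;TROJ_Emotet;outlook.exe
WS-0077;mlee;PUA_CobaltStrike_Beacon;rundll32.exe
"""

# Hosts tagged as belonging to the admin group (assumed inventory).
ADMIN_GROUP_HOSTS = {"ADM-JUMP01"}

DUAL_USE_PREFIXES = ("Hacktool_", "PUA_")   # dual-use tool detections
MALICIOUS_PREFIXES = ("TROJ_",)             # outright malware detections


@dataclass
class Alert:
    host: str
    user: str
    detection: str
    process: str


def parse_alerts(text):
    """Parse the constructed semicolon-separated alert lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, detection, process = line.split(";")
        alerts.append(Alert(host, user, detection, process))
    return alerts


def severity(alert, admin_hosts=ADMIN_GROUP_HOSTS):
    """Map a detection to a triage severity.
    TROJ_ names are always 'high'. Hacktool_/PUA_ names are 'high' on any
    host outside the admin group and 'review' on admin-group hosts, where
    the tool may be in legitimate use. Anything else is 'info'."""
    if alert.detection.startswith(MALICIOUS_PREFIXES):
        return "high"
    if alert.detection.startswith(DUAL_USE_PREFIXES):
        return "review" if alert.host in admin_hosts else "high"
    return "info"


def triage(text, admin_hosts=ADMIN_GROUP_HOSTS):
    """Return (host, detection, severity) for every alert in the feed."""
    return [(a.host, a.detection, severity(a, admin_hosts))
            for a in parse_alerts(text)]
```

Run over the sample feed, the two PUA_/Hacktool_ hits on the ordinary workstations come out at the same severity as the Emotet trojan, while the same PsExec detection on the admin jump host is queued for review rather than treated as an incident.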

Can your organization tell when or if PowerShell is being used legitimately, and has it taken steps to enforce that? Is an alarm set to sound in the security operations center if a Cobalt Strike beacon shows up on an endpoint, or starts phoning home to a command-and-control server? If not, it's time to task your security team with honing your defenses, to better safeguard against off-the-shelf red-team tools and living-off-the-land functionality being used against you.

Update (Jan. 11, 2022): Added information from DFIR Report.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
