Google seeks to make Cobalt Strike useless to attackers
2022-11-21 11:54

Google Cloud's intelligence research and applications team has created and released a collection of 165 YARA rules to help defenders flag Cobalt Strike components deployed by attackers.

Cobalt Strike, a legitimate adversary simulation tool used by pentesters and cyber red teams, has also become threat actors' preferred post-exploitation tool.

While some attackers have switched to using Brute Ratel, DeimosC2, and similar tools, Cobalt Strike is still a very popular option.

"Cobalt Strike vendor Fortra uses a vetting process that attempts to minimize the potential that the software will be provided to actors who will use it for nefarious purposes, but Cobalt Strike has been leaked and cracked over the years. These unauthorized versions of Cobalt Strike are just as powerful as their retail cousins except that they don't have active licenses, so they can't be upgraded easily," Sinclair explained.

"We decided that detecting the exact version of Cobalt Strike was an important component to determining the legitimacy of its use by non-malicious actors since some versions have been abused by threat actors. By targeting only the non-current versions of the components, we can leave the most recent versions alone, the version that paying customers are using," Sinclair noted.

Vicente Diaz, a threat intelligence strategist at VirusTotal, said that the Cobalt Strike samples used to create the signatures were gathered via that platform, and explained the process of creating and testing the detection rules.

News URL

https://www.helpnetsecurity.com/2022/11/21/cobalt-strike-attackers-detection-rules/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 995 4914 2861 1623 10393