
In this post I summarise the findings from a SANS Digital Forensics and Incident Response keynote by Chad Tilbury: Cobalt Strike Threat Hunting. Cobalt Strike (S0154) is a commercial penetration testing platform which is used by many red teams and, unfortunately, also by many criminal threat actors. The YouTube video provides much more detail, but below you can find the findings that were relevant for me during an IR case.

This post includes references to commands of the Volatility memory forensics platform, but you can use any platform of your choice. Some of the log sources that are valuable during IR, such as network traffic (to detect beaconing and traffic frequency), PowerShell logs and Sysmon logs, were unfortunately not available.

PowerShell spawning (multiple) rundll32.exe processes

Look at the running processes and the process tree via pstree. Rundll32.exe is spawned as a sacrificial process in which Cobalt Strike injects its malicious code. By default, Cobalt Strike will spawn rundll32.exe. This is customisable and can as well be svchost.exe or any other process. The take-away is to look for multiple, similar processes all spawned from PowerShell.

The next item to look for is the command line arguments used for starting rundll32.exe from PowerShell. If you notice a rundll32.exe process spawned from PowerShell without any DLL supplied as an argument, then there is a high chance that something is wrong. By default Cobalt Strike spawns rundll32.exe without arguments, but this is also customisable. If you observe multiple rundll32.exe processes (or for example svchost.exe) spawned with the same command line parameters, or all without command line arguments, then there is a high chance it is Cobalt Strike.

Review if a 32-bit version of PowerShell was used to launch the subprocesses. You can detect this by looking at the startup path (via cmdline) of the command. If it includes syswow64 (take note of different forms of capitalisation) then it is using the 32-bit version.

You can find injected code with malfind, which allows you to find 'hidden' or injected DLLs in user memory. Pay special attention to memory pages that are marked both as executable and writable. Don't be confused if the first page only contains zeros: Cobalt Strike will not inject its code in the first page, but you will be able to find the injected code after the set of zeros.

[Figure: CrowdStrike Cobalt Strike code]

The configuration of the named pipes Cobalt Strike uses can be changed, but in a lot of cases attackers will just stick to the default settings. In Volatility you can list the named pipes via the handles command and specify the process PID. For an initial triage and to reduce the volume of results it makes sense to look only
Note that the list of named pipes can provide you hints of other machines most likely also affected by the intrusion (for example if the named pipe has references to machine names/IPs for post exploitation or SMB beacons).
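The process-tree, command-line and malfind checks described above, worked into detection logic as an added example (this is not code from the original post, the keynote, or Volatility itself). It takes a constructed pstree/cmdline-style snapshot, groups rundll32.exe or svchost.exe children of powershell.exe by identical command line arguments, reports groups that share their arguments (or have none) together with whether the parent runs from SysWOW64, and for a malfind region skips the leading all-zero page before reporting the offset where the injected content starts. The process list, PIDs, region bytes and the PAGE_EXECUTE_READWRITE protection string are constructed sample data.

```python
import re
from collections import defaultdict
from typing import List, NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    cmdline: str


# Constructed process snapshot in the shape of Volatility pstree + cmdline
# output. Sample data, not from a real case.
SAMPLE_PROCS = [
    Proc(612, 520, "explorer.exe", r"C:\Windows\Explorer.EXE"),
    Proc(3120, 612, "powershell.exe",
         r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Proc(3188, 3120, "rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    Proc(3244, 3120, "rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    Proc(3301, 3120, "rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    Proc(4010, 612, "rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'),
]

# Processes Cobalt Strike commonly uses as a sacrificial host (configurable).
SACRIFICIAL = {"rundll32.exe", "svchost.exe"}
# Image path (quoted or not) followed by whatever arguments remain.
_IMAGE_AND_ARGS = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)


def args_after_image(cmdline: str) -> str:
    """Return the command line with the (possibly quoted) image path stripped."""
    m = _IMAGE_AND_ARGS.match(cmdline)
    return m.group(1).strip() if m else ""


def is_wow64(cmdline: str) -> bool:
    """32-bit process on 64-bit Windows: image path under SysWOW64, any casing."""
    return "syswow64" in cmdline.lower()


def rundll32_without_dll(proc: Proc) -> bool:
    """rundll32.exe normally needs a DLL argument; no arguments at all is abnormal."""
    return proc.name.lower() == "rundll32.exe" and args_after_image(proc.cmdline) == ""


def suspicious_powershell_children(procs: List[Proc], min_children: int = 2) -> list:
    """Group sacrificial-process children of powershell.exe by identical
    arguments and report every group with min_children or more members."""
    by_pid = {p.pid: p for p in procs}
    groups = defaultdict(list)
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or parent.name.lower() != "powershell.exe":
            continue
        if p.name.lower() not in SACRIFICIAL:
            continue
        key = (parent.pid, p.name.lower(), args_after_image(p.cmdline).lower())
        groups[key].append(p)
    findings = []
    for (ppid, name, args), children in groups.items():
        if len(children) < min_children:
            continue
        findings.append({
            "parent_pid": ppid,
            "child_name": name,
            "child_pids": [c.pid for c in children],
            "no_arguments": args == "",
            "parent_wow64": is_wow64(by_pid[ppid].cmdline),
        })
    return findings


PAGE = 0x1000  # x86/x64 page size


def injected_code_offset(region: bytes, protection: str) -> Optional[int]:
    """For a malfind region: require executable+writable protection, skip the
    leading all-zero pages and return the offset of the first page with content.
    Returns None for non-RWX regions or regions that are entirely zero."""
    prot = protection.upper()
    if "EXECUTE" not in prot or "WRITE" not in prot:
        return None
    for off in range(0, len(region), PAGE):
        if any(region[off:off + PAGE]):
            return off
    return None


if __name__ == "__main__":
    for finding in suspicious_powershell_children(SAMPLE_PROCS):
        print(finding)
    # Constructed region: an empty first page, then an MZ header in page 1.
    region = b"\x00" * PAGE + b"MZ" + b"\x90" * 62
    print(injected_code_offset(region, "PAGE_EXECUTE_READWRITE"))
```

With the sample snapshot, the three argument-less rundll32.exe children of the SysWOW64 powershell.exe come out as one finding, while the explorer.exe child with a real DLL argument is ignored; the region check reports 0x1000, the first byte after the zero page.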
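The named pipe triage, as an added example that is not part of the original post: it parses constructed lines in the shape of Volatility's handles output, keeps only named pipe handles for the PIDs you are interested in, labels the ones matching the well-known Cobalt Strike default pipe name patterns (msagent_, MSSE-…-server, postex_, status_; these are vendor-documented defaults rather than something taken from this post, so check them against the version you are dealing with), and collects any remote host names referenced in a pipe path as pivot hints for other affected machines. The handles lines, PIDs and host name are constructed, and the \Device\Mup\<host>\pipe\<name> form used to represent a remote pipe handle is an assumption.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed lines in the shape of Volatility's handles output
# (Offset, Pid, Handle, Access, Type, Details). Sample data, not a real case;
# the \Device\Mup\<host>\pipe\... form for a remote pipe is an assumption.
SAMPLE_HANDLES = r"""
Offset(V)          Pid   Handle   Access   Type  Details
0xfffffa8001a2b3c0 3188  0x1c4    0x12019f File  \Device\NamedPipe\msagent_af
0xfffffa8001a2c4d0 3188  0x1d8    0x12019f File  \Device\NamedPipe\MSSE-4071-server
0xfffffa8001a2d5e0 3188  0x1ec    0x100001 File  \Device\HarddiskVolume2\Windows\System32\en-US\rundll32.exe.mui
0xfffffa8001a2e6f0 3188  0x200    0x12019f File  \Device\Mup\FILESRV01\pipe\msagent_af
0xfffffa8001b3f7a0 812   0x0b8    0x12019f File  \Device\NamedPipe\lsass
""".strip().splitlines()

# Well-known Cobalt Strike default pipe names (vendor-documented defaults;
# assumes the operator did not change them in the malleable C2 profile).
DEFAULT_PIPE_PATTERNS = [
    (re.compile(r"^MSSE-\d+-server$", re.I), "artifact kit default"),
    (re.compile(r"^msagent_[0-9a-f]+$", re.I), "SMB beacon default"),
    (re.compile(r"^postex_[0-9a-f]+$", re.I), "post-exploitation job default (4.2+)"),
    (re.compile(r"^status_[0-9a-f]+$", re.I), "post-exploitation job default (pre-4.2)"),
]

_HANDLE_LINE = re.compile(r"^\S+\s+(\d+)\s+\S+\s+\S+\s+File\s+(\S+)\s*$")
_LOCAL_PIPE = re.compile(r"^\\Device\\NamedPipe\\(.+)$", re.I)
# Remote pipe: \Device\Mup\<host>\pipe\<name> or \\<host>\pipe\<name>
_REMOTE_PIPE = re.compile(r"^(?:\\Device\\Mup\\|\\\\)([^\\]+)\\(?:IPC\$\\)?pipe\\(.+)$", re.I)


def parse_handle_line(line: str) -> Optional[Tuple[int, str]]:
    """Return (pid, object path) for a File handle line, None for anything else."""
    m = _HANDLE_LINE.match(line)
    return (int(m.group(1)), m.group(2)) if m else None


def classify_pipe(path: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (pipe name, remote host or None), or None if not a named pipe."""
    m = _LOCAL_PIPE.match(path)
    if m:
        return m.group(1), None
    m = _REMOTE_PIPE.match(path)
    if m:
        return m.group(2), m.group(1)
    return None


def default_pipe_label(name: str) -> Optional[str]:
    """Label the pipe if it matches a known Cobalt Strike default pattern."""
    for pattern, label in DEFAULT_PIPE_PATTERNS:
        if pattern.match(name):
            return label
    return None


def triage_named_pipes(lines: Iterable[str], pids: Optional[Set[int]] = None) -> List[dict]:
    """Keep named pipe handles, optionally only for the given PIDs, and annotate
    each with the default-pattern label and any remote host it references."""
    findings = []
    for line in lines:
        parsed = parse_handle_line(line)
        if parsed is None:
            continue
        pid, path = parsed
        if pids is not None and pid not in pids:
            continue
        pipe = classify_pipe(path)
        if pipe is None:
            continue
        name, host = pipe
        findings.append({
            "pid": pid,
            "pipe": name,
            "remote_host": host,
            "default_pattern": default_pipe_label(name),
        })
    return findings


def pivot_hosts(findings: List[dict]) -> List[str]:
    """Other machines referenced by pipe paths: candidates for the next triage."""
    return sorted({f["remote_host"] for f in findings if f["remote_host"]})


if __name__ == "__main__":
    results = triage_named_pipes(SAMPLE_HANDLES, pids={3188})
    for r in results:
        print(r)
    print("pivot hosts:", pivot_hosts(results))
```

Restricting the triage to the suspicious PID keeps the output to the three pipe handles of the sacrificial process; two of them match default patterns and one references FILESRV01, which is the kind of hint to other affected machines the post mentions.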
