Direct Syscalls in Beacon Object Files
Cornelis de Plaa | December 26, 2020

In this post we will explore the use of direct system calls within Cobalt Strike Beacon Object Files (BOF).

The Cobalt Strike threat emulation framework lets legitimate penetration testers emulate threat actors. However, the methods used to access the environment often differ. Threat actors typically use malware to gain initial access to the network and subsequently deploy Cobalt Strike. Penetration testers are often granted access to internal networks and systems so they can test the security and response of the enterprise. As a result, the penetration testers can bypass endpoint countermeasures and security controls that typically detect the phishing or malware activity that threat actors use for initial access. Legitimate testing typically assumes that the organization has already been breached.

In one engagement, Secureworks® Counter Threat Unit™ (CTU) researchers observed penetration testers leveraging local administrator access and the Microsoft Build Engine process to compile and execute a Cobalt Strike Beacon payload directly on the host. This process runs every time a user logs onto the system, injecting the Cobalt Strike Beacon payload into the userinit.exe user initialization process. The penetration testers then used Cobalt Strike Beacon to execute the PowerSploit exploitation scripting tool's "Install-ServiceBinary" function to obtain SYSTEM-level privileges. The observed PowerShell commands used the "-nop -exec bypass -EncodedCommand" parameters followed by a Base64-encoded command, which revealed that they were launched from Cobalt Strike Beacon.

The penetration testers deployed Cobalt Strike Beacon to other hosts in the environment. They then used the Rundll32 execution utility to inject shellcode into the svchost.exe service host process on those systems. This technique enabled them to perform remote code execution on the systems via the Windows Management Instrumentation (WMI) service. They used WMI to create persistence via a Microsoft Build Engine service that compiles and executes Cobalt Strike Beacon on these hosts. This action immediately provided the penetration testers with widespread access to the network.

These techniques are not common in enterprise environments. For example, it is not typical developer behavior to compile binaries as a service that are executed every time a user logs in. Nor is it common for developers to compile and execute binaries over the network using WMI. These anomalous behaviors enable CTU™ researchers to develop countermeasures that can reliably detect the abuse of legitimate Windows utilities for nefarious purposes. Table 1 maps the observed penetration testing techniques to the MITRE ATT&CK® framework.

Table 1. MITRE ATT&CK techniques used by penetration testers.
Trusted Developer Utilities Proxy Execution: MSBuild
Create or Modify System Process: Windows Service
Command and Scripting Interpreter: PowerShell
Native API
Process Injection: Proc Memory
Remote Services: SMB/Windows Admin Shares

This engagement illustrates how Cobalt Strike can be deployed without dropper malware and reveals that insecure development practices could add to an attack surface. It is possible to detect deployment attempts regardless of a threat actor's level of access. Accounting for every possible scenario of Cobalt Strike deployment enables network defenders to respond to these incidents. Secureworks Taegis™ XDR countermeasures incorporate this type of intelligence, allowing organizations to rapidly detect and contain intrusions before threat actors can achieve their goals.
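The anomalous behaviors the engagement describes (MSBuild started as a service or over WMI, PowerShell launched with the "-nop -exec bypass -EncodedCommand" switches, and rundll32 reaching into svchost.exe) written out as a small detection pass over process telemetry. This is an added example, not Secureworks or CTU code; the record schema (Image, ParentImage, CommandLine, TargetImage) and every sample record are constructed for it and do not follow a real EDR or Sysmon export.

```python
"""Toy detection pass for the behaviours described above. The record schema
(Image, ParentImage, CommandLine, TargetImage) and all sample records are
constructed for this example, not a real EDR or Sysmon export."""

SVC_OR_WMI_PARENTS = (r"\services.exe", r"\wmiprvse.exe")


def detect(record: dict) -> list:
    """Return the names of every indicator a single record matches."""
    image = record.get("Image", "").lower()
    parent = record.get("ParentImage", "").lower()
    cmdline = record.get("CommandLine", "").lower()
    target = record.get("TargetImage", "").lower()
    hits = []
    # 1. MSBuild started by the service control manager or the WMI provider host:
    #    developers do not compile binaries as a service or over WMI.
    if image.endswith(r"\msbuild.exe") and parent.endswith(SVC_OR_WMI_PARENTS):
        hits.append("msbuild_as_service_or_via_wmi")
    # 2. PowerShell carrying the launcher switches observed in the engagement:
    #    profile suppressed, execution policy bypassed, Base64 command body.
    if image.endswith(r"\powershell.exe") and all(
        flag in cmdline for flag in ("-nop", "-exec bypass", "-encodedcommand")
    ):
        hits.append("powershell_encoded_bypass_launcher")
    # 3. rundll32 opening a handle into svchost.exe (cross-process injection).
    if image.endswith(r"\rundll32.exe") and target.endswith(r"\svchost.exe"):
        hits.append("rundll32_accessing_svchost")
    return hits


def scan(records: list) -> list:
    """Run detect() over a batch; returns (record index, indicator) pairs."""
    return [(i, hit) for i, rec in enumerate(records) for hit in detect(rec)]


SAMPLE_RECORDS = [  # constructed sample telemetry, not from the engagement
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\svc.xml", "TargetImage": ""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell -nop -exec bypass -EncodedCommand QUFBQUFBQUE=",
     "TargetImage": ""},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "rundll32.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "CommandLine": "MSBuild.exe app.csproj /t:Build", "TargetImage": ""},  # benign
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\remote.xml", "TargetImage": ""},
]

if __name__ == "__main__":
    for index, indicator in scan(SAMPLE_RECORDS):
        print(f"record {index}: {indicator}")
```

The developer-driven build in the fourth record produces no hit, which is the distinction the text draws between normal compilation and compilation as a service or over WMI.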