By: Durgesh Sangvikar, Matthew Tennis, Chris Navarrete, Yanhui Jia, Nina Smith, Yu Fu
The Unit 42 team has developed a Cobalt Strike threat intelligence gathering system that scans the internet to locate Team Servers hosting the Beacon binary. Previously, a Team Server was difficult to discover until a Beacon binary made an active connection to it. Our method finds Team Servers directly, downloads the Beacon binary, extracts its configuration and generates a fully functional Malleable C2 profile from it.
Our system has tracked and documented a large number of Team Servers and Malleable profiles. The following sections present statistics about them: the most common URIs, where the encrypted data is placed in HTTP headers, and the geolocation of the Team Servers.
Palo Alto Networks customers receive protections from and mitigations for Cobalt Strike Beacon and Team Server C2 communication in the following ways:
- Next-Generation Firewalls with a Threat Prevention subscription can identify and block Cobalt Strike HTTP C2 requests as well as responses that are masked with the base64 encoding settings of the default profile (signatures 86445 and 86446).
- Next-Generation Firewalls with an Advanced Threat Prevention subscription can identify and block Cobalt Strike HTTP C2 requests generated by custom profiles.
- WildFire and Cortex XDR can identify and block Cobalt Strike Beacon binaries.
- Cortex XSOAR response pack and playbook can automate the mitigation process.
- Cortex XDR will report related exploitation attempts.
- Malicious URLs and IPs have been added to Advanced URL Filtering.
- If you think you may have been compromised or have an urgent matter, the Unit 42 Incident Response team can provide personalized assistance.
Cobalt Strike Profile Statistics
We have observed that most of the profiles are modified versions of the default profile that ships with the Cobalt Strike package. Typical modifications include adding extra request headers, reducing the number of URIs and adding a cookie parameter. Figure 1 shows an example: the left side is the default profile and the right side is a modified version of it, in which the author reduced the number of GET URIs and added HTTP request headers.
Figure 1. Default profiles (left side) and a modified default profile (right side)
Figure 2 compares modified default profiles with custom profiles. Every third profile we discovered is a custom profile. Custom profiles use different URIs and place the encrypted data elsewhere, for example in the Referer header or appended to the URI.
Figure 2: Statistics of the modified default profile and custom profiles.
Cobalt Strike Team Server Statistics
In an earlier post in this series (Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild), we explained how to identify a Team Server in the wild. Using those identification tactics, we located Team Servers on the internet and mapped them to the countries hosting them.
Figure 3 shows the percentage of Team Servers found in each country. The largest numbers were hosted in two countries: China and the United States.
Figure 3: Geo Location of the Team servers
Domain vs IP address
We examined the profiles for the use of domains in the Host header as a way to evade network detection. Profiles that use a domain in the Host header are more likely to be analyzed by network security devices. We also found that the Host header value almost always differs between the GET and POST transactions. In the majority of profiles the Host header carries a dotted-quad IP address, and the GET and POST addresses differ. When the GET and POST Host values are the same, the value is a domain, most often a well-known one such as www.amazon.com or www.bing.com.
Figure 4: Host header
Cobalt Strike Team Server Infrastructure Statistics
To understand the infrastructure hosting the Team Servers, we collected WHOIS information for their IP addresses. Many of the Team Servers were hosted on popular cloud providers such as Tencent, Alibaba and Amazon; every fourth Team Server was hosted on Tencent Cloud.
Figure 5 shows the hosting providers on which the Team Servers were found.
Figure 5: Infrastructure Hosting
Cobalt Strike Request URI Statistics
We parsed the profiles to extract threat intelligence from them.
Figure 6 shows the most common URIs used in the profiles, for both GET and POST transactions. Because most profiles are derived from the default profile, the most common URIs are also those of the default profile.
Figure 6: List of the Commonly used URI in Cobalt strike profiles.
Cobalt Strike Encrypted data in HTTP header
We analyzed where attackers place the encrypted metadata in the HTTP request. A profile can append it to the URI, place it as a URI parameter value, put it in the Cookie header either as the whole value or as one cookie parameter, or carry it in a custom header.
After analyzing the profiles, we found that the majority carry the encrypted metadata in the Cookie header: some as the plain Cookie value, others as the value of a cookie parameter. Figure 7 shows the placement of the encrypted metadata in the HTTP request.
Figure 7: Encrypted Metadata placement
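To make the profile measurements above concrete (the URI and header modifications to the default profile, the GET versus POST Host header comparison, the URI extraction and the metadata placement), the following added example, written for this page and not part of Unit 42's collection system or of any Cobalt Strike code, parses a constructed Malleable C2 profile in the style of the default profile and pulls out those fields: the GET and POST URIs, the client headers, whether the Host header is a dotted-quad address and whether it differs between GET and POST, and the transform chain and termination (Cookie header, parameter, URI append or body) of the metadata, id and output blocks. It then applies the transform chain to a stand-in blob to show where the encoded value lands in the request. The profile text, the hostnames and the sample payload are constructed, and the parser covers only the subset of the profile language used here (base64, netbios, netbiosu, prepend, append and the four termination statements), not the full grammar.

```python
import base64
import re

# Constructed sample profile (not one observed in the wild), modelled on the default
# profile with the modifications described above; metadata in a Cookie, id in a parameter.
SAMPLE_PROFILE = r'''
http-get {
    set uri "/ca /dpixel";
    client {
        header "Host" "203.0.113.10";   # dotted-quad Host, as in most profiles
        metadata { base64; prepend "SESSIONID="; header "Cookie"; }
    }
}
http-post {
    set uri "/submit.php";
    client {
        header "Host" "198.51.100.7";   # differs from the GET Host
        id { netbios; parameter "id"; }
    }
}
'''

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def tokenize(text):
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # drop '#' comments
    return [t[1:-1] if t.startswith('"') else t for t in TOKEN.findall(text)]

def parse(tokens):
    """Recursive descent into ('stmt', words) and ('block', words, children) items."""
    def block(pos):
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos])
                pos += 1
            if tokens[pos] == ";":
                items.append(("stmt", words))
                pos += 1
            else:
                children, pos = block(pos + 1)
                items.append(("block", words, children))
        return items, pos + 1  # skip the closing brace
    return block(0)[0]

def find_block(items, name):
    return next((i[2] for i in items if i[0] == "block" and i[1][0] == name), None)

def statements(items):
    return [i[1] for i in items if i[0] == "stmt"]

def describe_data(items):
    """Ordered transforms plus the termination statement of a metadata/id/output block."""
    steps = [tuple(w) for w in statements(items)
             if w[0] in ("base64", "netbios", "netbiosu", "mask", "prepend", "append")]
    placement = next((tuple(w) for w in statements(items)
                      if w[0] in ("header", "parameter", "uri-append", "print")), None)
    return {"transforms": steps, "placement": placement}

def netbios_encode(data, upper=False):
    base = ord("A") if upper else ord("a")  # one letter per nibble, 'a'..'p' or 'A'..'P'
    return "".join(chr(base + (b >> 4)) + chr(base + (b & 0xF)) for b in data)

def apply_transforms(value, steps):
    """Run the transform steps in profile order over the raw (encrypted) blob."""
    for step in steps:
        if step[0] == "base64":
            value = base64.b64encode(value).decode()
        elif step[0] in ("netbios", "netbiosu"):
            value = netbios_encode(value, upper=(step[0] == "netbiosu"))
        elif step[0] in ("prepend", "append"):
            extra = step[1] if isinstance(value, str) else step[1].encode()
            value = extra + value if step[0] == "prepend" else value + extra
        else:  # 'mask' needs Beacon's random XOR key and is not modelled here
            raise ValueError("unsupported transform: " + step[0])
    return value

def place(section, data):
    """(where, name, value): the request location a transformed blob ends up in."""
    value = apply_transforms(data, section["transforms"])
    kind = section["placement"][0]
    if kind in ("header", "parameter"):
        return (kind, section["placement"][1], value)
    return (kind if kind == "uri-append" else "body", None, value)

def summarize(profile_text):
    """URIs, client headers, Host type and data placement for the GET and POST sides."""
    tree = parse(tokenize(profile_text))
    summary = {}
    for verb in ("http-get", "http-post"):
        blk = find_block(tree, verb)
        client = find_block(blk, "client")
        uris = next((w[2].split() for w in statements(blk) if w[:2] == ["set", "uri"]), [])
        headers = {w[1]: w[2] for w in statements(client) if w[0] == "header"}
        host = headers.get("Host")
        entry = {"uris": uris, "headers": headers, "host": host,
                 "host_is_ip": bool(host and IPV4.match(host))}
        entry.update({n: describe_data(find_block(client, n)) for n in ("metadata", "id", "output")
                      if find_block(client, n) is not None})
        summary[verb] = entry
    summary["host_differs"] = summary["http-get"]["host"] != summary["http-post"]["host"]
    return summary
```

Calling summarize(SAMPLE_PROFILE) returns, for the GET side, uris ['/ca', '/dpixel'], host_is_ip True and a metadata section terminated in the Cookie header, with host_differs True for the profile as a whole; place(summary['http-get']['metadata'], b'hello') yields ('header', 'Cookie', 'SESSIONID=aGVsbG8='), which is the value a network device actually sees in the Cookie header. Running summarize over a corpus of extracted profiles and tallying uris, host_is_ip, host_differs and the placement tuples is how the URI, Host and metadata-placement figures in this section would be produced.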
In recent years, there has been a rise in the use of Cobalt Strike by advanced persistent threat (APT) groups, especially those with ties to nation-states. These groups have used Cobalt Strike in various cyber espionage campaigns, such as the ones targeting the US government and its allies.
Overall, the use of Cobalt Strike is expected to continue in malicious contexts, and organizations should take necessary precautions to protect their networks from potential threats associated with this tool.
Palo Alto Networks customers receive protection from the activity described above in the following ways:
- Next-Generation Firewalls with Threat Prevention signatures 86445 and 86446 can identify HTTP C2 requests with the base64 metadata encoding in default profiles.
- Next-Generation Firewalls with Advanced Threat Prevention subscription can identify and block the Cobalt Strike HTTP C2 request in non default profiles.
- WildFire, an NGFW security subscription, and Cortex XDR identify and block Cobalt Strike Beacon.
Palo Alto Networks will continue to collect Cobalt Strike threat intelligence and will publish a threat trend report in the future.
Cobalt Strike Training
Cobalt Strike Malleable C2 Profile
Cobalt Strike Decryption with Known Private Key
Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detec...
Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding
Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption
Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild
Cobalt Strike Attack Detection & Defense Technology Overview