This blog written by: Matthew Tennis, Chris Navarrete, Durgesh Sangvikar, Yanhui Jia, Yu Fu, and Siddhart Shibiraj
Cobalt Strike is a commercial threat emulation platform designed to provide long-term, covert command-and-control (C2) communication between Beacon agents and the attacker-controlled Team Server. A domain-specific language called Malleable C2 is exposed to Cobalt Strike operators which allows them to create highly flexible and evasive network profiles.
The platform is popular among security engineers to test the defenses of the networks that they protect. However, Cobalt Strike is frequently abused for malicious ends. Threat actors leverage Cobalt Strike software and custom Malleable C2 profiles to maintain unauthorized access and sustain hostile cyber engagements.
Malleable C2 profiles allow the operator to encrypt, encode, and otherwise obfuscate network traffic in many different ways to mimic benign flows and even other malware communications. These profiles range from default or basic settings that are well known, to nearly limitless hand-crafted custom profiles. For known Cobalt Strike profiles, network security defenses such as signature-based detections trigger on anomalous data, mainly found in the HTTP URIs and headers of Cobalt Strike C2.
However, new Malleable C2 profiles can easily evade conventional detections with simple configuration changes in a text file, rendering defenses ineffective. Threat actors continue to abuse Cobalt Strike in their malware campaigns. Advanced persistent threat (APT) groups such as Jumper Taurus (also known as Leviathan or APT40) deploy Cobalt Strike to strengthen their foothold and persistence in their victims’ environments. Famous Trojans such as Qbot and Bokbot are known to rely on Cobalt Strike for resilient and stealthy C2 in their attack campaigns.
Palo Alto Networks customers receive protections from and mitigations for Cobalt Strike Beacon and Team Server C2 communication in the following ways:
Network security detections of threats, such as enumeration/reconnaissance, vulnerability exploitation, and command and control communication is one of the most vital components to comprehensive cyber and information security defenses. Virtually every modern organization with IT infrastructure is at risk of falling victim to a wide array of malicious cyber activity.
Active defenses are the only way to feasibly mitigate the seemingly unending stream of high-profile cyber attacks. Specifically, network security appliances and the detections they deploy secure an organization’s digital perimeter, as well as providing security to any manner of internal configurations.
The concept of deploying layer 3 and 4 firewalls is one such early mitigation technique. These appliances provide simple switching and routing functionality, as well as access-control lists or rules. Early firewalls are one of the first conventional detection technologies that date back decades to the first computer networks.
However, these devices lack the visibility and awareness that modern IT environments require. The advent of the stateful and application firewalls expanded defenses to session-level and layer 7 awareness, thereby providing more advanced security than early firewall devices. During this period, the first intrusion detection and intrusion prevention systems (IDS and IPS, respectively) were born, ushering in the next evolution of defenses.
The Next-Generation Firewall evolved from early IPS and stateful application firewalls to provide network defenses that are able to decrypt and inspect communications, provide user context in Active Directory environments, detect evasive attacks including DNS tunneling, malicious domains, phishing attacks, exploit kits, malware command-and-control (C2), and many others.
However, malicious threat actors continue to improve in turn, necessitating that new countermeasures be continually developed to prevent the next generation of cyber attacks.
In the following sections, we will detail traditional signature-based detections, our newest inline deep-learning models, as well as dynamic heuristic techniques that provide the most formidable network security detections to date.
Signature-based Detection Solution
The first line of defense is signature-based detections, also known as heuristic or static detections. In the realm of network security, a signature is a pattern of one or more digital artifacts which can be uniquely identified. Signatures typically define a rule or policy which is executed when a signature match is found, such as raising an alert or terminating a network session. For example, a file that defines an action in response to detecting a specific sequence of bytes within a network protocol flow is a network signature.
Signature-based detections are a fundamental component of host and network security defenses. They are the primary mechanisms used by intrusion detection systems (IDS) and intrusion prevention systems (IPS) to detect and prevent malicious behavior. Security researchers and engineers identify indicators of malicious behavior and encode them in a signature, which becomes a defense against that kind of attack.
The advantages of signature-based detections are numerous. As a literal static definition, a byte-for-byte match in a network flow against an IDS/IPS signature is computationally inexpensive compared to other detection schemes. Signature updates can be implemented and rolled out to customers quickly. When the signature corpus is actively curated and improved, intrusion detection and prevention systems provide a formidable line of defense against known attacks.
However, static detections suffer from an inherent weakness. Some simple byte match signatures can be evaded by single bit differences. Specifically crafted traffic can cause protocol decoding and application identification checks to miss the necessary context for a signature match. Malicious actors and malware authors understand this well, and frequently obfuscate, encode, and encrypt their code and communications to evade and defeat static detections.
|
Pros |
Cons |
|
Computationally inexpensive for exact match |
Computationally expensive for regex match |
|
Made available via over the air updates |
Depends on subscription/user update schedule |
|
Easy to develop known patterns |
Can be evaded by single-bit difference |
|
Pairs well with AppID |
Protocol/app confusion can cause signature failure |
|
Simple to diagnose efficacy and performance |
Requires domain expertise to continually innovate |
|
Limited to the output of detection engineers |
Table 1. Pros and cons of signature-based detections
A prominent feature of Cobalt Strike is its Malleable C2 framework, which enables Cobalt Strike operators to craft a custom, covert network channel designed specifically to evade static detections, such as IDS/IPS signatures. Much like the name implies, the Malleable C2 profile system provides a domain-specific language for attackers to define flexible network communication schemes called profiles which facilitate undetected command-and-control (C2).
Profiles are designed to mimic benign and popular traffic in order to evade detection and make countermeasures costly or risky to deploy. This enables the threat actor to persist within a victim network environment and remain undetected for long periods of time. More information about our protections against Cobalt Strike Malleable C2 profiles can be found in our post "Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detec...."
Signature-based detection engineers mitigate evasive profiles with fuzzy matching, regular expressions, wildcard rules, and more advanced techniques. However, each carries a performance overhead or additional complexity. Enterprise intrusion prevention systems are strictly limited by performance requirements, namely network availability and throughput. For coverage of complex threat traffic, computationally expensive operations such as regular expression matching, decoding and decryption routines, and periods of looping or iteration are inherently constrained by the business logic requirements of the network appliance itself. As a result, a perpetual cyber arms race between threat actors and defenders rages eternally as each party tries to outsmart the other with constant improvements in evasion and defenses, respectively.
Cobalt Strike and its Team Server communications are a product of this arms race. Cobalt Strike C2 is so popular and pervasive among threat actors because it is simple to extend or create a custom Malleable C2 profile that will bypass the static defenses of many security vendors.
Threat researchers at Palo Alto Networks have a long history and a deep catalog of defenses against Cobalt Strike attacks. The newest known Malleable C2 profiles are continually captured and parsed by Palo Alto Networks automation, and low-cost and efficient IPS signatures are rapidly pushed over the air to customer environments.
These static defenses are robust and reliable for known attacks. However, for unknown and novel Cobalt Strike attacks, signature-based detections alone are ill-suited to provide complete protection against advanced cyber attacks.
In the following sections, we will detail machine learning and heuristic detection techniques that provide additional protection on top of signature-based detections.
Machine Learning-based Detection Solution
The release of PAN-OS Nebula introduced a powerful new feature of the Palo Alto Networks network security stack, namely combining the speed and power of cloud computing with best-in-class network security detection. The Advanced Threat Prevention product provides new inline machine learning defenses that add upon traditional defensive countermeasures.
Threat researchers at Palo Alto Networks have combined years of experience as both users of and defenders against Cobalt Strike to create large datasets comprised of Beacon and Team Server instances captured from live attacks, real-world and fuzzed Malleable C2 profiles, and malicious network sessions from a variety of security teams and threat actors. This data was used to train machine learning models designed to predictively detect Cobalt Strike network sessions that would evade signature-based detections.
The machine learning detection engine targets the configurations and limitations of the network sessions typically created by Team Server and Beacon. By including real-world evasive profiles in the training data, the detection engine is able to reliably filter and classify malicious traffic patterns from the large volume of benign data in which it was hiding.
This data-driven approach uses and builds upon signature-based IPS to provide a robust secondary line of defense in the cloud to detect variations and permutations of known Cobalt Strike attacks that would otherwise be undetected by most traditional defenses.
These machine-learning-based detections are validated with a robust series of tests, most notable of which are live probes to suspected attacker infrastructure that reliably confirm the existence of a listening Team Server.
Deep and machine learning detections are powerful inline solutions that are constantly learning from new threats as they are discovered. However, machine learning detections may not have been exposed to completely new and different Cobalt Strike traffic. For these scenarios, we provide another line of defense - behavioral heuristics. When conventional and advanced detections are unaware of a novel threat, we are able to blend a combination of behavioral heuristics in a way that reliably determines if a remote server is running Cobalt Strike Team Server.
Behavioral heuristics are a class of detections based on certain parameters found in network traffic. In the context of detecting Cobalt Strike attacks, our heuristic detections concentrate on the run-time behavior of the communication between Beacon implants and Team Server listeners, which are defined at build-time by their configured Malleable C2 profile.
Certain configuration options are designed to aid in evasion, such as sleeptime and jitter, which determine the frequency of Beacon’s check-ins with Team Server. When these behavioral characteristics are paired with Malleable C2’s wide variety of obfuscation techniques, they create many possible combinations that cause signature-based detections to fail and reach the limit of what machine learning can properly classify as malicious. In certain cases, timing effects can prevent machine learning solutions from receiving data over the required time interval, which in turn can cause identification to fail.
In these cases, we augment our static and deep learning detections with behavioral heuristics. This solution is subdivided further into three sub-detectors:
Much like the machine learning detection solution, decoder pre-filters determine what traffic requires advanced handling and forwarding to cloud detectors. Decoder pre-filters operate on a different set of rules and patterns that are not strong enough to constitute a reset decision on their own, but instead raise enough suspicion to invoke additional detection engines.
The single-session heuristic detection focuses on the inspection of decrypted elements of Cobalt Strike HTTP request and response headers and payload body. Certain behavioral patterns in HTTP POST requests, such as Content-Length and specific byte patterns at exact offsets are very strong indicators of Cobalt Strike traffic, even when decrypting the actual tunneled data is impractical. This methodology covers default profile Beacon HTTP GET and POST requests on the default Malleable C2 profiles and Beacon stager download requests.
The single-session heuristic engine pre-filters on a combination of known HTTP URIs, User-Agent, and Cookie length.
The machine learning single session detector runs concurrently with its heuristic partner and covers cases that evade heuristic identification. This detector identifies encoding algorithms used in Cobalt Strike in the URI, Cookie, Authorization, and Referer (sic) fields.
The pre-filter and some of the detection logic specifically looks for the following encoding types:
For more information about Cobalt Strike’s metadata encoding and decoding, please refer to our earlier publication Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding.
Our newest heuristic detector provides functionality that usually presents issues for most stateful and next generation firewalls - cross session detection. This engine stitches packets from multiple pre-filtered sessions together to identify longer-term Cobalt Strike C2 communications. The detection focuses on elements of network traffic that span across multiple sessions.
The engine constructs network six-tuple identifiers comprised of the following information:
After the engine has pre-filtered and identified cross-session communication, certain features are extracted for identification in the ML model. Network metadata information such as timing jitter, session count, and layer 7 artifacts similar to those used in other detectors are used to compute network signatures which are in turn used for detection.
If the number of positive indicators reach a certain threshold, several cross-reference checks are performed on previously flagged sessions to determine a final verdict across all relevant sessions.
Cobalt Strike ships with a default Malleable C2 profile which is stored in the resource section of the source JAR file. If the Team Server instance runs without another specific profile, it will run with that default profile. Figure 1 below shows the default Malleable C2 profile.
Figure 1: Malleable C2 default profile
Team Server randomly chooses one of the URIs in the http-get transaction field before generating the Beacon payload. Figure 2 below shows the network traffic generated by the Beacon implant on the victim machine that communicates with Team Server.
Figure 2: Network traffic generated by the default profile.
Network security applications use the information from the default profile to create static signature detections that alert defenders of Cobalt Strike traffic. Palo Alto Networks Threat Prevention (TP) deploys multiple signatures such as TID 86445 to detect this traffic by combining URIs and various HTTP structures. In this instance, Beacon encrypts and encodes the target data in the Cookie field for the attacker to decrypt and decode.
Researchers at Palo Alto Networks continue to crawl the Internet and acquire real-world profiles to create an extensive repository of known Cobalt Strike configurations. That data continues to be expanded and utilized to create hundreds of Threat Prevention signatures to provide defenses against many variations of Cobalt Strike C2.
Static detections like those listed in Case Study 1 have several indispensable advantages but also come with significant drawbacks. Threat Prevention signatures are very performant, are inexpensive to develop, and can easily be validated. However, they are limited by rigid performance requirements that hobble the ability of wildcard and regular expression patterns to cover variations of the target detection, dependence on user content update schedules, and the relative ease of evading static patterns.
By design, Cobalt Strike is exceptionally malleable and resilient against static detections. An advanced attacker will have no problem creating completely novel Malleable C2 profiles designed specifically to thwart static defenses. If a Beacon implant with a custom profile evades sandbox analysis and endpoint detections, the resulting C2 can likely evade signature detections as well.
However, solutions such as WildFire, Cortex XDR, and other Palo Alto Networks products provide other methods of detection that are not considered when creating a pure network security solution. Customers are advised to pursue defense-in-depth strategies that include sandbox analysis and endpoint security to complement network security appliances.
Figure 3 below compares the default profile with one with a slight modification. Even simple URI changes can cause certain signatures to deliver a false negative (FN) verdict. In this case, Threat Prevention offers multiple layers of defense, but attackers are always improving their evasion.
Figure 3: Default profile (left) and a modified profile (right)
Figure 4 displays a simple example of network capture from traffic generated by the modified profile.
Figure 4: Network traffic generated with modified profile
The machine learning detection engine was created in response to these limitations. These models are not constrained to static values in the HTTP header such as URIs. The in-line learning models are trained on thousands of data points of malicious and benign samples.
Figure 5 displays an Advanced Threat Prevention-enabled virtual PA-3250 with this deep learning capability. The detection Inline Cloud Analyzed HTTP Command and Control Traffic Detection in the Threat display is an example of an ML-based detection on the same modified profile depicted in Figures 3 and 4.
Figure 5: ML-based detection on an ATP-enabled virtual PA-3250
These detections are validated against our repository of Cobalt Strike artifacts, as well as derived artifacts from fuzzers and randomizers to simulate attacker modifications. Our machine learning engines reliably detect against our entire profile repository, as well as generated variations.
Figure 6 below is a network capture of a request and response to a Cobalt Strike stager where the Beacon payload is transmitted (fd03a9145d89c102799e5719608a28da681c1289352eb1d40b557cc667ba2ad0). This capture is related to a real attack by the malware Hancitor. The implant was successfully detected by the single-session detection engine.
Figure 6: Cobalt Strike Beacon download detected by CS-HD-SS engine.
Figure 7 displays a network capture related to an in-the-wild Beacon sample that transmits to an attacker-controlled Team Server instance with the default Malleable C2 profile. The traffic was successfully detected by the cross-session detection engine.
Figure 7: Beacon traffic to Team Server detected by CS-HD-XS engine.
The following test results are based on the Advanced Threat Prevention Cobalt Strike datasets collected from crawled traffic, captured implants, IPS signatures and telemetry, generated profiles, and more, Threat Prevention combined with all of the AdvTP detection services listed below can reach ~100% coverage rate for Cobalt Strike C2.
Achieves 90%+ coverage rate for known profiles and variations for stager and stagerless Beacon C2s. This coverage rate is constantly improved by model retraining on new profiles found in the wild by our automated crawlers and threat intelligence sources.
Achieves 99%+ coverage rate for Beacon stager downloads across our dataset. In cases where the stager is used, the CS-HD-SS can provide 100% detection on an earlier stage than CS-ML-SS.
Achieves 90%+ coverage rate for all kinds of profiles for stager and stagerless Beacons.
These detections are particularly useful because they can provide protections even for new profiles used by attackers, while being resistant to small modifications that might evade traditional IPS signatures.
Cobalt Strike remains the premier post-exploitation adversary emulator that continues to evade conventional next-generation solutions, including signature-based detection. However, Advanced Threat Prevention’s inline deep-learning models and heuristic techniques can prevent Cobalt Strike Beacon and Team Server C2 sessions before exfiltrating a single byte.
The combination of pattern-based signatures, machine learning models, and behavioral heuristics technologies is an effective and reliable mechanism for identifying sanctioned as well as malicious Cobalt Strike with a very high degree of accuracy.
A single modern network security appliance is not sufficient to provide comprehensive coverage against complex, evasive attacks and tools such as Cobalt Strike. Only a combination of security solutions including next-generation firewalls, sandboxes, endpoint agents, and cloud-based machine learning can prevent advanced adversaries from mounting successful cyber attacks.
Palo Alto Networks customers receive protection from this kind of attack by the following:
Cobalt Strike Malleable C2 Profile
Cobalt Strike Decryption with Known Private Key
Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding
Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption
Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild
