Mining The Shadows with ZoidbergStrike: A Scanner for Cobalt Strike - SANS Threat Hunting Summit
Cobalt Strike Notes and Resources
- Pipes: https://gist.github.com/MHaggis/a725aed9800bca40904822b8c89ed269
- Spawnto: https://gist.github.com/MHaggis/dc1f1c2ebbe884bb27065479321b06b8
- Compile_Time: https://gist.github.com/MHaggis/d81454df71b3ffc58145a8bb3ca9623e
- DNS Idle: https://gist.github.com/MHaggis/e848699e8481fae48eae4524cf0085e1
- Latest profile list: https://gist.github.com/MHaggis/921a4a47de1adab7eec938b4597f0be3
- Prior profile list: https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
Attack Data
- https://github.com/splunk/attack_data/blob/master/datasets/attack_techniques/T1055/cobalt_strike/cobalt_strike.yml
- https://github.com/splunk/attack_data/blob/master/datasets/attack_techniques/T1572/cobalt_strike/cobalt_strike.yml
Resources
- @MichalKoczwara
- Cobalt Strike Indicators | IronNet Threat Research
- Awesome CobaltStrike Defence | Michael Koczwara
- Pointer - Hunting and mapping Cobalt Strike
- Conti Leaks usage
- Keynote: Cobalt Strike Threat Hunting | Chad Tilbury
- https://github.com/shabarkin/pointer
- Cobalt Strike Profiles | Zsec
- Malleable C2 Help | Cobalt Strike
- Guide to Named Pipes and Hunting for Cobalt Strike Pipes | svch0st
- Cobalt Strike Defenders Guide | The DFIR Report
- Learn pipe fitting for all of your offense projects | Cobalt Strike
- Malleable C2 | ThreatExpress
- Detecting Cobalt Strike Default Modules via Named Pipe Analysis | F-Secure
- https://twitter.com/cyb3rops/status/1417434947779022863
- Knock, Knock, Neo. - Active C2 Discovery Using Protocol Emulation | @cci_forensics Takahiro Haruyama
System32 Baselining
```powershell
$system32 = Get-ChildItem -Path C:\windows\System32\ -Include '*.exe' -Recurse -ErrorAction SilentlyContinue |
    % {
        [PSCustomObject] @{
            file_name       = $_.name
            file_path       = $_.FullName
            InternalName    = $_.VersionInfo.InternalName
            fileDescription = $_.VersionInfo.FileDescription
        }
    }
$system32 | Export-Csv -Path ~\Desktop\data.csv
```
To see the objects, I just ran `$system32 | Format-List`. Example output:

```text
...
file_name       : UsoClient.exe
file_path       : C:\windows\System32\UsoClient.exe
InternalName    : UsoClient
fileDescription : UsoClient
Product         :
...
```
UAC Elevate
The following are all auto-elevate binaries in System32 that could potentially be used to host a UAC bypass.
Get-ExecutableManifest is in the NtObjectManager PowerShell module:

```powershell
Install-Module -Name NtObjectManager
```

The following PowerShell code was used to obtain these files:

```powershell
ls C:\Windows\System32\*.exe | Get-ExecutableManifest | ? { $_.AutoElevate -and ($_.ExecutionLevel -eq 'requireAdministrator') }
```
If any of these require GUI interaction, then they are unlikely to be abused in the wild.
Additional references:
- https://gist.github.com/Hackscode/0fc0dc46e2e3d1253535e79ffd0d0f26
- https://gist.github.com/dezhub/c0fee68d1e06657a45ec39365362fca7
Git Search
```python
from github import Github

# Personal access token: GitHub code search is only available to authenticated clients.
ACCESS_TOKEN = 'TOKEN HERE'
g = Github(ACCESS_TOKEN)


def search_github(keyword):
    # Code search has its own (much smaller) rate limit, separate from the core API limit.
    rate_limit = g.get_rate_limit()
    rate = rate_limit.search
    if rate.remaining == 0:
        print(f'You have 0/{rate.limit} API calls remaining. Reset time: {rate.reset}')
        return
    else:
        print(f'You have {rate.remaining}/{rate.limit} API calls remaining')

    # Match the keyword inside file contents, e.g. "spawnto_x86" in Malleable C2 profiles.
    query = f'"{keyword}" in:file'
    result = g.search_code(query, order='desc')
    max_size = 100
    print(f'Found {result.totalCount} file(s)')
    if result.totalCount > max_size:
        result = result[:max_size]
    # One raw download URL per line; redirect stdout to results.txt to feed the download step.
    for file in result:
        print(f'{file.download_url}')


if __name__ == '__main__':
    keyword = input('Enter keyword[spawnto_x86, spawnto_x64, pipename, dns_idle]: ')
    search_github(keyword)
```
I use PowerShell to download the files listed in results.txt:

```powershell
gc results.txt | % { iwr $_ -OutFile $(Split-Path $_ -Leaf) }
```
Simple grep
```powershell
# Quote the path: an unquoted ~\Desktop\... on the right of '=' is parsed as a command, not a string.
$csprofiles = "~\Desktop\profiles\*.profile"
# Emit each distinct 'set uri' line once (Get-Unique does not de-duplicate MatchInfo objects, so expand to the line text first).
Get-ChildItem -Path $csprofiles -Recurse | Select-String -Pattern 'set uri' -CaseSensitive |
    ForEach-Object { $_.Line.Trim() } | Sort-Object -Unique
```
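Grepping for `set uri` finds the lines, but it loses which block they sit in and does not tally values across a whole collection of profiles. The following is an added example (not code from the talk or from ZoidbergStrike) that parses the four keys the search script prompts for plus `uri`, tracks the enclosing block (`http-get`, `post-ex`, ...), counts each value across a set of profiles the way the pipe/spawnto/dns_idle gists above do, and checks every spawnto file name against the System32 baseline from the "System32 Baselining" section. The two profiles and the baseline list are constructed samples; the `set`/block grammar handled by `SET_RE` and `BLOCK_RE` is an assumed subset of Malleable C2 syntax sufficient for these keys.

```python
"""Pull hunting indicators out of Malleable C2 profiles and tally them across a corpus."""
import re
from collections import Counter

# Keys the page mines profiles for, plus 'uri' from the 'Simple grep' section.
INDICATOR_KEYS = ("spawnto_x86", "spawnto_x64", "pipename", "dns_idle", "uri")
# 'set <key> "<value>";' -- values may contain escapes such as \\ (assumed syntax subset)
SET_RE = re.compile(r'^set\s+([A-Za-z0-9_]+)\s+"((?:[^"\\]|\\.)*)"\s*;')
# 'http-get {', 'http-post "variant" {', 'post-ex {', 'client {' ...
BLOCK_RE = re.compile(r'^([A-Za-z0-9_-]+)(?:\s+"[^"]*")?\s*\{')


def strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' sits inside a quoted string."""
    in_str = escaped = False
    for i, ch in enumerate(line):
        if in_str:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "#":
            return line[:i]
    return line


def parse_profile(text):
    """Return (block_path, key, value) for every indicator 'set' in one profile.
    block_path is '' at top level, 'http-get' inside http-get { }, 'post-ex' inside
    post-ex { } (where newer profiles keep spawnto/pipename), 'http-get/client' when nested."""
    found, stack = [], []
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        m = SET_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).replace("\\\\", "\\")
            if key in INDICATOR_KEYS:
                found.append(("/".join(stack), key, value))
        elif BLOCK_RE.match(line):
            stack.append(BLOCK_RE.match(line).group(1))
        elif line.startswith("}") and stack:
            stack.pop()
    return found


def tally(profiles):
    """Count each value per indicator key across many profiles (what the gist lists show)."""
    counts = {k: Counter() for k in INDICATOR_KEYS}
    for text in profiles:
        for _block, key, value in parse_profile(text):
            counts[key][value] += 1
    return counts


def spawnto_basename(value):
    """'%windir%\\sysnative\\rundll32.exe' -> 'rundll32.exe' (case-folded)."""
    return value.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def spawnto_not_in_baseline(profiles, baseline_names):
    """spawnto targets whose file name is absent from the System32 baseline
    (the file_name column of data.csv from the System32 Baselining section)."""
    names = {n.lower() for n in baseline_names}
    return sorted({spawnto_basename(v) for text in profiles
                   for _b, k, v in parse_profile(text)
                   if k.startswith("spawnto") and spawnto_basename(v) not in names})


# Two constructed sample profiles (not real profiles pulled from GitHub).
PROFILE_A = r'''
set dns_idle "8.8.8.8";
http-get {
    set uri "/jquery-3.3.1.min.js";
    client {
        header "Accept" "*/*";
    }
}
post-ex {
    set spawnto_x86 "%windir%\\syswow64\\rundll32.exe";
    set spawnto_x64 "%windir%\\sysnative\\rundll32.exe";
    set pipename "msagent_##";
}
'''
PROFILE_B = r'''
set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";   # older style: spawnto at top level
set spawnto_x64 "%windir%\\sysnative\\totally_legit.exe";
set pipename "msagent_##";
set dns_idle "1.2.3.4";
http-get {
    set uri "/jquery-3.3.1.min.js";
}
'''
SYSTEM32_BASELINE = ["rundll32.exe", "dllhost.exe", "UsoClient.exe"]  # constructed stand-in for data.csv

if __name__ == "__main__":
    for key, counter in tally([PROFILE_A, PROFILE_B]).items():
        print(key, counter.most_common())
    print("spawnto not in baseline:", spawnto_not_in_baseline([PROFILE_A, PROFILE_B], SYSTEM32_BASELINE))
```

Feed it the `.profile` files downloaded by the Git Search step instead of the two constructed strings, and the `tally` output becomes the same kind of frequency list as the pipe, spawnto and dns_idle gists; a spawnto name that is not in your System32 baseline is worth a closer look, as is a value that appears in many public profiles and therefore in many detections.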