Detection of Cobalt Strike
Information
Summary: Detection of attacks using Cobalt Strike beacons

Environment:
Product: Flowmon ADS
Version: Any
Platform: Any

Question/Problem Description:
Is it possible to detect Cobalt Strike usage/attack?

Steps to Reproduce:
Error Message:
Defect Number:
Enhancement Number:
Cause:

Resolution:
There is no specific method to detect Cobalt Strike. It is a highly customizable tool, so every attacker can use it in a different way, with a different configuration, different C2 servers, etc.

It might be possible to detect the suspicious behavior caused by Cobalt Strike usage via various methods: BLACKLIST, DICTATTACK, DNSANOMALY, HIGHTRANSF, UPLOAD, SSHDICT, RDPDICT, and others.

There are also IDS (Suricata) signatures that might detect Cobalt Strike usage. A few examples:
- ET DELETED Possible Cobalt Strike Server Response
- ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike
- ET JA3 HASH - Possible Cobalt Strike Server
- ET MALWARE Cobalt Strike Activity (GET)

Workaround:
Notes:
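The resolution above describes detection as behavioral: flow-based indicators (a destination on a blocklist, unusual upload volume, unusually large transfers) combined with IDS signatures such as a JA3 fingerprint match. The script below is an added illustration of that idea over NetFlow-style records; it is not Flowmon ADS or Suricata code, and what the method names BLACKLIST, UPLOAD and HIGHTRANSF check here (blocklisted destination, outbound-heavy volume, total volume), the thresholds, the blocklist entries, the JA3 value and the flow records are all constructed assumptions for the example.

```python
"""Flow-record triage illustrating the kind of behavioural indicators the
method names on the page refer to (BLACKLIST, UPLOAD, HIGHTRANSF) plus a
JA3-hash match analogous to the 'ET JA3 HASH' Suricata signature.
Added example: not Flowmon or Suricata code. Method semantics, thresholds,
blocklist entries and flow records are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Flow:
    """One aggregated flow record (constructed shape, not Flowmon's)."""
    src: str
    dst: str
    dport: int
    bytes_out: int      # client -> server
    bytes_in: int       # server -> client
    ja3: str = ""       # JA3 fingerprint of the client TLS hello, if seen


# Constructed blocklists: documentation-range address and an all-zero
# placeholder hash. Neither is a real indicator of compromise.
BLACKLIST_IPS: Set[str] = {"203.0.113.10"}
JA3_BLOCKLIST: Set[str] = {"0" * 32}

# Assumed thresholds; a real deployment tunes these per network.
UPLOAD_MIN_BYTES = 50 * 1024 * 1024       # outbound volume to call it an upload
UPLOAD_MIN_RATIO = 10.0                   # outbound must dwarf inbound
HIGHTRANSF_MIN_BYTES = 500 * 1024 * 1024  # total volume per src/dst pair


def triage(flows: List[Flow]) -> Dict[str, List[str]]:
    """Return {source host: [event tags]} for hosts that hit an indicator.

    Per-flow indicators (BLACKLIST, JA3) fire on a single record; the
    volume indicators (UPLOAD, HIGHTRANSF) are evaluated on bytes summed
    per (src, dst) pair, since one session is usually split across flows.
    """
    events: Dict[str, List[str]] = defaultdict(list)
    per_pair: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])

    for f in flows:
        if f.dst in BLACKLIST_IPS:
            events[f.src].append(f"BLACKLIST dst={f.dst}")
        if f.ja3 and f.ja3 in JA3_BLOCKLIST:
            events[f.src].append(f"JA3 dst={f.dst} ja3={f.ja3}")
        agg = per_pair[(f.src, f.dst)]
        agg[0] += f.bytes_out
        agg[1] += f.bytes_in

    for (src, dst), (out_b, in_b) in per_pair.items():
        total = out_b + in_b
        if out_b >= UPLOAD_MIN_BYTES and out_b >= UPLOAD_MIN_RATIO * max(in_b, 1):
            events[src].append(f"UPLOAD dst={dst} out={out_b}")
        if total >= HIGHTRANSF_MIN_BYTES:
            events[src].append(f"HIGHTRANSF dst={dst} total={total}")

    return dict(events)


# Constructed sample records: ordinary browsing, a blocklisted destination
# with a blocklisted JA3, an outbound-heavy session, and a large balanced
# transfer split over two flow records.
MB = 1024 * 1024
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", "198.51.100.20", 443, 2 * 1024, 50 * 1024, "a" * 32),
    Flow("10.0.0.7", "203.0.113.10", 443, 1 * 1024, 1 * 1024, "0" * 32),
    Flow("10.0.0.9", "198.51.100.30", 443, 80 * MB, 1 * MB),
    Flow("10.0.0.11", "198.51.100.40", 445, 150 * MB, 150 * MB),
    Flow("10.0.0.11", "198.51.100.40", 445, 150 * MB, 150 * MB),
]


if __name__ == "__main__":
    for host, tags in triage(SAMPLE_FLOWS).items():
        for tag in tags:
            print(f"{host}: {tag}")
```

Each tag is a starting point for investigation, not a verdict: a blocklist hit says only that the destination was listed, and the volume indicators will also fire on legitimate backups or bulk uploads, which is why the page lists them as methods that "might" detect the behavior rather than as a Cobalt Strike detector.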