
Detection of Cobalt Strike

 

Information

 

Summary:

Detection of attacks using Cobalt Strike beacons

Environment:

Product: Flowmon ADS

Version: Any

Platform: Any 

Question/Problem Description:

Is it possible to detect Cobalt Strike usage/attack?

Resolution: There is no single, specific method to detect Cobalt Strike. It is a highly customizable tool, so every attacker can use it in a different way, with a different configuration, different C2 servers, and so on.
 
It may, however, be possible to detect the suspicious behavior caused by Cobalt Strike usage through various ADS detection methods, for example:
BLACKLIST, DICTATTACK, DNSANOMALY, HIGHTRANSF, UPLOAD, SSHDICT, RDPDICT, and others.
 
There are also IDS (Suricata) signatures, such as the following from the Emerging Threats (ET) ruleset, that may detect Cobalt Strike usage. A few examples:
ET DELETED Possible Cobalt Strike Server Response
ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike
ET JA3 HASH - Possible Cobalt Strike Server
ET MALWARE Cobalt Strike Activity (GET)
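As an added illustration (not part of this article and not Kemp or Flowmon code), the following Python script triages Suricata EVE JSON output for the signatures listed above and ranks the remote servers they fired against. The alert lines are constructed sample data; the signature names are the ones quoted above, and the ranking heuristic (distinct signatures first, then volume) is an assumption of this example.

```python
import json
from collections import defaultdict

# Signature names exactly as listed in the article; used as an exact-match set.
COBALT_STRIKE_SIGNATURES = {
    "ET DELETED Possible Cobalt Strike Server Response",
    "ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike",
    "ET JA3 HASH - Possible Cobalt Strike Server",
    "ET MALWARE Cobalt Strike Activity (GET)",
}

# Constructed Suricata eve.json excerpt (not real traffic): two Cobalt Strike
# signatures against one server, one unrelated alert, a flow record and junk.
SAMPLE_EVE = """
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":443,"alert":{"signature":"ET JA3 HASH - Possible Cobalt Strike Server","severity":2}}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"198.51.100.7"}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":443,"alert":{"signature":"ET MALWARE Cobalt Strike Activity (GET)","severity":1}}
{"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"203.0.113.2","dest_port":22,"alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}
not json at all
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":443,"alert":{"signature":"ET MALWARE Cobalt Strike Activity (GET)","severity":1}}
"""

def parse_eve_alerts(lines):
    """Yield (src_ip, dest_ip, signature) for EVE 'alert' records; skip the rest."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:          # truncated or corrupted log line
            continue
        if rec.get("event_type") != "alert":
            continue
        yield rec.get("src_ip"), rec.get("dest_ip"), rec.get("alert", {}).get("signature", "")

def cobalt_strike_hits(lines):
    """Return {(src_ip, dest_ip): {signature: count}} for the listed signatures only."""
    hits = defaultdict(lambda: defaultdict(int))
    for src, dst, sig in parse_eve_alerts(lines):
        if sig in COBALT_STRIKE_SIGNATURES:
            hits[(src, dst)][sig] += 1
    return {pair: dict(sigs) for pair, sigs in hits.items()}

def rank_servers(hits):
    """Rank remote servers as (dest_ip, distinct_signatures, total_alerts).
    Several independent signatures (JA3, certificate, HTTP) corroborating one
    server is a stronger indicator than many hits from a single noisy rule."""
    per_server = defaultdict(lambda: defaultdict(int))
    for (_src, dst), sigs in hits.items():
        for sig, n in sigs.items():
            per_server[dst][sig] += n
    ranked = [(dst, len(sigs), sum(sigs.values())) for dst, sigs in per_server.items()]
    return sorted(ranked, key=lambda t: (t[1], t[2]), reverse=True)

if __name__ == "__main__":
    for row in rank_servers(cobalt_strike_hits(SAMPLE_EVE.splitlines())):
        print(row)
```

Feed it `eve.json` from a live sensor (`cobalt_strike_hits(open("eve.json"))`) and treat the top-ranked servers as candidates for correlation with the ADS events mentioned above, not as confirmed C2.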
