Detection of Cobalt Strike
Detection of attacks using Cobalt Strike beacons
Product: Flowmon ADS
Is it possible to detect Cobalt Strike usage/attack?
Resolution:
There is no single method or signature that identifies Cobalt Strike. It is a highly customizable tool, so every attacker can use it differently: with a different configuration (for example a custom Malleable C2 profile that changes how beacon traffic looks on the wire), different C2 servers, different protocols and ports, and so on.
It might still be possible to detect the suspicious behavior that Cobalt Strike usage produces (password guessing, DNS anomalies, large transfers and uploads, and similar) with Flowmon ADS detection methods such as:
BLACKLIST, DICTATTACK, DNSANOMALY, HIGHTRANSF, UPLOAD, SSHDICT, RDPDICT, and others.
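Beyond the named ADS methods, the one behavior almost every Cobalt Strike beacon shares in flow data is a periodic check-in to its C2 server: a fixed sleep time with a small configured jitter produces connection inter-arrival times that are far more regular than human-driven traffic. The following is an added example, not Flowmon's ADS logic or anything shipped with Cobalt Strike: it groups constructed NetFlow-like records by (source, destination, destination port) and flags tuples whose inter-arrival times have a low coefficient of variation. The record layout, the thresholds (`min_flows`, `max_cv`) and the sample flows are all assumptions made for the illustration.

```python
"""Flow-based beacon detection on constructed NetFlow-like records.

Added example (not Flowmon ADS code): flag (src, dst, dport) tuples whose
connection inter-arrival times are suspiciously regular, which is how a C2
beacon with a fixed sleep and small jitter looks in flow data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real captures:
# (start_time_seconds, src_ip, dst_ip, dst_port, bytes)
# 10.0.0.5 checks in to 203.0.113.7:443 roughly every 60 s (+/- a few seconds).
# 10.0.0.9 browses 198.51.100.20:443 in irregular bursts.
# 10.0.0.9 also makes three DNS queries, too few to judge.
SAMPLE_FLOWS = (
    [(t, "10.0.0.5", "203.0.113.7", 443, 1200)
     for t in (0, 58, 122, 179, 241, 298, 362, 419, 481, 538)]
    + [(t, "10.0.0.9", "198.51.100.20", 443, 48000)
       for t in (5, 7, 9, 300, 302, 900, 903, 905, 2400, 2401)]
    + [(t, "10.0.0.9", "192.0.2.53", 53, 90) for t in (4, 299, 899)]
)


def inter_arrival_stats(start_times):
    """Return (mean_gap, coefficient_of_variation) for sorted start times.

    The coefficient of variation (stddev / mean) is scale-free, so a 60 s
    beacon and a 10 min beacon are judged by the same threshold.
    """
    starts = sorted(start_times)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    m = mean(gaps)
    if m == 0:
        return 0.0, float("inf")  # all flows at the same instant: not a beacon
    return m, pstdev(gaps) / m


def find_beacons(flows, min_flows=8, max_cv=0.2):
    """Return candidate beacons from an iterable of flow records.

    min_flows: ignore tuples with too few connections to measure periodicity.
    max_cv:    accept only very regular timing; Cobalt Strike's jitter setting
               widens the spread, so tune this against known-good baselines.
    """
    groups = defaultdict(list)
    for start, src, dst, dport, _nbytes in flows:
        groups[(src, dst, dport)].append(start)

    hits = []
    for (src, dst, dport), starts in groups.items():
        if len(starts) < min_flows:
            continue
        interval, cv = inter_arrival_stats(starts)
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(starts),
                "interval": round(interval, 1),
                "cv": round(cv, 3),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every ~{hit['interval']}s over {hit['count']} flows (cv={hit['cv']})")
```

On the sample data only the 10.0.0.5 tuple is reported (interval close to 60 s, cv under 0.1); the browsing host fails the regularity test and the DNS tuple is skipped for having too few flows. The check is a heuristic: an operator who sets a large jitter, or a beacon that only wakes on demand, will push the coefficient of variation above any sensible threshold, and legitimate software updaters and monitoring agents also poll on fixed schedules, so results need an allow-list and the blacklist and protocol-anomaly checks above rather than standing alone.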
There are also IDS (Suricata) signatures that might detect Cobalt Strike usage. A few examples from the Emerging Threats ruleset:
ET DELETED Possible Cobalt Strike Server Response
ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike
ET JA3 HASH - Possible Cobalt Strike Server
ET MALWARE Cobalt Strike Activity (GET)