Cobalt Strike is a legitimate, commercial penetration testing tool used mostly by red teams and for security training. However, cracked copies of it are widely used by threat actors for intrusion and lateral movement inside their victims’ networks.
Google Cloud has released a set of open source YARA rules for detecting Cobalt Strike components, covering versions dating back to 2012. The rule set includes 165 detection signatures that cover more than 300 different Cobalt Strike binaries.
“We are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions. Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe,” Google Cloud said in its post.
Cobalt Strike includes several features such as discovery, payload creation, MS Office macro creation, and website cloning. Many threat actors in the field have been observed using Cobalt Strike.