Catch Threat Actors Using Cobalt Strike

Cobalt Strike is a legitimate, commercial penetration testing tool used mostly by red teams and in security training. However, cracked versions of it are widely used by threat actors for intrusion and lateral movement inside their victims’ networks.

Google Cloud has released a set of open-source YARA rules for detecting Cobalt Strike components dating back to 2012. The rule set includes 165 detection signatures covering more than 300 different Cobalt Strike binaries.

“We are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions. Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe,” Google Cloud said in its post.

Cobalt Strike includes several features such as discovery, payload creation, MS Office macro creation, and website cloning. Many threat actors in the field have been observed using Cobalt Strike.
