Default Cobalt Strike Team Server Certificate
This rule detects the use of the default Cobalt Strike Team Server TLS certificate by matching its fingerprints in network telemetry. Cobalt Strike is software for Adversary Simulations and Red Team Operations, security assessments that replicate the tactics and techniques of an advanced adversary in a network. If using Filebeat, this rule requires the Suricata or Zeek modules. Packetbeat computes only the SHA1 certificate fingerprint by default; the MD5 and SHA256 clauses of the query will only match Packetbeat data if its TLS configuration is modified to also compute those hashes (see the References section for module configuration details).
Rule type: query
Rule indices:
- filebeat-*
- packetbeat-*
Severity: critical
Risk score: 100
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
- https://attack.mitre.org/software/S0154/
- https://www.cobaltstrike.com/help-setup-collaboration
- https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html
- https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html
- https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html
Tags:
- Command and Control
- Post-Execution
- Threat Detection, Prevention and Hunting
- Elastic
- Network
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
Investigation guide
While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators (the fingerprints of the default certificate), so alerts should be investigated rapidly. Note that the rule only covers the default certificate: a Team Server configured with a custom keystore presents a different certificate and will not be matched by this query.
Rule query
event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)
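The following is an added example, not part of the Elastic rule or its documentation, showing the same logic as the query above applied outside of Kibana: it evaluates ECS-shaped events (the nested dict layout Filebeat and Packetbeat produce) against the three fingerprints, and it also computes the same fingerprints from a raw DER certificate so a certificate pulled from a pcap or an `openssl s_client` session can be checked directly. The sample events are constructed for illustration; the case-insensitive hex comparison is an assumption added here so that a source emitting lower-case hex still matches.

```python
import hashlib

# Atomic indicators from the rule query: fingerprints of the default
# Cobalt Strike Team Server certificate, as upper-case hex.
DEFAULT_CS_CERT_HASHES = {
    "md5": "950098276A495286EB2A2556FBAB6D83",
    "sha1": "6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C",
    "sha256": "87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C",
}

# event.category:(network or network_traffic)
NETWORK_CATEGORIES = {"network", "network_traffic"}


def get_field(event, dotted):
    """Resolve an ECS dotted field name such as 'tls.server.hash.sha1'
    against a nested dict. Returns None if any path component is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def as_list(value):
    """ECS allows event.category to be a scalar or an array; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_rule(event):
    """Python equivalent of the KQL: network category AND any of the three
    server-certificate hashes. Assumption: hex is compared case-insensitively."""
    categories = {str(c) for c in as_list(get_field(event, "event.category"))}
    if not categories & NETWORK_CATEGORIES:
        return False
    for algo, indicator in DEFAULT_CS_CERT_HASHES.items():
        observed = get_field(event, f"tls.server.hash.{algo}")
        if observed is not None and str(observed).upper() == indicator:
            return True
    return False


def cert_fingerprints(der_bytes):
    """Fingerprints the way Packetbeat and Zeek compute them: a hash over the
    DER encoding of the leaf certificate, rendered as upper-case hex."""
    return {
        "md5": hashlib.md5(der_bytes).hexdigest().upper(),
        "sha1": hashlib.sha1(der_bytes).hexdigest().upper(),
        "sha256": hashlib.sha256(der_bytes).hexdigest().upper(),
    }


def is_default_cs_cert(der_bytes):
    """True if a DER certificate matches any of the rule's fingerprints."""
    fps = cert_fingerprints(der_bytes)
    return any(fps[algo] == h for algo, h in DEFAULT_CS_CERT_HASHES.items())


def alerts(events):
    """Return the ids of events the rule would alert on."""
    return [e["_id"] for e in events if matches_rule(e)]


# Constructed sample events (not real captures). Only the fields the rule
# reads are included.
SAMPLE_EVENTS = [
    # Filebeat/Zeek-style event: category as a list, lower-case SHA1 hex.
    {"_id": "zeek-1", "event": {"category": ["network"]},
     "tls": {"server": {"hash": {"sha1": "6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c"}}}},
    # Packetbeat-style event with SHA256 enabled in the TLS fingerprints.
    {"_id": "pb-2", "event": {"category": "network_traffic"},
     "tls": {"server": {"hash": {"sha1": "0000000000000000000000000000000000000000",
                                 "sha256": DEFAULT_CS_CERT_HASHES["sha256"]}}}},
    # Benign TLS session: a different certificate.
    {"_id": "benign-3", "event": {"category": ["network"]},
     "tls": {"server": {"hash": {"sha1": "A9993E364706816ABA3E25717850C26C9CD0D89D"}}}},
    # Matching hash but wrong category: the category guard must reject it.
    {"_id": "proc-4", "event": {"category": ["process"]},
     "tls": {"server": {"hash": {"md5": DEFAULT_CS_CERT_HASHES["md5"]}}}},
]

if __name__ == "__main__":
    print("alerting events:", alerts(SAMPLE_EVENTS))
```

The `is_default_cs_cert` path is useful when the certificate is in hand but the pipeline did not store the fingerprint you need (for example, Packetbeat with its default SHA1-only setting): hash the DER bytes yourself and compare against all three indicators.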
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Application Layer Protocol
  - ID: T1071
  - Reference URL: https://attack.mitre.org/techniques/T1071/
Rule version history
- Version 2 (7.11.2 release)
  - Formatting only