In November 2022, members of the ExtraHop Detections Research and Data Science teams picked up on a device in an organization's network environment that was making suspicious outbound connections to a confirmed Cobalt Strike command and control (C2) server.

Cobalt Strike is a legitimate penetration testing and attack simulation platform used by red teams, but over the past three to four years threat actors including Cozy Bear and the Conti, Black Basta, and Royal ransomware gangs have used it as a tool in their arsenal.

Attacks leveraging Cobalt Strike frequently foreshadow ransomware. Specifically, once these actors have gained access to an organization's environment, they deploy Cobalt Strike to establish communications with a C2 server.

The C2 communications that we detected in early November using the ExtraHop Reveal(x) network detection and response (NDR) platform, combined with other data and threat intelligence sources, strongly suggested that a malicious actor had breached the organization's perimeter defenses and was potentially looking to take a number of actions, including network reconnaissance, lateral movement, and credential theft, with the possible intent to deploy ransomware and/or exfiltrate data.

In this threat analysis report, we share our findings and detection methodology to help cybersecurity practitioners identify Cobalt Strike in their environments. We also describe how we discovered the malicious activity using ExtraHop Reveal(x), and we explain the benefits and impact of detecting this attack in its early stages.
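The detection described above rests on two observations that any team with connection logs can reproduce: an internal host talking to a destination that threat intelligence has tagged as a Cobalt Strike team server, and that traffic recurring at a regular cadence (Beacon checks in on a configured sleep interval, with optional jitter). The following is an added example, not code from ExtraHop or the report, showing that logic over constructed Zeek-style conn log lines; the indicator addresses, the log records, and the thresholds (`min_count`, `max_jitter`) are all assumptions chosen for illustration.

```python
"""Added example (not from the ExtraHop report): flag internal hosts that make
repeated, regularly spaced outbound connections to destinations on a
threat-intel list. Log lines, indicator list and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed indicator set: destination IPs a hypothetical threat-intel feed
# has tagged as Cobalt Strike team servers (documentation-range addresses).
KNOWN_C2 = {"203.0.113.10", "198.51.100.77"}

# Constructed Zeek-style conn.log records (tab-separated):
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service
SAMPLE_CONN_LOG = """\
1667900000.0\t10.1.4.22\t51002\t203.0.113.10\t443\ttcp\tssl
1667900060.1\t10.1.4.22\t51010\t203.0.113.10\t443\ttcp\tssl
1667900119.9\t10.1.4.22\t51031\t203.0.113.10\t443\ttcp\tssl
1667900180.2\t10.1.4.22\t51044\t203.0.113.10\t443\ttcp\tssl
1667900032.0\t10.1.4.22\t51005\t142.250.72.14\t443\ttcp\tssl
1667900101.0\t10.1.7.9\t40211\t198.51.100.77\t8080\ttcp\thttp
1667900500.0\t10.1.7.9\t40230\t93.184.216.34\t80\ttcp\thttp
"""


def parse_conn_log(text):
    """Parse tab-separated conn records into dicts; skip blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, service = line.split("\t")
        records.append({
            "ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
            "resp_p": int(resp_p), "proto": proto, "service": service,
        })
    return records


def find_c2_contacts(records, indicators):
    """Group connection timestamps by (internal source, indicator destination)."""
    contacts = defaultdict(list)
    for r in records:
        if r["resp_h"] in indicators:
            contacts[(r["orig_h"], r["resp_h"])].append(r["ts"])
    return contacts


def beacon_score(timestamps):
    """Return (count, mean_interval, jitter_ratio) for a series of timestamps.

    A low jitter_ratio (stddev / mean of the gaps) over several connections
    suggests an automated check-in rather than a user browsing. Fewer than
    three connections give no usable interval, so those fields are None."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return len(ts), None, None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return len(ts), m, (pstdev(gaps) / m if m else None)


def detect_beacons(text, indicators=KNOWN_C2, min_count=3, max_jitter=0.2):
    """Every indicator hit is reported; hits with enough regularly spaced
    connections are escalated to 'beaconing'. Thresholds are assumptions."""
    findings = []
    contacts = find_c2_contacts(parse_conn_log(text), indicators)
    for (src, dst), ts in sorted(contacts.items()):
        count, interval, jitter = beacon_score(ts)
        verdict = "ioc_hit"
        if count >= min_count and jitter is not None and jitter <= max_jitter:
            verdict = "beaconing"
        findings.append({"src": src, "dst": dst, "count": count,
                         "interval": interval, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_CONN_LOG):
        print(finding)
```

On the constructed input, host 10.1.4.22 is escalated to "beaconing" (four connections about 60 seconds apart to a listed address), while 10.1.7.9 is reported as a single indicator hit that deserves follow-up but does not yet show a cadence. In practice the indicator set would come from a threat-intel feed and the jitter threshold would be tuned against known-good periodic traffic (update checks, monitoring agents) to keep false positives down.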