
Cobalt strike beacon
Even in these uncertain times, state-sponsored groups continue their hacking attempts and we must stay vigilant at all times. We recently investigated such a state-sponsored attack on a SentinelOne customer, one of the leaders in their field of business. In light of the Coronavirus lockdowns and subsequent understaffing at many businesses, we were contacted by the customer to help investigate an intrusion that was discovered in their network by threat alerts in their SentinelOne Console. We were contacted shortly after the malicious activity was discovered and asked to find the attackers’ persistence methods as well as to ensure full remediation. In this post, we’ll describe how we did that using SentinelOne features as well as other tools and methods we developed along the way.

1. Progression: The attack propagated initially through the company’s VPN to an inner Windows server, then on to the Domain Controller and afterward to servers containing the sought-after data.
2. Toolkit: The attackers used a CobaltStrike Beacon with a then-unknown persistence method using DLL hijacking (detailed below). Other than that, the group relied solely on LOLBins and mostly fileless methods for local execution and lateral movement.
3. Hunting: Beacon configuration parsing tool and related SentinelOneQL hunting queries.

We learned from the customer that the same actor had accessed the company in August 2019 via their Citrix server. Even though the customer has had multiple credential rotations since, implemented haveibeenpwned password lookups and aligned with NIST 800-63B, our assessment was that the actor had used intelligence gained from credentials stolen during their previous access to connect to the company’s VPN service. The attackers connected to the company’s VPN through a public PureVPN node. This hides their real IP address in the VPN’s logs and makes attribution more difficult.

Lateral Movement

At the beginning of our investigation, we reviewed the threats marked by the SentinelOne Agent in the Console. One of the Attack Storylines looked like this: From this, we could see how the attackers achieved lateral movement and what code they ran: a one-line PowerShell payload that we identified as a CobaltStrike Beacon stager: It’s easy to see from the Attack Storyline that after the Beacon was up and running, they first ran quser to verify they were running as SYSTEM and then migrated into explorer.exe to masquerade as a benign process. From explorer.exe, they ran multiple recon commands (the IPs in this post were changed for privacy): We can tell that at least some of the commands weren’t part of an automated recon script by their occasional typos; for example, these commands were run one after the other: By looking at that explorer.exe’s DNS requests and PowerShell HTTP requests we were able to obtain their C2 domains. To verify these domains we base64-decoded the Beacon’s PowerShell stager and analyzed that shellcode using the great scdbg tool:

One of their first actions in the network was to dump credentials by copying the NTDS. To do so, using the Beacon they connected to the Domain Controller’s C$ share and uploaded update.bat, and to run it they created a remote scheduled task. But instead of running the task on demand, it was timed so it would run shortly after: The batch file contained the commands to dump the NTDS (and other registry files needed to parse it) and delete the scheduled task:
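The decoding step described above (peeling the one-line PowerShell stager down to the shellcode bytes that are then handed to scdbg) as an added analyst helper; this is example code, not a tool from the post or from SentinelOne. It assumes the common layering of such a stager: a `-EncodedCommand` argument (base64 of UTF-16LE script), whose script wraps a base64 gzip-compressed loader, whose loader holds the payload in a `FromBase64String('...')` byte array. The sample input is constructed here with a placeholder payload and without any execution logic.

```python
import base64
import gzip
import re
from typing import List

# Any base64 literal handed to FromBase64String, single- or double-quoted
_B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

# Constructed placeholder standing in for the shellcode bytes (not real code)
SAMPLE_PAYLOAD = b"PLACEHOLDER-SHELLCODE-BYTES"


def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind 'powershell ... -EncodedCommand <b64>' (UTF-16LE)."""
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def base64_args(script: str) -> List[bytes]:
    """Decode every FromBase64String('...') literal found in a script body."""
    return [base64.b64decode(b) for b in _B64_ARG.findall(script)]


def unwrap_stager(cmdline: str) -> bytes:
    """Peel the layers: -EncodedCommand -> gzip'd loader -> [Byte[]] payload.
    Returns the raw bytes an analyst would write to disk for scdbg."""
    blobs = base64_args(decode_encoded_command(cmdline))
    if not blobs:
        raise ValueError("outer script carries no base64 payload")
    inner = blobs[0]
    if inner[:2] == b"\x1f\x8b":  # gzip magic: a compressed loader script follows
        loader = gzip.decompress(inner).decode("utf-8", errors="replace")
        blobs = base64_args(loader)
        if not blobs:
            raise ValueError("loader carries no base64 payload")
        return blobs[0]
    return inner  # single-layer variant: the outer blob already is the payload


def build_constructed_sample(payload: bytes) -> str:
    """Constructed input mimicking the stager's layering; the loader is reduced
    to the payload assignment only, and no execution statements are included."""
    loader = "[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')" % (
        base64.b64encode(payload).decode())
    gz_b64 = base64.b64encode(gzip.compress(loader.encode())).decode()
    outer = '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));' % gz_b64
    enc = base64.b64encode(outer.encode("utf-16-le")).decode()
    return "powershell -nop -w hidden -encodedcommand " + enc
```

On a real command line captured from the Storyline, feed the whole string to `unwrap_stager` and write the returned bytes to a file before running scdbg over it.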