Google has announced the release of YARA rules and a VirusTotal Collection to help detect Cobalt Strike and disrupt its malicious use.

Google releases YARA rules and a VirusTotal Collection to help detect Cobalt Strike

The original text follows:


Released in 2012, Cobalt Strike is a legitimate red teaming tool that consists of a collection of utilities in a JAR file that can emulate real cyberthreats. It uses a server/client approach to provide the attacker with control over infected systems, from a single interface.

Cobalt Strike has evolved into a point-and-click system for deploying remote access tools on targeted systems, with threat actors abusing its capabilities for lateral movement into victim environments.

The tool’s vendor has in place a vetting system to prevent selling the software to malicious entities, but cracked versions of Cobalt Strike have been available for years.

“These unauthorized versions of Cobalt Strike are just as powerful as their retail cousins except that they don’t have active licenses, so they can’t be upgraded easily,” Google notes.

By releasing open-source YARA rules and a VirusTotal Collection that integrates them, Google aims to help organizations flag and identify Cobalt Strike’s components, to improve protections.

The targeted components include templates for JavaScript, VBA macros, and PowerShell scripts that deploy shellcode implants in memory and serve as stagers for the final payload: a Beacon that gives the operator control over the infected system and can deploy additional payloads.

“The stagers, templates, and beacon are contained within the Cobalt Strike JAR file. They are not created on the fly, nor are they heavily obfuscated before deployment from the […] server. Cobalt Strike offers basic protection using a reversible XOR encoding,” Google explains.

The internet giant says it has located Cobalt Strike JAR files starting with version 1.44 (released around 2012), up to version 4.7, and used its components to build YARA-based detection.

“Each Cobalt Strike version contains approximately 10 to 100 attack template binaries. We found 34 different Cobalt Strike release versions with a total of 275 unique JAR files across these versions. All told, we estimated a minimum of 340 binaries that must be analyzed and have signatures written to detect them,” Google notes.

While the stagers and templates appear to remain constant across versions, a new, unique beacon component is typically created with each new Cobalt Strike release. Overall, Google has generated 165 signatures to detect these Cobalt Strike components across the identified versions.

“We decided that detecting the exact version of Cobalt Strike was an important component to determining the legitimacy of its use by non-malicious actors since some versions have been abused by threat actors,” Google notes.
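The inventory-and-signature pipeline the article describes, as an added example that is not Google's own tooling or any of its released rules: it unpacks constructed stand-in JARs, hashes every embedded component, records which releases share identical bytes (the stager/template case) and which do not (the per-release beacon), and emits one hash-based YARA rule per unique component tagged with the versions it was seen in, so a hit also narrows down the release. The member names, version labels and rule-naming scheme are assumptions.

```python
import hashlib
import io
import zipfile

# Constructed stand-ins for Cobalt Strike JARs (names are hypothetical): the
# template and stager bytes repeat across versions, the beacon bytes differ.
SAMPLE_JARS = {
    "4.6": {"resources/template.x64.ps1": b"TEMPLATE-PS1",
            "resources/stager.bin": b"STAGER-V1",
            "resources/beacon.dll": b"BEACON-4.6"},
    "4.7": {"resources/template.x64.ps1": b"TEMPLATE-PS1",
            "resources/stager.bin": b"STAGER-V1",
            "resources/beacon.dll": b"BEACON-4.7"},
}

def make_jar(files):
    """Build an in-memory zip (a JAR is a zip) from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def inventory_jar(jar_bytes):
    """Return {member_name: sha256_hex} for every file inside the JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def build_rules(jars):
    """jars: {version: jar_bytes}. One YARA rule per unique component hash,
    with every version that ships those exact bytes recorded in the rule."""
    seen = {}  # sha256 -> (member name, list of versions)
    for version, jar in jars.items():
        for name, digest in inventory_jar(jar).items():
            seen.setdefault(digest, (name, []))[1].append(version)
    rules = ['import "hash"']
    for digest, (name, versions) in sorted(seen.items(), key=lambda kv: kv[1][0]):
        ident = name.split("/")[-1].replace(".", "_")
        ver_tag = "_".join(v.replace(".", "_") for v in sorted(versions))
        rules.append(f"rule cs_{ident}_v{ver_tag} {{\n"
                     f"  meta:\n    versions = \"{', '.join(sorted(versions))}\"\n"
                     f"  condition:\n    hash.sha256(0, filesize) == \"{digest}\"\n}}")
    return "\n".join(rules)

def unique_component_count(jars):
    """Number of distinct signatures needed: one per unique component hash."""
    return len({d for j in jars.values() for d in inventory_jar(j).values()})

if __name__ == "__main__":
    jars = {v: make_jar(f) for v, f in SAMPLE_JARS.items()}
    print(unique_component_count(jars))  # 4: template, stager, two beacons
    print(build_rules(jars))
```

Matching a released component against these rules requires running them over the extracted member on disk; the `filesize`-wide `hash.sha256` condition is what makes each rule version-specific.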

The newly released detection tools target only non-current versions of Cobalt Strike components, so that the most recent ones, which are used by paying customers, remain untouched. Google warns that the cracked versions are typically at least one iteration behind.

“We focused on these versions by crafting hundreds of unique signatures that we integrated as a collection of community signatures available in VirusTotal. We also released these signatures as open source to cybersecurity vendors who are interested in deploying them within their own products, continuing our commitment to improving open source security across the industry,” Google says.



Source: https://www.securityweek.com/google-making-cobalt-strike-pentesting-tool-harder-abuse
