Default Cobalt Strike Team Server Certificate

This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.

Elastic rule

[metadata]
creation_date = "2020/10/05"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for
Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques
of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and
SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module
configuration.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
language = "kuery"
license = "Elastic License v2"
name = "Default Cobalt Strike Team Server Certificate"
note = """## Threat intel

While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly."""
references = [
    "https://attack.mitre.org/software/S0154/",
    "https://www.cobaltstrike.com/help-setup-collaboration",
    "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
    "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
    "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html",
    "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack",
]
risk_score = 99
rule_id = "e7075e8d-a966-458e-a183-85cd331af255"
severity = "critical"
tags = [
    "Tactic: Command and Control",
    "Threat: Cobalt Strike",
    "Use Case: Threat Detection",
    "Domain: Endpoint",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.tls or event.category: (network or network_traffic))
  and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83
  or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C
  or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
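Added example (not code from the rule or the Elastic repository): a Python re-implementation of the query above, run over constructed ECS-style events, plus a helper that derives all three fingerprints from a DER certificate so that a capture which only logged SHA1 (the Packetbeat default named in the description) can still be compared against the MD5 and SHA256 indicators. The sample events and the empty-certificate test input are made up; the fingerprint values are the ones in the query.

```python
import hashlib

# Fingerprints copied from the rule's query above (upper-case hex, as in the KQL).
DEFAULT_CS_FINGERPRINTS = {
    "md5": "950098276A495286EB2A2556FBAB6D83",
    "sha1": "6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C",
    "sha256": "87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C",
}

def certificate_fingerprints(der_cert: bytes) -> dict:
    """All three fingerprints of a DER-encoded certificate (MD5, SHA1, SHA256)."""
    return {alg: hashlib.new(alg, der_cert).hexdigest().upper()
            for alg in ("md5", "sha1", "sha256")}

def get_field(event: dict, path: str):
    """Resolve an ECS field stored either as one dotted key or as nested objects."""
    if path in event:
        return event[path]
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches_rule(event: dict) -> bool:
    """Python equivalent of the KQL: TLS/network traffic AND a known fingerprint."""
    categories = get_field(event, "event.category") or []
    if isinstance(categories, str):
        categories = [categories]
    if not (get_field(event, "event.dataset") == "network_traffic.tls"
            or any(c in ("network", "network_traffic") for c in categories)):
        return False
    # KQL matches keyword fields exactly; case is normalised here so a differently
    # cased capture is not overlooked when checking by hand.
    return any(str(get_field(event, f"tls.server.hash.{alg}") or "").upper() == fp
               for alg, fp in DEFAULT_CS_FINGERPRINTS.items())

# Constructed sample events (not real captures): 0 and 1 alert, 2 is another
# certificate, 3 has the hash but is not network/TLS data and so is out of scope.
SAMPLE_EVENTS = [
    {"event": {"dataset": "network_traffic.tls", "category": ["network"]},
     "tls": {"server": {"hash": {"sha1": "6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C"}}}},
    {"event.category": "network",
     "tls.server.hash.sha256": "87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c"},
    {"event": {"dataset": "network_traffic.tls"},
     "tls": {"server": {"hash": {"sha1": "0000000000000000000000000000000000000000"}}}},
    {"event": {"dataset": "process"},
     "tls": {"server": {"hash": {"md5": "950098276A495286EB2A2556FBAB6D83"}}}},
]

def flag_events(events) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Feeding the DER bytes of a suspect server certificate to `certificate_fingerprints` yields the values to compare against the rule's three indicators; `flag_events(SAMPLE_EVENTS)` returns `[0, 1]`.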

Threat intel

While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.
