Default Cobalt Strike Team Server Certificate
This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/10/05"
3integration = ["network_traffic"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/08/01"
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for
13Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques
14of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and
15SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module
16configuration.
17"""
18from = "now-9m"
19index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Default Cobalt Strike Team Server Certificate"
23note = """## Threat intel
24
25While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly."""
26references = [
27 "https://attack.mitre.org/software/S0154/",
28 "https://www.cobaltstrike.com/help-setup-collaboration",
29 "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
30 "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
31 "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html",
32 "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack",
33]
34risk_score = 99
35rule_id = "e7075e8d-a966-458e-a183-85cd331af255"
36severity = "critical"
37tags = [
38 "Tactic: Command and Control",
39 "Threat: Cobalt Strike",
40 "Use Case: Threat Detection",
41 "Domain: Endpoint",
42]
43timestamp_override = "event.ingested"
44type = "query"
45
46query = '''
47(event.dataset: network_traffic.tls or event.category: (network or network_traffic))
48 and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83
49 or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C
50 or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1071"
58name = "Application Layer Protocol"
59reference = "https://attack.mitre.org/techniques/T1071/"
60[[rule.threat.technique.subtechnique]]
61id = "T1071.001"
62name = "Web Protocols"
63reference = "https://attack.mitre.org/techniques/T1071/001/"
64
65
66
67[rule.threat.tactic]
68id = "TA0011"
69name = "Command and Control"
70reference = "https://attack.mitre.org/tactics/TA0011/"
Threat intel
While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.
References
-
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control Cobalt Strike can use a number of known techniques to bypass Windows UAC.[1][2] .003 Abuse Elevation Control Mec...
Read More -
Distributed and Team Operations Use Cobalt Strike to coordinate a distributed red team effort. Stage Cobalt Strike on one or more remote hosts. Start your team servers and have your team connect. f...
Read More -
TLS is a cryptographic protocol that provides secure communications on top of an existing application protocol, like HTTP or MySQL. Packetbeat intercepts the initial handshake in a TLS connection a...
Read More -
This is a module to the Suricata IDS/IPS/NSM log. It parses logs that are in the Suricata Eve JSON format. When you run the module, it performs a few tasks under the hood: Sets the default paths to...
Read More -
This is a module for Zeek, which used to be called Bro. It parses logs that are in the Zeek JSON format. Read the quick start to learn how to configure and run modules. Compatibilityedit This modul...
Read More -
Related rules
- Accepted Default Telnet Port Connection
- IPSEC NAT Traversal Port Activity
- RDP (Remote Desktop Protocol) from the Internet
- Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
- VNC (Virtual Network Computing) from the Internet