Default Cobalt Strike Team Server Certificate
This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations, which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.
Elastic rule
[metadata]
creation_date = "2020/10/05"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for
Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques
of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and
SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module
configuration.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
language = "kuery"
license = "Elastic License v2"
name = "Default Cobalt Strike Team Server Certificate"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Default Cobalt Strike Team Server Certificate

Cobalt Strike is a tool used for simulating advanced cyber threats, often employed by security teams to test defenses. However, adversaries can exploit its default server certificate to establish covert command and control channels. The detection rule identifies this misuse by monitoring network traffic for specific cryptographic hashes associated with the default certificate, flagging potential unauthorized Cobalt Strike activity.

### Possible investigation steps

- Review the network traffic logs to identify any connections associated with the specific cryptographic hashes: MD5 (950098276A495286EB2A2556FBAB6D83), SHA1 (6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C), or SHA256 (87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C).
- Identify the source and destination IP addresses involved in the flagged network traffic to determine the potential origin and target of the Cobalt Strike activity.
- Correlate the identified IP addresses with known assets in the network to assess if any internal systems are potentially compromised.
- Check for any other suspicious or anomalous network activities around the same time as the alert to identify potential lateral movement or additional command and control channels.
- Investigate any associated processes or user accounts on the involved systems to determine if there are signs of compromise or unauthorized access.
- Review historical data to see if there have been previous alerts or similar activities involving the same cryptographic hashes or IP addresses, which might indicate a persistent threat.

### False positive analysis

- Legitimate security testing activities by internal teams using Cobalt Strike may trigger the rule. Coordinate with security teams to whitelist known testing IP addresses or certificate hashes.
- Some commercial penetration testing services may use Cobalt Strike with default certificates. Verify the legitimacy of such services and exclude their traffic from detection by adding their certificate hashes to an exception list.
- Network appliances or security tools that simulate adversary behavior for training purposes might use similar certificates. Identify these tools and configure exceptions for their specific network traffic patterns.
- In environments where Cobalt Strike is used for authorized red team exercises, ensure that the default certificate is replaced with a custom one to avoid false positives.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further communication with the potential Cobalt Strike server.
- Conduct a thorough forensic analysis of the isolated system to identify any malicious payloads or additional indicators of compromise.
- Revoke any compromised credentials and enforce a password reset for affected accounts to prevent unauthorized access.
- Update and patch all systems to the latest security standards to mitigate vulnerabilities that could be exploited by similar threats.
- Implement network segmentation to limit the lateral movement of threats within the network.
- Enhance monitoring and logging to capture detailed network traffic and endpoint activity, focusing on the identified cryptographic hashes.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and coordination with external threat intelligence sources if necessary.

## Threat intel

While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly."""
references = [
    "https://attack.mitre.org/software/S0154/",
    "https://www.cobaltstrike.com/help-setup-collaboration",
    "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
    "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
    "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html",
    "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack",
]
risk_score = 99
rule_id = "e7075e8d-a966-458e-a183-85cd331af255"
severity = "critical"
tags = [
    "Tactic: Command and Control",
    "Threat: Cobalt Strike",
    "Use Case: Threat Detection",
    "Domain: Endpoint",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.tls or event.category: (network or network_traffic))
  and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83
  or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C
  or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"



[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
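To see how the two clauses of the KQL query above combine, here is an added Python re-implementation of the rule's logic (example code written for this page, not Elastic's own detection engine) run over constructed ECS-style events. The fingerprints come from the rule; the events, IP addresses, and the upper-casing of stored hash values before comparison are assumptions made for the example.

```python
# Fingerprints of the default Cobalt Strike Team Server certificate, taken from the rule's query.
CS_DEFAULT_CERT = {
    "md5": "950098276A495286EB2A2556FBAB6D83",
    "sha1": "6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C",
    "sha256": "87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C",
}

def field(event, dotted):
    """Resolve a dotted ECS field name in a nested event dict (None if absent)."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def in_scope(event):
    """First clause: event.dataset: network_traffic.tls or event.category: (network or network_traffic)."""
    if field(event, "event.dataset") == "network_traffic.tls":
        return True
    cats = field(event, "event.category")
    return any(c in ("network", "network_traffic") for c in (cats if isinstance(cats, list) else [cats]))

def matched_fingerprint(event):
    """Second clause: the tls.server.hash.* algorithm equal to the default cert, else None.
    Assumption: hex is upper-cased before comparing; the KQL rule matches the stored value as-is."""
    for algo, expected in CS_DEFAULT_CERT.items():
        seen = field(event, f"tls.server.hash.{algo}")
        if seen is not None and str(seen).upper() == expected:
            return algo
    return None

def evaluate(events):
    """Apply both clauses; return one alert per matching event with the IP pair to triage first."""
    alerts = []
    for ev in events:
        algo = matched_fingerprint(ev) if in_scope(ev) else None
        if algo:
            alerts.append({"algo": algo, "src": field(ev, "source.ip"), "dst": field(ev, "destination.ip")})
    return alerts

# Constructed sample events (RFC 5737 documentation addresses), not captured traffic.
SAMPLE_EVENTS = [
    # Packetbeat TLS flow carrying only the default SHA1 fingerprint (Packetbeat's default algorithm).
    {"event": {"dataset": "network_traffic.tls"}, "source": {"ip": "10.0.0.5"},
     "destination": {"ip": "203.0.113.10"}, "tls": {"server": {"hash": {"sha1": CS_DEFAULT_CERT["sha1"]}}}},
    # Event selected by event.category (e.g. Suricata/Zeek via Filebeat) with the MD5 stored in lowercase.
    {"event": {"category": ["network"]}, "source": {"ip": "10.0.0.7"},
     "destination": {"ip": "198.51.100.20"}, "tls": {"server": {"hash": {"md5": CS_DEFAULT_CERT["md5"].lower()}}}},
    # Matching hash but outside the rule's event scope: no alert.
    {"event": {"category": ["process"]}, "tls": {"server": {"hash": {"sha256": CS_DEFAULT_CERT["sha256"]}}}},
]
```

Because each alert carries the source and destination pair, the output maps directly onto the first two investigation steps in the rule's note.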