MichaelKoczwara / Awesome Cobaltstrike Defence

Licence: mit
Awesome-CobaltStrike-Defence

Defences against Cobalt Strike

Cobalt Strike is a commercial, full-featured penetration-testing tool that bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Its interactive post-exploitation capabilities cover the full range of ATT&CK tactics, all executed from a single, integrated system. In addition to its own capabilities, Cobalt Strike leverages other well-known tools such as Metasploit and Mimikatz. Because it is so widely used by real intrusion sets as well as red teams, the resources below focus on detecting it: beacon configuration extraction, team server fingerprinting, memory forensics, named-pipe and process-injection telemetry, and network traffic patterns.

Cobalt Strike MITRE TTPs https://attack.mitre.org/software/S0154/

Cobalt Strike MITRE ATT&CK Navigator https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0154%2FS0154-enterprise-layer.json

Hunting & Detection Tools

Cobalt Strike Team Server Password Brute Forcer https://github.com/isafe/cobaltstrike_brute

CobaltStrikeScan Scan files or process memory for Cobalt Strike beacons and parse their configuration https://github.com/Apr4h/CobaltStrikeScan

Cobalt Strike beacon scan https://github.com/whickey-r7/grab_beacon_config

Cobalt Strike decrypt https://github.com/WBGlIl/CS_Decrypt

Detecting CobaltStrike for Volatility https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py

JARM fingerprints scanner https://github.com/salesforce/jarm

Cobalt Strike Forensic https://github.com/RomanEmelyanov/CobaltStrikeForensic

Cobalt Strike resources https://github.com/Te-k/cobaltstrike

List of C2 JARM including Cobalt Strike https://github.com/cedowens/C2-JARM

SilasCutler_JARM_Scan_CobaltStrike_Beacon_Config.json https://pastebin.com/DzsPgH9w

Detection Cobalt Strike stomp https://github.com/slaeryan/DetectCobaltStomp

Yara rules

Cobalt Strike Yara (Neo23x0 signature-base) https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike.yar

Cobalt Strike Yara, evasive variants (Neo23x0 signature-base) https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike_evasive.yar

Cobalt Strike Yara (Te-k) https://github.com/Te-k/cobaltstrike/blob/master/rules.yar

Indicators of compromise

Cobalt Strike hashes https://bazaar.abuse.ch/browse/yara/CobaltStrike/

https://bazaar.abuse.ch/browse/tag/CobaltStrike/

https://bazaar.abuse.ch/browse/tag/CobaltStrike%20beacon%20implant%20Zoom%20Meetings/

https://tria.ge/s?q=family%3Acobaltstrike

Possible Cobalt Strike Stager IOCs https://pastebin.com/54zE6cSj

List of Cobalt Strike servers https://docs.google.com/spreadsheets/d/1bYvBh6NkNYGstfQWnT5n7cSxdhjSn1mduX8cziWSGrw/edit#gid=766378683

Additional Cobalt Strike IOCs https://pastebin.com/u/cobaltstrikemonitor

Cobalt Strike Trevor Profiles https://pastebin.com/yB6RJ63F

https://pastebin.com/7QnLN5u0

Hunting & Detection Research Articles

Analysing Cobalt Strike for fun and profit https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/

Cobalt Strike Remote Threads detection https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f

Sigma rule: Cobalt Strike process injection (Sysmon) https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml

The art and science of detecting Cobalt Strike https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf

Detecting Cobalt Strike Default Modules via Named Pipe Analysis https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/

A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers https://go.recordedfuture.com/hubfs/reports/cta-2019-0618.pdf

How to detect Cobalt Strike activities in memory forensics https://www.andreafortuna.org/2020/11/22/how-to-detect-cobalt-strike-activity-in-memory-forensics/

Detecting Cobalt Strike by Fingerprinting Imageload Events https://redhead0ntherun.medium.com/detecting-cobalt-strike-by-fingerprinting-imageload-events-6c932185d67c

The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
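Both CobaltStrikeScan (under Hunting & Detection Tools above) and the SentinelOne write-up deal with the same artefact: the beacon's embedded configuration, a single-byte-XOR-encoded table of big-endian TLV entries (2-byte index, 2-byte type, 2-byte length, value). The following is an added example written for this list, not code from any of the linked tools. The XOR keys (0x69 for v3, 0x2e for v4 beacons), the decoded-config magic, the type codes and the field-index names follow what public beacon-config parsers use and are stated here as assumptions; the sample blob is constructed in the block, not taken from a real sample.

```python
import struct

# Single-byte XOR keys used by the embedded beacon config (0x69 for v3, 0x2e for v4).
XOR_KEYS = (0x69, 0x2E)
# Once decoded, the table starts with entry index 1 (BeaconType), type 1 (short), length 2.
CONFIG_MAGIC = b"\x00\x01\x00\x01\x00\x02"

BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}
# Field indices as used by public parsers (assumption); only the ones needed for the demo.
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
               5: "Jitter", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri"}


def xor_decode(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def locate_config(blob: bytes):
    """Try each known key; return (key, decoded bytes from the config start) or (None, None)."""
    for key in XOR_KEYS:
        decoded = xor_decode(blob, key)
        start = decoded.find(CONFIG_MAGIC)
        if start != -1:
            return key, decoded[start:]
    return None, None


def parse_config(decoded: bytes) -> dict:
    """Walk big-endian TLV entries: index(2) type(2) length(2) value(length)."""
    fields = {}
    off = 0
    while off + 6 <= len(decoded):
        index, typ, length = struct.unpack_from(">HHH", decoded, off)
        off += 6
        if index == 0 or off + length > len(decoded):
            break  # index 0 terminates the table; a short read means a corrupt blob
        raw = decoded[off:off + length]
        off += length
        if typ == 1 and length == 2:        # short
            value = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:      # int
            value = struct.unpack(">I", raw)[0]
        elif typ == 3:                      # NUL-padded byte string
            value = raw.rstrip(b"\x00").decode("latin-1")
        else:
            break  # unknown type: stop rather than mis-parse the rest
        if index == 1:
            value = BEACON_TYPES.get(value, f"unknown({value})")
        fields[FIELD_NAMES.get(index, f"field_{index}")] = value
    return fields


def extract_beacon_config(blob: bytes) -> dict:
    """Scan a file or memory dump for an encoded config and return its parsed fields."""
    key, decoded = locate_config(blob)
    if key is None:
        return {}
    cfg = parse_config(decoded)
    cfg["XorKey"] = key
    return cfg


def build_sample_config(key: int = 0x2E) -> bytes:
    """CONSTRUCTED sample, not a real beacon: encode a small config the same way a beacon does."""
    entries = [
        (1, 1, struct.pack(">H", 8)),                        # BeaconType = HTTPS
        (2, 1, struct.pack(">H", 443)),                      # Port
        (3, 2, struct.pack(">I", 60000)),                    # SleepTime (ms)
        (5, 1, struct.pack(">H", 20)),                       # Jitter (%)
        (8, 3, b"203.0.113.10,/ca".ljust(256, b"\x00")),     # C2Server + GET URI
        (10, 3, b"/submit.php".ljust(64, b"\x00")),          # HttpPostUri
    ]
    body = b"".join(struct.pack(">HHH", i, t, len(v)) + v for i, t, v in entries)
    body += b"\x00" * 6                                      # terminator entry
    padded = b"\x90" * 32 + body + b"\x00" * 16              # surrounding bytes, as in a real image
    return xor_decode(padded, key)


if __name__ == "__main__":
    for name, value in extract_beacon_config(build_sample_config()).items():
        print(f"{name}: {value}")
```

Run it against a dumped beacon process or an unpacked stage (`extract_beacon_config(open(path, "rb").read())`); an empty result means neither default key exposed the magic, which is what you see with operators who patch the key, so a miss is not a clean bill of health.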

CobaltStrike - beacon.dll : Your No Ordinary MZ Header https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html

GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic https://www.bleepingcomputer.com/news/security/github-hosted-malware-calculates-cobalt-strike-payload-from-imgur-pic/

Detecting Cobalt Strike beacons in NetFlow data https://delaat.net/rp/2019-2020/p29/report.pdf
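The NetFlow report above rests on one observation: a beacon calls home on a fixed sleep, varied only by the jitter setting (which shortens the sleep by a random percentage up to the configured value), so inter-arrival times between a host and its C2 cluster tightly around the period. The following is an added example for this list, not code from the report; the flow records are constructed inline, and the 10-event / 20 % dispersion thresholds are assumptions to tune against your own baseline.

```python
import statistics
from collections import defaultdict


def interarrival(timestamps):
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def periodicity(deltas):
    """Median period and a robust dispersion (MAD / median). Low dispersion means regular check-ins."""
    med = statistics.median(deltas)
    if med <= 0:
        return med, float("inf")
    mad = statistics.median(abs(d - med) for d in deltas)
    return med, mad / med


def find_beacons(flows, min_events=10, max_dispersion=0.2):
    """flows: iterable of (src, dst, dport, start_epoch). Returns candidate beaconing tuples."""
    groups = defaultdict(list)
    for src, dst, dport, start in flows:
        groups[(src, dst, dport)].append(start)
    candidates = []
    for (src, dst, dport), starts in groups.items():
        if len(starts) < min_events:
            continue  # too few flows to say anything about regularity
        period, dispersion = periodicity(interarrival(starts))
        if dispersion <= max_dispersion:
            candidates.append({"src": src, "dst": dst, "dport": dport,
                               "events": len(starts), "period_s": round(period, 1),
                               "dispersion": round(dispersion, 3)})
    return candidates


def build_sample_flows():
    """CONSTRUCTED flows: one host checking in every ~60 s with up to 10 % downward jitter,
    one host browsing the same port at irregular intervals."""
    t0 = 1_700_000_000
    flows = []
    jitter = [0.0, 0.05, 0.10, 0.02, 0.08, 0.0, 0.07, 0.03, 0.09, 0.01, 0.06, 0.04]
    t = t0
    flows.append(("10.0.0.5", "203.0.113.10", 443, t))
    for j in jitter:
        t += 60 * (1 - j)
        flows.append(("10.0.0.5", "203.0.113.10", 443, t))
    gaps = [5, 130, 22, 300, 9, 75, 240, 18, 190, 60, 3, 155]
    t = t0
    flows.append(("10.0.0.7", "198.51.100.20", 443, t))
    for g in gaps:
        t += g
        flows.append(("10.0.0.7", "198.51.100.20", 443, t))
    return flows


if __name__ == "__main__":
    for hit in find_beacons(build_sample_flows()):
        print(hit)
```

The median/MAD pair is used instead of mean/standard deviation so that a handful of long gaps (the host asleep, the operator issuing `sleep 0` for an interactive session) do not wash out an otherwise regular pattern. Software updaters and monitoring agents beacon too, so pair a hit with the destination's reputation or JARM before escalating.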

Volatility Plugin for Detecting Cobalt Strike Beacon https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html

Easily Identify Malicious Servers on the Internet with JARM https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a

Cobalt Strike Beacon Analysis https://isc.sans.edu/forums/diary/Quick+Tip+Cobalt+Strike+Beacon+Analysis/26818/

Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike https://isc.sans.edu/forums/diary/Hancitor+infection+with+Pony+Evil+Pony+Ursnif+and+Cobalt+Strike/25532/

Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike https://isc.sans.edu/forums/diary/Attackers+Exploiting+WebLogic+Servers+via+CVE202014882+to+install+Cobalt+Strike/26752/

Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/

Identifying Cobalt Strike team servers in the wild https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/

Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/

Operation Cobalt Kitty http://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf

Detecting and Advancing In-Memory .NET Tradecraft https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/

Analysing Fileless Malware: Cobalt Strike Beacon https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/

CobaltStrike samples (archive password: infected) https://www.dropbox.com/s/o5493msqarg3iyu/Cobalt%20Strike.7z?dl=0

IndigoDrop spreads via military-themed lures to deliver Cobalt Strike https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html

Cobalt Group Returns To Kazakhstan https://research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/

Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/

Azure Sentinel Quick-Deploy with Cyb3rWard0g’s Sentinel To-Go – Let’s Catch Cobalt Strike! https://www.blackhillsinfosec.com/azure-sentinel-quick-deploy-with-cyb3rward0gs-sentinel-to-go-lets-catch-cobalt-strike/

Cobalt Strike stagers used by FIN6 https://malwarelab.eu/posts/fin6-cobalt-strike/

Malleable C2 Profiles and You https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929

List of spawns from exposed Cobalt Strike C2 https://gist.github.com/MHaggis/bdcd0e6d5c727e5b297a3e69e6c52286

C2 Traffic patterns including Cobalt Strike https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

CobaltStrike Threat Hunting via named Pipes https://www.linkedin.com/feed/update/urn:li:activity:6763777992985518081/

Hunting for GetSystem in offensive security tools https://redcanary.com/blog/getsystem-offsec/

malleable_c2_profiles https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752

pipes https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752#gistcomment-3624664

spawnto https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752#gistcomment-3624663
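The named-pipe research above (F-Secure's post, the LinkedIn hunting note and the pipes gist) comes down to matching Sysmon pipe events (ID 17 PipeCreated, ID 18 PipeConnected) against the pipe names Cobalt Strike uses when an operator leaves the defaults alone. The following is an added example for this list, not code from any of the linked posts; the regexes encode the default patterns those posts discuss (which module uses which pipe varies by version, and all of them are operator-configurable through the malleable C2 `pipename` options), and the events are constructed inline rather than real telemetry.

```python
import re

# Pipe-name patterns associated with default Cobalt Strike configurations (from the
# named-pipe research linked above). Every one of them can be changed in a malleable
# C2 profile, so a hit is a lead to pivot on, and a miss proves nothing.
DEFAULT_PIPE_PATTERNS = [
    re.compile(r"^MSSE-\d{4}-server$", re.I),
    re.compile(r"^postex_[0-9a-f]{4}$", re.I),
    re.compile(r"^msagent_[0-9a-f]{2}$", re.I),
    re.compile(r"^status_[0-9a-f]{2}$", re.I),
    re.compile(r"^interprocess_[0-9a-f]{2}$", re.I),
]

# Sysmon event IDs for named-pipe activity.
PIPE_CREATED, PIPE_CONNECTED = 17, 18


def normalise_pipe(name: str) -> str:
    """Reduce '\\MSSE-1234-server' or '\\\\.\\pipe\\MSSE-1234-server' to the bare pipe name."""
    return name.replace("/", "\\").rsplit("\\", 1)[-1]


def hunt_pipes(events):
    """Return one hit per pipe event whose name matches a default Cobalt Strike pattern."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (PIPE_CREATED, PIPE_CONNECTED):
            continue
        bare = normalise_pipe(ev.get("PipeName", ""))
        for pattern in DEFAULT_PIPE_PATTERNS:
            if pattern.match(bare):
                hits.append({
                    "Computer": ev.get("Computer"),
                    "Image": ev.get("Image"),
                    "PipeName": bare,
                    "Pattern": pattern.pattern,
                    "Event": "create" if ev["EventID"] == PIPE_CREATED else "connect",
                })
                break
    return hits


def hits_by_image(hits):
    """Group hits by the process that created/connected the pipe: the pivot for the next step."""
    summary = {}
    for hit in hits:
        summary.setdefault(hit["Image"], []).append(hit["PipeName"])
    return summary


# CONSTRUCTED Sysmon-style events for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 17, "Computer": "ws01", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "PipeName": "\\MSSE-4831-server"},
    {"EventID": 18, "Computer": "ws01", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "PipeName": "\\postex_a1b2"},
    {"EventID": 17, "Computer": "fs02", "Image": "C:\\Windows\\explorer.exe",
     "PipeName": "\\msagent_4f"},
    {"EventID": 17, "Computer": "ws01", "Image": "C:\\Program Files\\Git\\usr\\bin\\ssh.exe",
     "PipeName": "\\openssh-ssh-agent"},
    {"EventID": 1, "Computer": "ws01", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c whoami"},
    {"EventID": 17, "Computer": "ws03", "Image": "C:\\Windows\\System32\\svchost.exe",
     "PipeName": "\\status_zz"},  # suffix is not hex, so it does not match
]

if __name__ == "__main__":
    for image, pipes in hits_by_image(hunt_pipes(SAMPLE_EVENTS)).items():
        print(image, pipes)
```

Feed it the `PipeName`, `Image`, `Computer` and `EventID` fields from your Sysmon export (the field names above are Sysmon's own). When a pattern fires, the process in `Image` is the spawnto/injected host, so the follow-up is the same host's process-creation and CreateRemoteThread events around that timestamp, which is what the remote-threads and spawnto items above cover.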

Trainings

Attack detection fundamentals (F-Secure Labs), including Cobalt Strike detection:

Initial Access Lab 1 https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-1

Initial Access Lab 2 https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-2

Initial Access Lab 3 https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-3

Initial Access Lab 4 https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-4

Video walkthrough https://www.youtube.com/watch?v=DDK_hC90kR8

Videos

Malleable Memory Indicators with Cobalt Strike's Beacon Payload https://www.youtube.com/watch?v=93GyP-mEUAw&feature=emb_title

STAR Webcast: Spooky RYUKy: The Return of UNC1878 https://www.youtube.com/watch?v=BhjQ6zsCVSc

Excel 4.0 Macros Analysis - Cobalt Strike Shellcode Injection https://www.youtube.com/watch?v=XnN_UWfHlNM

Profiling And Detecting All Things SSL With JA3 https://www.youtube.com/watch?v=oprPu7UIEuk
