Cobalt Strike Detection Guide
Behavioral Indicators
Cobalt Strike is a commercial adversary-simulation framework whose Beacon payload is widely abused by real intruders; the behaviors below are those of Beacon and of the post-exploitation jobs it runs. Beacon typically executes inside a legitimate-looking host process, either injected into an existing one or inside a temporary process it spawns for each job, using techniques such as process hollowing or reflective DLL injection. The default spawn-to process is rundll32.exe; explorer.exe and svchost.exe are also common targets. A rundll32.exe started with no command-line arguments is a classic artefact of that default and is rare in normal use. Monitor for processes spawning unusual child processes, particularly when the parent is not normally associated with network activity or code injection.
Key API calls to monitor are VirtualAllocEx, WriteProcessMemory and CreateRemoteThread used in combination against a process that is not a known installer or updater; note that Beacon's injection method is configurable through the Malleable C2 process_inject block, so other primitives (NtQueueApcThread, SetThreadContext, NtCreateThreadEx) may appear instead. Beacon also calls generic APIs such as GetSystemDirectory, GetTempPath and GetUserName during initial execution, but these are far too common to alert on by themselves. Credential access is usually done with Mimikatz loaded in memory (the logonpasswords and hashdump commands), which opens a handle to lsass.exe and reads its memory; some operators instead write a dump with MiniDumpWriteDump. Look for process-access events on lsass.exe whose granted access includes PROCESS_VM_READ (0x10), for example Sysmon Event ID 10 with masks such as 0x1010 or 0x1FFFFF, from processes that are not known LSASS readers (csrss.exe, wininit.exe, the installed security agents). Browser credential theft is not a built-in Beacon feature; operators may run additional tooling that reads the SQLite credential databases in user profile directories.
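The following added example (not part of the original guide) turns the three host-side indicators above into checks over Sysmon-style events: rundll32.exe launched with no arguments (Event ID 1), a non-system process reading lsass.exe (Event ID 10), and a cross-process thread creation (Event ID 8). The events are constructed dictionaries using Sysmon's field names, not real telemetry, and the list of trusted system images is an assumption you should extend with your own EDR and AV binaries.

```python
import ntpath

# PROCESS_VM_READ from the Win32 process access rights; Sysmon logs GrantedAccess as hex text.
PROCESS_VM_READ = 0x0010

# Images that legitimately read lsass.exe or create threads in other processes on a stock host.
# Assumption: extend with your security agents; anything else doing this deserves a look.
TRUSTED_SYSTEM_IMAGES = {"csrss.exe", "wininit.exe", "winlogon.exe", "lsass.exe",
                         "services.exe", "msmpeng.exe", "mssense.exe"}

def _base(path):
    """Lower-cased file name of a Windows path (Sysmon image fields are full paths)."""
    return ntpath.basename(path or "").lower()

def lsass_read_from_untrusted(ev):
    """Sysmon Event ID 10: a process opened lsass.exe with PROCESS_VM_READ in the mask."""
    if ev.get("EventID") != 10 or _base(ev.get("TargetImage")) != "lsass.exe":
        return False
    mask = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(mask & PROCESS_VM_READ) and _base(ev.get("SourceImage")) not in TRUSTED_SYSTEM_IMAGES

def rundll32_without_arguments(ev):
    """Sysmon Event ID 1: rundll32.exe whose command line is nothing but its own path.
    That is how Beacon's default spawnto process looks when it hosts a post-ex job."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) != "rundll32.exe":
        return False
    command = ev.get("CommandLine", "").strip().strip('"')
    return _base(command) == "rundll32.exe"

def cross_process_thread(ev):
    """Sysmon Event ID 8: CreateRemoteThread into another process from a non-system image.
    Beacon's injection technique is configurable, so a miss here clears nothing; a hit from
    rundll32.exe or an Office application is a strong signal."""
    if ev.get("EventID") != 8:
        return False
    src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    return src.lower() != dst.lower() and _base(src) not in TRUSTED_SYSTEM_IMAGES

RULES = (
    ("rundll32_without_arguments", rundll32_without_arguments),
    ("lsass_read_from_untrusted", lsass_read_from_untrusted),
    ("cross_process_thread", cross_process_thread),
)

def triage(events):
    """Return (rule name, RecordId) for every event that trips a rule."""
    return [(name, ev["RecordId"]) for ev in events for name, rule in RULES if rule(ev)]

# Constructed events with Sysmon field names; not real telemetry.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 3, "EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"RecordId": 4, "EventID": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"RecordId": 5, "EventID": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Records 1, 3 and 5 are flagged; record 2 (rundll32.exe with a real DLL argument) and record 4 (Defender reading LSASS) are not. Feed the same dictionaries from your EVTX parser of choice and tune the trusted-image set before alerting on it.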
Network Indicators
Cobalt Strike's network traffic is characterized by its command and control (C2) communication, which uses HTTP, HTTPS or DNS, with SMB and TCP beacons for lateral peer-to-peer links. The sleep interval and jitter are set in the payload's configuration (60 seconds with no jitter in the stock profile) and can be changed at runtime with the sleep command; operators commonly run interactively with a very short sleep during hands-on-keyboard activity and lengthen it afterwards, so look for hosts that contact one server at a steady interval, allowing for a small percentage of jitter. Domains with high-entropy or freshly registered names and traffic to unusual hosting providers are supporting signals, not proof. The stock profile sends GET requests to URIs such as /dpixel, /__utm.gif, /pixel.gif or /activity and POSTs to /submit.php, and stager requests use a URI whose checksum8 (the sum of the path bytes modulo 256) is 92 for x86 and 93 for x64; all of these change as soon as the operator applies a Malleable C2 profile. The User-Agent is also profile-controlled and may be a default Internet Explorer-style string such as "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" or anything the operator chose.
The DNS beacon checks in with A-record queries for subdomains of the operator's domain and can carry tasking in TXT (dns-txt mode) or AAAA records, so look for high-entropy subdomains and a high rate of TXT queries; the server answers idle check-ins with a fixed address (0.0.0.0 unless the profile's dns_idle setting changes it), so a stream of A-record answers of 0.0.0.0 is a strong indicator. SMB beacons communicate over a named pipe (msagent_## by default) on TCP 445 between workstations that have no business talking SMB to each other. Data exfiltration typically flows through the same C2 channel, encoded into cookies, POST bodies or HTTP headers as the profile dictates. On the TLS side, the team server ships with a self-signed certificate (subject CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, ST=Cyberspace, C=Earth, serial 146473198) that lazy operators leave in place, and even with a custom certificate the server's TLS handshake can be fingerprinted with JARM; compare any certificate and fingerprint against the service the traffic claims to be.
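As an added example (not part of the original guide), the script below applies the HTTP indicators above to a constructed proxy log: it recognizes stock-profile URIs, recovers the stager architecture from the checksum8 rule, and scores each source/destination pair for beaconing by the spread of its inter-request gaps. The log format, the hosts and the addresses are invented for the example. Median and median absolute deviation are used instead of mean and standard deviation so that a single staging request or an interactive burst does not hide an otherwise steady sleep interval.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# URIs used by the stock (no-profile) Malleable C2 configuration. Operators change them,
# so treat a hit as a hint to pivot on, not a verdict.
DEFAULT_C2_URIS = {"/dpixel", "/__utm.gif", "/pixel.gif", "/activity", "/ca", "/fwlink",
                   "/updates.rss", "/match", "/submit.php"}

def checksum8(path):
    """Sum of the URI path bytes modulo 256, as the staging listener computes it."""
    return sum(path.encode()) % 256

def stager_arch(uri):
    """Architecture a stager request asks for, or None if the URI is not a stager URI.
    The staging listener serves the x86 stage for checksum8 == 92 and the x64 stage for 93."""
    path = uri.lstrip("/").split("?", 1)[0]
    if len(path) < 4:
        return None
    return {92: "x86", 93: "x64"}.get(checksum8(path))

def interval_stats(timestamps, min_gaps=5):
    """(median gap in seconds, MAD/median) for one host pair, or None with too few requests."""
    stamps = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < min_gaps:
        return None
    med = statistics.median(gaps)
    if med <= 0:
        return None
    mad = statistics.median(abs(g - med) for g in gaps)
    return med, round(mad / med, 3)

def parse_line(line):
    """Constructed log format: '<ISO time> <src> <dst> <method> <uri> <user agent>'."""
    ts, src, dst, method, uri, agent = line.split(" ", 5)
    return datetime.fromisoformat(ts), src, dst, method, uri, agent

def analyse(lines, max_spread=0.2):
    """Return ({(src, dst): (median gap, spread)} for beaconing pairs, sorted URI hits)."""
    by_pair = defaultdict(list)
    uri_hits = set()
    for ts, src, dst, method, uri, agent in map(parse_line, lines):
        by_pair[(src, dst)].append(ts)
        if uri in DEFAULT_C2_URIS:
            uri_hits.add((src, dst, uri, "default Malleable C2 URI"))
        arch = stager_arch(uri)
        if arch:
            uri_hits.add((src, dst, uri, f"checksum8 stager request ({arch})"))
    beaconing = {}
    for pair, stamps in by_pair.items():
        stats = interval_stats(stamps)
        if stats and stats[1] <= max_spread:
            beaconing[pair] = stats
    return beaconing, sorted(uri_hits)

UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
SAMPLE_LOG = [
    # 10.0.0.5: one stager fetch, then a 60 s sleep with a little jitter (constructed)
    f"2024-05-01T09:59:55 10.0.0.5 203.0.113.10 GET /Ig3y {UA}",
    f"2024-05-01T10:00:00 10.0.0.5 203.0.113.10 GET /dpixel {UA}",
    f"2024-05-01T10:01:01 10.0.0.5 203.0.113.10 GET /dpixel {UA}",
    f"2024-05-01T10:01:59 10.0.0.5 203.0.113.10 GET /dpixel {UA}",
    f"2024-05-01T10:03:02 10.0.0.5 203.0.113.10 GET /dpixel {UA}",
    f"2024-05-01T10:04:00 10.0.0.5 203.0.113.10 GET /dpixel {UA}",
    f"2024-05-01T10:05:02 10.0.0.5 203.0.113.10 GET /dpixel {UA}",
    f"2024-05-01T10:05:59 10.0.0.5 203.0.113.10 GET /dpixel {UA}",
    f"2024-05-01T10:07:01 10.0.0.5 203.0.113.10 GET /dpixel {UA}",
    f"2024-05-01T10:08:00 10.0.0.5 203.0.113.10 GET /dpixel {UA}",
    f"2024-05-01T10:08:58 10.0.0.5 203.0.113.10 GET /dpixel {UA}",
    # 10.0.0.7: ordinary browsing with irregular gaps (constructed)
    f"2024-05-01T10:00:00 10.0.0.7 198.51.100.20 GET /index.html {UA}",
    f"2024-05-01T10:00:05 10.0.0.7 198.51.100.20 GET /style.css {UA}",
    f"2024-05-01T10:02:20 10.0.0.7 198.51.100.20 GET /news {UA}",
    f"2024-05-01T10:02:30 10.0.0.7 198.51.100.20 GET /app.js {UA}",
    f"2024-05-01T10:06:40 10.0.0.7 198.51.100.20 GET /login {UA}",
    f"2024-05-01T10:06:50 10.0.0.7 198.51.100.20 POST /login {UA}",
    f"2024-05-01T10:06:51 10.0.0.7 198.51.100.20 GET /index.html {UA}",
    f"2024-05-01T10:15:00 10.0.0.7 198.51.100.20 GET /news {UA}",
]

if __name__ == "__main__":
    beaconing, hits = analyse(SAMPLE_LOG)
    print(beaconing)
    for hit in hits:
        print(hit)
```

On the sample, 10.0.0.5 scores a 58.5 s median gap with a spread of 0.034 despite the 5 s gap introduced by the stager request, while the browsing host's spread is well above the threshold. Group by destination and URI as well if operators rotate several GET URIs, and raise max_spread when you know the profile uses heavy jitter.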
File System Artifacts
Cobalt Strike payloads are often dropped in temporary directories or user profile locations. Common paths include %TEMP%, %APPDATA% and %LOCALAPPDATA%, with filenames that mimic legitimate system files or are random alphanumeric strings. Look for DLL or EXE files with recent timestamps in these locations, particularly if they are unsigned or carry an invalid signature. A raw Beacon DLL is a few hundred kilobytes; artifact-kit wrappers, stageless executables and packers change the size considerably, so do not filter on size alone. Bear in mind that a staged Beacon may never touch disk at all: the stager pulls the DLL over the network and loads it reflectively, leaving only the stager artefact (an executable, a DLL loaded through rundll32.exe or regsvr32.exe, a PowerShell one-liner, a macro) to find.
Beacon keeps its configuration embedded in the payload rather than in a separate file, so there is no characteristic configuration file to hunt for; operator-dropped tools, exfiltration staging archives and job output can nonetheless leave stray files. Named pipes are a better artefact: the default artifact kit creates a pipe named MSSE-<number>-server to pass the stage into the host process, SMB beacons listen on msagent_## (two hex digits), and post-exploitation jobs in recent versions use postex_#### (four hex digits). All three names are configurable, so treat a hit as strong and a miss as meaningless; Sysmon Event IDs 17 and 18 record pipe creation and connection. Also check for unexpected files in system directories, particularly if their creation dates do not match the neighbouring system files.
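An added example, not from the original guide, that classifies pipe names against the three default formats above and, on Windows, enumerates the live \\.\pipe\ namespace so the check can be run on a suspect host. The sample pipe listing is constructed for the example.

```python
import os
import re
import sys

# Default Cobalt Strike pipe name formats. Every one of them can be renamed through the
# Malleable C2 profile or the artifact kit, so a miss proves nothing.
DEFAULT_PIPE_PATTERNS = {
    "artifact-kit stager":   re.compile(r"^MSSE-\d+-server$", re.IGNORECASE),
    "SMB beacon":            re.compile(r"^msagent_[0-9a-f]{2}$", re.IGNORECASE),
    "post-exploitation job": re.compile(r"^postex_[0-9a-f]{4}$", re.IGNORECASE),
}

def classify_pipe(name):
    r"""Label a pipe (bare name or full \\.\pipe\name) that matches a default, else None."""
    leaf = name.rsplit("\\", 1)[-1]
    for label, pattern in DEFAULT_PIPE_PATTERNS.items():
        if pattern.match(leaf):
            return label
    return None

def live_pipe_names():
    """Enumerate the local named-pipe namespace; returns [] on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    return os.listdir(r"\\.\pipe\\")

def scan_pipes(names):
    """Return (pipe, label) for every pipe whose name matches a default Cobalt Strike format."""
    hits = []
    for name in names:
        label = classify_pipe(name)
        if label:
            hits.append((name, label))
    return hits

# Constructed pipe listing; the last three are ordinary or near-miss names for contrast.
SAMPLE_PIPES = [r"\\.\pipe\MSSE-6527-server", r"\\.\pipe\msagent_4f", r"\\.\pipe\postex_9a3b",
                r"\\.\pipe\lsass", r"\\.\pipe\srvsvc", r"\\.\pipe\MSSE-abc-server"]

if __name__ == "__main__":
    for hit in scan_pipes(live_pipe_names() or SAMPLE_PIPES):
        print(hit)
```

Run it on a live host to check the current namespace; for historical data feed it the PipeName field from Sysmon Event ID 17 records instead.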
Registry and Persistence Mechanisms
Cobalt Strike employs various persistence mechanisms depending on the operator's preferences and the target environment. Beacon has no built-in persistence command; operators add persistence by hand (shell, powershell, reg and schtasks commands) or through Aggressor scripts and third-party tools, so the artefacts are the ordinary Windows ones. Common registry persistence locations include:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Service creation is another option, adding entries under HKLM\System\CurrentControlSet\Services (Windows event 7045 and Sysmon Event ID 13 capture it). Scheduled tasks are also common: each task leaves an XML definition under C:\Windows\System32\Tasks and registry entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks and \Tree. Look for tasks with random names or names that mimic legitimate system tasks, and for task actions that run rundll32.exe, regsvr32.exe or encoded PowerShell from a user-writable directory.
COM hijacking works by registering a CLSID under HKCU\Software\Classes\CLSID, which is user-writable and shadows the machine-wide HKLM\SOFTWARE\Classes\CLSID entry in the merged HKCR view, so an InprocServer32 value under HKCU pointing at a DLL in a user profile directory is highly suspicious. WMI event subscriptions persist through an __EventFilter, an __EventConsumer (typically CommandLineEventConsumer) and a __FilterToConsumerBinding in ROOT\Subscription; Sysmon Event IDs 19 to 21 record their creation. Operators also drop shortcuts into the Startup folder or modify file associations to survive reboots.
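As an added example that is not part of the original guide, the script below reviews Run and RunOnce values with the heuristics this section suggests (user-writable paths, living-off-the-land binaries, encoded or hidden PowerShell) and, on Windows, reads the four keys through winreg. The entries used for the demonstration are constructed; the OneDrive line is deliberately included because it shows the main false-positive class, a legitimately installed per-user application living under AppData. The regular expressions and the LOLBin list are assumptions to tune for your estate.

```python
import ntpath
import re
import sys

RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Heuristics (assumptions, tune them): executables launched from user-writable locations,
# proxy binaries that load attacker DLLs or scripts, and PowerShell hiding its payload.
USER_WRITABLE = re.compile(
    r"(\\(users\\[^\\]+\\appdata|temp|programdata|users\\public)\\|%(temp|tmp|appdata|localappdata)%)",
    re.IGNORECASE)
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "msiexec.exe"}
ENCODED_POWERSHELL = re.compile(r"powershell(?:\.exe)?\b.*\s[-/](?:e|ec|en|enc|encodedcommand)\s",
                                re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"\s[-/]w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)

def executable_of(command):
    """First token of an autorun command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def autorun_reasons(command):
    """List of reasons an autorun value deserves review; empty means nothing matched."""
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("path in user-writable directory")
    if ntpath.basename(executable_of(command)).lower() in LOLBINS:
        reasons.append("living-off-the-land binary")
    if ENCODED_POWERSHELL.search(command):
        reasons.append("encoded PowerShell")
    if HIDDEN_WINDOW.search(command):
        reasons.append("hidden window")
    return reasons

def enumerate_run_keys():
    """(key path, value name, command) for every Run/RunOnce value; [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                entries.append((f"{hive}\\{subkey}", name, str(value)))
                index += 1
    return entries

def review(entries):
    """Keep only the entries with at least one reason, attaching the reasons."""
    findings = []
    for key, name, command in entries:
        reasons = autorun_reasons(command)
        if reasons:
            findings.append((key, name, command, reasons))
    return findings

# Constructed entries; only the first two paths are plausible attacker artefacts.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdate",
     r"rundll32.exe C:\Users\alice\AppData\Roaming\update.dll,Start"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsDefender",
     r"powershell.exe -w hidden -enc SQBFAFgAIAAoAE4A"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for finding in review(enumerate_run_keys() or SAMPLE_ENTRIES):
        print(finding)
```

The OneDrive entry is reported for its AppData path alone, which is why a single reason should route to review rather than alert; two or more reasons, or a LOLBin plus a user-writable DLL as in the WindowsUpdate entry, are far more specific.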
YARA Rule Guidance
When creating YARA rules for Cobalt Strike detection, combine static strings with structural characteristics. An unobfuscated Beacon DLL carries the internal names beacon.dll or beacon.x64.dll, an exported ReflectiveLoader function, and format strings from its post-exploitation commands; generic strings like "beacon" on their own will match far too much. The embedded configuration block is the most reliable static feature: it is a sequence of items, each a big-endian index, type and length followed by the value, XOR-encoded with a single byte (0x69 in 3.x builds, 0x2e in 4.x builds, operator-changeable since then). Because the first item is always BeaconType (index 1, type 1, length 2), the block starts with the plaintext bytes 00 01 00 01 00 02, which appear as 69 68 69 68 69 6b or 2e 2f 2e 2f 2e 2c once encoded; match those patterns, or brute-force the key from the same six-byte header and decode the configuration to recover the C2 server, sleep time, spawnto and watermark.
Target the import address table (IAT) patterns as a secondary signal: Beacon imports the injection and networking APIs in characteristic combinations, though packers and API hashing remove them. Pay attention to section names and characteristics; some builds have non-standard section names or sections with unusual permission combinations. The reflective loading stub has identifiable code around API resolution by hash and around the decryption of subsequent stages.
Consider rules for the patched MZ header that the reflective loader relies on: the DOS header is rewritten so that the first bytes are executable and transfer control to the loader. Common x64 payloads begin 4D 5A 41 52 55 48 89 E5 ("MZ" decoded as pop r10, then push r10, push rbp, mov rbp, rsp) and x86 payloads 4D 5A E8 00 00 00 00 5B 52 45 55 89 E5 ("MZ" as dec ebp / pop edx, then a call/pop to find the current address). Also target the string-decoding routines, which leave stable byte patterns even when the strings themselves are encrypted. Remember that Cobalt Strike is frequently obfuscated or packed, so include patterns that survive common packing techniques, scan process memory where the unpacked Beacon lives, or target the unpacking routines themselves.
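The configuration-block structure described above, implemented as an added example that is not part of the original guide: the script locates the XOR-encoded header (known keys first, then every other byte value), decodes the items and names the commonly documented fields. The sample "binary" is constructed inside the script from a hand-built configuration and is not a real Beacon; the field-index table lists only indexes whose meaning is widely documented, and an unknown index is reported as field_N rather than guessed.

```python
import struct

# Plaintext start of every Beacon config block: item index 1 (BeaconType), type 1 (short), length 2.
CONFIG_HEADER = bytes.fromhex("000100010002")
# Single-byte XOR keys used by stock builds: 0x69 (3.x) and 0x2e (4.x). Operators can change
# the key, so the remaining values are tried afterwards.
KNOWN_KEYS = (0x69, 0x2E)

# Commonly documented item indexes; anything else is reported as field_<index>.
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
               6: "MaxDNS", 7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
               14: "SpawnTo", 15: "PipeName", 29: "SpawnToX86", 30: "SpawnToX64", 37: "Watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP/DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}

def find_config(data):
    """(key, offset) of the encoded config header in a payload, or None."""
    for key in list(KNOWN_KEYS) + [k for k in range(256) if k not in KNOWN_KEYS]:
        pos = data.find(bytes(b ^ key for b in CONFIG_HEADER))
        if pos != -1:
            return key, pos
    return None

def parse_config(blob):
    """Decode the TLV items (index:2, type:2, length:2, value) until the zero terminator.
    Type 1 is a 16-bit short, type 2 a 32-bit int, type 3 a zero-padded blob."""
    fields = {}
    offset = 0
    while offset + 6 <= len(blob):
        index, kind, length = struct.unpack_from(">HHH", blob, offset)
        if index == 0:
            break
        offset += 6
        value = blob[offset:offset + length]
        if len(value) != length:
            break  # truncated, or this was not a config block after all
        offset += length
        if kind == 1 and length == 2:
            decoded = struct.unpack(">H", value)[0]
        elif kind == 2 and length == 4:
            decoded = struct.unpack(">I", value)[0]
        else:
            decoded = value.rstrip(b"\x00")
        fields[FIELD_NAMES.get(index, f"field_{index}")] = decoded
    if "BeaconType" in fields:
        fields["BeaconType"] = BEACON_TYPES.get(fields["BeaconType"], fields["BeaconType"])
    return fields

def extract_config(data, max_size=8192):
    """Locate, decode and parse the config block; returns (key, fields) or None."""
    hit = find_config(data)
    if hit is None:
        return None
    key, pos = hit
    decoded = bytes(b ^ key for b in data[pos:pos + max_size])
    return key, parse_config(decoded)

def _item(index, kind, value):
    """Encode one config item the way the block stores it (used only to build the sample)."""
    if kind == 1:
        body = struct.pack(">H", value)
    elif kind == 2:
        body = struct.pack(">I", value)
    else:
        body = value
    return struct.pack(">HHH", index, kind, len(body)) + body

def build_sample(key=0x2E):
    """Constructed payload: junk bytes around a hand-built config encoded with the 4.x key.
    Not a real Beacon; the C2 host, URIs and watermark are invented."""
    plain = (_item(1, 1, 8) + _item(2, 1, 443) + _item(3, 2, 60000) + _item(5, 1, 20)
             + _item(8, 3, b"cdn.example.net,/__utm.gif".ljust(256, b"\x00"))
             + _item(9, 3, b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)".ljust(128, b"\x00"))
             + _item(10, 3, b"/submit.php".ljust(64, b"\x00"))
             + _item(37, 2, 305419896) + bytes(6))
    return b"MZ" + bytes(range(256)) * 4 + bytes(b ^ key for b in plain) + b"\xcc" * 64

SAMPLE = build_sample()

if __name__ == "__main__":
    key, fields = extract_config(SAMPLE)
    print(f"key=0x{key:02x}")
    for name, value in fields.items():
        print(f"{name}: {value!r}")
```

Point extract_config at a dumped Beacon (or at process memory, where the unpacked DLL lives even when the on-disk artefact is packed) to recover the C2 server, sleep, jitter, spawnto and watermark; the YARA equivalent of find_config is a rule on the six encoded header bytes for the two stock keys.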
For current samples and indicators of compromise, refer to: