Ed cobalt strike

We also identified the Bloodhound and ADfind.exe hacking tools deployed in Endpoint-1. These tools can be used to extract information from the Active Directory.

C:\WINDOWS\system32\cmd.exe /C AdFind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName >.
C:\WINDOWS\system32\cmd.exe /C del 20210526145501_BloodHound.zip YmNhMTJiMzAtYTgxZi00ZWRmLWE2ZjctZTc3MDFiZGM2ODBj.bin

Bloodhound and ADfind.exe in the logs of Endpoint-1

With Vision One and the Trend Micro Investigation Toolkit (TMIK), we were able to identify potential Pass-the-Hash (PtH) attacks, which extract the password hash from memory and then simply pass it through for authentication.

Figure 1 maps out the Cobalt Strike activity that we tracked; it also indicates where we started, at Endpoint-1. Going back to mobsync.exe revealed several other events, as shown in Figure 5. We summarize the activities done by this injected tool. It attempts a connection to the following IP addresses:

It also executed discovery/internal reconnaissance commands and spawned additional mobsync.exe processes, as shown in Table 1.

C:\WINDOWS\system32\cmd.exe /C ping
Esentutl.exe /r V01 /l"C:\Users\\AppData\Local\Microsoft\Windows\WebCache" /s"C:\Users\\AppData\Local\Microsoft\Windows\WebCache" /d"C:\Users\\AppData\Local\Microsoft\Windows\WebCache"
C:\WINDOWS\system32\ping.exe -t 127.0.0.1
Nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.

A list of the commands executed by mobsync.exe

The Cobalt Strike variant used here follows its typical characteristics. However, this report focuses on the process of uncovering its tracks in order to fully contain and remove the malware. We first uncovered several detections related to Cobalt Strike, accompanied by a machine learning detection later verified as IcedID. In such cases, the initial detections usually point to something big: the distribution of ransomware. In fact, we published a report on a similar case wherein we used Cobalt Strike to track a Conti ransomware campaign.

Before we delve into the details, we want to describe the process we followed in this investigation. It involved several interconnected steps that occurred simultaneously and repeatedly throughout the process:

- Creating an indicators of compromise (IOCs) list and observing for tactics, techniques, and procedures (TTPs) to check in the environment, which will be improved in the next items.
- Checking the context of the generated alerts.
- Examining the execution profile of the files related to the detection.
- Collecting additional logs from the endpoint to correlate events.
- Checking detections that occurred around the time range of the alerts.

These steps allowed us to retrace the actions taken by the variant from a single endpoint, revealing its full extent and its origins.

In late May, Trend Micro Managed XDR alerted a customer to a noteworthy Vision One alert on one of their endpoints. What followed was a deeper investigation that involved searching for other similarly infected endpoints and the confirmation of a Cobalt Strike detection. This blog will cover the tactics and steps we took during this investigation.

Cobalt Strike is a well-known beacon or post-exploitation tool that has been linked to ransomware families like Ryuk, DoppelPaymer, and Povlsomware. The alert from one endpoint led to the collection of further evidence and clues that pointed to other infected endpoints, eventually revealing the root of the attack.