In late May, Trend Micro Managed XDR alerted a customer to a noteworthy Vision One alert on one of their endpoints. What followed was a deeper investigation that involved searching for other similarly infected endpoints and the confirmation of a Cobalt Strike detection. This blog will cover the tactics and steps we took during this investigation.

Cobalt Strike is a well-known beacon or post-exploitation tool that has been linked to ransomware families like Ryuk, DoppelPaymer, and Povlsomware. The alert from one endpoint led to the collection of further evidence and clues that pointed to other infected endpoints, eventually revealing the root of the attack. The Cobalt Strike variant used here follows its typical characteristics. However, this report focuses on the process of uncovering its tracks in order to fully contain and remove the malware.

We first uncovered several detections related to Cobalt Strike, accompanied by a machine learning detection later verified as IcedID. In such cases, the initial detections usually point to something big: the distribution of ransomware. In fact, we published a report on a similar case wherein we used Cobalt Strike to track a Conti ransomware campaign.

Before we delve into the details, we want to describe the process we followed in this investigation. It involved several interconnected steps that occurred simultaneously and repeatedly throughout the process:

- Creating an indicators of compromise (IOCs) list and observing tactics, techniques, and procedures (TTPs) to check for in the environment; the list is refined by each of the steps that follow.
- Checking the context of the generated alerts.
- Examining the execution profile of the files related to the detection.
- Collecting additional logs from the endpoint to correlate events.
- Checking detections that occurred around the time range of the alerts.

These steps allowed us to retrace the actions taken by the variant from a single endpoint and reveal its full extent and origins.

Figure 1 maps out the Cobalt Strike activity that we tracked; it also indicates where we started, at Endpoint-1.

Going back to mobsync.exe revealed several other events, as shown in Figure 5. We summarise the activities done by this injected tool. It attempts a connection to the following IP addresses:

It also executed discovery/internal reconnaissance commands and spawned additional mobsync.exe processes, as shown in Table 1. Note that the nslookup query for the _ldap._tcp.dc._msdcs SRV record is a standard way of locating the domain controllers of the domain.

Table 1. A list of the commands executed by mobsync.exe

C:\WINDOWS\system32\cmd.exe /C ping
Esentutl.exe /r V01 /l"C:\Users\\AppData\Local\Microsoft\Windows\WebCache" /s"C:\Users\\AppData\Local\Microsoft\Windows\WebCache" /d"C:\Users\\AppData\Local\Microsoft\Windows\WebCache"
C:\WINDOWS\system32\ping.exe -t 127.0.0.1
Nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.

We also identified the BloodHound and AdFind.exe hacking tools deployed on Endpoint-1. Both can be used to extract information from Active Directory.

C:\WINDOWS\system32\cmd.exe /C AdFind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName >
C:\WINDOWS\system32\cmd.exe /C del 20210526145501_BloodHound.zip YmNhMTJiMzAtYTgxZi00ZWRmLWE2ZjctZTc3MDFiZGM2ODBj.bin
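As an added example (this is not code from the Trend Micro write-up or from Vision One), the following Python script replays the investigation loop described above over constructed process-creation telemetry modelled on Table 1: it matches the reconnaissance commands and the mobsync.exe parent/child relationship as TTP rules, seeds an IOC list from the matches, correlates hits per host inside a time window, and then pivots the IOC list across the remaining hosts to find other infected endpoints. The event tuple format, the rule names, the 30-minute window, the "mobsync.exe spawning command-line tools is abnormal" heuristic, and every host name, user name, domain name and output path in the sample data are assumptions or constructed placeholders, not values from the write-up.

```python
"""Replay of the investigation steps over constructed endpoint telemetry.

Added example, not part of the original report. Event format and rule
names are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real customer data). Values the report
# redacts (user name, domain suffix, output path) are placeholders here.
# Fields: timestamp, host, parent image, child image, command line.
SAMPLE_EVENTS = [
    ("2021-05-26T14:50:01", "Endpoint-1", "mobsync.exe", "cmd.exe",
     r"C:\WINDOWS\system32\cmd.exe /C ping"),
    ("2021-05-26T14:52:10", "Endpoint-1", "mobsync.exe", "esentutl.exe",
     r'Esentutl.exe /r V01 /l"C:\Users\user\AppData\Local\Microsoft\Windows\WebCache"'),
    ("2021-05-26T14:53:30", "Endpoint-1", "mobsync.exe", "ping.exe",
     r"C:\WINDOWS\system32\ping.exe -t 127.0.0.1"),
    ("2021-05-26T14:54:05", "Endpoint-1", "mobsync.exe", "nslookup.exe",
     "Nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.corp.example"),
    ("2021-05-26T14:55:01", "Endpoint-1", "cmd.exe", "AdFind.exe",
     "AdFind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName > computers.csv"),
    ("2021-05-26T14:58:40", "Endpoint-1", "cmd.exe", "cmd.exe",
     r"C:\WINDOWS\system32\cmd.exe /C del 20210526145501_BloodHound.zip"),
    ("2021-05-26T16:30:00", "Endpoint-2", "mobsync.exe", "nslookup.exe",
     "Nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.corp.example"),
    ("2021-05-26T09:00:00", "Endpoint-3", "explorer.exe", "ping.exe",
     r"C:\WINDOWS\system32\ping.exe -t 127.0.0.1"),   # benign noise
]

# Command-line TTP rules derived from the commands listed in Table 1.
TTP_RULES = [
    ("dc-srv-lookup", re.compile(r"nslookup.*_ldap\._tcp\.dc\._msdcs", re.I)),
    ("esentutl-webcache", re.compile(r"esentutl(\.exe)?\s+/r\b.*WebCache", re.I)),
    ("adfind-computers", re.compile(r"adfind(\.exe)?\s.*objectcategory=computer", re.I)),
    ("bloodhound-cleanup", re.compile(r"\bdel\b.*bloodhound\.zip", re.I)),
]

# Assumption: Sync Center (mobsync.exe) has no business spawning these tools;
# the report shows the injected mobsync.exe doing exactly that.
SUSPICIOUS_MOBSYNC_CHILDREN = {"cmd.exe", "nslookup.exe", "ping.exe", "esentutl.exe"}


@dataclass
class Hit:
    ts: datetime
    host: str
    rule: str
    cmdline: str


def match_events(events):
    """Steps 2-3: check alert context and execution profile of each event."""
    hits = []
    for ts, host, parent, child, cmdline in events:
        t = datetime.fromisoformat(ts)
        if parent.lower() == "mobsync.exe" and child.lower() in SUSPICIOUS_MOBSYNC_CHILDREN:
            hits.append(Hit(t, host, "mobsync-spawns-" + child.lower(), cmdline))
        for name, rx in TTP_RULES:
            if rx.search(cmdline):
                hits.append(Hit(t, host, name, cmdline))
    return hits


def build_ioc_list(hits):
    """Step 1: the IOC/TTP list is whatever has matched so far (refined each pass)."""
    return sorted({h.rule for h in hits})


def correlate(hits, window=timedelta(minutes=30)):
    """Steps 4-5: per host, collect the distinct rules that fired within one
    window of the host's first hit. Hosts with no hits are not returned."""
    by_host = defaultdict(list)
    for h in sorted(hits, key=lambda h: h.ts):
        by_host[h.host].append(h)
    clusters = {}
    for host, hs in by_host.items():
        start = hs[0].ts
        clusters[host] = sorted({h.rule for h in hs if h.ts - start <= window})
    return clusters


def pivot_hosts(events, seed_host, iocs):
    """Search for other infected endpoints: rerun the IOC list over all
    telemetry and return every host other than the seed that matches."""
    return sorted({h.host for h in match_events(events)
                   if h.host != seed_host and h.rule in iocs})


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    iocs = build_ioc_list(hits)
    print("IOC/TTP list:", iocs)
    for host, rules in correlate(hits).items():
        print(host, "->", rules)
    print("Other hosts matching the IOC list:", pivot_hosts(SAMPLE_EVENTS, "Endpoint-1", set(iocs)))
```

In a real engagement the event tuples would come from the EDR's process-creation telemetry rather than an inline list, and the IOC list would be re-run after each pass, which is why the pivot step reuses the same matcher rather than a separate set of rules.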













