Cobalt Strike

T1588: Obtain Capabilities T1588.002: Obtain Capabilities: Tool APT29/Nobelium Cobalt Strike C2 setup with custom certificates and redirections

SolarWinds had published their update server username and password to Github... So effectively they published the update server credentials online, albeit unintentionally. This is PRIMITIVE #1, we have access to the update server to deliver our malicious version of the software.

The DragonForce ransomware group initially infiltrated the victim system network via a remote desktop server and attempted persistent logins using valid domain accounts (Domain Accounts, T1078.002).

Attack chains involve the two initial access pathways: the exploitation of known Exchange Server flaws, such as CVE-2021-26855 (aka ProxyLogon)... or through a path traversal vulnerability impacting Openfire (CVE-2023-32315)... or a critical remote code execution bug in GeoServer (CVE-2024-36401)... Other remote code execution and authentication bypass vulnerabilities weaponized by the threat actor are listed below...

DHS, FireEye, US Treasury and others were hit by a malicious SolarWinds application that was delivered via the official update server... multiple trojanzied updates were digitally signed from March — May 2020 and posted to the SolarWinds updates website.

We know 100% it was deployed from this server because multiple trojanzied updates were digitally signed from March — May 2020 and posted to the SolarWinds updates website.

TA577, are a Russia-based threat group that have been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020. More recently, they have delivered Pikabot and DarkGate malware.

MITRE ATT&CK Mapping | Initial Access | T1566.001 | Spearphishing attachment, the HTML file

最初的投放路徑通常是透過 Cobalt Strike 來達成。

After successfully logging in, they executed a PowerShell command (PowerShell, T1059.001) to download additional payloads from a remote location using a Cobalt Strike Beacon, maintaining persistence throughout this process using SystemBC.

The following CommandLine Conhost.exe 0xffffffff -ForceV1 was often used to detect Cobalt Strike. It was seen being spawned by cmd.exe during Coblat Strike payload execution.

Execute-assembly runs .NET executable within memory of sacrificial process by loading the CLR.

Follina (CVE-2022–30190) & Cobalt Strike C2 -Simple Analysis ... Initial Access Follina Exploit CVE-2022–30190 ... Weaponized doc file

Malicious software has the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.

SolarWinds had published their update server username and password to Github... So effectively they published the update server credentials online, albeit unintentionally. This is PRIMITIVE #1, we have access to the update server to deliver our malicious version of the software.

The DragonForce ransomware group initially infiltrated the victim system network via a remote desktop server and attempted persistent logins using valid domain accounts (Domain Accounts, T1078.002).

Specifically, it's engineered to decrypt and load "DscCoreR.mui," which is then used to decompress and load Cobalt Strike in a new thread created in a suspended state... Finally... the malware calls the ResumeThread API to resume the suspended thread and begin execution of the beacon.

SolarWinds had published their update server username and password to Github... So effectively they published the update server credentials online, albeit unintentionally. This is PRIMITIVE #1, we have access to the update server to deliver our malicious version of the software.

The DragonForce ransomware group initially infiltrated the victim system network via a remote desktop server and attempted persistent logins using valid domain accounts (Domain Accounts, T1078.002).

Creates a new thread that executes the process creation routine responsible for PPID spoofing... As a result, any new process created by the current process (primarily from the Cobalt Strike beacon) is spawned under svchost.exe instead of the current module process.

MITRE ATT&CK Mapping | Defense Evasion | T1027.006 | HTML smuggling, payload assembled client-side

Specifically, it's engineered to decrypt and load "DscCoreR.mui," which is then used to decompress and load Cobalt Strike in a new thread created in a suspended state... Finally... the malware calls the ResumeThread API to resume the suspended thread and begin execution of the beacon.

Suppose we have example.exe file, which at first is on the disc, and then it will be gone: it will disappear and remain only in RAM. Such technique is called Self-Deletion.

SolarWinds had published their update server username and password to Github... So effectively they published the update server credentials online, albeit unintentionally. This is PRIMITIVE #1, we have access to the update server to deliver our malicious version of the software.

The DragonForce ransomware group initially infiltrated the victim system network via a remote desktop server and attempted persistent logins using valid domain accounts (Domain Accounts, T1078.002).

Creates a new thread that executes the process creation routine responsible for PPID spoofing... As a result, any new process created by the current process (primarily from the Cobalt Strike beacon) is spawned under svchost.exe instead of the current module process.

One of those modules, DscCoreR.mui, is decrypted using a Blowfish cipher and contains the Cobalt Strike Beacon shellcode. Another module, SyncRes.dat, uses AES-128 encryption

The second hook, on the Sleep API, is used when Cobalt Strike Beacon calls Sleep... It temporarily modifies the memory protection of the tracked allocation regions... before invoking the original Sleep function. After the sleep period ends, the malware restores the memory protection... This behavior suggests that the malware developer implemented this mechanism to evade memory scanning techniques

In this blog post, we’ll delve into one such technique employed by these threat groups: Reflective Code Loading (T1620).

including dumping credentials from Windows memory and from Active Directory

Procdump64.exe -accepteula -ma lsass.exe $temp\lsass.dmp

ntdsutil "ac i ntds" "ifm" "create full $temp" q q

including dumping credentials from Windows memory and from Active Directory

The threat actor conducted extensive reconnaissance

Directory listing : dir \\c$ dir \\c$\inetpub dir \\c$\inetpub\custerr dir \\c$\inetpub\wwwroot\

The attacker used both Cobalt Strike and a webshell to enumerate the internal Active Directory environment... net group "Domain Controllers" /domain net group "Enterprise Admins" /domain net group "Organization Management" /domain net group "domain admins" /domain

The second hook, on the Sleep API, is used when Cobalt Strike Beacon calls Sleep... It temporarily modifies the memory protection of the tracked allocation regions... before invoking the original Sleep function. After the sleep period ends, the malware restores the memory protection... This behavior suggests that the malware developer implemented this mechanism to evade memory scanning techniques

Once SharkLoader is running, it installs a Cobalt Strike beacon, a commercial penetration-testing tool that’s used for maintaining remote access and moving through networks.

The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications... Malicious software communicated via HTTP to third party servers.

A hidden feature of Metasploit, is the ability to add SMB Named Pipe listeners in a meterpreter session to pivot on an internal network.

Once SharkLoader is running, it installs a Cobalt Strike beacon