
CobaltStrike – Hiding in plain sight

CobaltStrike, a well-known red-team framework used by pentesters and threat actors alike, is most notably identified by its use of shellcode injected into running processes. A researcher discovered a new variant of Cobalt Strike that uses a new method to evade detection. As noted by the researcher tccontre, CobaltStrike has begun using a particularly interesting technique: embedding shellcode inside the MZ (DOS) header, which sits at the very start of the executable file. Because the MZ header occupies a fixed amount of space, embedding shellcode there lets actors use otherwise unused parts of the header and save space elsewhere in the file. Additionally, many anti-virus products may miss the shellcode, since they do not always parse the MZ header fully.
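To show what a defender can check for, here is a small header-anomaly heuristic written for this post (it is not tccontre's rule or any CobaltStrike code): it parses the MZ header, flags non-zero reserved fields and a DOS stub that is either oversized or missing the usual message, and runs against two constructed sample buffers. The 512-byte stub threshold and the sample bytes are assumptions of this example.

```python
import struct

DOS_HEADER_LEN = 64                     # IMAGE_DOS_HEADER is 64 bytes; e_lfanew lives at 0x3C
RESERVED_FIELDS = [(0x1C, 0x24), (0x28, 0x3C)]  # e_res and e_res2: normally all zero
STUB_MESSAGE = b"This program cannot be run in DOS mode"
MAX_STUB_LEN = 512                      # assumed threshold; stock stubs (even with a Rich header) are far smaller


def dos_header_anomalies(data: bytes) -> list[str]:
    """Return findings about the MZ header and DOS stub; an empty list means it looks ordinary."""
    findings = []
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        return ["not an MZ/PE file"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["e_lfanew does not point at a PE signature"]
    for start, end in RESERVED_FIELDS:
        if any(data[start:end]):
            findings.append(f"reserved DOS header field at 0x{start:02X} is non-zero")
    stub = data[DOS_HEADER_LEN:e_lfanew]   # everything between the header and the PE signature
    if STUB_MESSAGE not in stub:
        findings.append("DOS stub lacks the standard 'cannot be run in DOS mode' message")
    if len(stub) > MAX_STUB_LEN:
        findings.append(f"DOS stub is unusually large ({len(stub)} bytes)")
    return findings


def build_sample(stub: bytes, reserved: bytes = bytes(8)) -> bytes:
    """Construct a minimal MZ header + DOS stub + PE signature (sample data, not a real binary)."""
    hdr = bytearray(DOS_HEADER_LEN)
    hdr[:2] = b"MZ"
    hdr[0x1C:0x24] = reserved
    struct.pack_into("<I", hdr, 0x3C, DOS_HEADER_LEN + len(stub))
    return bytes(hdr) + stub + b"PE\0\0"


# Ordinary file: the familiar stub code, its message, and zeroed reserved fields
CLEAN = build_sample(b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + STUB_MESSAGE + b"\r\r\n$" + bytes(19))
# What the technique looks like on disk: reserved words filled and the stub replaced by an opaque blob
# (constructed placeholder bytes standing in for a payload, not real shellcode)
HIDDEN = build_sample(bytes((i * 37) % 256 for i in range(600)), reserved=b"\x01\x02\x03\x04\x05\x06\x07\x08")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("hidden", HIDDEN)):
        print(name, dos_header_anomalies(sample) or ["no anomalies"])
```

Point the function at real files on a known-good corpus first; some packers and older linkers ship non-standard stubs, so treat a hit as a triage lead rather than a verdict.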

Analyst Notes

Tccontre wrote a great YARA rule for detecting these shellcode payloads. With it, you can detect the beacon.dll that CobaltStrike uses to communicate back to the threat actor; the rule can be found here: