Striking Back: Hunting Cobalt Strike using Sysmon and Sentinel
Come see how you can better detect threat actors using Cobalt Strike and other often observed techniques by following along with Binary Defense’s recent investigation of a UNC1878 intrusion that was heading toward ransomware. Cobalt Strike is a powerful adversary emulation tool suite that is used by professional red teams, but also by threat actors behind some of the most prolific and damaging ransomware incidents. Pirated versions of Cobalt Strike have even become available to low-skilled threat groups on criminal forums. Although a red team operator or APT will most likely use Cobalt Strike with a high degree of skill and stealth, practical research has shown that many threat groups go with the default options and are quite successful because defenders don’t have alerts set up to catch that behavior.
Building upon the overview and core concepts defined in Continuous Threat Hunting: A Practical Webinar, this presentation will provide attendees with a first-hand look at the practical steps of conducting a successful threat hunting exercise to find evidence of threat actors using Cobalt Strike. We took a Cobalt Strike stager from an active UNC1878 campaign that was targeting the medical sector and executed it in an AD environment instrumented with Sysmon, Azure Sentinel, Suricata, Zeek and other tools to gather raw event information. We’ll walk through what happened and some of the ways that we detected the threat activity with KQL queries, which you can apply in your own threat hunts.
Randy Pargman, VP of Threat Hunting & Counterintelligence at Binary Defense, will present insights and useful techniques for hunting the threat actors’ behavior and tactics as they used Cobalt Strike to move between processes and attempt to remain undetected.
Topics to be covered during the webinar include:
- Detecting misconfigured Cobalt Strike Team Servers in the wild
- Research results from extracting staged Cobalt Strike Beacon configurations
- Detecting process injection activity
- Detecting elevation of privileges
- Detecting network communication patterns
- How to apply strategies for gathering data and isolating low-frequency, abnormal behavior
Join Pargman in this webinar and incident walkthrough to gain an understanding of the process used to gather and interpret data valuable to threat hunters.
About the Presenters
Randy Pargman is the Vice President of Threat Hunting and Counterintelligence at Binary Defense. In this role, he leads the teams responsible for advanced analysis of malware, development of technology to detect threat actor activity, threat intelligence research of criminal forums, and monitoring of Darknet, Clearnet and Social Media platforms for threat indicators. Randy previously worked for the FBI, where he served for 15 years, most recently as a Senior Computer Scientist on the Cyber Task Force in Seattle. Randy is now frequently covered by national media outlets for his cybersecurity expertise.