Threat Watch

CobaltStrike – Hiding in plain sight

Cobalt Strike, a well-known red-team framework used by pentesters and threat actors alike, is most often identified by its Beacon payload being injected as shellcode into running processes. The researcher tccontre analyzed a new Cobalt Strike beacon variant that uses a different trick to evade detection: the shellcode is embedded inside the MZ (DOS) header at the very start of the PE file. The IMAGE_DOS_HEADER occupies a fixed 64 bytes, and the Windows loader reads only two of its fields, the "MZ" signature and e_lfanew (the offset of the PE header), so the remaining header bytes and the DOS stub that follows are unused space that can hold instructions while the file still loads normally. Because the header bytes themselves are executable, the raw DLL can be injected as position-independent code with no separate loader stub prepended, which saves space. Many antivirus engines may miss shellcode placed there, because they do not always parse the DOS header and stub fully.
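The following triage script is an added example for this write-up, not tccontre's YARA rule and not code from Cobalt Strike. It parses the 64-byte IMAGE_DOS_HEADER, confirms e_lfanew still points at a valid "PE\0\0" signature (the header must stay loadable), and then flags the signs that the unused header space has been turned into code: a GetPC stub (call $+5) or the 64-bit "MZAR" prologue directly after the signature, linker-default fields that have been overwritten, and a DOS stub that no longer begins with the stock MS-DOS stub. The two sample headers are constructed for the demo; the crafted one uses a generic GetPC sequence, not bytes copied from any real beacon.dll.

```python
"""Heuristic triage of a PE file's DOS header for embedded shellcode.

Added example for this write-up; it is not tccontre's YARA rule and not
code from Cobalt Strike. The Windows loader reads only e_magic ("MZ") and
e_lfanew from the 64-byte IMAGE_DOS_HEADER, so everything else in the
header and the DOS stub can be overwritten with instructions. The sample
headers at the bottom are constructed for the demo: the crafted one uses a
generic "call $+5 / pop ebx" GetPC stub, not bytes from any real beacon.dll.
"""
import struct

DOS_HEADER_FMT = "<2s13H4H2H10HI"          # IMAGE_DOS_HEADER layout, 64 bytes
DOS_HEADER_LEN = struct.calcsize(DOS_HEADER_FMT)

# Opening instructions of the stock MS-DOS stub common linkers emit at 0x40:
# push cs / pop ds / mov dx,0Eh / mov ah,09h / int 21h / mov ax,4C01h / int 21h
STANDARD_STUB = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")

# Indices into the unpacked header tuple (e_magic is index 0)
_E_CPARHDR, _E_LFARLC, _E_LFANEW = 4, 12, 30


def analyze_dos_header(data: bytes) -> dict:
    """Return {'is_pe': bool, 'e_lfanew': int|None, 'findings': [str, ...]}."""
    findings = []
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        return {"is_pe": False, "e_lfanew": None, "findings": ["no_mz_signature"]}

    fields = struct.unpack_from(DOS_HEADER_FMT, data, 0)
    e_lfanew = fields[_E_LFANEW]
    is_pe = e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    if not is_pe:
        findings.append("bad_e_lfanew")

    # 1. Code directly after "MZ": E8 00 00 00 00 is call $+5 (x86 GetPC idiom).
    #    "AR" (41 52 = push r10) after 4D 5A (which decodes as pop r10 in 64-bit
    #    mode) is the 64-bit way of making the signature bytes harmless code.
    if data[2:7] == b"\xe8\x00\x00\x00\x00":
        findings.append("getpc_stub_after_mz")
    if data[2:4] == b"AR":
        findings.append("x64_mzar_prologue")

    # 2. Linkers leave e_cparhdr = 4 and e_lfarlc = 0x40; instruction bytes
    #    written over the header rarely preserve both.
    if fields[_E_CPARHDR] != 4 or fields[_E_LFARLC] != 0x40:
        findings.append("dos_fields_not_linker_defaults")

    # 3. The stub between 0x40 and e_lfanew should begin with the stock stub.
    if is_pe and e_lfanew > DOS_HEADER_LEN:
        stub = data[DOS_HEADER_LEN:e_lfanew]
        if not stub.startswith(STANDARD_STUB):
            findings.append("nonstandard_dos_stub")

    return {"is_pe": is_pe, "e_lfanew": e_lfanew, "findings": findings}


def build_benign_header() -> bytes:
    """Constructed: a normal linker-produced DOS header, stub and PE signature."""
    hdr = struct.pack(DOS_HEADER_FMT, b"MZ",
                      0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0,
                      *([0] * 16), 0x80)
    stub = STANDARD_STUB + b"This program cannot be run in DOS mode.\r\r\n$"
    stub = stub.ljust(0x80 - DOS_HEADER_LEN, b"\0")
    return hdr + stub + b"PE\0\0" + b"\0" * 20


def build_crafted_header() -> bytes:
    """Constructed: header whose bytes after "MZ" are a GetPC stub and whose
    stub area is NOP filler standing in for an embedded loader."""
    hdr = bytearray(DOS_HEADER_LEN)
    hdr[0:2] = b"MZ"
    hdr[2:8] = b"\xe8\x00\x00\x00\x00\x5b"       # call $+5 ; pop ebx
    hdr[0x3C:0x40] = struct.pack("<I", 0x80)     # e_lfanew kept valid so it still loads
    return bytes(hdr) + b"\x90" * (0x80 - DOS_HEADER_LEN) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    for name, blob in (("benign", build_benign_header()),
                       ("crafted", build_crafted_header())):
        print(name, analyze_dos_header(blob))
```

Each finding is a heuristic, not a conviction: some packers and non-Cobalt Strike reflective loaders also write code into the DOS stub, so a hit should feed triage (compare against the Beacon-specific YARA rule, look at what e_lfanew points to) rather than an automatic block.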

ANALYST NOTES

tccontre also published a YARA rule for these payloads; with it you can detect the beacon.dll that Cobalt Strike uses to communicate back to the threat actor. The write-up and rule are at https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html . For background on how little of the MZ/PE header the Windows loader actually checks, which is what leaves room for the shellcode, see the Tiny PE write-up mirrored at https://webserver2.tecgraf.puc-rio.br/~ismael/Cursos/YC++/apostilas/win32_xcoff_pe/tyne-example/Tiny%20PE.htm . Treat hits on header-resident code as triage input rather than proof of Cobalt Strike: other reflective-DLL tooling uses the same executable-header trick, so confirm with the Beacon-specific rule and the rest of the sample.
