Cobalt Strike: Looking for the Beacon

01/12/2023
G DATA Blog

During an incident response, looking for malware is often akin to looking for a needle in a hay stack. To complicate matters further, in the case of Cobalt Strike you often have no idea what that needle even looks like. And time is not on your side.

Cobalt Strike is essentially a tool that is used for red teaming - an attack simulation that helps to closely simulate the processes of a real attack. The responsible departments within a company that has commissioned the simulation are informed and the use of the tool is authorized. However, since various versions of this tool have fallen into the hands of criminals, Cobalt Strike is also often used for real attacks by criminals.

Hidden signals

The tool works with so-called "beacons". These are stored on an attacked system. The task of this beacon is to regularly report to the Command & Control (C2) server in order to obtain new instructions. The advantage of this method from the attacker's point of view is that no external point establishes a connection to the network, but that the connection originates from the inside and goes outwards. And since in many cases outgoing connections are monitored less strictly than those established from the outside, compromised systems tend to remain inconspicuous for a long time.

The configuration is key

Cobalt Strike Beacons spend most of their time "sleeping" and are not active at all. They are only woken up at regular intervals for a few milliseconds, during which they perform their tasks. After that, the beacon falls back into a deep sleep. In this case, it was extremely difficult to find the beacon in the working memory - but not impossible. The objective is always to access the beacon's configuration, as this is where the really interesting information is stored, such as the address of the C2 server. However, the creators of Cobalt Strike have also made sure that analysts have their work cut out for them.

In a blog article on cyber.wtf (link opens in new window), our colleague Hendrik Eckardt describes how exactly Cobalt Strike can be tracked down, what obstacles there are and how to find the needle in the haystack when time is of the essence.