Cracked versions of Cobalt Strike have rapidly become the attack tool of choice among enlightened global threat actors, making an appearance in almost every recent major hack, including SolarWinds, the massive Hafnium attacks targeting Microsoft Exchange servers, and a majority of recent ransomware attacks. The use of Cobalt Strike is unsurprising as it provides an all-in-one framework for mounting large-scale network penetrations with an unparalleled amount of flexibility. The bad news is Cobalt Strike can be extremely stealthy. However, the good news is a known threat inevitably provides detection opportunities for defenders, and, currently, there is no larger known threat. Using examples taken directly from an actual enterprise-wide attack used in the SANS FOR508 class, this presentation will demonstrate Cobalt Strike-based attacks from both the attacker and defender perspectives. Attendees will gain insight into how Cobalt Strike operates and artifacts left behind via many of its common attack techniques, leaving with a range of practical detections that can be immediately put to use during incident response and threat hunting.
View upcoming Summits: www.sans.org/u/DuS
Download the presentation slides (SANS account required) at www.sans.org/u/1h3C
#CobaltStrike #ThreatHunting #DigitalForensics