goglshopper.blogg.se

Cobalt strike beacon portfoward
It has become something of an Internet meme that Cobalt Strike is everywhere. Cobalt Strike Beacon is seen in a myriad of investigations, so security operations and incident response teams must be able to detect and effectively remediate this heavily utilized post-exploitation tool. Arista's Awake Labs team encounters IcedID and Cobalt Strike Beacon in both our incident response and our managed network detection and response (MNDR) engagements. In this blog we provide details of a detection and investigation of Cobalt Strike Beacon using the Awake network detection and response platform, which ultimately uncovered an IcedID infection.

Initial Alert

An adversarial model in the Awake Security Platform alerted the MNDR team to "C2: TLS Characteristic of Cobalt Strike to Domain". The same activity also triggered a model the MNDR team uses to kick off threat hunts, "C2: Multiple Activities to Newly Seen Domain Created Within Last Year". The offending TLS connection was to the domain mazaksaedr23space. Looking at the connection details, we identified that the self-signed certificate presented by the server had default values for its certificate attributes (Figure 1). This, along with the recency of the certificate validity date, raised our suspicions.

Figure 1: TLS Characteristics of Initial Connection

Looking up the client JA3 hash indicated that the connection may have been initiated from Microsoft Excel. When analyzing the domain within the Awake platform, we saw that it was first observed within this customer environment very recently, registered recently, and registered through Porkbun using the Private by Design, LLC privacy service (Figure 2).

Figure 2: Domain Registration Details for C2 domain

We also identified ongoing connections to this domain every 5 minutes, a steady and clear beaconing pattern from the source device.

The next step was to perform timeline analysis and investigate what caused the initial connection. From the initial connection we were able to pivot quickly using the pre-built +/- 1-minute search window within the Awake platform (Figure 3).

Figure 3: Pivoting to Construct the Attack Timeline

We identified a prior connection to lapoedjkeotop, which had the same certificate information and IP address. We did not see beaconing to this domain during our investigation. However, a connection to 217rotebenonline, another highly suspicious domain, closely preceded the connection to the “. Figure 4 is a screenshot of the PCAP data for that connection, as shown in the Awake platform. The PCAP was also exported from the platform for evidence preservation.

Figure 4: PCAP of Traffic to Suspect Domain

First, based on threat intelligence, we recognized the cookie names and their order (_gads, _gat, _ga, _u, _io and _gid) as reminiscent of IcedID. The key pieces of information that raised our suspicions of IcedID are highlighted in Figure 4.
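
The IcedID indicator in this case is not any single cookie but the exact sequence of cookie names in the Cookie header. The following is an added example, not code from the Awake platform or from the original post, showing how that ordered-run check can be run over raw HTTP requests. The request lines, the hosts (suspect-domain.example, shop.example, other.example) and the cookie values are constructed placeholders; only the six-name sequence comes from the post.

```python
"""IcedID cookie-order fingerprint applied to constructed HTTP requests.

Added example; not code from the Awake platform or the original post. The
request heads, hosts and cookie values are constructed; only the cookie-name
sequence comes from the post.
"""

# Cookie names, in order, that the investigation recognised as IcedID-like.
ICEDID_COOKIE_ORDER = ("_gads", "_gat", "_ga", "_u", "_io", "_gid")

# Constructed requests: one mimicking the IcedID pattern (placeholder values),
# one from an ordinary site sending the real Google Analytics cookies, and one
# carrying the same six names in a different order.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: suspect-domain.example\r\n"
    "Cookie: _gads=a; _gat=b; _ga=c; _u=d; _io=e; _gid=f\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: shop.example\r\n"
    "Cookie: _ga=GA1.2.111.222; _gid=GA1.2.333.444; _gat=1\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: other.example\r\n"
    "Cookie: _ga=c; _gads=a; _gat=b; _u=d; _io=e; _gid=f\r\n\r\n",
]


def cookie_names(cookie_header):
    """Cookie names in the order the client sent them (the order is the signal)."""
    names = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if part:
            names.append(part.split("=", 1)[0].strip())
    return names


def contains_ordered_run(names, pattern):
    """True if `pattern` occurs as a contiguous, in-order run inside `names`."""
    pattern = tuple(pattern)
    n = len(pattern)
    # range() is empty when names is shorter than the pattern, so this is False.
    return any(tuple(names[i:i + n]) == pattern for i in range(len(names) - n + 1))


def parse_request(raw):
    """Minimal HTTP/1.1 request-head parser: method, path, Host and Cookie."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path,
            "host": headers.get("host", ""), "cookie": headers.get("cookie", "")}


def hunt_icedid_cookies(raw_requests, pattern=ICEDID_COOKIE_ORDER):
    """(host, path, cookie names) for each request whose Cookie header carries
    the IcedID name sequence as a contiguous run, in order."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        names = cookie_names(req["cookie"])
        if contains_ordered_run(names, pattern):
            hits.append((req["host"], req["path"], names))
    return hits


if __name__ == "__main__":
    for host, path, names in hunt_icedid_cookies(SAMPLE_REQUESTS):
        print(f"IcedID-like cookie order: {host}{path} {names}")
```

The check is deliberately strict: the names _ga, _gid and _gat are genuine Google Analytics cookies, so matching on set membership alone would fire on ordinary web traffic. Requiring the full run, including _u and _io, in the observed order is what keeps it specific; loosening it to a subsequence match is a reasonable hunting variant if you are willing to triage more hits.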

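Two of the investigative steps above, spotting the steady 5-minute check-in to the C2 domain and pivoting +/- 1 minute around the first connection to see what preceded it, are simple to reproduce outside the platform. The following is an added example, not code from Awake or the original post, that runs both over a constructed connection log. The timestamps, the source host 10.0.0.5, the destination IPs and the benign host update.example.com are all constructed; the three domain names are the ones the post mentions, and the relationships shown between them (lapoedjkeotop sharing an IP with the C2 domain, 217rotebenonline preceding it) are set up to mirror the narrative, not taken from any real capture.

```python
"""Beacon periodicity check and +/- 1-minute pivot over a constructed connection log.

Added example; not code from the Awake platform or the original post. The
records, IP addresses and update.example.com are constructed; the three
domain names are the ones the post mentions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median, pstdev

BASE = datetime(2021, 6, 1, 9, 0, 0, tzinfo=timezone.utc)  # constructed anchor time


def _ts(seconds):
    return BASE + timedelta(seconds=seconds)


# (timestamp, source host, destination IP, TLS SNI). Constructed sample data.
CONN_LOG = [
    (_ts(-50), "10.0.0.5", "203.0.113.9", "217rotebenonline"),        # precedes the C2 hit
    (_ts(-20), "10.0.0.5", "203.0.113.7", "lapoedjkeotop"),           # same IP as the C2 domain
    (_ts(45), "10.0.0.5", "198.51.100.20", "update.example.com"),     # benign, irregular
    (_ts(700), "10.0.0.5", "198.51.100.20", "update.example.com"),
    (_ts(1000), "10.0.0.5", "198.51.100.20", "update.example.com"),
    (_ts(2100), "10.0.0.5", "198.51.100.20", "update.example.com"),
]
# C2 check-ins roughly every 300 s, with a few seconds of network jitter.
for offset in (0, 302, 599, 903, 1200, 1498, 1801):
    CONN_LOG.append((_ts(offset), "10.0.0.5", "203.0.113.7", "mazaksaedr23space"))


def find_beacons(records, min_hits=4, max_cv=0.10):
    """Return {(src, sni): interval_seconds} for source/destination pairs whose
    inter-connection intervals are regular enough to look like a beacon.

    max_cv bounds the coefficient of variation (stdev / median) of the
    intervals. 0.10 suits a Beacon with no sleep jitter configured; raise it
    for a jittered one, at the cost of more false positives.
    """
    by_pair = defaultdict(list)
    for ts, src, _dst_ip, sni in records:
        by_pair[(src, sni)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few connections to judge periodicity
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(deltas)
        if med > 0 and pstdev(deltas) / med <= max_cv:
            beacons[pair] = round(med)
    return beacons


def pivot_window(records, anchor_ts, seconds=60):
    """Every record within +/- `seconds` of anchor_ts, oldest first: the same
    +/- 1-minute pivot the investigation used to find what preceded the
    initial C2 connection."""
    lo = anchor_ts - timedelta(seconds=seconds)
    hi = anchor_ts + timedelta(seconds=seconds)
    return sorted((r for r in records if lo <= r[0] <= hi), key=lambda r: r[0])


def first_contact(records, sni):
    """Timestamp of the earliest connection to `sni`, or None if never seen."""
    hits = [r[0] for r in records if r[3] == sni]
    return min(hits) if hits else None


if __name__ == "__main__":
    for (src, sni), interval in find_beacons(CONN_LOG).items():
        print(f"beacon: {src} -> {sni} every {interval}s")
    anchor = first_contact(CONN_LOG, "mazaksaedr23space")
    for ts, src, dst_ip, sni in pivot_window(CONN_LOG, anchor):
        print(f"{ts.isoformat()} {src} -> {dst_ip} ({sni})")
```

On the constructed log the periodicity check flags only the C2 pair at 300 seconds; update.example.com has as many connections but irregular spacing, and the two single connections are skipped for lack of data. The pivot around the first C2 hit returns the two preceding suspicious connections plus the benign one that happened to fall inside the window, which is exactly the kind of mixed result an analyst then sorts through by certificate and IP overlap, as the investigation did with lapoedjkeotop.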