Mining The Shadows with ZoidbergStrike: A Scanner for Cobalt Strike

SANS Digital Forensics and Incident Response
Cobalt Strike is the most prolific "red team operations" command-and-control framework in the security industry today and is used in 66% of ransomware infections, even against children's hospitals during the pandemic. It is additionally leveraged by state actors such as China's MSS and Russia's GRU, and in compromises like SolarWinds. Michael Haag and Jose Hernandez from the Splunk Threat Research team will release a new scanning tool developed to identify publicly hosted Team Servers, named ZoidbergStrike. The audience will learn how to find open Cobalt Strike Team Servers, extract their configuration, and index it in ELK or Splunk. We will share with the community a feed of newly discovered Cobalt Strike servers and Malleable C2 profiles, as well as detections we have authored. Finally, defenders will understand how to use this data to better protect their enterprise against actors using Cobalt Strike.

Learning Objectives:
What Cobalt Strike is and why it is important for us to defend against it
How to scan for open Cobalt Strike Team Servers that are discovered by internet scanning services like Shodan, SecurityTrails and ZoomEye
How to generate security content to identify Cobalt Strike behaviors
Agenda:
What is Cobalt Strike and why do we hunt it
Ways to catch a Team Server in the wild (approaches to hunting)
  Scanning the entire internet
  Using third parties that scan the internet
  Via JARM
  Via open server ports
  Via DNS responses
Architecture of our scanning tool
Demo
Splunking the collected data
Building detections
ELK or Splunk Cobalt Strike feed
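The "extract their configuration" step from the abstract, as an added example that is not the speakers' ZoidbergStrike code: once a Team Server's stager or beacon has been downloaded, the embedded configuration is a single-byte XOR-encoded blob (key 0x69 for Cobalt Strike 3.x, 0x2e for 4.x) made of big-endian TLV records (setting index, type, length). The parser below locates the blob by its encoded signature, decodes it, and returns a dict ready to be indexed as a JSON event. The setting numbers and types follow the beacon config layout used by the public open-source parsers; the beacon bytes themselves are constructed here for the demonstration and do not come from any real server.

```python
"""Decode a Cobalt Strike beacon configuration blob into a JSON-able dict.

Added example; the sample beacon is constructed, not a real capture.
"""
import json
import struct

# Single-byte XOR keys used to obscure the embedded config (4.x first, then 3.x)
XOR_KEYS = (0x2E, 0x69)

# A decoded config starts with setting 1 (BeaconType), type 1 (short), length 2
CONFIG_SIGNATURE = b"\x00\x01\x00\x01\x00\x02"

# Setting index -> name (subset of the documented beacon settings)
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
    37: "Watermark", 40: "KillDate",
}

BEACON_TYPES = {0x0: "HTTP", 0x1: "DNS", 0x2: "SMB", 0x4: "TCP",
                0x8: "HTTPS", 0x10: "Bind TCP"}


def find_config(blob):
    """Return (xor_key, offset) of the encoded config inside a beacon image."""
    for key in XOR_KEYS:
        encoded_sig = bytes(b ^ key for b in CONFIG_SIGNATURE)
        off = blob.find(encoded_sig)
        if off != -1:
            return key, off
    raise ValueError("no Cobalt Strike config signature found")


def parse_config(blob):
    """Decode the TLV records that follow the signature into a settings dict."""
    key, off = find_config(blob)
    data = bytes(b ^ key for b in blob[off:])
    settings = {}
    pos = 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        pos += 6
        if idx == 0:           # zero-filled tail marks the end of the config
            break
        raw = data[pos:pos + length]
        pos += length
        if typ == 1:           # short
            value = struct.unpack(">H", raw[:2])[0]
        elif typ == 2:         # int
            value = struct.unpack(">I", raw[:4])[0]
        else:                  # null-padded string or opaque bytes
            stripped = raw.rstrip(b"\x00")
            try:
                value = stripped.decode("ascii")
            except UnicodeDecodeError:
                value = stripped.hex()
        name = SETTING_NAMES.get(idx, f"Setting_{idx}")
        if name == "BeaconType":
            value = BEACON_TYPES.get(value, hex(value))
        settings[name] = value
    settings["xor_key"] = hex(key)
    return settings


def _rec(idx, typ, payload):
    """Build one TLV record (big-endian index, type, length, then payload)."""
    return struct.pack(">HHH", idx, typ, len(payload)) + payload


def build_sample_beacon(key=0x2E):
    """Constructed test input: an XOR-encoded config wrapped in filler bytes.

    Host, URIs, user agent and watermark are dummies chosen for this example.
    """
    config = b"".join([
        _rec(1, 1, struct.pack(">H", 0x8)),                          # HTTPS
        _rec(2, 1, struct.pack(">H", 443)),                          # Port
        _rec(3, 2, struct.pack(">I", 60000)),                        # SleepTime ms
        _rec(5, 1, struct.pack(">H", 20)),                           # Jitter %
        _rec(8, 3, b"c2.example.invalid,/ca".ljust(256, b"\x00")),  # C2Server
        _rec(9, 3, b"Mozilla/5.0 (Windows NT 10.0)".ljust(128, b"\x00")),
        _rec(10, 3, b"/submit.php".ljust(64, b"\x00")),              # HttpPostUri
        _rec(37, 2, struct.pack(">I", 0x12345678)),                  # Watermark
        _rec(40, 2, struct.pack(">I", 0)),                           # KillDate
    ]) + b"\x00" * 16
    encoded = bytes(b ^ key for b in config)
    return b"MZ\x90\x00" + b"\x41" * 32 + encoded + b"\x42" * 32


if __name__ == "__main__":
    # One JSON line per server is the shape ELK or Splunk will ingest directly
    print(json.dumps(parse_config(build_sample_beacon()), sort_keys=True))
```

The C2Server value carries the host and the GET URI separated by a comma, and the Watermark is the licence identifier that lets separate servers be clustered in the index; both are the fields most worth pivoting on once the events are in ELK or Splunk.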

José Hernandez, Threat Research Manager, Splunk
Michael Haag, Senior Threat Researcher, Splunk

View upcoming Summits:
Download the presentation slides (SANS account required) at
#ThreatHuntingSummit #CobaltStrike
