Thursday, December 19, 2024
HomeComputer SecurityGoogle Released Over 165 YARA Rules to Detect Cobalt Strike Components in...

Google Released Over 165 YARA Rules to Detect Cobalt Strike Components in Their Networks

Published on

SIEM as a Service

There is a collection of IOCs from VirusTotal and YARA Rules that has been recently open-sourced by the Google Cloud Threat Intelligence team

As a result, Google has taken this step to make it easier for security researchers to catch Cobalt Strike components within their network.

While apart from this, using these detection signatures cybersecurity analysts will also be able to detect the deployed versions of Cobalt Strike in their environment.

- Advertisement - SIEM as a Service

165 YARA Rules to Detect Cobalt Strike

In order to test the resilience of red teams’ cyber defenses, Cobalt Strike is a popular tool that is used by red teams. Over the last decade, it has been subjected to many development changes and improvements in order to reach its current state.

By doing this, malicious activity can be detected more effectively by targeting potential leaked and cracked versions of the software. In this way, it is easier to distinguish between deployments controlled by threat actors versus those controlled by legitimate deployments.

By leveraging the Cobalt Strike set of components, Google has built a detection system that is capable of detecting these malicious variants in the wild at an extremely high degree of accuracy with YARA-based detection. 

There are approximately ten to one hundred attack template binaries included in each Cobalt Strike version. An important aspect of Cobalt Strike is that it incorporates multiple software tools into one jar file that functions as a single tool.

Cobalt Strike infrastructure setup

As a client, a JAR file is activated that connects the actors to the Team Server so that they can connect to it. Clients are used by actors to manage their teammates and infected hosts through a graphical user interface (GUI).

Moreover, a collection of detection signatures is also shared by Google for an open-source threat emulation framework, Sliver. While threat actors have also adopted this framework as an alternative to Cobalt Strike to conduct security testing.

It is therefore becoming increasingly common for Cobalt Strike to be used in cyberattacks that might lead to the theft of data and ransomware infections, as it is one of the most widely used tools. 

This method of attack is used by threat actors after they have deployed so-called beacons, which enable them to access compromised devices remotely and perform post-exploitation tasks after the attacks have been conducted. 

In order to harvest sensitive data from compromised servers or to deploy further malware, attackers access compromised networks through beacons that have been deployed on the networks of their victims.

VirusTotal customers have access to a collection of community signatures containing these YARA rules that have been formalized as the final YARA rules. In order to make the tool more difficult to abuse by threat actors, Google is moving it back to the domain of legitimate red teams.

Managed DDoS Attack Protection for Applications – Download Free Guide

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Beware Of Malicious SharePoint Notifications That Delivers Xloader Malware

Through the use of XLoader and impersonating SharePoint notifications, researchers were able to identify...

Malicious Supply Chain Attacking Moving From npm Community To VSCode Marketplace

Researchers have identified a rise in malicious activity on the VSCode Marketplace, highlighting the...

Hackers Weaponizing LNK Files To Create Scheduled Task And Deliver Malware Payload

TA397, also known as Bitter, targeted a Turkish defense organization with a spearphishing email...

BADBOX Botnet Hacked 74,000 Android Devices With Customizable Remote Codes

BADBOX is a cybercriminal operation infecting Android devices like TV boxes and smartphones with...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Beware Of Malicious SharePoint Notifications That Delivers Xloader Malware

Through the use of XLoader and impersonating SharePoint notifications, researchers were able to identify...

Malicious Supply Chain Attacking Moving From npm Community To VSCode Marketplace

Researchers have identified a rise in malicious activity on the VSCode Marketplace, highlighting the...

Hackers Weaponizing LNK Files To Create Scheduled Task And Deliver Malware Payload

TA397, also known as Bitter, targeted a Turkish defense organization with a spearphishing email...