“of Symantec Endpoint Protection responses. In these scenarios, I deliberately avoided both DLL/EXE content and any TLS channels. I wanted to focus on the HIPS and memory-based detection functionality of the defenses. - Cobalt Strike team server with no custom HTTP/HTTPS pro…”
T1055.001 Dynamic-link Library Injection (77%)
“. Other parameters that could be dead giveaways included the Host header, and certainly some fixed cookie values. The result? Yes, you guessed right, one happy C2 session established. In conclusion, while I think that endpoint protection suites are getting better in general, ther…”
T1588.002 Tool (73%)
“A Morning with Cobalt Strike & Symantec. Joff Thyer // If you have been penetration testing a while, you likely have ended up in a Red Team situation or will be engaged in it soon enough. From a command channel perspective, the work that ra…”
T1059.001 PowerShell (72%)
“of Symantec Endpoint Protection responses. In these scenarios, I deliberately avoided both DLL/EXE content and any TLS channels. I wanted to focus on the HIPS and memory-based detection functionality of the defenses. - Cobalt Strike team server with no custom HTTP/HTTPS pro…”
T1059.001 PowerShell (62%)
“towards PowerShell and/or executable content, though I did need to be cognizant of endpoint protection solutions. Some initial attempts at using executable content revealed that Symantec Endpoint Protection was at play and that certain things would fire a signature on the endpoi…”
T1055.001 Dynamic-link Library Injection (61%)
“towards PowerShell and/or executable content, though I did need to be cognizant of endpoint protection solutions. Some initial attempts at using executable content revealed that Symantec Endpoint Protection was at play and that certain things would fire a signature on the endpoi…”
T1071.001 Web Protocols (59%)
“IPS alert and be blocked before any traffic reached the server. An example alert is shown above. In the case of 64-bit payloads, a successful command channel session is established to the Cobalt Strike team server in two of the above use cases: - no specific/custom profile a…”
T1040 Network Sniffing (53%)
“packet sniffer and noted the payload delivery observation of the second stage, and then saw that connection requests were being immediately torn down with a TCP reset when the client side attempted the GET request above. So then I decided to break out the sniffer for the same p…”
T1583.001 Domains (47%)
“the setup such that the proper Cobalt Strike profile is created. This can be found from @killswitch's GitHub repository https://github.com/killswitch-gui/cobaltstrike-toolkit/blob/master/httpsc2doneright.sh. On some recent Red Team activities, I leveraged a…”
T1620 Reflective Code Loading (32%)
“towards PowerShell and/or executable content, though I did need to be cognizant of endpoint protection solutions. Some initial attempts at using executable content revealed that Symantec Endpoint Protection was at play and that certain things would fire a signature on the endpoi…”
Summary
Joff Thyer // If you have been penetration testing a while, you likely have ended up in a Red Team situation or will be engaged in it soon enough. From […]