Cobalt Strike, the penetration-testing "artifact", has a server-side "space" fingerprint that identifies it in the wild (detection rule included)

Posted by trammel at 2020-03-20

Cobalt Strike is a penetration-testing tool so widely used that the industry simply calls it the "CS artifact". It no longer rides on top of Metasploit but runs as a standalone platform, split into a client and a server. There is a single server, while any number of clients can connect to it, so a team can operate the same infrastructure collaboratively. (The implants the server controls are called beacons; they are not the clients.)

Cobalt Strike integrates port forwarding, scanning, multi-mode port listeners, generation of Windows EXE programs, Windows DLL (dynamic link library) payloads, Java programs and Office macro code, and site cloning to harvest browser-related information from visitors.

The problem is on the server side, the component the industry calls the "team server".

The tell is in the HTTP responses of the team server's built-in web server: the status line carries an extraneous trailing space, i.e. "HTTP/1.1 200 OK " followed by CRLF, where a normal web server emits no whitespace before the line break. Fox-IT, who published the finding and the Snort rule below, traced the bug back to the earliest releases, so this fingerprint has been present for about seven years.

alert tcp any any -> any any (msg:"FOX-IT - Trojan - Possible CobaltStrike C2 Server"; \
    flow:to_client; \
    content:"Date: "; \
    threshold:type limit, track by_dst, count 1, seconds 600; \
    classtype:trojan-activity; priority:2; \
    sid:21002217; rev:3;)
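The same detection logic, applied to individual server-to-client HTTP responses rather than to packets, as an added example that is not part of the original post and not Fox-IT's or Cobalt Strike's code. The rule as reproduced on this page only shows its "Date: " content match; the check below also tests for the status-line trailing space, which is the actual fingerprint, and emulates the rule's one-alert-per-address-per-600-seconds throttle. The sample responses and IP addresses are constructed by hand for the example, not captured from a real team server.

```python
"""Flag HTTP responses carrying the Cobalt Strike team-server fingerprint.

Added example (not code from the original post, Fox-IT or Cobalt Strike).
Assumption: the fingerprint is an extraneous space at the end of the HTTP
status line ("HTTP/1.1 200 OK " then CRLF).  All samples are constructed.
"""

def parse_status_line(raw: bytes):
    """Return (version, code, reason, trailing_space_count), or None if the
    bytes do not start with a well-formed HTTP status line."""
    head, sep, _ = raw.partition(b"\r\n")
    if not sep:
        return None
    parts = head.split(b" ", 2)          # version, code, reason (may be empty)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    if len(parts[1]) != 3 or not parts[1].isdigit():
        return None
    reason = parts[2] if len(parts) == 3 else b""
    stripped = reason.rstrip(b" ")       # a conforming server has no trailing space
    return (parts[0].decode(), int(parts[1]),
            stripped.decode(errors="replace"), len(reason) - len(stripped))


def parse_headers(raw: bytes) -> dict:
    """Lower-cased header name -> value for the headers following the status line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode(errors="replace")] = \
                value.strip().decode(errors="replace")
    return headers


def is_suspect_team_server(raw: bytes) -> bool:
    """True when a 200 response has whitespace before the status-line CRLF and
    carries a Date header (the content match the Snort rule above uses)."""
    parsed = parse_status_line(raw)
    if parsed is None:
        return False
    _, code, _, trailing = parsed
    return code == 200 and trailing > 0 and "date" in parse_headers(raw)


class AlertThrottle:
    """Emulates 'threshold:type limit, track by_dst, count 1, seconds 600':
    at most one alert per tracked address within the window."""
    def __init__(self, seconds: int = 600):
        self.seconds = seconds
        self._last = {}

    def allow(self, key: str, now: float) -> bool:
        last = self._last.get(key)
        if last is not None and now - last < self.seconds:
            return False
        self._last[key] = now
        return True


def scan(events):
    """events: iterable of (timestamp, server_ip, client_ip, raw_response).
    Returns [(timestamp, server_ip)] for every alert that survives the
    throttle.  The rule says track by_dst; on a to_client flow the
    destination is the client, so that is the key used here."""
    throttle = AlertThrottle(600)
    alerts = []
    for ts, server_ip, client_ip, raw in events:
        if is_suspect_team_server(raw) and throttle.allow(client_ip, ts):
            alerts.append((ts, server_ip))
    return alerts


# Constructed samples.  OLD_TEAM_SERVER mimics the pre-fix team server: note the
# space between "OK" and CRLF.  PATCHED_SERVER is what a normal server sends.
OLD_TEAM_SERVER = (b"HTTP/1.1 200 OK \r\n"
                   b"Date: Thu, 21 Mar 2019 10:00:00 GMT\r\n"
                   b"Content-Type: application/octet-stream\r\n"
                   b"Content-Length: 0\r\n\r\n")
PATCHED_SERVER = (b"HTTP/1.1 200 OK\r\n"
                  b"Date: Thu, 21 Mar 2019 10:00:00 GMT\r\n"
                  b"Content-Type: text/html\r\n"
                  b"Content-Length: 0\r\n\r\n")
NO_DATE = b"HTTP/1.1 200 OK \r\nContent-Length: 0\r\n\r\n"
NOT_OK = b"HTTP/1.1 404 Not Found \r\nDate: Thu, 21 Mar 2019 10:00:00 GMT\r\n\r\n"

# Constructed traffic: the same client sees the old server three times; the
# second sighting falls inside the 600 s window and is suppressed.
SAMPLE_EVENTS = [
    (0,   "203.0.113.5", "198.51.100.9", OLD_TEAM_SERVER),
    (10,  "203.0.113.5", "198.51.100.9", OLD_TEAM_SERVER),
    (700, "203.0.113.5", "198.51.100.9", OLD_TEAM_SERVER),
    (5,   "203.0.113.6", "198.51.100.9", PATCHED_SERVER),
]

if __name__ == "__main__":
    for ts, ip in scan(SAMPLE_EVENTS):
        print(f"t={ts}s possible Cobalt Strike team server at {ip}")
```

Because the check works on the decoded response, it can also be run on output from a scanner that talks to the listener directly, which is how a team server hidden behind TLS can still be fingerprinted even though the Snort rule only sees plaintext on the wire.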

Using this rule, researchers abroad have already collected more than 9K IPs, and the count is expected to grow.

The IP list also includes infrastructure attributed to some well-known attack groups.

Cobalt Strike has since fixed this bug, so current releases no longer emit the trailing space. But because many operators run cracked copies or never update, the rule will keep producing valid detections for a long time. Two caveats for anyone deploying it: the rule matches plaintext HTTP only, so a team server that serves its beacons over HTTPS or sits behind a redirector that rewrites responses will not trigger it on the wire, and a hit is a lead to verify against the listener itself rather than a confirmed C2 server.