Google releases YARA rules for Cobalt Strike to deter abuse

Cobalt Strike has been one of the most popular red-team tools for testing cyber defenses for the past 10 years. It has also been abused and repackaged by cybercriminals and other attackers so often that Fortra (formerly HelpSystems) now vets potential buyers. To help, Google is releasing a set of open-source YARA rules, along with their integration as a VirusTotal Collection, so the community can flag and identify Cobalt Strike's components and their versions.

Originally released in 2012, Cobalt Strike was a spinoff of the open-source Armitage project that added a graphical user interface to the Metasploit framework.

Metasploit remains a tool of choice for red teams and security professionals who need to quickly exploit and validate vulnerabilities on a target.

Unfortunately, Cobalt Strike, which is a paid software product, has been leaked and cracked repeatedly over the years. These unauthorized copies are functionally equivalent to the licensed release they were taken from, but they have no active license and therefore receive no updates.

Google hopes that the published YARA rules and VirusTotal Collection will help the community by disrupting malicious cyber actors. “This will help protect organizations, employees, and customers around the globe,” according to Google.

Containing Cobalt Strike abuse

Cobalt Strike is a collection of several software tools packaged in a single JAR file. Google located Cobalt Strike JAR files ranging from version 1.44 (2012) up to version 4.7, the current release at the time of writing.

Google verified and cataloged the components, including the stagers, templates, beacons, and XOR encodings, all the way back to the initial release. Wherever possible, Google built signatures that detect not just the presence but the version of each Cobalt Strike component.
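To make the idea of a version-detecting, XOR-agnostic signature concrete, here is a small added example written for this article. It is not Google's rule set and contains no Cobalt Strike code: the marker string, the sample blobs and the XOR keys are all constructed for illustration. The scanner does in plain Python what a YARA string carrying the `xor(0x01-0xff)` modifier does inside the engine: it looks for a known plaintext marker under every single-byte XOR key and, on a hit, decodes the version that follows the marker.

```python
"""Added example: single-byte-XOR-agnostic version-marker detection.

Not Google's YARA rules and not Cobalt Strike code. MARKER and the sample
blobs built by make_sample() are constructed here purely for illustration.
"""

# Hypothetical marker. Real component signatures use bytes specific to each
# stager, template or beacon; the shape of the search is what matters here.
MARKER = b"CS-VERSION:"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def find_marker(blob: bytes, marker: bytes = MARKER, keys=range(0x00, 0x100)):
    """Return (key, offset) of the first occurrence of `marker` under any
    single-byte XOR key in `keys`, or None if it never appears.

    Key 0x00 is included so the plain (unencoded) case is covered too; YARA's
    xor(0x01-0xff) would need a second, unmodified string for that.
    """
    for key in keys:
        encoded = xor_bytes(marker, key)  # encode the marker once, scan blob as-is
        off = blob.find(encoded)
        if off != -1:
            return key, off
    return None


def parse_version(blob: bytes, key: int, offset: int, marker: bytes = MARKER) -> str:
    """Decode the bytes after the marker up to a NUL and return them as text."""
    start = offset + len(marker)
    out = bytearray()
    for b in blob[start:]:
        c = b ^ key
        if c == 0:
            break
        out.append(c)
    return out.decode("ascii", errors="replace")


def classify(blob: bytes):
    """Report the XOR key, offset and decoded version, or None on no match."""
    hit = find_marker(blob)
    if hit is None:
        return None
    key, off = hit
    return {"xor_key": key, "offset": off, "version": parse_version(blob, key, off)}


def make_sample(version: str, key: int, padding: bytes = b"\x90" * 16) -> bytes:
    """Build a constructed test blob: padding, XOR-encoded marker+version+NUL, padding."""
    body = MARKER + version.encode("ascii") + b"\x00"
    return padding + xor_bytes(body, key) + padding


if __name__ == "__main__":
    print(classify(make_sample("4.7", 0x35)))   # encoded under key 0x35
    print(classify(make_sample("1.44", 0x00)))  # stored in the clear
    print(classify(b"\x90" * 32 + b"hello world"))  # no marker under any key
```

The brute force over 256 keys costs one `find` per key, which is why the same trick is cheap enough for YARA to apply to every string flagged with the `xor` modifier. Anything that changes the encoding scheme (a multi-byte key, a rolling key) defeats this particular search and would need its own signature.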

Because the rules identify the exact version of each component, defenders can tell which build of Cobalt Strike is present in a sample or on a host. That is the mechanism for judging whether a given deployment is a legitimate, current installation or a leaked or cracked copy.

In addition to the YARA rules and the VirusTotal Collection, Google has released the signatures as open source so that security vendors, including those whose products incorporate portions of Cobalt Strike, can build them into their own detections.

To learn more about YARA rules and how Google is helping stop the abuse of Cobalt Strike, listen to the Google Cloud Security podcast.

Disclaimer: The author of this article is a current employee of Google. This article does not represent the views or opinions of his employer and is not meant to be an official statement for Google, or Google Cloud.
