"Google Seeks to Make Cobalt Strike Useless to Attackers"

The intelligence research and applications team at Google Cloud has developed and released a set of 165 YARA rules to help defenders identify Cobalt Strike components deployed by attackers. According to Greg Sinclair, a security engineer with the Google Cloud Threat Intelligence (GCTI) team, the goal is to return the tool to the domain of legitimate red teams while making it more difficult for bad actors to abuse.

Cobalt Strike, a legitimate adversary simulation tool used by penetration testers and red teams, has also become the post-exploitation tool of choice for threat actors. Although some attackers have shifted to Brute Ratel, DeimosC2, and other similar tools, Cobalt Strike remains a popular choice. The Cobalt Strike vendor employs a vetting process to reduce the chance of the software being provided to actors who will use it for malicious purposes, but Cobalt Strike has been leaked and cracked over the years. According to Sinclair, these unauthorized versions are just as powerful as their retail counterparts, except that they lack active licenses and therefore cannot be easily upgraded.

The team examined every cracked version of the tool it could find, looking for unique stagers, attack templates, and beacons that could be used to create precise detection rules. The final YARA rules are available as a collection of community signatures to VirusTotal customers and have been open-sourced so that cybersecurity vendors can use them in their products. This article continues to discuss Google's creation and release of a collection of YARA rules to help defenders flag Cobalt Strike components used by attackers.

Help Net Security reports "Google Seeks to Make Cobalt Strike Useless to Attackers"