
Cobalt Strike Cyber Assessment Insights
Explore the assessment of Cobalt Strike, an adversary emulation tool widely used in red teaming across government and military sectors. Learn about the evaluation process, operational security concerns, and the importance of reevaluating cyber tools. Discover the evolving landscape of cyber tool assessments in the defense sector.
Presentation Transcript
UNCLASSIFIED

Cobalt Strike: A Cyber Assessment Challenge
Dr. Nathan R. Wray, Sean Phipps
Advanced Cyber Operations (ACO), Cyber Assessment Program (CAP)
Director, Operational Test & Evaluation (DOT&E)
Background
- Cyber defenders are quick to upload suspected malware to commercial malware analysis websites (e.g., VirusTotal)
- Without proper deconfliction, the same can, and has, happened with Red Team exploits
- Uploaded samples can be downloaded and shared across multiple platforms
- Sensitive information can be obtained from these malware samples
Background (continued)
- Our team was tasked with evaluating Cobalt Strike for Operational Security (OPSEC) concerns
- Cobalt Strike is a tool commonly used by DoD Red Teams
- We performed in-depth analysis of the latest versions, 4.8+
- This prompted the question: are we doing enough to evaluate cyber tooling?
Assessment of Cyber Tooling
- DoD Certified and Accredited Red Teams are required to have policies in place for the testing of cyber tooling
  - Each team has its own individual documented policies
  - These policies can vary drastically among teams
- Tool assessments
  - The level of effort varies depending on the software (open-source vs. commercial) and the tool version/release (major vs. minor)
  - Policies may dictate that new versions of a tool go through the entire assessment process again
  - Well-known commercial tools may be authorized because they are well-known
Follow-On Cyber Assessments
- After a cyber tool is approved and purchased the first time, the reevaluation process can be less formal
  - Repurchasing cyber tools is sometimes based on the tool's prior approval (i.e., blanket approval)
- Established and well-known tools go through the process, but the process may not be as stringent
  - Limited technical evaluation of tool updates may be performed
  - Minor revisions may be less stringent/less involved
  - Major revisions may require completely retesting the tool
Cobalt Strike
- Cobalt Strike is an adversary emulation tool in use across the public and private sectors
  - First released in 2012 and has become synonymous with red teaming
  - It remains the primary red teaming tool to this day, especially across the government and military spaces
  - Primary payload is called Beacon
- Cobalt Strike has received major updates over the years
  - Red Teams evaluate these updates based upon their operational needs
  - OPSEC is a concern, but new features usually take precedence
  - Teams have only recently begun to put more effort into protecting their Beacons
Current State of Cobalt Strike
- Cobalt Strike licenses do include access to OPSEC protections
  - Can be very cumbersome to set up correctly/properly
  - Process takes time to complete, which may take away from critical operational time
- If/when a Cobalt Strike Beacon is caught or submitted to malware analysis websites
  - Reconfiguring Beacons and infrastructure is time consuming
  - Uploaded Beacons are available to almost anyone for download and analysis
- Available protections may not be configured properly and can be operationally dependent
Current State of Cobalt Strike (continued)
- Open-source tools exist to extend the functionality of Cobalt Strike
  - Some tools can make protecting Beacons easier, but should be required to undergo proper assessment and related approval processes
- Commercially available tools are easier to acquire and utilize than open-source tools
  - In most cases, open-source tools are scrutinized more and will often include in-depth source code reviews
Cobalt Strike 4.8+ Changes
- Cobalt Strike version 4.8 [1]:
  - Guardrails: ensures Beacons will only execute within the configured parameters (e.g., IP, domain, hostname, etc.)
  - Multi-byte obfuscation
    - Prior to version 4.8, Beacon's embedded configuration was masked with a single, fixed XOR byte (0x2E in 3.x builds, 0x69 in 4.x builds), so anyone could unmask it by trying those two values
    - In versions 4.8+, Beacon implements a random 4-byte Exclusive OR (XOR) key
- Cobalt Strike version 4.9 [2]:
  - Updates to Beacon customizations and protections

[1] https://www.cobaltstrike.com/blog/cobalt-strike-4-8-system-call-me-maybe
[2] https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
Our Research
- ACO performed a technical deep-dive into Cobalt Strike
  - Focused on versions 4.8+
  - As of March 2024, open-source analysis tools only work up to version 4.7
- Identified several key pieces of information that can be extracted from Beacon executables
  - Command and Control (C2) addresses
  - License key identifier
  - Target-specific information such as domains, usernames, etc.
- Developed a Python script which can extract the configuration from versions 4.8+
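The two slides above describe the change from a fixed single-byte XOR mask to a random 4-byte key, and a script that still recovers the configuration. The following is an added illustration of why a random key alone does not stop extraction; it is not the ACO team's script and no real Beacon is involved. It assumes a TLV record layout (index, type, length, value; the layout open-source parsers use for 4.7 and earlier), assumes the 4-byte key is applied as a repeating mask, and relies on the first record always being index 1 / type 1 / length 2, which gives six bytes of known plaintext to derive the key from. The sample blob, the setting indices 900/901 for SSH credentials, and the filler bytes are constructed for the example.

```python
"""Beacon-style config extractor: fixed single-byte key vs. random 4-byte key.

Added illustration, not the ACO team's script; no real Beacon is involved.
Assumptions (the page does not document the format): settings are TLV records
(index u16, type u16, length u16, big-endian; type 1 = u16, 2 = u32, 3 = bytes),
the layout public parsers use for <= 4.7, ended by a zero index. Pre-4.8 masking
is one fixed XOR byte (0x2E or 0x69). 4.8+ masking is a random 4-byte key,
assumed here to be a repeating mask recoverable by known plaintext: the first
record is always index 1 / type 1 / length 2, so 6 plaintext bytes are known.
"""
import os
import struct

SINGLE_BYTE_KEYS = (0x2E, 0x69)
KNOWN_PREFIX = b"\x00\x01\x00\x01\x00\x02"   # index 1, type 1, length 2

# Partial name map: 1, 2, 3, 8 and 37 follow public parsers; 900/901 are
# placeholder indices standing in for the SSH Beacon credential fields.
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 8: "C2Server",
                 37: "Watermark", 900: "SSH_Username", 901: "SSH_Password"}


def xor_mask(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; handles 1-byte and 4-byte keys alike."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_settings(records) -> bytes:
    """Serialise (index, type, value) triples as TLV records plus terminator."""
    out = bytearray()
    for idx, typ, val in records:
        body = {1: lambda v: struct.pack(">H", v),
                2: lambda v: struct.pack(">I", v),
                3: lambda v: v}[typ](val)
        out += struct.pack(">HHH", idx, typ, len(body)) + body
    return bytes(out) + b"\x00\x00"           # zero index ends the list


def parse_settings(plain: bytes) -> dict:
    """Walk TLV records; return {} on any malformed record (wrong key/offset)."""
    pos, found = 0, {}
    while pos + 6 <= len(plain):
        idx, typ, length = struct.unpack_from(">HHH", plain, pos)
        pos += 6
        if idx == 0:
            break
        body = plain[pos:pos + length]
        if len(body) != length:
            return {}
        if typ == 1 and length == 2:
            found[idx] = struct.unpack(">H", body)[0]
        elif typ == 2 and length == 4:
            found[idx] = struct.unpack(">I", body)[0]
        elif typ == 3:
            found[idx] = body.rstrip(b"\x00")
        else:
            return {}
        pos += length
    return found


def locate_config(sample: bytes):
    """Find the masked config: returns (offset, key, settings) or None.

    At each offset, try the two fixed single-byte keys, then derive a 4-byte
    candidate from the first 4 ciphertext bytes (key = ct ^ known plaintext).
    A candidate is accepted only if bytes 4..6 also decode to the known prefix
    and the record list parses cleanly to at least two settings.
    """
    n = len(KNOWN_PREFIX)
    for off in range(len(sample) - n + 1):
        window = sample[off:off + n]
        candidates = [bytes([k]) for k in SINGLE_BYTE_KEYS]
        candidates.append(xor_mask(window[:4], KNOWN_PREFIX[:4]))
        for key in candidates:
            if xor_mask(window, key) != KNOWN_PREFIX:
                continue
            settings = parse_settings(xor_mask(sample[off:], key))
            if len(settings) >= 2:
                return off, key, settings
    return None


def extract_config(sample: bytes) -> dict:
    """Return named settings plus the recovered key/offset, or {} if absent."""
    hit = locate_config(sample)
    if hit is None:
        return {}
    off, key, settings = hit
    named = {SETTING_NAMES.get(i, f"setting_{i}"): v for i, v in settings.items()}
    named["_offset"], named["_key"] = off, key.hex()
    return named


def build_sample(key: bytes) -> bytes:
    """Constructed Beacon-like blob (filler + masked config + filler); not real."""
    records = [
        (1, 1, 0),                                  # BeaconType
        (2, 1, 443),                                # Port
        (3, 2, 60000),                              # SleepTime (ms)
        (8, 3, b"c2.example.invalid,/api/v1\x00"),  # C2Server
        (37, 2, 123456),                            # Watermark (licence key id)
        (900, 3, b"ops-user\x00"),                  # placeholder SSH username
        (901, 3, b"hunter2\x00"),                   # placeholder SSH password
    ]
    return b"\x90" * 64 + xor_mask(encode_settings(records), key) + b"\x90" * 64


if __name__ == "__main__":
    # Pre-4.8 style fixed key, then a 4.8-style random 4-byte key.
    for key in (b"\x69", os.urandom(4)):
        cfg = extract_config(build_sample(key))
        print(f"key={cfg['_key']} offset={cfg['_offset']} "
              f"watermark={cfg['Watermark']} c2={cfg['C2Server']!r} "
              f"ssh={cfg['SSH_Username']!r}:{cfg['SSH_Password']!r}")
```

The point of the example is the second run: the key is random, yet it falls out of six bytes of known plaintext, so the watermark, C2 address and cleartext SSH credentials are recovered just as easily as with the old fixed byte. Masking hides the configuration from a string search, not from anyone who knows the record layout; that is the gap the slides' later note about the configuration always being obtainable refers to.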
Identified OPSEC Concerns
- Co-opting of Red Team infrastructure
  - Open-source tools exist which allow for connecting to Cobalt Strike servers
  - Compromise of C2 infrastructure
- Operational tracking (via license key)
  - Extractable from the Beacon configuration
  - License key is not attributable to a customer by the public
  - Can be tracked via Beacons across events/time
- Insight into Red Team operations
  - Identify Red Team tooling and Tactics, Techniques, and Procedures (TTPs) related to Cobalt Strike
  - Obtain Malleable C2 details, emulated adversaries, etc.
Impactful Findings
- Pertinent information can be easily extracted from Cobalt Strike Beacons
- Untrained defenders may inadvertently expose red team tooling
- Current resourcing levels (manning/training/equipment) are inadequate to support full cyber assessments of internal tools
Impactful Findings (continued)
[Screenshot slide: the SSH banner referenced on the following slide; the image is not reproduced in this transcript]
Impactful Findings (continued)
- Beacon configuration extracted from a Cobalt Strike SSH Beacon
  - Exposes the username and password login information in the clear (cleartext)
  - The license key identifier can be extracted
  - The SSH banner (previous slide) is also shown, but in this case has been modified
Follow-On Research
- Presented a technical deep dive at the Department of Defense (DoD) Certified & Accredited Red Team Huddle in December 2023
- Since then, we have continued to engage with the Red Team community
  - Have analyzed Beacons from several Red Teams to identify OPSEC concerns
  - Various methods have been employed to obtain the Beacon configuration
  - Successfully extracted the configuration from every Beacon thus far
  - Continue to assist Red Teams in making informed risk/OPSEC decisions
- Currently working on generating a general set of recommendations for the Red Team community to use in further protecting Beacons

Note: The Beacon configuration will always be obtainable in some capacity because the Beacon relies on this configuration to function properly
For More Information
- An in-depth technical report and presentation are available upon request. Please send requests to:
  Osvaldo "Ozzie" Perez, ACO Director
  Email: osvaldo.l.perez.civ@mail.mil
- More than happy to work with your team
  - Can meet with your technical team/operators to talk through technical specifics
  - Can work through your Beacons and assess your level of risk/exposure
- We want this to be more than just words/pictures on a screen
Questions?