8. RELATIONSHIP TO RANSOMWARE
• FIN6 and REvil have used Cobalt Strike as part of their intrusion sets in numerous campaigns
• Part of a wave of “Human-operated ransomware attacks”
9. WHO USES COBALT STRIKE (A PARTIAL LIST)
ID     Name
G0073  APT19
G0079  DarkHydrus
G0052  CopyKittens
G0050  APT32
G0080  Cobalt Group
G0016  APT29
G0065  Leviathan
G0037  FIN6
10. FIN6 IN 2016
• Ransomware: CryptoWall
• Deployment: Logon scripts
• Whitelisting of payloads in AV
• Domain compromise: Golden ticket
• C2: Cobalt Strike
• C2 method: HTTP beaconing
11. FIN6 IN 2019/2020
• Ransomware: Ryuk
• Deployment: PsExec
• Whitelisting of payloads in AV
• Domain compromise: DCSync
• C2: Cobalt Strike
• C2 method: HTTP beaconing
• Anti-forensics: USNJrnl nerfing
• Sounds very familiar
20. FINDING NEEDLES IN THE NETWORK NEEDLESTACK
• Generic beaconing
• Ngrok
• DNS entropy
• HTTP URI entropy
• Bad sigs (AKA dumb luck)
• Palo Alto sometimes classifies it as China Chopper
28. NAMED PIPES – SYSMON/EDR
• Some additional common named pipes:
%s\pipe\srvservice
%s\pipe\spoolsvc.<chars>%x
%s\pipe\msagent_%x<chars>
%s\pipe\mojo.<chars>%x
%s\pipe\interprocess_%x
%s\pipe\eventlog_%x
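Added example (not from the slides): a small detection that turns the pipe templates listed above into anchored regexes and runs them over Sysmon-style pipe events (Event ID 17 created, 18 connected). The event records and the PipeName field layout are assumed for this example; the sample events are constructed.

```python
import re
# Named pipe templates as listed on the slide. Placeholder notation is the
# slide's own: %s = host prefix, %x = hex value, <chars> = arbitrary run.
PIPE_TEMPLATES = [
    r"%s\pipe\srvservice",
    r"%s\pipe\spoolsvc.<chars>%x",
    r"%s\pipe\msagent_%x<chars>",
    r"%s\pipe\mojo.<chars>%x",
    r"%s\pipe\interprocess_%x",
    r"%s\pipe\eventlog_%x",
]
PLACEHOLDERS = {"%x": r"[0-9a-fA-F]+", "<chars>": r"[^\\]+"}

def template_to_regex(template):
    # Match the bare pipe name (after \pipe\), which is what Sysmon's PipeName
    # field carries, optionally with its leading backslash (assumed layout).
    name = template.split("\\pipe\\")[-1]
    parts = re.split(r"(%x|<chars>)", name)
    body = "".join(PLACEHOLDERS.get(p, re.escape(p)) for p in parts)
    return re.compile(r"^\\?" + body + r"$")

COMPILED = [(t, template_to_regex(t)) for t in PIPE_TEMPLATES]

def match_pipe(pipe_name):
    # Return the first template the pipe name matches, or None.
    for template, rx in COMPILED:
        if rx.match(pipe_name):
            return template
    return None

def find_suspicious_pipes(events):
    # Scan pipe events (ID 17/18) and return (image, pipe, template) per hit.
    hits = []
    for ev in events:
        if ev.get("EventId") not in (17, 18):
            continue
        template = match_pipe(ev["PipeName"])
        if template:
            hits.append((ev["Image"], ev["PipeName"], template))
    return hits

# Constructed sample events (values invented for this example) in the shape
# of Sysmon pipe events; \spoolss and \eventlog are benign look-alikes.
SAMPLE_EVENTS = [
    {"EventId": 17, "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\msagent_4f"},
    {"EventId": 17, "Image": r"C:\Windows\System32\spoolsv.exe", "PipeName": r"\spoolss"},
    {"EventId": 18, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\interprocess_1a"},
    {"EventId": 17, "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\mojo.6124.3.1c0d2e"},
    {"EventId": 17, "Image": r"C:\Windows\System32\services.exe", "PipeName": r"\eventlog"},
]
```

Names alone are noisy (Chromium-based browsers legitimately create mojo.* pipes), so each hit carries the creating Image for triage against the expected process.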