Cobalt Strike defence resources: tools, rules, articles and videos

Introduction to Cobalt Strike

Cobalt Strike is a full-featured commercial penetration testing tool that describes itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike's interactive post-exploitation capabilities cover the full range of ATT&CK tactics, all executed within a single integrated system. In addition to its own capabilities, Cobalt Strike makes use of the functionality of other well-known tools such as Metasploit and Mimikatz.

Cobalt Strike MITRE TTPs
https://attack.mitre.org/software/S0154/

Cobalt Strike MITRE ATT&CK Navigator layer
https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0154%2FS0154-enterprise-layer.json

Hunting and detection tools

Cobalt Strike Team Server password brute forcer
https://github.com/isafe/cobaltstrike_brute

CobaltStrikeScan: scans files or process memory for Cobalt Strike beacons and parses their configuration
https://github.com/Apr4h/CobaltStrikeScan

Cobalt Strike beacon config scanner
https://github.com/whickey-r7/grab_beacon_config

Cobalt Strike decryption
https://github.com/WBGlIl/CS_Decrypt

Detecting Cobalt Strike with Volatility
https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py

JARM fingerprint scanner
https://github.com/salesforce/jarm

Cobalt Strike forensics
https://github.com/RomanEmelyanov/CobaltStrikeForensic

Cobalt Strike resources
https://github.com/Te-k/cobaltstrike

C2 JARM list (includes Cobalt Strike)
https://github.com/cedowens/C2-JARM

SilasCutler_JARM_Scan_CobaltStrike_Beacon_Config.json
https://pastebin.com/DzsPgH9w

Detect Cobalt Strike
https://github.com/slaeryan/DetectCobaltStomp

Yara rules

Cobalt Strike yara rules
https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike.yar
https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike_evasive.yar
https://github.com/Te-k/cobaltstrike/blob/master/rules.yar

Indicators of compromise

Cobalt Strike hashes
https://bazaar.abuse.ch/browse/yara/CobaltStrike/

Cobalt Strike server list

https://docs.google.com/spreadsheets/d/1bYvBh6NkNYGstfQWnT5n7cSxdhjSn1mduX8cziWSGrw/edit#gid=766378683

Hunting and detection research articles

Analyzing Cobalt Strike for fun and profit
https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/

Cobalt Strike remote threads detection
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f

https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon/sysmon_cobaltstrike_process_injection.yml

The art and science of detecting Cobalt Strike
https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf

Detecting Cobalt Strike default modules via named pipe analysis
https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/

Multiple ways to identify malicious Cobalt Strike servers
https://go.recordedfuture.com/hubfs/reports/cta-2019-0618.pdf

How to detect Cobalt Strike activity in memory forensics
https://www.andreafortuna.org/2020/11/22/how-to-detect-cobalt-strike-activity-in-memory-forensics/

Detecting Cobalt Strike by fingerprinting ImageLoad events
https://redhead0ntherun.medium.com/detecting-cobalt-strike-by-fingerprinting-imageload-events-6c932185d67c

The anatomy of an APT attack and the CobaltStrike beacon's encoded configuration
https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/

CobaltStrike beacon.dll: your not-so-ordinary MZ header
https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html

GitHub-hosted malware calculates Cobalt Strike payload from Imgur picture
https://www.bleepingcomputer.com/news/security/github-hosted-malware-calculates-cobalt-strike-payload-from-imgur-pic/

Detecting Cobalt Strike beacons in NetFlow data
https://delaat.net/rp/2019-2020/p29/report.pdf

Volatility plugin for detecting Cobalt Strike beacon
https://blogs.jpcert.or.jp/zh/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html

Easily identify malicious servers on the Internet with JARM
https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a

Cobalt Strike beacon analysis
https://isc.sans.edu/forums/diary/Quick+Tip+Cobalt+Strike+Beacon+Analysis/26818/

Hancitor infection with Pony, Evil Pony, Ursnif and Cobalt Strike
https://isc.sans.edu/forums/diary/Hancitor+infection+with+Pony+Evil+Pony+Ursnif+and+Cobalt+Strike/25532/

Attackers exploiting WebLogic servers via CVE-2020-14882 to install Cobalt Strike
https://isc.sans.edu/forums/diary/Attackers+Exploiting+WebLogic+Servers+via+CVE202014882+to+install+Cobalt+Strike/26752/

Hiding in the cloud: Cobalt Strike beacon C2 using Amazon APIs
https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/

Identifying Cobalt Strike team servers in the wild
https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/

Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/

Operation Cobalt Kitty
http://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf

Detecting and advancing in-memory .NET tradecraft
https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/

Analysing fileless malware: Cobalt Strike beacon
https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/

Cobalt Strike sample (archive password = infected)
https://www.dropbox.com/s/o5493msqarg3iyu/Cobalt%20Strike.7z?dl=0

IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html

Cobalt Group returns to Kazakhstan
https://research.checkpoint.com/2019/cobalt-group-returns-to-kazakhstan/

Striking back at retired Cobalt Strike: a look at a legacy vulnerability
https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/

Azure Sentinel quick deploy with Cyb3rWard0g's Sentinel To-Go: let's catch Cobalt Strike
https://www.blackhillsinfosec.com/azure-sentinel-quick-deploy-with-cyb3rward0gs-sentinel-to-go-lets-catch-cobalt-strike/

Cobalt Strike stagers used by FIN6
https://malwarelab.eu/posts/fin6-cobalt-strike/

Malleable C2 profiles and you
https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929

Generated list of exposed Cobalt Strike C2 servers
https://gist.github.com/MHaggis/bdcd0e6d5c727e5b297a3e69e6c52286

Training courses

Attack Detection Fundamentals (also covers Cobalt Strike detection)
https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-1
https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-2
https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-3
https://labs.f-secure.com/blog/attack-detection-fundamentals-initial-access-lab-4
https://www.youtube.com/watch?v=DDK_hC90kR8&feature=youtu.be

Videos

Malleable memory indicators with Cobalt Strike's beacon payload
https://www.youtube.com/watch?v=93GyP-mEUAw&feature=emb_title

STAR webcast: Spooky RYUKy: the return of UNC1878
https://www.youtube.com/watch?v=BhjQ6zsCVSc

Excel 4.0 macro analysis: Cobalt Strike shellcode injection
https://www.youtube.com/watch?v=XnN_UWfHlNM

Analysing and detecting all things SSL with JA3
https://www.youtube.com/watch?v=oprPu7UIEuk

Project page

GitHub: github.com/MichaelKoczwara/
