Full Report
The Banner Pattern
Analysis Summary
# Tool/Technique: Cobalt Strike
## Overview
Cobalt Strike is a commercial penetration testing tool, often weaponized and used by threat actors for command and control (C2) communications, post-exploitation activities, and maintaining persistence in compromised environments. The analysis focuses on identifying and hunting for active Cobalt Strike C2 infrastructure using Censys data.
## Technical Details
- Type: Tool (Adversary Simulation/Command & Control Framework)
- Platform: Primarily Windows (Payloads/Beacons), but C2 infrastructure can be hosted on various server platforms (Linux/Windows).
- Capabilities: Command and Control (C2), post-exploitation, lateral movement, and persistence establishment via Beacons. This analysis specifically leverages banner and watermark information for identification.
- First Seen: Original release in 2012, widely adopted by threat actors since then.
## MITRE ATT&CK Mapping
Since Cobalt Strike is a comprehensive framework, its mapping spans multiple stages, depending on its use. Identifying the C2 server itself relates primarily to Command and Control:
- **TA0011 - Command and Control**
- **T1071.001 - Application Layer Protocol: Web Protocols** (Cobalt Strike often uses HTTP/S for communications)
- **T1573.002 - Encrypted Channel: Asymmetric Cryptography** (Implied, as C2 traffic is usually encrypted)
## Functionality
### Core Capabilities
- Establishing resilient Command and Control channels.
- Deploying Malleable C2 profiles to disguise traffic.
- Beacon payload management for compromised hosts.
### Advanced Features
- **Watermark Identification:** Cobalt Strike versions embed a specific "watermark" value in their configuration metadata, which can be queried via network traffic inspection (e.g., HTTP response headers or TLS artifacts). The article specifically mentions version 4.7 (watermark `987654321`) and cracked versions (watermark `0`).
- **Custom Banners:** Sharing common server response banners (e.g., specific HTTP 404 Not Found responses) across different ports can indicate infrastructure provisioned by the same actor.
- **SSH Host Fingerprint Correlation:** Grouping findings based on shared SSH host fingerprints helps identify infrastructure likely provisioned by a single threat actor group.
## Indicators of Compromise
The article focuses on *infrastructure* indicators related to C2 servers rather than specific malware hashes from victim machines.
- File Hashes: N/A (Focus on infrastructure detection)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Newly discovered infrastructure IPs hosting Cobalt Strike C2 services are listed in the IOC appendix (examples provided below, **though they are listed as specific infrastructure findings, not global patterns**):
- `47.92.77.57:443`
- `61.135.130.190:443`
- `1.94.97.56:4433`
- `45.145.229.234:443`
- `120.79.135.77:443`
- *... (80+ additional unique infrastructure IPs listed in the raw article data)*
- Behavioral Indicators: Hosts responding with specific Cobalt Strike watermarks or sharing uncommon service banners regardless of port.
## Associated Threat Actors
The summary does not name specific APTs but notes that shared SSH fingerprints (e.g., one set of 10 hosts in Russia sharing a fingerprint) suggest activity by specific threat actor clusters. Cobalt Strike is widely used by numerous financially motivated and state-sponsored groups.
## Detection Methods
- **Signature-based detection:** Targeting known Cobalt Strike C2 configuration patterns (e.g., specific HTTP headers or known Malleable C2 profiles).
- **Behavioral detection:** Monitoring for hosts responding with specific, known Cobalt Strike watermarks using service queries (e.g., via Censys).
- **Banner Analysis:** Pivoting on unusual or shared `services.banner` fields that correlate with known Cobalt Strike deployments but would otherwise attract few detections.
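The three pivots the summary describes (known watermark values, a byte-identical banner served on several different ports, and hosts sharing an SSH host-key fingerprint) can be combined into a small triage pass over host records. The following is an added example, not code from the article or from Censys; the host records are constructed, the IPs are documentation-range placeholders, and the record schema is a hypothetical simplification in which only the `services.banner` field name is taken from the summary (`ssh_fingerprint`, `port` and `watermark` are assumed names). The watermark values `987654321` and `0` are the ones the summary reports.

```python
"""Triage pass over Censys-like host records: watermark, shared-banner and
SSH-fingerprint pivots. Added example; schema and records are constructed."""
from collections import defaultdict

# Watermark values the summary associates with Cobalt Strike deployments.
KNOWN_WATERMARKS = {987654321, 0}

# Constructed sample records (hypothetical schema, documentation-range IPs).
HOSTS = [
    {"ip": "192.0.2.10", "ssh_fingerprint": "SHA256:AAAA", "services": [
        {"port": 443, "banner": "HTTP/1.1 404 Not Found\r\nContent-Length: 0", "watermark": 987654321},
        {"port": 22, "banner": "SSH-2.0-OpenSSH_8.9", "watermark": None},
    ]},
    {"ip": "192.0.2.11", "ssh_fingerprint": "SHA256:AAAA", "services": [
        {"port": 4433, "banner": "HTTP/1.1 404 Not Found\r\nContent-Length: 0", "watermark": 0},
        {"port": 22, "banner": "SSH-2.0-OpenSSH_8.9", "watermark": None},
    ]},
    {"ip": "192.0.2.12", "ssh_fingerprint": "SHA256:BBBB", "services": [
        {"port": 8080, "banner": "HTTP/1.1 404 Not Found\r\nContent-Length: 0", "watermark": None},
    ]},
    # Benign-looking host: common OpenSSH banner, ordinary web server, own key.
    {"ip": "198.51.100.5", "ssh_fingerprint": "SHA256:CCCC", "services": [
        {"port": 443, "banner": "HTTP/1.1 200 OK\r\nServer: nginx", "watermark": None},
        {"port": 22, "banner": "SSH-2.0-OpenSSH_8.9", "watermark": None},
    ]},
]


def hosts_with_known_watermarks(hosts, known=KNOWN_WATERMARKS):
    """Return (ip, port, watermark) for every service carrying a known watermark."""
    hits = []
    for host in hosts:
        for svc in host["services"]:
            if svc.get("watermark") in known:  # None never matches
                hits.append((host["ip"], svc["port"], svc["watermark"]))
    return hits


def banners_shared_across_ports(hosts, min_ports=2):
    """Map banner -> sorted (ip, port) pairs for banners seen on at least
    `min_ports` distinct ports across the data set. A stock OpenSSH banner on
    port 22 everywhere does not qualify; an identical 404 body on 443, 4433
    and 8080 does, which is the "banner pattern" pivot."""
    seen = defaultdict(set)
    for host in hosts:
        for svc in host["services"]:
            seen[svc["banner"]].add((host["ip"], svc["port"]))
    return {banner: sorted(pairs) for banner, pairs in seen.items()
            if len({port for _, port in pairs}) >= min_ports}


def cluster_by_ssh_fingerprint(hosts, min_size=2):
    """Group IPs by SSH host-key fingerprint, keeping groups of `min_size` or more."""
    groups = defaultdict(list)
    for host in hosts:
        if host.get("ssh_fingerprint"):
            groups[host["ssh_fingerprint"]].append(host["ip"])
    return {fp: sorted(ips) for fp, ips in groups.items() if len(ips) >= min_size}


def pivot_candidates(hosts):
    """IPs flagged by a known watermark or a cross-port shared banner, widened to
    every host that shares an SSH fingerprint with an already-flagged host."""
    flagged = {ip for ip, _, _ in hosts_with_known_watermarks(hosts)}
    for pairs in banners_shared_across_ports(hosts).values():
        flagged.update(ip for ip, _ in pairs)
    for ips in cluster_by_ssh_fingerprint(hosts).values():
        if flagged & set(ips):
            flagged.update(ips)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in pivot_candidates(HOSTS):
        print("review:", ip)
```

Against the constructed records the pass flags 192.0.2.10 and 192.0.2.11 (watermarks, shared 404 banner and a common SSH key) and 192.0.2.12 (same 404 banner on a third port, no watermark), while 198.51.100.5 stays clear even though it shares the ubiquitous OpenSSH banner. Requiring the banner on several distinct ports is what keeps generic banners from producing noise; in practice the threshold and the watermark list should be tuned to the data set in hand.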
## Mitigation Strategies
- **Network Segmentation:** Restrict outbound connections from internal networks and block destinations that match known C2 infrastructure patterns.
- **Service Hardening:** Review and secure services on non-standard ports that normally serve benign content, since such ports can be repurposed for C2.
- **Threat Intelligence Integration:** Use threat feeds that track known Cobalt Strike infrastructure IPs and domains for proactive blocking.
## Related Tools/Techniques
- C2 frameworks with similar capabilities (e.g., Metasploit, Brute Ratel C4).
- Techniques leveraging public cloud infrastructure for C2 staging.