Default Cobalt Strike Team Server Certificateedit

This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.

Rule type: query

Rule indices:

  • auditbeat-*
  • filebeat-*
  • packetbeat-*
  • logs-endpoint.events.*

Severity: critical

Risk score: 99

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Command and Control
  • Post-Execution
  • Threat Detection
  • Elastic
  • Network
  • Host

Version: 7 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit

## Threat intel

While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.

Rule queryedit

event.category:(network or network_traffic) and
(tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or
tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls
.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD1
6D3CF9D94D390C)

Threat mappingedit

Framework: MITRE ATT&CKTM

Rule version historyedit

Version 7 (8.4.0 release)
  • Formatting only
Version 6 (7.15.0 release)
  • Formatting only
Version 5 (7.14.0 release)
  • Updated query, changed from:

    event.category:(network or network_traffic) and
    (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or
    tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or tls.s
    erver.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D
    3CF9D94D390C)
Version 4 (7.13.0 release)
  • Formatting only
Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only