Adversaries may be using Cobalt Strike to establish command and control over compromised systems, indicating potential ransomware activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage malware infections before they escalate to data exfiltration or ransomware deployment.
KQL Query
```kql
// Check for specific alerts
AlertInfo
// Attempts to clear security event logs.
| where Title in("Event log was cleared",
// List alerts flagging attempts to delete backup files.
"File backups were deleted",
// Potential Cobalt Strike activity - Note that other threat activity can also
// trigger alerts for suspicious decoded content
"Suspicious decoded content",
// Cobalt Strike activity
"\'Atosev\' malware was detected",
"\'Ploty\' malware was detected",
"\'Bynoco\' malware was detected")
| extend AlertTime = Timestamp
| join AlertEvidence on AlertId
| distinct DeviceName, AlertTime, AlertId, Title
| join DeviceLogonEvents on $left.DeviceName == $right.DeviceName
// Creating a 10-day window surrounding alert activity
| where Timestamp < AlertTime + 5d and Timestamp > AlertTime - 5d
// Projecting specific columns
| project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain,
    AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
```
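The correlation the query performs, reimplemented in Python over constructed sample rows so the alert-title filter, the `distinct` after the evidence join and the +/-5d logon window can be checked offline. This is an added example, not code from the original query or the Sentinel repository; column names follow the KQL, while the device names, account names and alert ids are made up.

```python
from datetime import datetime, timedelta

# Alert titles the hunting query pivots on (the same set as the KQL above).
HUNT_TITLES = {"Event log was cleared", "File backups were deleted",
               "Suspicious decoded content", "'Atosev' malware was detected",
               "'Ploty' malware was detected", "'Bynoco' malware was detected"}
WINDOW = timedelta(days=5)  # AlertTime +/- 5d, i.e. the query's 10-day window
def correlate_logons(alert_info, alert_evidence, logon_events):
    """Mirror the KQL pipeline: filter AlertInfo by title, join AlertEvidence on
    AlertId to get the device, apply distinct, then join DeviceLogonEvents on
    DeviceName keeping only logons inside the window. One dict per pair."""
    alerts = {a["AlertId"]: a for a in alert_info if a["Title"] in HUNT_TITLES}
    keys = set()  # distinct DeviceName, AlertTime, AlertId, Title
    for ev in alert_evidence:
        a = alerts.get(ev["AlertId"])
        if a is not None:
            keys.add((ev["DeviceName"], a["Timestamp"], a["AlertId"], a["Title"]))
    rows = []
    for device, alert_time, alert_id, title in sorted(keys):
        for lg in logon_events:
            if lg["DeviceName"] != device:
                continue
            if not (alert_time - WINDOW < lg["Timestamp"] < alert_time + WINDOW):
                continue  # outside the 10-day window, as in the KQL where clause
            rows.append({"Title": title, "DeviceName": device, "AlertId": alert_id,
                         "AlertTime": alert_time, "Timestamp": lg["Timestamp"],
                         "AccountName": lg["AccountName"], "LogonType": lg["LogonType"],
                         "RemoteIP": lg["RemoteIP"]})
    return rows

# Constructed sample rows (not real telemetry); device and account names are made up.
T0 = datetime(2020, 4, 20, 12, 0)
ALERT_INFO = [
    {"AlertId": "da1", "Title": "'Atosev' malware was detected", "Timestamp": T0},
    {"AlertId": "da2", "Title": "Some unrelated alert", "Timestamp": T0}]
ALERT_EVIDENCE = [  # two evidence rows for da1 collapse to one after distinct
    {"AlertId": "da1", "DeviceName": "ws01"}, {"AlertId": "da1", "DeviceName": "ws01"},
    {"AlertId": "da2", "DeviceName": "ws02"}]
def logon(device, delta_days, account, kind, ip=None):
    return {"DeviceName": device, "Timestamp": T0 + timedelta(days=delta_days),
            "AccountName": account, "LogonType": kind, "RemoteIP": ip}
LOGON_EVENTS = [
    logon("ws01", -2, "jdoe", "Interactive"),               # in window: reported
    logon("ws01", 1, "svc_backup", "Network", "10.0.0.5"),  # in window: reported
    logon("ws01", -6, "old_admin", "Interactive"),          # 6 days before: dropped
    logon("ws02", 0, "other", "Interactive")]               # device has no hunted alert
def hunt():
    """Run the correlation over the constructed sample and return the report rows."""
    return correlate_logons(ALERT_INFO, ALERT_EVIDENCE, LOGON_EVENTS)
```

Each returned row is one account that logged on to a device with a matching alert inside the window, which is the set of credentials the query treats as potentially stolen.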
```yaml
id: 0a6e58fa-0689-418e-b05c-758c41664081
name: cobalt-strike
description: |
  This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog.
  In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques. The attackers would compromise a web-facing endpoint and employ tools such as Cobalt Strike to steal users' credentials.
  Cobalt Strike is commercial software used to conduct simulated threat campaigns against a target; however, malicious actors also use Cobalt Strike in real attacks. The software has a large range of capabilities, including credential theft.
  The following query identifies accounts that have logged on to compromised endpoints and have potentially had their credentials stolen.
  References:
  https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
  https://www.cobaltstrike.com/
  https://attack.mitre.org/software/S0154/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
      - DeviceLogonEvents
tactics:
  - Initial access
  - Credential Access
  - Malware, component
query: |
  // Check for specific alerts
  AlertInfo
  // Attempts to clear security event logs.
  | where Title in("Event log was cleared",
  // List alerts flagging attempts to delete backup files.
  "File backups were deleted",
  // Potential Cobalt Strike activity - Note that other threat activity can also
  // trigger alerts for suspicious decoded content
  "Suspicious decoded content",
  // Cobalt Strike activity
  "\'Atosev\' malware was detected",
  "\'Ploty\' malware was detected",
  "\'Bynoco\' malware was detected")
  | extend AlertTime = Timestamp
  | join AlertEvidence on AlertId
  | distinct DeviceName, AlertTime, AlertId, Title
  | join DeviceLogonEvents on $left.DeviceName == $right.DeviceName
  // Creating a 10-day window surrounding alert activity
  | where Timestamp < AlertTime + 5d and Timestamp > AlertTime - 5d
  // Projecting specific columns
  | project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain,
      AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
```
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Ensure this data connector is enabled |
| DeviceLogonEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Task Scheduler job that runs cobalt-strike.exe as part of a patching or configuration update.
Filter/Exclusion: Exclude processes executed by the Task Scheduler service or processes with a command line containing schtasks.exe or scheduling keywords.
Scenario: Admin Debugging or Forensic Analysis
Description: A security administrator or incident responder using Cobalt Strike for red teaming, penetration testing, or forensic analysis.
Filter/Exclusion: Exclude processes initiated from known security tools or user accounts with elevated privileges (e.g., root, admin, securityadmin) or those running from a known red teaming directory (e.g., C:\RedTeam).
Scenario: Legitimate Software Installation or Update
Description: A legitimate software update or installation process that includes a file named cobalt-strike.exe due to a naming conflict or misconfiguration.
Filter/Exclusion: Exclude processes where the file path contains known legitimate software names (e.g., setup.exe, install.exe) or where the parent process is a known installer (e.g., msiexec.exe, setup.exe).
Scenario: PowerShell Script Execution
Description: A PowerShell script or command-line tool that dynamically generates or executes a file named cobalt-strike.exe as part of a legitimate automation process.
Filter/Exclusion: Exclude processes where the parent process is powershell.exe and the command line includes Invoke-Expression, IEX, or Start-Process with a known legitimate script path.
Scenario: Legacy or Obsolete Tool Usage
Description: An old or obsolete tool that shares the same name as Cobalt Strike