Recently, a customer provided feedback that some EDR tools were beginning to detect Cobalt Strike. Historically, Cobalt Strike effectively evaded all EDR tooling with its evasive techniques, but as a result of Cobalt Strike becoming the software of choice for Red Teams [and threat actors], EDR vendors have “upped their game.”
I thought this was an interesting comment. As the world catches on to the power of Cobalt Strike, this escalation was inevitable in the continual “cat and mouse” game that red teams and blue teams play.
So, I took this comment to Fortra’s Cobalt Strike product manager and got the following [lightly edited] response.
Fortra’s Product Manager
Thanks for sharing that feedback. We’re aware that evasion is one of the biggest issues we’re having with the current version of Cobalt Strike, and we’re tackling it in the next releases, as stated in our strategy blog post.
Besides that, with the new research team, we’re working on providing tips, tricks and tools to improve the Cobalt Strike Beacon evasiveness; the blogs below provide some techniques and insights.
Blogs:
- Behind the Mask: Spoofing Call Stacks Dynamically with Timers
- Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development
- Cobalt Strike and YARA: Can I Have Your Signature?
And we’re committed to doing more. With Cobalt Strike + OST (Outflank Security Tooling), Fortra now has probably the most complete red-teaming toolkit in the world, and it provides not only evasion for Cobalt Strike Beacon, but also an evasive stage 1 C2 framework and many other tools that red team operators can benefit from to improve their efficiency and reduce the time they spend on R&D.
If you have any more comments to add, questions, or feedback on Cobalt Strike, OST or any other Fortra products, please use the “Contact” form, and we would be happy to hear your thoughts or challenges.
Other Resources
Since the above was put together, several other blog posts of interest have been published:
- https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-2-obfuscation-masking
- https://www.cobaltstrike.com/blog/introducing-the-mutator-kit-creating-object-file-monstrosities-with-sleep-mask-and-llvm
- https://www.cobaltstrike.com/blog/cobalt-strike-410-through-the-beacongate
- https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
It is also worth considering the OST toolkit. This contains tools specifically designed to evade EDR tools and a minimal C2 framework that may address your needs.