Cobalt Strike and Endpoint Detection & Response (EDR) solutions
Recently a customer provided feedback that some EDR tools were beginning to detect Cobalt Strike. Historically, Cobalt Strike's evasion techniques let it get past effectively all EDR tooling, but because it has become the software of choice for red teams [and threat actors], EDR vendors have "upped their game."
I thought this was an interesting comment, and as the world catches on to the power of Cobalt Strike, this escalation is inevitable in the continual "cat and mouse" game that red teams and blue teams play.
So, I took this comment to Fortra’s Cobalt Strike product manager and got the following [lightly edited] response.
Thanks for sharing that feedback. We’re aware that evasion is one of the biggest issues we’re having with the current version of Cobalt Strike, and we’re tackling it in the next releases, as stated in our strategy blog post.
Besides that, with the new research team, we're working on providing tips, tricks and tools to improve Cobalt Strike Beacon's evasiveness; the blogs below provide some techniques and insights.
And we're committed to doing more: with Cobalt Strike + OST (Outflank Security Tooling), Fortra now probably has the most complete red-teaming toolkit in the world. It provides not only evasion for Cobalt Strike Beacon but also an evasive stage 1 C2 framework and many other tools that red team operators can use to improve their efficiency and reduce the time they spend on R&D.
If you have any more comments to add, questions, or feedback on Cobalt Strike, OST or any other Fortra products, please use the “Contact” form, and we would be happy to hear your thoughts or challenges.