The Cobalt Strike Trial’s Evil BitOctober 14, 2015
RFC 3514 proposes an IPv4 flag to allow traffic to flag itself as malicious or not. This RFC’s authors reason that if malicious programs opt into this standard, it will become easier for IDS and other security products to distinguish between packets with good and evil intent. Naturally, this RFC was written in jest.
If the evil bit were real, the Cobalt Strike 3.0 trial would set it. In this post, I’d like to clarify some things about the trial that I’ve already had a few email exchanges about.
The Cobalt Strike 3.0 trial is the full Cobalt Strike product with one [significant] difference. The Cobalt Strike 3.0 trial inserts several “tells” to get caught by standard security products. This change is made possible by Cobalt Strike’s flexibility to change its indicators and artifacts.
What are the “tells”?
Cobalt Strike generates its executables and DLLs with the help of the Artifact Kit. The Artifact Kit is a source code framework to generate executables and DLLs that smuggle payloads past some anti-virus products. The Cobalt Strike 3.0 trial ships with the template Artifact Kit build. The template build embeds Cobalt Strike’s stager shellcode into executables and DLLs with no steps to disrupt an anti-virus sandbox.
The Cobalt Strike trial loads and uses Malleable C2 profiles. This is a feature that allows users to change the network indicators in the Beacon payload. Each HTTP GET transaction, from the trial, includes an X-Malware header with the EICAR string as its content.
The Java Signed Applet Attack in the Cobalt Strike trial has some differences too. This attack ships with an EICAR file inside of the JAR.
Finally, the trial removes Cobalt Strike’s primary payload encoder. Many security products flag traffic as malicious if they see a PE header in it. I use a Cobalt Strike-specific encoder to obfuscate the Beacon stage as it goes over the wire. This gets Beacon’s stage past many scenarios. Without an encoder, the staging process is much more likely to get caught.
As of Cobalt Strike 3.6, the trial removes task and response encryption from Beacon’s protocol. This means there is no confidentiality, over the network, for the actions you perform or the data you pull back.
What does this mean for me?
If you have a valid Cobalt Strike license key, you should always use the licensed version of the product in your production infrastructure. This means running the update program with your license key to get the licensed product.
The licensed version of the Cobalt Strike product does not have these deliberate tells. I’ve taken steps to make sure the trial team server can’t talk to a licensed client and vice versa. I did this to make sure customers don’t accidentally use a trial component in their production infrastructure.
If you’re a trial user, you should be aware that the Cobalt Strike 3.0 trial has these deliberate tells. I would use the trial as a first-pass of the product. Try it out in a lab. Go through the videos. Make a good decision about whether or not the product does something you need. If you have questions about Cobalt Strike while evaluating the trial, email me, and we can discuss them.