![]() Instead of mimicking what a CobaltStrike beacon could look like in a lab, we’re going to use live CobaltStrike beacon payloads from Elastic’s telemetry. Now that we’ve made a collection policy and applied it to a Windows machine you can target it with a CobaltStrike campaign. For specific instructions on how to deploy the Elastic Agent, refer to the official Elastic documentation. Once you have created this specific Fleet policy, you can apply this policy to an endpoint running the Elastic Agent. Click on “Show advanced settings”.Īt the very bottom of the advanced settings page, type “true” for the _protection.shellcode_collect_sample and _mory_scan_collect_sample settings, and then click “Save integration”. If you are enabling this feature for a production environment, leave the Protection levels as “Prevent”Īt the bottom of the integration configuration page, you can toggle “Register as antivirus” so that the Elastic Agent is registered as the Antivirus solution, and disable Windows Defender. There are several types of Protections (Malware, Memory, etc.), select “Detect” for each type that has Windows as an available “Operating system” you can uncheck Mac and Linux Operating Systems. ![]() This will allow malware to continue to run to allow for more rich event collection. Under “Protections”, leave the different protection types selected, but change the Protection level from “Prevent” to “Detect”. Click on the integration name (“Endpoint Security”). Next, click on your new policy and click the “Add integration button.įinally, we’re going to add the memory and shellcode collection options. Optionally, you can disable “System monitoring” and “Agent monitoring” to reduce the amount of system and agent metadata collected from your endpoints. To create a new policy, in Kibana, navigate to Fleet → Agent Policies → Create agent policy. You can add this to an existing policy or create a new policy. It should be noted that this collection may significantly increase the amount of data stored in Elasticsearch. This will collect 4MB of data from memory surrounding shellcode and malicious memory events. Integrations are added to policies, and Elastic Agents are added to policies.įirst, we need to configure the collection of shellcode and malicious memory regions in a Fleet policy. Fleet uses integrations, which are unified plugins that allow data to be collected from apps and services, and then stored in Elasticsearch. The Fleet Policyįleet is an app in Kibana that provides a central place to configure and monitor your Elastic Agents. This will all be taken from the memory of targeted Windows endpoints that we’ve collected from our telemetry. This blog will focus on using the Elastic Stack to collect Cobalt Strike beacon payloads, extract and parse the beacon configurations, and an analysis of the metadata within the configurations. ![]() A Malleable C2 profile contains a tremendous number of options to configure the beacon’s functionality, please see Cobalt Strike’s official documentation for specifics on configuring Malleable C2 beacons. ![]() To manage command and control, Cobalt Strike leverages an implant that uses beacon configuration known as a Malleable Command and Control (Malleable C2) profile. While Cobalt Strike is a legitimate tool, it is often abused by actual threat actors as a way to gain and maintain persistence into targeted networks. The goal is to validate security detection capabilities and processes replicating a real-world intrusion. Cobalt Strike is a premium offensive security tool leveraged by penetration testers and red team members as a way to emulate adversary behavior. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |