- TillyCorless
Community Manager
Nice work BenMcCarthy
- JoeCosentino
Immerser
Thanks, BenMcCarthy - this is outstanding and timely work!
Cobalt Strike is an adversary simulation tool developed by Fortra. It was designed to be used by professional red teams to perform post-exploitation actions such as enumerating file systems, elevating privileges, and deploying malware. Despite being designed for red teams, threat actors often use both licensed and unlicensed (cracked) versions of Cobalt Strike for malicious purposes.
Why have we created this content?
A recent report again stated that Cobalt Strike is the C2 framework of choice for hackers around the world. We previously had no labs covering how to identify and defend against this C2 framework. Therefore, as we did with Havoc and Sliver, we have released labs based on analysis of its activity on the network and on the host, and we have created and released Volatility plugins to help defensive teams in their own analysis.
What are we publishing?
All customers on a CyberPro License have immediate access to two new labs.
Who is this content for?
These labs are focused on upskilling and increasing the defensive capabilities of the following roles:
Cobalt Strike is an adversary simulation tool developed by Fortra. It was designed to be used by professional red teams to perform post-exploitation actions such as enumerating file systems, elevating privileges, and deploying malware. Despite being designed for red teams, threat actors often use both licensed and unlicensed (cracked) versions of Cobalt Strike for malicious purposes.
Why have we created this content?
A recent report again stated that Cobalt Strike is the C2 framework of choice for hackers around the world. We previously had no labs covering how to identify and defend against this C2 framework. Therefore, as we did with Havoc and Sliver, we have released labs based on analysis of its activity on the network and on the host, and we have created and released Volatility plugins to help defensive teams in their own analysis.
What are we publishing?
All customers on a CyberPro License have immediate access to two new labs.
Who is this content for?
These labs are focused on upskilling and increasing the defensive capabilities of the following roles:
Nice work BenMcCarthy