Volatility Plugin for Detecting Cobalt Strike Beacon
JPCERT/CC has observed some Japanese organisations being affected by cyber attacks leveraging "Cobalt Strike" since around July 2017. Cobalt Strike is a commercial product that simulates targeted attacks [1]; it is often used for incident handling exercises, and it is likewise an easy-to-use tool for attackers. Reports from LAC [2] and FireEye [3] describe Cobalt Strike and the actors who conduct attacks using this tool in detail.
Cobalt Strike is delivered via a decoy MS Word document that embeds a downloader. The downloader retrieves a payload (Cobalt Strike Beacon), which is executed in memory. Since Cobalt Strike Beacon is never written to the filesystem, an infection cannot be confirmed just by looking for the file itself; a memory dump or network device logs have to be examined instead.
This article introduces a tool we developed to detect Cobalt Strike Beacon in memory. It is available on GitHub; feel free to try it from the following page:
JPCERTCC/aa-tools · GitHub
This tool works as a plugin for The Volatility Framework (hereafter “Volatility”), a memory forensic tool. Here are the functions of cobaltstrikescan.py:
- cobaltstrikescan: Detect Cobalt Strike Beacon in a memory image
- cobaltstrikeconfig: Detect Cobalt Strike Beacon in a memory image and extract its configuration
To run the tool, save cobaltstrikescan.py in the "contrib/plugins/malware" folder of Volatility, and execute the following command:
$ python vol.py [cobaltstrikescan|cobaltstrikeconfig] -f <memory.image> --profile=<profile>
Figure 1 shows an example output of cobaltstrikescan. It lists the detected process name (Name) and process ID (PID), showing which process the malware was injected into.
Figure 2 shows an example output of cobaltstrikeconfig. Please refer to Appendix A for the configuration details of Cobalt Strike Beacon.
Actors using Cobalt Strike continue their attacks against Japanese organisations. We hope this tool helps detect such attacks at an early stage.
- Takuya Endo
(Translated by Yukako Uchida)
References
[1] Strategic Cyber LLC: COBALT STRIKE ADVANCED THREAT TACTICS FOR PENETRATION TESTERS
[2] LAC: New attacks by APT actors menuPass (APT10) observed (Japanese)
[3] FireEye: Privileges and Credentials: Phished at the Request of Counsel
[4] Cybereason: Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group
Appendix A: Cobalt Strike Beacon configuration

Table A: Configuration data format (one record; records follow one another)

| Offset | Length | Description |
| --- | --- | --- |
| 0x00 | 2 | Index (refer to Table B) |
| 0x02 | 2 | Type: 1 = 2 byte, 2 = 4 byte, 3 = as specified in 0x04 |
| 0x04 | 2 | Data length |
| 0x06 | As specified in 0x04 | Data |

Table B: Index

| Index | Name | Description |
| --- | --- | --- |
| 0x01 | BeaconType | 0 = HTTP, 1 = Hybrid HTTP and DNS, 8 = HTTPS |
| 0x05 | Jitter | Ratio of jitter in polling time (0-99%) |
| 0x06 | Maxdns | Maximum length of host name when using DNS (0-255) |
| 0x0a | | Path when communicating HTTP_Header2 |
| 0x10 | Year | Stops operating after the specified date by Year, Month, Day |
| 0x1d | | Process to inject arbitrary shellcode (32bit) |
| 0x1e | | Process to inject arbitrary shellcode (64bit) |
| 0x20 | | Proxy server name |
| 0x21 | | Proxy user name |
| 0x23 | Proxy_AccessType | 1 = Do not use proxy server, 2 = Use IE configuration in the registry, 4 = Connect via proxy server |
| 0x24 | create_remote_thread | Flag whether to allow creating threads in other processes |
| 0x25 | | Not in use |
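The record layout in Table A and the index meanings in Table B are enough to write a small configuration parser of the kind cobaltstrikeconfig performs. The following is an added example written for this article; it is not JPCERT/CC's cobaltstrikescan.py. It assumes, because the page does not say, that multi-byte integers are big-endian and that a record with index 0 terminates the list; the sample blob is constructed here and is not taken from a real memory image.

```python
"""Parse Cobalt Strike Beacon configuration records laid out as in Table A.

Added example, not JPCERT/CC's plugin. Assumptions: big-endian integers,
an index-0 record ends the list, and SAMPLE_CONFIG is constructed.
"""
import struct

RECORD_HEADER = struct.Struct(">HHH")   # index, type, data length (Table A)

# Index -> description, limited to the Table B entries given on the page.
INDEX_NAMES = {
    0x01: "BeaconType",
    0x05: "Jitter",
    0x06: "Maxdns",
    0x10: "Year",
    0x1d: "Process to inject arbitrary shellcode (32bit)",
    0x1e: "Process to inject arbitrary shellcode (64bit)",
    0x20: "Proxy server name",
    0x21: "Proxy user name",
    0x24: "create_remote_thread",
}

BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP and DNS", 8: "HTTPS"}


def decode_beacon_type(value):
    """Map a BeaconType value to its meaning; unknown values are reported as such."""
    return BEACON_TYPES.get(value, "unknown (%d)" % value)


def _as_text(data):
    """Return printable NUL-terminated ASCII as str, anything else as raw bytes."""
    trimmed = data.split(b"\x00", 1)[0]
    if trimmed and all(0x20 <= b < 0x7f for b in trimmed):
        return trimmed.decode("ascii")
    return data


def parse_beacon_config(blob):
    """Walk the record list and return {index: {"name", "type", "value"}}.

    Raises ValueError for a record that runs past the end of the blob or uses
    an undefined type, which is what a truncated or corrupted dump looks like.
    """
    records = {}
    offset = 0
    while offset + RECORD_HEADER.size <= len(blob):
        index, dtype, length = RECORD_HEADER.unpack_from(blob, offset)
        if index == 0:                      # assumed terminator record
            break
        offset += RECORD_HEADER.size
        if dtype == 1:
            size = 2
        elif dtype == 2:
            size = 4
        elif dtype == 3:
            size = length                   # length taken from offset 0x04
        else:
            raise ValueError("record 0x%02x: undefined type %d" % (index, dtype))
        if offset + size > len(blob):
            raise ValueError("record 0x%02x: data runs past end of blob" % index)
        data = blob[offset:offset + size]
        if dtype == 1:
            value = struct.unpack(">H", data)[0]
        elif dtype == 2:
            value = struct.unpack(">I", data)[0]
        else:
            value = _as_text(data)
        records[index] = {
            "name": INDEX_NAMES.get(index, "Unknown (0x%02x)" % index),
            "type": dtype,
            "value": value,
        }
        offset += size
    return records


def _record(index, dtype, payload):
    """Build one Table A record; used only to construct the sample below."""
    return RECORD_HEADER.pack(index, dtype, len(payload)) + payload


# Constructed sample exercising all three record types; not a real configuration.
SAMPLE_CONFIG = b"".join([
    _record(0x01, 1, struct.pack(">H", 8)),                 # BeaconType: HTTPS
    _record(0x05, 1, struct.pack(">H", 25)),                # Jitter: 25 %
    _record(0x06, 1, struct.pack(">H", 255)),               # Maxdns
    _record(0x10, 1, struct.pack(">H", 2018)),              # Year the Beacon stops
    _record(0x1d, 3, b"C:\\example\\spawn32.exe\x00"),      # constructed path
    _record(0x20, 3, b"proxy.example.invalid\x00"),         # constructed proxy name
    _record(0x24, 2, struct.pack(">I", 1)),                 # create_remote_thread flag
    _record(0x00, 1, b"\x00\x00"),                          # terminator (assumed)
])


def summarise(blob):
    """One line per record: index, name and decoded value."""
    lines = []
    for index, rec in sorted(parse_beacon_config(blob).items()):
        value = rec["value"]
        if index == 0x01:
            value = "%d (%s)" % (value, decode_beacon_type(value))
        lines.append("0x%02x %-45s %s" % (index, rec["name"], value))
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(SAMPLE_CONFIG)))
```

Bounds are checked before every read, so a dump in which the configuration was only partially paged in fails with a clear error instead of mis-parsing the bytes that follow it.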