Cobalt Strike Hunting, Red Teams/Threat Actors TTP’s

Red Teams/Threat Actors methods in order to bypass web proxy filtering/categorization

Well, so Red Teams/Threat Actors sometimes are buying categorized/expired domains from various sources in order to bypass a company enterprise proxy filtering/categorization.

Expired Domain Name Search Engine is a very good example.

and there are few other very handy tools available on GitHub from where expired/categorized domains can be acquired.

domainhunter

Domain name selection is an important aspect of preparation for penetration tests and especially Red Team engagements. Commonly, domains that were used previously for benign purposes and were properly categorized can be purchased for only a few dollars. Such domains can allow a team to bypass reputation-based web filters and network egress restrictions for phishing and C2 related tasks.

or CatMyPhish

Search for the categorized domains that can be used during the red teaming engagement. Perfect to set up the whitelisted domain for your Cobalt Strike beacon C&C.

Let's have a look how this looks like in a real-life scenario.

This is actually a very cool-looking website!

https://burdine-health[.]com

Looks very new and legitimate!

Footer has no address, phone number, and about us section is not completed?

No social media as well?

Well, maybe a developer was in a hurry!

Random pictures in Gallery.

and hmm.. random office address?

Looks like nothing malicious right?

Anyway because I am always very curious let's dig here a bit more and investigate when and where the domain was registered.

https://whois.domaintools.com/burdine-health.com

Created on 2021–03–08 and registered on Gandi.

Now let's perform a few other checks and start with the categorization of this domain.

I am using Cisco Talos

https://talosintelligence.com

and Zvelo as an example:

and we can see that burdine-health[.]com is categorized as Health and Medicine.

Again everything looks fine!

The next check is to a quick Shodan search in order to find out about the hosting webservers.

Looks like the website is hosted on 66.235.200.29 and it is behind Cloudflare!

Again everything looks fine!

But I haven’t finished yet and now is the subdomain time!

I am using Virus Total for a quick win — passive subdomain enumeration!

I am interested here only in the subdomains section and we can see this interesting one dev. burdine-health[.]com

So it looks like that dev.burdine-health.com is hosted on a different IP address which is 139.177.196.191

Let’s have a look!

Looks there is nothing to see here!

Let's check the server using Shodan

We can see two ports opened 80 and 443

Let's investigate!

Both ports 80 and 443 and responses HTTP/1.1 404 Not Found/content-type: text/plain and Content-Length:0, are actually very interesting and definitely should raise a red flag as this could be something!

HTTP 404 Not Found/Content-Type: text/plain and Content-Length:0 is actually a default Cobalt Strike Malleable profile

(important note and bear in mind that HTTP/1.1 404 Not Found/content-type: text/plain could be a false-positive as well!)

Now in order to verify if this is a Cobalt Strike or not, I used this Nmap to grab a beacon configuration.

and looks like we got something!

Well, that means that we have spotted Cobalt Strike/C2 hiding in a subdomain categorized as Health & Medicine, and a legitimate-looking website!

IOC’s

C2 Servers and beacons running on port 80 and 443

dev.burdine-health[.]com/g.pixel

dev.burdine-health[.]com/match

dev.burdine-health[.]com/j.ad

dev.burdine-health[.]com/ca

Blue Team tips when investigating suspicious websites/domains when dealing with Red Team/Threat Actors.

check the history.

check when and where the domain was registered.

check the social media (Twitter, Linkedin, Facebook).

check the webservers using beta Shodan (ports, history, certs, headers, responses)

check all subdomains.

References:

Red Team Infrastructure

Nmap beacon scan

Security Researcher [RED&BLUE]