Detecting Cobalt Strike by Fingerprinting Imageload Events

Background

Loaded DLLs

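```Per-process spread: how many hosts (dc_dest) and how many distinct DLL
names (dc_file) each suspect process name / PID pair touches, then the
process names bucketed by their DLL count. Unlike the searches further
down, this one has no sourcetype filter, so dc_file is counted across
every sourcetype in index=main.```
| tstats summariesonly=t dc(dest) as dc_dest dc(file_name) as dc_file where index=main
AND process_name IN (AdobeARMTaskConfig.exe,7z-config.exe,AdobeARMTask.exe,spinkitX64.exe,vccmd.exe,DeviceUpdates.exe,SSMConfig.exe,"Terms and Conditions.exe",bmicalc.exe)
by process_name,process_id
| where isnotnull(process_name)
```Descending sort; the pasted text had an em dash here, which SPL rejects.```
| sort - dc_dest dc_file
| stats values(process_name) dc(process_name) by dc_file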
Number of DLLs loaded by process name
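```DLLs common to every suspect binary: take the first load time per
process name / DLL, then count how many distinct process names loaded each
DLL. dc_proc = 9 is the number of entries in the process_name list, so
only DLLs loaded by all nine survive; the final stats collapses them into
a single multivalue list.```
| tstats summariesonly=t dc(dest) as dc_dest where index=main sourcetype=imageload
AND process_name IN (AdobeARMTaskConfig.exe,7z-config.exe,AdobeARMTask.exe,spinkitX64.exe,vccmd.exe,DeviceUpdates.exe,SSMConfig.exe,"Terms and Conditions.exe",bmicalc.exe)
by process_name,process_id,file_name,event_time
| stats first(event_time) as event_time by process_name,file_name
| stats values(process_name) as process_name dc(process_name) as dc_proc by file_name
| where dc_proc = 9
| stats values(file_name) as file_name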
"FWPUCLNT.DLL","IPHLPAPI.DLL","KernelBase.dll","NapiNSP.dll","OnDemandConnRouteHelper.dll","SHCore.dll","advapi32.dll","bcrypt.dll","bcryptprimitives.dll","cfgmgr32.dll","combase.dll","crypt32.dll","cryptbase.dll","cryptsp.dll","dnsapi.dll","dpapi.dll","gdi32.dll","gdi32full.dll","iertutil.dll","kernel.appcore.dll","kernel32.dll","msasn1.dll","mskeyprotect.dll","msvcp_win.dll","msvcrt.dll","mswsock.dll","ncrypt.dll","ncryptsslp.dll","nlaapi.dll","nsi.dll","ntasn1.dll","ntdll.dll","oleaut32.dll","pnrpnsp.dll","powrprof.dll","profapi.dll","rasadhlp.dll","rpcrt4.dll","rsaenh.dll","schannel.dll","sechost.dll","shlwapi.dll","sspicli.dll","ucrtbase.dll","urlmon.dll","user32.dll","win32u.dll","windows.storage.dll","winhttp.dll","wininet.dll","winmm.dll","winmmbase.dll","winnsi.dll","winrnr.dll","wintrust.dll","ws2_32.dll"
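```Which suspect process / PID pairs load the complete DLL set found above?
The file_name list has 56 entries, so dc_file = 56 keeps only exact
matches (the combined search later relaxes this to dc_file >= 54).```
| tstats summariesonly=t dc(file_name) as dc_file where index=main sourcetype=imageload
AND process_name IN (AdobeARMTaskConfig.exe,7z-config.exe,AdobeARMTask.exe,spinkitX64.exe,vccmd.exe,DeviceUpdates.exe,SSMConfig.exe,"Terms and Conditions.exe",bmicalc.exe)
AND file_name IN (FWPUCLNT.DLL,IPHLPAPI.DLL,KernelBase.dll,NapiNSP.dll,OnDemandConnRouteHelper.dll,SHCore.dll,advapi32.dll,bcrypt.dll,bcryptprimitives.dll,cfgmgr32.dll,combase.dll,crypt32.dll,cryptbase.dll,cryptsp.dll,dnsapi.dll,dpapi.dll,gdi32.dll,gdi32full.dll,iertutil.dll,kernel.appcore.dll,kernel32.dll,msasn1.dll,mskeyprotect.dll,msvcp_win.dll,msvcrt.dll,mswsock.dll,ncrypt.dll,ncryptsslp.dll,nlaapi.dll,nsi.dll,ntasn1.dll,ntdll.dll,oleaut32.dll,pnrpnsp.dll,powrprof.dll,profapi.dll,rasadhlp.dll,rpcrt4.dll,rsaenh.dll,schannel.dll,sechost.dll,shlwapi.dll,sspicli.dll,ucrtbase.dll,urlmon.dll,user32.dll,win32u.dll,windows.storage.dll,winhttp.dll,wininet.dll,winmm.dll,winmmbase.dll,winnsi.dll,winrnr.dll,wintrust.dll,ws2_32.dll)
by process_name,process_id
| where dc_file = 56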
```Threshold stage used by the combined search that follows: at most 3
hosts, at least 54 of the 56 fingerprint DLLs (two missing tolerated), and
a single distinct hash per process_name. dc_dest, dc_file and dc_md5 are
produced by that search's tstats, not by the query above this line, so
this fragment does not run on its own.```
| where dc_dest <= 3 AND dc_file >= 54 AND dc_md5 = 1
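```Candidate beacons: one tstats over three telemetry types (imageload,
process start, url/tcp network) keyed by process_name, then filtered on
the shape established above - few hosts, (almost) the full 56-DLL set, one
binary hash, and, where HTTP is present, one User-Agent. The imageload
branch constrains process_path; the other branches constrain file_path.```
| tstats summariesonly=t count latest(process_start_time) as process_start_time latest(parent_process_path) as parent_process_path latest(parent_process) as parent_process values(file_path) as file_path latest(process) as process latest(process_id) as process_id values(user) as user last(event_time) as ftime first(event_time) as ltime values(dest) as dest dc(dest) as dc_dest dc(http_user_agent) as dc_ua values(http_user_agent) as http_user_agent earliest(_time) as e_acq_time values(uri) as uri values(http_method) as http_method values(http_host) as http_host dc(http_host) as dc_http_host values(md5) as md5 dc(md5) as dc_md5 dc(file_name) as dc_file values(protocol) as protocol dc(dest_ip) as dc_dest_ip values(dest_ip) as dest_ip values(dest_port) as dest_port dc(sourcetype) as dc_sourcetype values(sourcetype) as sourcetype values(process_path) as process_path
where
((index=main sourcetype=imageload
file_name IN (FWPUCLNT.DLL,IPHLPAPI.DLL,KernelBase.dll,NapiNSP.dll,OnDemandConnRouteHelper.dll,SHCore.dll,advapi32.dll,bcrypt.dll,bcryptprimitives.dll,cfgmgr32.dll,combase.dll,crypt32.dll,cryptbase.dll,cryptsp.dll,dnsapi.dll,dpapi.dll,gdi32.dll,gdi32full.dll,iertutil.dll,kernel.appcore.dll,kernel32.dll,msasn1.dll,mskeyprotect.dll,msvcp_win.dll,msvcrt.dll,mswsock.dll,ncrypt.dll,ncryptsslp.dll,nlaapi.dll,nsi.dll,ntasn1.dll,ntdll.dll,oleaut32.dll,pnrpnsp.dll,powrprof.dll,profapi.dll,rasadhlp.dll,rpcrt4.dll,rsaenh.dll,schannel.dll,sechost.dll,shlwapi.dll,sspicli.dll,ucrtbase.dll,urlmon.dll,user32.dll,win32u.dll,windows.storage.dll,winhttp.dll,wininet.dll,winmm.dll,winmmbase.dll,winnsi.dll,winrnr.dll,wintrust.dll,ws2_32.dll)
process_path IN ("C:\\Program*","C:\\Users\\*","C:\\Windows\\*"))
OR (((index=main sourcetype=processes event_type=start earliest=-30d) OR (index=main sourcetype=url http_host=* NOT http_host IN ("crl.*.com","ocsp.*.com"))
OR (index=main sourcetype=tcp))
AND file_path IN ("C:\\Program*","C:\\Users\\*","C:\\Windows\\*"))
by process_name,index
```Rows with no http_host (no url events) skip the dc_ua test; rows that
have one must also show exactly one User-Agent. md5_len is not produced by
the tstats above - presumably an eval defining it was lost when the search
was pasted; as written the comparison is against a null field and where
will drop every row, so restore that eval before relying on this search.```
| where if(isnull(http_host),(dc_sourcetype >= 3 AND dc_dest <= 3 AND dc_file >= 54 AND dc_md5 = 1 AND md5_len > 1),(dc_sourcetype >= 3 AND dc_dest <= 3 AND dc_file >= 54 AND dc_md5 = 1 AND dc_ua = 1 AND md5_len > 1))
```sourcetype is multivalue here (values(sourcetype) above), so this keeps
only process names seen in imageload AND processes AND at least one of
tcp/url - the three-source corroboration behind dc_sourcetype >= 3.```
| search sourcetype=imageload AND sourcetype=processes AND (sourcetype IN (tcp,url))
```Drop hashes the vt_file lookup recognises. Assumes the lookup returns
sig_info for known files and nothing for unknown ones - confirm against
the lookup definition.```
| lookup vt_file query as md5
| where isnull(sig_info)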
