|
| 1 | +# Find user accounts potentially affected by Cobalt Strike |
| 2 | + |
| 3 | +This query was originally published in the threat analytics report, *Ransomware continues to hit healthcare, critical services*. There is also a related [blog](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/). |
| 4 | + |
| 5 | +In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques. The attackers would compromise a web-facing endpoint and employ tools such as Cobalt Strike to steal users' credentials. |
| 6 | + |
| 7 | +[Cobalt Strike](https://www.cobaltstrike.com/) is commercial software used to conduct simulated threat campaigns against a target; however, malicious actors also use Cobalt Strike in real attacks. The software has a large range of [capabilities](https://attack.mitre.org/software/S0154/), including credential theft. |
| 8 | + |
| 9 | +The following query identifies accounts that have logged on to compromised endpoints and have potentially had their credentials stolen. |
| 10 | + |
| 11 | +> [!IMPORTANT] |
| 12 | +> This query can only check endpoints onboarded to Microsoft Defender ATP. |
| 13 | +> |
| 14 | +> If you've identified affected endpoints that have not onboarded to Microsoft Defender ATP, check the Windows Event Log for post-compromise logons—those that occur during or after the earliest suspected breach activity—with event ID *4624* and logon type *2* or *10*. For any other timeframe, check for logon type *4* or *5*. |
| 15 | +
|
| 16 | +## Query |
| 17 | + |
| 18 | +```Kusto |
| 19 | +// Check for specific alerts |
| 20 | +AlertInfo |
| 21 | +// Attempts to clear security event logs. |
| 22 | +| where Title in("Event log was cleared", |
| 23 | +// List alerts flagging attempts to delete backup files. |
| 24 | +"File backups were deleted", |
| 25 | +// Potential Cobalt Strike activity - Note that other threat activity can also |
| 26 | +//trigger alerts for suspicious decoded content |
| 27 | +"Suspicious decoded content", |
| 28 | +// Cobalt Strike activity |
| 29 | +"\'Atosev\' malware was detected", |
| 30 | +"\'Ploty\' malware was detected", |
| 31 | +"\'Bynoco\' malware was detected") |
| 32 | +| extend AlertTime = Timestamp |
| 33 | +| distinct DeviceName, AlertTime, AlertId, Title |
| 34 | +| join DeviceLogonEvents on $left.DeviceName == $right.DeviceName |
| 35 | +// Creating 10 day Window surrounding alert activity |
| 36 | +| where Timestamp < AlertTime +5d and Timestamp > AlertTime - 5d |
| 37 | +// Projecting specific columns |
| 38 | +| project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, |
| 39 | +AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName |
| 40 | +``` |
| 41 | + |
| 42 | +## Category |
| 43 | + |
| 44 | +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. |
| 45 | + |
| 46 | +| Technique, tactic, or state | Covered? (v=yes) | Notes | |
| 47 | +|-|-|-| |
| 48 | +| Initial access | v | | |
| 49 | +| Execution | | | |
| 50 | +| Persistence | | | |
| 51 | +| Privilege escalation | | | |
| 52 | +| Defense evasion | | | |
| 53 | +| Credential Access | v | Attackers will not only dump credentials for accounts that have logged on to interactive or RDP sessions, but will also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry. | |
| 54 | +| Discovery | | | |
| 55 | +| Lateral movement | | | |
| 56 | +| Collection | | | |
| 57 | +| Command and control | | | |
| 58 | +| Exfiltration | | | |
| 59 | +| Impact | | | |
| 60 | +| Vulnerability | | | |
| 61 | +| Misconfiguration | | | |
| 62 | +| Malware, component | v | | |
| 63 | + |
| 64 | +## Contributor info |
| 65 | + |
| 66 | +**Contributor:** Microsoft Threat Protection team |
0 commit comments