They then used the Rundll32 execution utility to inject shellcode into the svchost.exe service host process on those systems. The penetration testers deployed Cobalt Strike Beacon to other hosts in the environment. The observed PowerShell commands used the "-nop -exec bypass -EncodedCommand" parameters followed by a Base64-encoded command, which revealed that they were launched from Cobalt Strike Beacon. The penetration testers then used Cobalt Strike Beacon to execute the PowerSploit exploitation scripting tool's "Install-ServiceBinary" function to obtain SYSTEM-level privileges. This process runs every time a user logs onto the system, injecting the Cobalt Strike Beacon payload into the userinit.exe user initialization process. In one engagement, Secureworks® Counter Threat Unit™ (CTU) researchers observed penetration testers leveraging local administrator access and the Microsoft Build Engine process to compile and execute a Cobalt Strike Beacon payload directly on the host. Legitimate testing typically assumes that the organization has already been breached. As a result, the penetration testers can bypass endpoint countermeasures and security controls that typically detect phishing or malware activity that threat actors use for initial access.
Penetration testers are often granted access to internal networks and systems so they can test the security and response of the enterprise.
Threat actors typically use malware to gain initial access to the network and subsequently deploy Cobalt Strike. However, the methods used to access the environment often differ. The Cobalt Strike threat emulation framework lets legitimate penetration testers emulate threat actors.
0 kommentar(er)
