cyber_threat_intelligence/campaigns/Cobalt Strike/README.md
2022-07-23 08:39:44 +02:00

15 KiB

Cobalt Strike - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the campaign known as Cobalt Strike. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Cobalt Strike:

There are 16 more country items available. Please use our online service to access the data.

Actors

These actors are associated with Cobalt Strike or other actors linked to the campaign.

ID Actor Confidence
1 Cobalt Strike High
2 Conti High
3 Hancitor High
4 ... ...

There are 4 more actor items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Cobalt Strike.

ID IP address Hostname Actor Confidence
1 5.199.162.14 - Wizard Spider High
2 5.252.177.199 5-252-177-199.mivocloud.com Cobalt Strike High
3 5.255.98.144 - Cobalt Strike High
4 23.19.227.147 - Cobalt Strike High
5 23.81.246.32 - Cobalt Strike High
6 23.82.140.91 - Cobalt Strike High
7 23.108.57.39 - Cobalt Strike High
8 23.108.57.108 - Cobalt Strike High
9 23.160.193.55 unknown.ip-xfer.net Cobalt Strike High
10 23.227.194.86 23-227-194-86.static.hvvc.us Cobalt Strike High
11 23.227.199.10 23-227-199-10.static.hvvc.us Cobalt Strike High
12 23.229.36.43 bet5jn-day-43.bettertisholiday.com Cobalt Strike High
13 23.236.174.190 - Cobalt Strike High
14 37.0.8.252 - Cobalt Strike High
15 37.120.198.225 - Cobalt Strike High
16 45.15.131.96 - Cobalt Strike High
17 45.58.124.98 - Wizard Spider High
18 45.66.158.14 14.158-66-45.rdns.scalabledns.com Cobalt Strike High
19 45.84.0.116 n5336.md Cobalt Strike High
20 45.134.26.174 - Cobalt Strike High
21 45.144.29.185 master.pisyandriy.com Cobalt Strike High
22 45.197.132.72 - Cobalt Strike High
23 46.165.254.166 - Cobalt Strike High
24 51.15.76.60 60-76-15-51.instances.scw.cloud Cobalt Strike High
25 51.68.91.152 - Cobalt Strike High
26 51.68.93.185 - Cobalt Strike High
27 51.81.13.141 ip141.ip-51-81-13.us Cobalt Strike High
28 51.83.15.56 - Cobalt Strike High
29 52.18.235.51 ec2-52-18-235-51.eu-west-1.compute.amazonaws.com Cobalt Strike Medium
30 62.102.148.68 - Cobalt Strike High
31 62.128.111.176 - Cobalt Strike High
32 65.60.35.141 duwaer.presembling.vip Cobalt Strike High
33 69.49.230.29 69-49-230-29.unifiedlayer.com Cobalt Strike High
34 69.49.245.148 69-49-245-148.unifiedlayer.com Cobalt Strike High
35 77.83.159.15 - Cobalt Strike High
36 ... ... ... ...

There are 140 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used within Cobalt Strike. This data is unique as it uses our predictive model for actor profiling.

ID Technique Weakness Description Confidence
1 T1006 CWE-21, CWE-22, CWE-23, CWE-24, CWE-36 Pathname Traversal High
2 T1040 CWE-294 Authentication Bypass by Capture-replay High
3 T1055 CWE-74 Injection High
4 T1059 CWE-94 Cross Site Scripting High
5 T1059.007 CWE-79, CWE-80 Cross Site Scripting High
6 ... ... ... ...

There are 18 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration during Cobalt Strike. This data is unique as it uses our predictive model for actor profiling.

ID Type Indicator Confidence
1 File .forward Medium
2 File .htaccess Medium
3 File /.dbus-keyrings High
4 File //proc/kcore Medium
5 File /admin/conferences/list/ High
6 File /admin/curltest.cgi High
7 File /admin/dl_sendmail.php High
8 File /admin/edit_admin_details.php?id=admin High
9 File /admin/generalsettings.php High
10 File /admin/payment.php High
11 File /admin/reports.php High
12 File /AgilePointServer/Extension/FetchUsingEncodedData High
13 File /api/part_categories High
14 File /api/user/userData?userCode=admin High
15 File /app/options.py High
16 File /bsms/?page=manage_account High
17 File /cgi-bin/kerbynet High
18 File /ci_hms/massage_room/edit/1 High
19 File /ci_spms/admin/category High
20 File /ci_spms/admin/search/searching/ High
21 File /ci_ssms/index.php/orders/create High
22 File /classes/Master.php?f=delete_reservation High
23 File /classes/Master.php?f=delete_schedule High
24 File /classes/Master.php?f=delete_train High
25 File /company Medium
26 File /company/service/increment/add/im High
27 File /dashboard/menu-list.php High
28 File /dashboard/system/express/entities/forms/save_control/[GUID] High
29 File /ffos/classes/Master.php?f=save_category High
30 File /forum/away.php High
31 File /goform/aspForm High
32 File /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf High
33 ... ... ...

There are 286 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the campaign and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!