Anomali TIP Alert Details
Alert ID: ANOMALI-CAPABILITY-ACQ-7842
Alert Time: 2024-02-10 13:30:45 EST
Severity: HIGH (75/100)
Source: Anomali Threat Intelligence Platform
Rule: “Known Malware Framework Offered for Sale”
MITRE ATT&CK: T1588 – Obtain Capabilities
Alert Details:
Threat Intelligence Finding: Cobalt Strike license offered for transfer to a new actor, bundled with cracked builds
Source: Dark Web Marketplace “exploit[.]market”
Listing Date: 2024-02-09
Seller: “license_king_84”
Product: “Cobalt Strike License + Cracked Versions”
Price: 0.25 BTC (~$12,000)
Listing Details:
“Offering legitimate Cobalt Strike license (will transfer ownership) plus all cracked versions 3.0-4.9. Also includes:
– Custom Malleable C2 profiles
– PowerShell obfuscation scripts
– EDR evasion techniques
– 50+ custom aggressor scripts
– Beacon object files for keylogging, screenshot capture
Perfect for red teaming or other purposes. No questions asked.
Delivery via encrypted DM. BTC only.”
Threat Intelligence Context:
– Seller “license_king_84” known for selling access to red team tools
– Previous sales to actors later linked to ransomware campaigns
– Cobalt Strike is legitimate tool but widely abused by threat actors
– Purchase would give attacker proven capability
Additional Intel:
– Same seller offering Empyre, Covenant, Sliver frameworks
– Also selling “crypter as a service” for bypassing AV
– Active in multiple dark web marketplaces
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify TIP findings | Anomali, Flashpoint | Confirmed legitimate listing
2. Actor Monitoring | Watch for purchase activity | Dark Web Monitoring | No evidence of purchase by actors targeting us
3. Defensive Preparation | Update detection for frameworks | CrowdStrike, Defender | Enhanced Cobalt Strike detection signatures
4. Hunting | Check for framework usage | EDR Logs, Network Traffic | No Cobalt Strike beacons detected
5. Information Sharing | Alert ISAC and peers | ISAC, Industry Partners | Shared intelligence on seller
Jira Incident Report
Ticket: SOC-2024-055
Summary: T1588 – Cobalt Strike Framework Offered for Sale on Dark Web
Status: RESOLVED
Resolution: INTELLIGENCE – Monitoring Enhanced
Priority: P3 – LOW
Labels: T1588, obtain-capabilities, cobalt-strike, dark-web, anomali
Components: Threat-Intelligence, Detection-Engineering
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Anomali Threat Intelligence Platform.
Alert: “Known Malware Framework Offered for Sale”.
Platform: Dark Web marketplace “exploit[.]market”.
Time: 2024-02-10 13:30 EST.
Technique: MITRE ATT&CK T1588 – Obtain Capabilities.
2. Technical Analysis:
Offering Details:
Seller: “license_king_84” (established vendor)
Product: Cobalt Strike license + cracked versions
Price: 0.25 BTC (~$12,000)
Includes: Custom profiles, evasion scripts, aggressor scripts
Previous Sales: Linked to ransomware actors
Capabilities Offered:
Cobalt Strike Versions: 3.0 through 4.9 (cracked)
Malleable C2 Profiles: Customizable traffic patterns
EDR Evasion: Multiple bypass techniques
Post-Exploitation: Keylogging, screenshot capture
Persistence: not itemised in the listing (may be covered by the bundled aggressor scripts)
Risk Assessment:
Cobalt Strike is one of the most commonly abused C2 frameworks observed in intrusions
Purchase would give an attacker a mature, well-documented capability with no development effort
Custom Malleable C2 profiles change the network indicators (URIs, headers, certificates), so signatures keyed to the default profile will not fire against them
Seller has a history of sales to actors later linked to ransomware campaigns
3. Investigation Findings:
Timeline:
2024-02-09: Listing posted on dark web
2024-02-10 13:30: Anomali detects and alerts
2024-02-10 13:45: SOC investigation begins
2024-02-10 14:30: Detection signatures updated
2024-02-10 15:00: Proactive hunting completed
Hunting Results:
Searched for Cobalt Strike beacons in network traffic (Zeek signatures)
Searched for known Cobalt Strike process artifacts (EDR)
Searched for Malleable C2 profile patterns (Network Analysis)
No indicators found in environment
4. Containment Actions:
Detection Enhancements:
Updated Zeek signatures for Cobalt Strike detection.
Enhanced CrowdStrike IOA rules for beacon behavior.
Deployed YARA rules for Cobalt Strike artifacts.
Added Cobalt Strike indicators to network blocklists.
Proactive Hunting:
Reviewed last 30 days of network traffic for C2 patterns.
Analyzed endpoint logs for suspicious process behavior.
Checked for unusual outbound connections.
No evidence of framework usage found.
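The hunting and detection steps above are summarised rather than shown. The following is an added example, not part of the original report and not the team's own tooling, of three hunt checks written in Python and run over constructed Zeek-style conn.log and http.log excerpts plus constructed EDR named-pipe events: periodic-beacon detection from inter-connection timing, default-profile request URIs together with the Metasploit-compatible checksum8 stager-URI test (92 for x86, 93 for x64), and default named-pipe names. Hostnames, IP addresses, timestamps and the thresholds (five connections, coefficient of variation under 0.1) are assumptions. The timing check is the one that still applies once a custom Malleable C2 profile has replaced the default URIs and pipe names.

```python
"""Cobalt Strike hunt checks over constructed Zeek-style logs and EDR events.

Added example. All sample data below is constructed for illustration and is
not from the incident environment; thresholds are assumptions, not tuned values.
"""
import re
import statistics
from collections import defaultdict

# Constructed Zeek conn.log excerpt: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p
CONN_LOG = """\
1707570000.0\tC1\t10.0.0.5\t49152\t203.0.113.10\t443
1707570060.2\tC2\t10.0.0.5\t49153\t203.0.113.10\t443
1707570120.1\tC3\t10.0.0.5\t49154\t203.0.113.10\t443
1707570179.9\tC4\t10.0.0.5\t49155\t203.0.113.10\t443
1707570240.0\tC5\t10.0.0.5\t49156\t203.0.113.10\t443
1707570300.1\tC6\t10.0.0.5\t49157\t203.0.113.10\t443
1707570003.0\tC7\t10.0.0.7\t49200\t198.51.100.20\t443
1707570400.0\tC8\t10.0.0.7\t49201\t198.51.100.20\t443
1707571900.0\tC9\t10.0.0.7\t49202\t198.51.100.20\t443
1707573000.0\tC10\t10.0.0.7\t49203\t198.51.100.20\t443
1707573010.0\tC11\t10.0.0.7\t49204\t198.51.100.20\t443
1707575000.0\tC12\t10.0.0.7\t49205\t198.51.100.20\t443
"""

# Constructed Zeek http.log excerpt: ts, id.orig_h, id.resp_h, method, uri
HTTP_LOG = """\
1707570000.0\t10.0.0.5\t203.0.113.10\tGET\t/__utm.gif
1707570060.2\t10.0.0.5\t203.0.113.10\tPOST\t/submit.php?id=1234
1707570003.0\t10.0.0.7\t198.51.100.20\tGET\t/index.html
1707570400.0\t10.0.0.9\t198.51.100.20\tGET\t/abc6
"""

# Constructed EDR named-pipe events (hypothetical hostnames)
PIPE_EVENTS = [
    {"host": "WS-0042", "pipe": "\\\\.\\pipe\\MSSE-1234-server"},
    {"host": "WS-0042", "pipe": "\\\\.\\pipe\\msagent_4e"},
    {"host": "WS-0017", "pipe": "\\\\.\\pipe\\mojo.5688.8052.183894939787788"},
    {"host": "WS-0017", "pipe": "\\\\.\\pipe\\postex_a1b2"},
]

# Request URIs from the default Cobalt Strike HTTP profile; a custom Malleable
# C2 profile replaces them, so treat a match as a weak indicator only.
DEFAULT_PROFILE_URIS = {
    "/ca", "/dpixel", "/__utm.gif", "/pixel.gif", "/g.pixel", "/dot.gif",
    "/updates.rss", "/fwlink", "/cm", "/cx", "/pixel", "/activity",
    "/IE9CompatViewList.xml", "/submit.php",
}

# Default named-pipe name patterns reported in public Cobalt Strike detection guidance.
DEFAULT_PIPE_PATTERNS = [re.compile(p) for p in (
    r"MSSE-\d{3,4}-server$", r"msagent_[0-9a-f]{2}$", r"postex_[0-9a-f]{4}$")]


def checksum8(uri_path: str) -> int:
    """Stager URI checksum (Metasploit convention, also used by Cobalt Strike):
    sum of the path bytes without the leading slash, mod 256. 92 = x86, 93 = x64."""
    return sum(ord(c) for c in uri_path) % 256


def find_periodic_flows(conn_log: str, min_conns: int = 5, max_cv: float = 0.1) -> dict:
    """Flag (src, dst, port) tuples whose inter-connection gaps are nearly constant.
    A low coefficient of variation (stdev/mean) of the gaps is the classic beacon
    signal and does not depend on URIs or certificates; sleep jitter widens it,
    which is why max_cv is a tunable assumption."""
    flows = defaultdict(list)
    for line in conn_log.splitlines():
        ts, _uid, src, _sport, dst, dport = line.split("\t")
        flows[(src, dst, dport)].append(float(ts))
    hits = {}
    for key, stamps in flows.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits[key] = {"count": len(stamps), "mean_gap": mean, "cv": cv}
    return hits


def find_suspicious_uris(http_log: str) -> list:
    """Match default-profile URIs and checksum8 stager paths in an http.log excerpt."""
    hits = []
    for line in http_log.splitlines():
        _ts, src, dst, _method, uri = line.split("\t")
        path = uri.split("?", 1)[0]
        if path in DEFAULT_PROFILE_URIS:
            hits.append((src, dst, path, "default-profile-uri"))
        elif re.fullmatch(r"/[A-Za-z0-9]{4}", path):  # default stager URIs are 4 chars
            c = checksum8(path[1:])
            if c == 92:
                hits.append((src, dst, path, "stager-x86"))
            elif c == 93:
                hits.append((src, dst, path, "stager-x64"))
    return hits


def find_default_pipes(events: list) -> list:
    """Return (host, pipe) pairs whose pipe name matches a default Cobalt Strike pattern."""
    return [(e["host"], e["pipe"]) for e in events
            if any(p.search(e["pipe"]) for p in DEFAULT_PIPE_PATTERNS)]


if __name__ == "__main__":
    print("periodic flows:", find_periodic_flows(CONN_LOG))
    print("suspicious URIs:", find_suspicious_uris(HTTP_LOG))
    print("default pipes:", find_default_pipes(PIPE_EVENTS))
```

On the constructed data the 10.0.0.5 host is flagged for a near-constant 60-second gap (the default beacon sleep), 10.0.0.7 is not despite more traffic, the default-profile and stager paths are reported separately from the benign /index.html request, and three of the four pipe events match. In production the periodic-flow check should be run over a window long enough to cover configured sleep times and should whitelist known polling agents, which also produce regular connections.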
Intelligence Sharing:
Shared seller information with ISAC.
Alerted peer organizations in industry.
Contributed to shared blocklists.
5. Root Cause Analysis:
Primary Cause: Threat actors acquiring proven capabilities through dark web.
Contributing Factors: Cobalt Strike is a legitimate, commercially licensed tool; license transfers and cracked builds put it in the hands of actors who were never vetted as customers.
6. Business Impact:
Current Impact: None.
Potential Impact: If purchased by actor targeting us, could enable compromise.
Risk Level: Elevated due to availability of mature framework.
7. Remediation & Prevention:
Completed Actions:
Detection signatures enhanced for Cobalt Strike.
Proactive hunting completed (no findings).
Intelligence shared with peers.
Monitoring enhanced.
8. Conclusion:
This incident involves the availability of the Cobalt Strike framework for purchase on dark web markets. While there is no evidence of a purchase by actors targeting us, the availability of a mature, pre-packaged C2 framework raises the overall threat level. Detection signatures have been enhanced and proactive hunting has been completed with no findings.
Closure Rationale: Intelligence gathered; defenses enhanced; monitoring active.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-10 16:00 EST