Anomali TIP Alert Details
Alert ID: ANOMALI-CAPABILITY-ACQ-7842
Alert Time: 2024-02-10 13:30:45 EST
Severity: HIGH (75/100)
Source: Anomali Threat Intelligence Platform
Rule: “Known Malware Framework Offered for Sale”
MITRE ATT&CK: T1588 – Obtain Capabilities
Alert Details:
Threat Intelligence Finding: Commercial access to Cobalt Strike licensed to new actor
Source: Dark Web Marketplace “exploit[.]market”
Listing Date: 2024-02-09
Seller: “license_king_84”
Product: “Cobalt Strike License + Cracked Versions”
Price: 0.25 BTC (~$12,000)
Listing Details:
“Offering legitimate Cobalt Strike license (will transfer ownership) plus all cracked versions 3.0-4.9. Also includes:
– Custom Malleable C2 profiles
– PowerShell obfuscation scripts
– EDR evasion techniques
– 50+ custom aggressor scripts
– Beacon object files for keylogging, screenshot capture
Perfect for red teaming or other purposes. No questions asked.
Delivery via encrypted DM. BTC only.”
Threat Intelligence Context:
– Seller “license_king_84” known for selling access to red team tools
– Previous sales to actors later linked to ransomware campaigns
– Cobalt Strike is legitimate tool but widely abused by threat actors
– Purchase would give attacker proven capability
Additional Intel:
– Same seller offering Empyre, Covenant, Sliver frameworks
– Also selling “crypter as a service” for bypassing AV
– Active in multiple dark web marketplaces
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify TIP findings | Anomali, Flashpoint | Confirmed legitimate listing |
| 2. Actor Monitoring | Watch for purchase activity | Dark Web Monitoring | No evidence of purchase by actors targeting us |
| 3. Defensive Preparation | Update detection for frameworks | CrowdStrike, Defender | Enhanced Cobalt Strike detection signatures |
| 4. Hunting | Check for framework usage | EDR Logs, Network Traffic | No Cobalt Strike beacons detected |
| 5. Information Sharing | Alert ISAC and peers | ISAC, Industry Partners | Shared intelligence on seller |
Jira Incident Report
Ticket: SOC-2024-055
Summary: T1588 – Cobalt Strike Framework Offered for Sale on Dark Web
Status: RESOLVED
Resolution: INTELLIGENCE – Monitoring Enhanced
Priority: P3 – LOW
Labels: T1588, obtain-capabilities, cobalt-strike, dark-web, anomali
Components: Threat-Intelligence, Detection-Engineering
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Anomali Threat Intelligence Platform.
- Alert: “Known Malware Framework Offered for Sale”.
- Platform: Dark Web marketplace “exploit[.]market”.
- Time: 2024-02-10 13:30 EST.
- Technique: MITRE ATT&CK T1588 – Obtain Capabilities.
2. Technical Analysis:
- Offering Details:
- Seller: “license_king_84” (established vendor)
- Product: Cobalt Strike license + cracked versions
- Price: 0.25 BTC (~$12,000)
- Includes: Custom profiles, evasion scripts, aggressor scripts
- Previous Sales: Linked to ransomware actors
- Capabilities Offered:
- Cobalt Strike Versions: 3.0 through 4.9 (cracked)
- Malleable C2 Profiles: Customizable traffic patterns
- EDR Evasion: Multiple bypass techniques
- Post-Exploitation: Keylogging, screenshot capture
- Persistence: Various methods included
- Risk Assessment:
- Cobalt Strike is most common C2 framework in attacks
- Purchase would give attacker mature capability
- Custom profiles evade signature-based detection
- Seller has history with malicious actors
3. Investigation Findings:
- Timeline:
2024-02-09: Listing posted on dark web
2024-02-10 13:30: Anomali detects and alerts
2024-02-10 13:45: SOC investigation begins
2024-02-10 14:30: Detection signatures updated
2024-02-10 15:00: Proactive hunting completed
- Hunting Results:
- Searched for Cobalt Strike beacons in network traffic (Zeek signatures)
- Searched for known Cobalt Strike process artifacts (EDR)
- Searched for Malleable C2 profile patterns (Network Analysis)
- No indicators found in environment
4. Containment Actions:
- Detection Enhancements:
- Updated Zeek signatures for Cobalt Strike detection.
- Enhanced CrowdStrike IOA rules for beacon behavior.
- Deployed YARA rules for Cobalt Strike artifacts.
- Added Cobalt Strike indicators to network blocklists.
- Proactive Hunting:
- Reviewed last 30 days of network traffic for C2 patterns.
- Analyzed endpoint logs for suspicious process behavior.
- Checked for unusual outbound connections.
- No evidence of framework usage found.
- Intelligence Sharing:
- Shared seller information with ISAC.
- Alerted peer organizations in industry.
- Contributed to shared blocklists.
5. Root Cause Analysis:
- Primary Cause: Threat actors acquiring proven capabilities through dark web.
- Contributing Factors: Cobalt Strike is legitimate tool with dual-use nature.
6. Business Impact:
- Current Impact: None.
- Potential Impact: If purchased by actor targeting us, could enable compromise.
- Risk Level: Elevated due to availability of mature framework.
7. Remediation & Prevention:
Completed Actions:
Detection signatures enhanced for Cobalt Strike.
Proactive hunting completed (no findings).
Intelligence shared with peers.
Monitoring enhanced.
8. Conclusion:
This incident involves the availability of Cobalt Strike framework for purchase on dark web markets. While no evidence of purchase by actors targeting us exists, the availability increases overall threat landscape. Detection signatures have been enhanced and proactive hunting completed.
Closure Rationale: Intelligence gathered; defenses enhanced; monitoring active.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-10 16:00 EST