Once Cobalt Strike is running on an endpoint, an adversary can dump every credential cached on that host and reuse those accounts to authenticate to other systems as a legitimate user, moving laterally without tripping malware detections. SOC teams should proactively hunt for this behavior in their Azure Sentinel (now Microsoft Sentinel) environment to identify lateral movement and early-stage ransomware activity. The query below lists every account that logged on to a host with a Cobalt Strike-related alert around the time of that alert; each of those accounts should be treated as compromised.
KQL Query
// Check for specific alerts
AlertInfo
// This checks over the previous 7 days -- alter Timestamp value for other periods
| where Timestamp > ago(7d)
// Attempts to clear security event logs.
| where Title in("Event log was cleared",
// List alerts flagging attempts to delete backup files.
"File backups were deleted",
// Potential Cobalt Strike activity - Note that other threat activity can also trigger alerts for suspicious decoded content
"Suspicious decoded content",
// Cobalt Strike activity
"'Atosev' malware was detected",
"'Bynoco' malware was detected",
"'Cosipor' malware was detected")
| extend AlertTime = Timestamp
// Map each alert to the device(s) it was raised on; AlertInfo itself carries no DeviceId
| join kind=inner AlertEvidence on AlertId
| where isnotempty(DeviceId)
// One row per alert/device pair, even when an alert has several evidence entries for the same device
| distinct DeviceId, AlertTime, AlertId, Title
// kind=inner keeps every alert on a device; the default innerunique join would keep only one left row per DeviceId.
// The logon table is bounded to the 7d lookback plus the 5d window (12d) so the join does not scan all history.
| join kind=inner (DeviceLogonEvents | where Timestamp > ago(12d)) on DeviceId
// Creating 10 day Window surrounding alert activity
| where Timestamp between ((AlertTime - 5d) .. (AlertTime + 5d))
// Projecting specific columns
| project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain,
AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
id: 28558a10-d431-443b-886d-543a5b5d1871
name: identify-accounts-logged-on-to-endpoints-affected-by-cobalt-strike
description: |
  This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services.
  It finds all user accounts that have logged on to an endpoint affected by Cobalt Strike, a commercial adversary-simulation framework that is widely abused by ransomware operators.
  Assume that all credentials on endpoints affected by Cobalt Strike were available to attackers and that all associated accounts are compromised. Attackers will not only dump credentials for accounts that have logged on to interactive or RDP sessions, but will also dump cached credentials and the passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry (HKLM\SECURITY\Policy\Secrets).
  Reference - https://attack.mitre.org/software/S0154/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
      - DeviceLogonEvents
tactics:
  - Credential Access
query: |
  // Check for specific alerts
  AlertInfo
  // This checks over the previous 7 days -- alter Timestamp value for other periods
  | where Timestamp > ago(7d)
  // Attempts to clear security event logs.
  | where Title in("Event log was cleared",
  // List alerts flagging attempts to delete backup files.
  "File backups were deleted",
  // Potential Cobalt Strike activity - Note that other threat activity can also trigger alerts for suspicious decoded content
  "Suspicious decoded content",
  // Cobalt Strike activity
  "'Atosev' malware was detected",
  "'Bynoco' malware was detected",
  "'Cosipor' malware was detected")
  | extend AlertTime = Timestamp
  // Map each alert to the device(s) it was raised on; AlertInfo itself carries no DeviceId
  | join kind=inner AlertEvidence on AlertId
  | where isnotempty(DeviceId)
  // One row per alert/device pair, even when an alert has several evidence entries for the same device
  | distinct DeviceId, AlertTime, AlertId, Title
  // kind=inner keeps every alert on a device; the default innerunique join would keep only one left row per DeviceId.
  // The logon table is bounded to the 7d lookback plus the 5d window (12d) so the join does not scan all history.
  | join kind=inner (DeviceLogonEvents | where Timestamp > ago(12d)) on DeviceId
  // Creating 10 day Window surrounding alert activity
  | where Timestamp between ((AlertTime - 5d) .. (AlertTime + 5d))
  // Projecting specific columns
  | project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain,
  AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
| Sentinel Table | Notes |
|---|---|
| AlertInfo | Ingested by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; supplies the alert title and time |
| AlertEvidence | Same connector; needed to map each AlertId to the DeviceId it was raised on |
| DeviceLogonEvents | Same connector; the device data stream must be enabled or the logon join returns nothing |
Scenario: Scheduled System Maintenance Job
Description: A service account (e.g., svc-vmbackup or adminsvc) used by a scheduled task or backup job logs on to the affected endpoint routinely, so it appears in the results even though it never interacted with Cobalt Strike.
Filter/Exclusion: Do not exclude it. Service-account logons on an infected host are exactly the credentials the description above says to treat as compromised: they are cached on the host and their passwords sit in LSA Secrets. If the volume is a problem, summarize by account rather than listing every logon event, and use InitiatingProcessFileName from DeviceLogonEvents to annotate rows, not to drop them.
Scenario: Authorized Red Team or Penetration Test
Description: An authorized engagement using Cobalt Strike itself, or a framework with similar tradecraft (e.g., Metasploit), raises the same alerts on the test hosts, so every account that logged on to those hosts is listed.
Filter/Exclusion: Scope on the alert side, not on the logon side: exclude alerts whose DeviceName and Timestamp fall inside the documented engagement window (from a watchlist or rules-of-engagement record). Do not exclude by tool process names such as beacon.exe or msfconsole.exe; those names are attacker-controlled and a real intrusion will not use them.
Scenario: Patching or Update Process
Description: A patch-management agent or deployment account (e.g., WSUS/Windows Update, Ansible over WinRM or SSH, or a software-distribution service) logs on to the affected endpoint during the window. The query does not identify Cobalt Strike from logon behavior, so these logons are not false detections; they are additional accounts whose credentials were present on the host.
Filter/Exclusion: Keep them in scope. Deployment and automation accounts are typically privileged and can log on to many hosts, which makes them a prime lateral-movement path once their cached credentials are dumped.
Scenario: User Logging In for Remote Administration
Description: A system administrator logs on remotely using RDP (LogonType RemoteInteractive) or SSH to troubleshoot the endpoint, possibly in response to the alert itself.
Filter/Exclusion: Do not exclude known admin accounts (e.g., admin, root, or svc-admin). An interactive or RDP logon by a privileged account onto a Cobalt Strike-infected host leaves reusable credential material in LSASS, so these are the highest-priority accounts to reset. Instead, group the results by LogonType and account privilege so that privileged interactive logons surface first.
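Rather than excluding accounts in the base query, the following added example (not part of the original hunting query or of the Microsoft report it came from) applies the tuning approach described in the scenarios above, keeping every exposed account and removing only alerts raised inside an authorized engagement window, and then answers the question the introduction raises: where did those credentials go next? The engagement host, dates and the RedTeamScope watchlist alias are assumptions; the allow-list is a constructed datatable standing in for a Sentinel watchlist.

```kusto
// Added example; not part of the original hunting query or of the Microsoft report it
// came from. It (1) drops alerts raised inside an authorized red-team engagement window,
// (2) lists the accounts exposed on each affected device, and (3) pivots on those
// accounts to find where they logged on next. Host names, dates and the watchlist
// alias are constructed for illustration.
let lookback = 7d;                       // how far back to look for alerts
let window   = 5d;                       // logons within +/- window of the alert(s)
let CobaltStrikeTitles = dynamic([
    "Event log was cleared", "File backups were deleted", "Suspicious decoded content",
    "'Atosev' malware was detected", "'Bynoco' malware was detected", "'Cosipor' malware was detected"]);
// Constructed allow-list of authorized engagements (one row per host). In production this
// would normally be a Sentinel watchlist, e.g. _GetWatchlist('RedTeamScope') (assumed alias).
let AuthorizedEngagements = datatable(EngagementHost:string, StartTime:datetime, EndTime:datetime) [
    "redteam-target01.contoso.local", datetime(2024-03-04), datetime(2024-03-08)
];
// Alert side: one row per (alert, device), minus alerts inside an engagement window.
// Tuning happens here, on the alert side; no account is ever excluded.
let AffectedDevices = AlertInfo
| where Timestamp > ago(lookback)
| where Title in (CobaltStrikeTitles)
| extend AlertTime = Timestamp
| join kind=inner (
    AlertEvidence
    | where isnotempty(DeviceId)
    | project AlertId, DeviceId, EvidenceDeviceName = tolower(DeviceName)   // join keys compare case-sensitively
  ) on AlertId
| distinct AlertId, AlertTime, Title, DeviceId, EvidenceDeviceName
| join kind=leftouter (AuthorizedEngagements) on $left.EvidenceDeviceName == $right.EngagementHost
// Keep alerts that matched no engagement host, or that fall outside the host's window
| where isnull(StartTime) or AlertTime < StartTime or AlertTime > EndTime
| project AlertId, AlertTime, Title, DeviceId, DeviceName = EvidenceDeviceName;
// Exposed accounts: every successful logon on an affected device around its alert(s).
// Run `ExposedAccounts` on its own for the per-device list of credentials to reset.
let ExposedAccounts = AffectedDevices
| summarize FirstAlert = min(AlertTime), LastAlert = max(AlertTime),
            AlertTitles = strcat_array(make_set(Title), "; ") by DeviceId, DeviceName
| join kind=inner (
    DeviceLogonEvents
    | where Timestamp > ago(lookback) - window
    | where ActionType == "LogonSuccess"
    | project DeviceId, LogonTime = Timestamp, LogonType, AccountDomain, AccountName, AccountSid, RemoteDeviceName
  ) on DeviceId
| where LogonTime between ((FirstAlert - window) .. (LastAlert + window))
| where isnotempty(AccountSid)           // SID is the pivot key below; Linux logons carry no SID and need a name-based join
| summarize FirstLogon = min(LogonTime), LastLogon = max(LogonTime), LogonCount = count(),
            LogonTypes = make_set(LogonType), LogonSources = make_set(RemoteDeviceName)
    by DeviceId, DeviceName, FirstAlert, AlertTitles, AccountDomain, AccountName, AccountSid;
// Pivot: later Network/RemoteInteractive logons by an exposed account onto a device that
// is NOT in the affected set. This is the lateral-movement signal the hunt is after.
ExposedAccounts
| join kind=inner (
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | where LogonType in ("Network", "RemoteInteractive")
    | project TargetDeviceId = DeviceId, TargetDeviceName = DeviceName, PivotTime = Timestamp,
              PivotLogonType = LogonType, AccountSid, RemoteIP, RemoteDeviceName
  ) on AccountSid
| where PivotTime > FirstLogon
| join kind=leftanti (AffectedDevices | project TargetDeviceId = DeviceId) on TargetDeviceId
| project AccountDomain, AccountName, AccountSid, SourceDevice = DeviceName, ExposedSince = FirstLogon,
          TargetDeviceName, PivotTime, PivotLogonType, RemoteIP, RemoteDeviceName
| order by AccountName asc, PivotTime asc
```

The exclusion is deliberately a leftouter join plus a time test rather than a process-name filter: the red team's hosts and dates are known in advance and are not something an intruder can influence, whereas process names are. Accounts are never filtered out, so service, deployment and administrative accounts from the scenarios above stay in `ExposedAccounts`; the final pivot only surfaces the subset that went on to authenticate somewhere new.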