Cobalt Strike, a commercial adversary-simulation framework, is routinely abused by ransomware operators for command and control: once a Beacon is running on a host, the same intrusion typically proceeds to lateral movement, data exfiltration and, finally, encryption. The query below correlates the Microsoft 365 Defender alerts that accompany this tradecraft (Cobalt Strike and related malware detections, security event log clearing, backup deletion) with the logon events on the affected devices, so that SOC teams hunting in Microsoft Sentinel (formerly Azure Sentinel) can identify and contain the intrusion before encryption impacts critical assets.
KQL Query
// Start from the Microsoft 365 Defender alerts that accompany Cobalt Strike-enabled ransomware intrusions
AlertInfo
| where Title in(
    // Attempts to clear security event logs.
    "Event log was cleared",
    // Attempts to delete backup files.
    "File backups were deleted",
    // Potential Cobalt Strike activity - note that other threat activity can also
    // trigger alerts for suspicious decoded content
    "Suspicious decoded content",
    // Cobalt Strike activity
    "\'Atosev\' malware was detected",
    "\'Ploty\' malware was detected",
    "\'Bynoco\' malware was detected",
    "\'Cobaltstrike\' malware was detected",
    "Echo command over pipe on localhost",
    "Known attack framework activity was observed",
    "An active \'Cobaltstrike\' malware was detected",
    "Suspicious \'CobaltStrike\' behavior was prevented",
    "Suspicious process launch by Rundll32.exe")
| extend AlertTime = Timestamp
| distinct AlertTime, AlertId, Title
// Get the device(s) involved in each alert from its evidence entities.
// kind=inner is explicit: the default join kind (innerunique) keeps only one
// left-side row per key value.
| join kind=inner AlertEvidence on $left.AlertId == $right.AlertId
// Evidence rows for non-device entities (files, accounts, IPs) carry no DeviceId
| where isnotempty(DeviceId)
| summarize by DeviceId, AlertTime, Title, AlertId
// Pull all logon events for those devices.
// kind=inner matters here: several alerts can share a DeviceId, and innerunique
// would silently drop all but one of them.
| join kind=inner DeviceLogonEvents on $left.DeviceId == $right.DeviceId
// Keep logons inside a 10-day window centred on the alert (5 days either side)
| where Timestamp > AlertTime - 5d and Timestamp < AlertTime + 5d
// Project the columns an analyst pivots on: who logged on, from where, and when relative to the alert
| project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
id: 95db9b9c-7a12-4c0b-85c8-1c54f67c5ac7
name: Potential ransomware activity related to Cobalt Strike
description: |
  Use this query to look for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
      - DeviceLogonEvents
tactics:
  - Ransomware
query: |
  // Start from the Microsoft 365 Defender alerts that accompany Cobalt Strike-enabled ransomware intrusions
  AlertInfo
  | where Title in(
      // Attempts to clear security event logs.
      "Event log was cleared",
      // Attempts to delete backup files.
      "File backups were deleted",
      // Potential Cobalt Strike activity - note that other threat activity can also
      // trigger alerts for suspicious decoded content
      "Suspicious decoded content",
      // Cobalt Strike activity
      "\'Atosev\' malware was detected",
      "\'Ploty\' malware was detected",
      "\'Bynoco\' malware was detected",
      "\'Cobaltstrike\' malware was detected",
      "Echo command over pipe on localhost",
      "Known attack framework activity was observed",
      "An active \'Cobaltstrike\' malware was detected",
      "Suspicious \'CobaltStrike\' behavior was prevented",
      "Suspicious process launch by Rundll32.exe")
  | extend AlertTime = Timestamp
  | distinct AlertTime, AlertId, Title
  // Get the device(s) involved in each alert from its evidence entities.
  // kind=inner is explicit: the default join kind (innerunique) keeps only one
  // left-side row per key value.
  | join kind=inner AlertEvidence on $left.AlertId == $right.AlertId
  // Evidence rows for non-device entities (files, accounts, IPs) carry no DeviceId
  | where isnotempty(DeviceId)
  | summarize by DeviceId, AlertTime, Title, AlertId
  // Pull all logon events for those devices.
  // kind=inner matters here: several alerts can share a DeviceId, and innerunique
  // would silently drop all but one of them.
  | join kind=inner DeviceLogonEvents on $left.DeviceId == $right.DeviceId
  // Keep logons inside a 10-day window centred on the alert (5 days either side)
  | where Timestamp > AlertTime - 5d and Timestamp < AlertTime + 5d
  // Project the columns an analyst pivots on: who logged on, from where, and when relative to the alert
  | project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName
| Sentinel Table | Notes |
|---|---|
| AlertInfo | Ingested by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the connector is enabled and this table is selected |
| AlertEvidence | Same connector; provides the DeviceId that ties each alert to a device |
| DeviceLogonEvents | Same connector; provides the logon activity correlated around each alert |
Each example filter below is a KQL where clause appended after the final project step of the query above, so it can only use the projected columns (Title, DeviceName, Timestamp, LogonType, AccountName, AlertTime, RemoteIP, RemoteDeviceName and so on); the query output carries no process name or command line. Host names, accounts, IP addresses and dates in the filters are placeholders to be replaced with a watchlist. Every filter is written as not(A and B) so that it removes only the specific benign combination rather than a whole class of activity.
Scenario: Legitimate Cobalt Strike usage for red team exercises
Filter/Exclusion: Suppress results for the engagement's devices and operator accounts, and only for the approved engagement window. Do not exclude on process name: the Beacon payload runs inside ordinary host processes (rundll32.exe, or injected into another process), not as a process called cobaltstrike.exe, which is the operator's client and team server. Do not suppress the Cobalt Strike alert titles themselves, since real intruders use the same tooling.
Example Filter: | where not(DeviceName in~ ("redteam-ws01") and AlertTime between (datetime(2024-05-01) .. datetime(2024-05-15)))
Scenario: Scheduled system maintenance or patching tasks
Filter/Exclusion: Patching and Task Scheduler activity do not by themselves produce the alerts this query keys on, and there is no schtasks.exe column to filter on. What maintenance can trigger is "File backups were deleted", when backup software on a backup server purges old volume shadow copies; suppress that one title on those hosts only and keep it everywhere else, because shadow-copy deletion on a file server or workstation is one of the strongest pre-encryption signals in the list.
Example Filter: | where not(Title == "File backups were deleted" and DeviceName in~ ("bkp-01", "bkp-02"))
Scenario: Administrative tasks such as remote desktop sessions or remote management
Filter/Exclusion: RDP sessions appear in DeviceLogonEvents as RemoteInteractive logons and PsExec-style remote management as Network logons from the administrator's host. Exclude logons whose RemoteDeviceName or RemoteIP is an approved jump host, not the logon types as a whole: an attacker moving laterally from a compromised workstation produces exactly these logon types.
Example Filter: | where not(LogonType in ("RemoteInteractive", "Network") and (RemoteDeviceName in~ ("jump-01") or RemoteIP in ("10.10.5.20")))
Scenario: Use of Cobalt Strike for internal security testing
Filter/Exclusion: Treat lab and test ranges like a red team engagement: exclude by device naming convention or lab address range rather than by process or alert description, and keep the exclusion scoped so that a lab host that starts logging on to production devices is still visible.
Example Filter: | where not(DeviceName startswith "seclab-" or RemoteIP startswith "10.99.")
Scenario: Legitimate software deployment or configuration management
Filter/Exclusion: Deployment and configuration-management tools (Configuration Manager, Chocolatey, Ansible, Puppet, Chef) authenticate with dedicated service accounts from a small set of servers; exclude Network logons by those accounts from those servers. Filtering on tool executables is not possible here and would be wrong anyway: Ansible, for instance, manages Windows over WinRM from a control node and leaves no ansible.exe on the endpoint.
Example Filter: | where not(LogonType == "Network" and AccountName in~ ("svc-sccm", "svc-ansible") and RemoteDeviceName in~ ("deploy-01"))
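The following is an added example and not part of the Microsoft hunting query or the scenarios above. It assembles the same alert-to-logon correlation, applies the five tuning scenarios as allowlists in one place, and then pivots the tuned output on remote hosts that logged on to the alerting device only after the alert, which is the lateral-movement question the query is meant to answer. Table and column names are those of the Microsoft 365 Defender schema used by the query; the host names, accounts, IP addresses and engagement dates in the allowlists are hypothetical placeholders and would normally come from a Sentinel watchlist.

```kql
// Added example: tuned Cobalt Strike / ransomware alert correlation with a lateral-movement pivot.
// Not Microsoft's query; allowlist values below are hypothetical placeholders.
let CsRansomwareTitles = dynamic([
    "Event log was cleared", "File backups were deleted", "Suspicious decoded content",
    "\'Atosev\' malware was detected", "\'Ploty\' malware was detected",
    "\'Bynoco\' malware was detected", "\'Cobaltstrike\' malware was detected",
    "Echo command over pipe on localhost", "Known attack framework activity was observed",
    "An active \'Cobaltstrike\' malware was detected",
    "Suspicious \'CobaltStrike\' behavior was prevented",
    "Suspicious process launch by Rundll32.exe"]);
// Scenarios 1 and 4: authorized red team / lab hosts, suppressed only inside the approved window (hypothetical)
let AuthorizedTestHosts = datatable(DeviceName:string, WindowStart:datetime, WindowEnd:datetime) [
    "redteam-ws01", datetime(2024-05-01), datetime(2024-05-15),
    "seclab-vm07",  datetime(2024-01-01), datetime(2030-01-01)
];
// Scenario 2: backup servers that legitimately purge old shadow copies (hypothetical)
let BackupServers = dynamic(["bkp-01", "bkp-02"]);
// Scenario 3: approved jump hosts for RDP and remote management (hypothetical)
let JumpHosts = dynamic(["jump-01", "10.10.5.20"]);
// Scenario 5: deployment / configuration-management service accounts (hypothetical)
let DeploymentAccounts = dynamic(["svc-sccm", "svc-ansible"]);
// Step 1: alerts of interest, resolved to the devices in their evidence
let AlertDevices =
    AlertInfo
    | where Title in (CsRansomwareTitles)
    | extend AlertTime = Timestamp
    | distinct AlertTime, AlertId, Title
    | join kind=inner AlertEvidence on $left.AlertId == $right.AlertId
    | where isnotempty(DeviceId)
    | summarize by DeviceId, AlertTime, Title, AlertId;
// Step 2: logons on those devices, 5 days either side of the alert (kind=inner keeps every alert per device)
let Logons =
    AlertDevices
    | join kind=inner DeviceLogonEvents on $left.DeviceId == $right.DeviceId
    | where Timestamp > AlertTime - 5d and Timestamp < AlertTime + 5d
    | project Title, DeviceName, DeviceId, Timestamp, LogonType, AccountDomain, AccountName, AccountSid, AlertTime, AlertId, RemoteIP, RemoteDeviceName;
// Step 3: apply the tuning scenarios as narrow not(A and B) exclusions
let Tuned =
    Logons
    | join kind=leftouter AuthorizedTestHosts on DeviceName
    | where not(isnotnull(WindowStart) and AlertTime between (WindowStart .. WindowEnd))
    | where not(Title == "File backups were deleted" and DeviceName in~ (BackupServers))
    | where not(LogonType in ("RemoteInteractive", "Network") and (RemoteDeviceName in~ (JumpHosts) or RemoteIP in (JumpHosts)))
    | where not(LogonType == "Network" and AccountName in~ (DeploymentAccounts))
    | project-away WindowStart, WindowEnd, DeviceName1;
// Step 4: lateral-movement pivot. Remote hosts seen only after the alert are candidate
// attacker footholds (or the device is being used to reach them); hosts already seen
// before the alert are the device's normal peers.
Tuned
| where LogonType in ("Network", "RemoteInteractive")
| extend Remote = coalesce(RemoteDeviceName, RemoteIP)   // coalesce treats "" as empty for strings
| where isnotempty(Remote)
| summarize Before = make_set_if(Remote, Timestamp < AlertTime),
            After  = make_set_if(Remote, Timestamp >= AlertTime),
            Accounts = make_set(AccountName), Titles = make_set(Title)
            by DeviceId, DeviceName, AlertTime
| extend NewAfterAlert = set_difference(After, Before)
| where array_length(NewAfterAlert) > 0
| project DeviceName, AlertTime, Titles, NewAfterAlert, Accounts
| order by AlertTime desc
```

Two design choices are worth noting. The exclusions are applied after the logon join rather than on AlertInfo, because every scenario except the backup-server one is about who logged on from where, which is only known after the join. And the leftouter join against the engagement table leaves WindowStart null for devices not on the list, so `isnotnull(WindowStart) and ...` evaluates to false for them and the `not(...)` keeps the row; in Kusto `false and null` is false, so the null never leaks into the filter and silently drops rows.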