urochsw
Level 7
Message 1 of 7

Block execution of Cobalt Strike beacons


Dear all.

As tests are showing that blocking of Cobalt Strike Beacon doesn't work, I really need to know if there is a straightforward way to configure ENS to block this.

We are running the latest version of ENS and otherwise have a great configuration.

Tests also show that other vendors actually block the beacons.

It has to be noted that the testers did some effort to evade static detection of the beacons but used the generic beacon shellcode generated by Cobalt Strike. The testers therefore assume that the McAfee solution is not configured to perform runtime scanning of processes.

All help would be very appreciated.

2 Solutions

Accepted Solutions
ueno
Employee
Message 2 of 7

Re: Block execution of Cobalt Strike beacons


Hi @urochsw ,

There are no settings in ENS that are specifically designed to handle Cobalt Strike Beacon.

From what you have provided, it seems that a script-related scan is required, so please check if enabling the AMSI setting in the on-access scan will result in the expected behavior.

[How AMSI integration with Threat Prevention improves security]
https://docs.trellix.com/bundle/endpoint-security-10.7.x-product-guide-windows/page/GUID-56D530F2-C0...

You can set AMSI settings in the following policy.

[Endpoint Security Threat Prevention]
 - [On-Access Scan]
  - [Antimalware Scan Interface]
   - [Enable AMSI (provides enhanced script scanning)]
   
If you are also using Adaptive Threat Protection, you can also configure AMSI settings in the Adaptive Threat Protection, so please try this as well.

[Endpoint Security Adaptive Threat Protection]
 - [Options]
  - [Real Protect Scanning]
   - [Enable enhanced script scanning (includes AMSI integration)]

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?


Re: Block execution of Cobalt Strike beacons


Do you have Real Protect Cloud enabled (and validated it is working... no proxy/fw block, etc)?

What about ATD?  There is an awesome, amazing, wonderful detection in there that is really good for it... though I'm a bit partial to it perhaps because I wrote the underlying logic.  😉  

Additionally, there is an Exploit Prevention rule for common named pipes with CobaltStrike that you can enable.

Beyond that, leveraging DAC is a great way to reduce risk, but you'll want to do it with a TIE server. Leveraging the memory injection rules, you can also utilize the reputation to restrict untrusted processes from doing things like host discovery activities, executing OS processes with blank command lines, etc, which are common with malicious activity.  It takes a bit of work, but you can lock down a host better than anything else out there if you put the time into it. 

ENS has for some reason long struggled with CobaltStrike. I'm not sure why when it handles things like Sliver, Empire, and Brute Ratel so well.  


Dave

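Dave's reply names two behavioural signals rather than file signatures: Beacon's well-known default named pipes, and OS binaries being spawned with no command-line arguments. The following is an added illustration of what such a check looks like as detection logic; it is not ENS, Exploit Prevention or DAC code, and it is not the rules Dave mentions. It runs over constructed Sysmon-style lines (Event 17 = pipe created, Event 1 = process create) embedded below. The pipe patterns are the publicly documented Cobalt Strike defaults (a customised Malleable profile renames them, so a miss here proves nothing), and the list of binaries that "should never run with a blank command line" is an assumption you would tune for your estate.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified Sysmon-like "key=value" layout.
# These are NOT real logs; values are invented for the demonstration.
SAMPLE_EVENTS = [
    "EventID=17 Image=C:\\Windows\\System32\\svchost.exe PipeName=\\msagent_1a2b",
    "EventID=17 Image=C:\\Program Files\\App\\app.exe PipeName=\\MSSE-4215-server",
    "EventID=17 Image=C:\\Windows\\explorer.exe PipeName=\\postex_9f3c2b1a",
    "EventID=17 Image=C:\\Windows\\System32\\spoolsv.exe PipeName=\\spoolss",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine=rundll32.exe",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe "
    "CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe "
    "CommandLine=\"C:\\Windows\\System32\\notepad.exe\"",
]

# Publicly documented default Beacon pipe names (SMB beacon, post-ex jobs).
# A tuned Malleable C2 profile changes these, so treat a match as high
# confidence and a miss as no information.
PIPE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^\\MSSE-\d+-server$",
    r"^\\msagent_[0-9a-f]+$",
    r"^\\postex_(ssh_)?[0-9a-f]+$",
    r"^\\status_[0-9a-f]+$",
)]

# Assumption: these OS binaries have no legitimate reason to start with
# no arguments at all. Tune per environment; this is a starting point.
NO_ARG_SUSPECT = {"rundll32.exe", "regsvr32.exe"}


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def parse_event(line):
    """Split 'Key=Value Key=Value' into a dict. Values may contain spaces;
    a new field starts only where a word followed by '=' appears."""
    fields = {}
    for token in re.split(r" (?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_blank_command_line(image, command_line):
    """True when a watched binary is launched with nothing but its own name
    or path (optionally quoted) as the command line."""
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe not in NO_ARG_SUSPECT:
        return False
    cl = command_line.strip().strip('"').strip()
    return cl.lower() in {exe, image.lower()}


def scan_events(lines):
    """Return one Finding per event that matches either rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "")
        if ev.get("EventID") == "17":
            pipe = ev.get("PipeName", "")
            if any(p.match(pipe) for p in PIPE_PATTERNS):
                findings.append(Finding("cobaltstrike_default_pipe", image, pipe))
        elif ev.get("EventID") == "1":
            cmd = ev.get("CommandLine", "")
            if is_blank_command_line(image, cmd):
                findings.append(Finding("os_binary_blank_cmdline", image, cmd))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.image}  ->  {f.detail}")
```

On the sample data this flags the three default-named pipes and the argument-less rundll32.exe launch, and ignores the spooler pipe, the rundll32.exe call that carries arguments, and notepad.exe (not on the watch list). The point Dave makes about DAC and reputation is the missing half: a rule like this tells you what happened, while containment at the Unknown reputation level decides whether the process was allowed to do it in the first place.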

6 Replies
urochsw
Level 7
Message 3 of 7

Re: Block execution of Cobalt Strike beacons


Hi

Many thanks for the input.

I already have the suggested policy settings in use.

This is a tricky one I know, I was hoping for some miracle setting that could be set and then enforced.

I will leave this open for some time, to see if I can come up with something or if I get some other ideas.

Regards


urochsw
Level 7
Message 5 of 7

Re: Block execution of Cobalt Strike beacons


Hi Dave 

Great interesting reading.

This together with previous reply will help me.

Thanks

Re: Block execution of Cobalt Strike beacons


I DM'ed you some rules to play with that should generally crush CobaltStrike (and everything else) when used.  Just be sure to set DAC to contain at Unknown for them to work.  

urochsw
Level 7
Message 7 of 7

Re: Block execution of Cobalt Strike beacons


Many thanks for this, and many apologies for the late reply.

I will run a test.
