Trend Micro -
Tracking Cobalt Strike: A trend micro Vision One Investigation
Cobalt Strike is a well-known beacon or post-exploitation tool that has been linked to several ransomware campaigns. This report focuses on the process of uncovering its tracks in order to fully contain and remove a malware infection.
In late May, Trend Micro Managed XDR alerted a customer to a noteworthy Vision One alert on one of their endpoints. What followed was a deeper investigation that involved searching for other similarly infected endpoints and the confirmation of a Cobalt Strike detection.
This blog will cover the tactics and steps we took during this investigation. The alert from one endpoint led to the collection of further evidence and clues that pointed to other infected endpoints, eventually revealing the root of the attack.
Cobalt Strike is a well-known beacon or post-exploitation tool that has been linked to ransomware families like Ryuk, DoppelPaymer, and Povlsomware. The Cobalt Strike variant used here follows its typical characteristics. However, this