{
	"id": "fbd0f518-d1d5-4eaa-ad0b-4b1021a1a03a",
	"created_at": "2026-04-06T00:16:51.919502Z",
	"updated_at": "2026-04-10T03:22:10.45322Z",
	"deleted_at": null,
	"sha1_hash": "09b2280ea7c555a6756e99bd3d4a0c7aef3f5fa4",
	"title": "Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2 | Cyb3rSn0rlax",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 164020,
	"plain_text": "Detecting CONTI CobaltStrike Lateral Movement Techniques -\r\nPart 2 | Cyb3rSn0rlax\r\nPublished: 2021-11-01 · Archived: 2026-04-05 22:08:54 UTC\r\nDetecting CONTI CobaltStrike Lateral Movement Techniques - Part 2\r\nDetection opportunities on lateral movement techniques used by the CONTI ransomware group using CobaltStrike.\r\nIn this second and last part of detecting CONTI lateral movement techniques I will go through the rest of\r\nCobaltStrike's built-in capabilities documented in the CONTI leak.\r\nIn the first blog post I tried to cover the jump command capabilities and detection opportunities, where we\r\ncompared them to some built-in Windows utilities.\r\nFor the first part, please visit: Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1\r\nWMI is Microsoft's implementation of Web-Based Enterprise Management (WBEM), which is an industry\r\ninitiative to develop a standard technology for accessing management information in an enterprise environment,\r\nand CIM (Common Information Model), which is an open standard from the Distributed Management Task Force\r\n(DMTF). CIM provides a common definition of management information for systems, networks, applications,\r\nand services.\r\nhttps://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2\r\nPage 1 of 7\n\nWMI can be used over the RPC/WinRM protocol or RPC/DCOM. In this introduction I will be focusing on\r\nRPC/DCOM.\r\nData in WMI is grouped into WMI classes. WMI classes are then grouped into WMI namespaces. 
Most of the\r\nWMI classes exist under the root\\cimv2 WMI namespace.\r\nIn summary, each namespace contains classes which have:\r\nMethods: actions that can be taken.\r\nProperties: information that can be retrieved.\r\nInstances: instances of the class objects (services, processes, disks), each instance with its own methods and\r\nproperties.\r\nEvents: actions that WMI can monitor for and take action on when they happen.\r\nWMI leverages DCOM server and client interfaces to communicate over the network between Windows\r\nManagement Instrumentation Remote Protocol clients and servers.\r\nWhen it comes to lateral movement, one of my favorite data sources to check first is Zeek. Upon running the\r\nsimulated lateral movement attack using the CobaltStrike built-in command remote-exec wmi, the following\r\ntelemetry was generated by Zeek.\r\nThe zeek.dce_rpc.endpoint column values are the interfaces, while the zeek.dce_rpc.operation values are the methods\r\ndefined in the WMI and DCOM documentation. This is very helpful in order to understand what WMI looks like\r\nfrom a network perspective. Zeek can identify these GUIDs related to the IWbem interfaces. A full list is documented\r\nin the GitHub source code here.\r\nIObjectExporter::ServerAlive: First we can see RPC binding information calls to the IObjectExporter\r\ninterface using the methods ServerAlive or ServerAlive2 to determine server aliveness. Which\r\nmethod is used depends on the COMVERSION in use.\r\nIRemoteSCMActivator::RemoteCreateInstance: The DCOM client MUST support the Activation\r\nand OXID Resolution DCOM mechanisms for creating and resolving object references. The activation\r\nmechanism can be achieved through two interfaces and three different methods:\r\nIActivation::RemoteActivation, IRemoteSCMActivator::RemoteCreateInstance, or\r\nIRemoteSCMActivator::RemoteGetClassObject.\r\nIRemUnknown2::RemQueryInterface: Every object can be bound to one or multiple interfaces. 
An\r\nobject reference counter is used to keep track of Component Object Model (COM) objects. For acquiring\r\nadditional interfaces on the object, IRemUnknown::RemQueryInterface and\r\nIRemUnknown2::RemQueryInterface calls are used.\r\nAn object reference is represented on the wire by a marshaled form called OBJREF.\r\nIWbemLevel1Login::NTLMLogin: According to the MS-WMI documentation, during protocol\r\ninitialization the client MUST call the IWbemLevel1Login::NTLMLogin method.\r\nIWbemServices::ExecMethod: This call returns an interface pointer to the IWbemServices management\r\nservices, where methods like GetObject, which retrieves a CIM class or a CIM instance, and ExecMethod,\r\nwhich executes a CIM method implemented by a CIM class or a CIM instance, can be used.\r\nIRemUnknown2::RemRelease: The release sequence is then called to decrement the reference counter.\r\nBelow is a mind map where I tried to summarize the different interfaces and methods used during WMI remote\r\ncalls. This will help understand the telemetry recorded by Zeek in order to identify the best calls to focus our\r\ndetections on.\r\nAs stated in the MS-WMI documentation, during protocol initialization the client MUST call the\r\nIWbemLevel1Login::NTLMLogin method. This is a good indication of WMI usage over the network. However, a\r\ngood baseline of users and assets with authorization to use WMI, accompanied by a well-defined change\r\nmanagement process, will significantly improve your detection success rate. IWbemServices::ExecMethod and\r\nIWbemServices::GetObject calls are also good indications of WMI accessing web-based management services.\r\nZeek Telemetry:\r\nCobaltStrike has a built-in lateral movement module called remote-exec which supports three commands:\r\nwmi, winrm, and psexec. 
The remote-exec module is used to execute a command on a host remotely and doesn't\r\npop a beacon unless it is used for that particular purpose, by first uploading a script or a beacon file, then executing it\r\nvia the remote-exec commands and using the link or connect commands to assume control of the target.\r\nIn this section I will be exploring some of the telemetry generated from the endpoint perspective using the wmi\r\ncommand.\r\nThe wmiprvse.exe process is spawned with the command line C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\r\n-secured -Embedding and parent command line C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch.\r\nEID 5857 was generated to report the start of the WMI provider cimwin32.dll. There are many WMI\r\nproviders, so this event alone is not very useful because WMI usage can be verbose.\r\nThe command is executed within the context of *WmiPrvSE.exe*.\r\nBy default, WMI uses a randomly selected dynamic TCP port in the range 49152 to 65535.\r\nDetecting malicious usage of WMI relies heavily on the abnormal child process behavior of WmiPrvSE.exe. However,\r\nsome approaches can be taken to improve your detections. 
For example, if you have an SCCM server, you might\r\nconsider whitelisting the following paths in your process command arguments (Reference):\r\nC:\\\\Windows\\\\CCM\\\\SystemTemp\\\\\r\nC:\\\\Windows\\\\CCMCache\\\\\r\nC:\\\\CCM\\\\\\\\Cache\\\\\r\nKeep in mind that attackers might still abuse these paths to evade detections, so baselining your assets, source IPs\r\nand users that are allowed to use WMI remotely is recommended to increase detection resilience.\r\nBy default only Local Administrators or Domain Admins can read WMI class information, so in order to further\r\nrefine your access control policies you can limit regular users' permissions by adding them to the Distributed COM\r\nUsers group and the Performance Monitor Users group.\r\nIn the leaked CONTI documentation, we noticed a lot of wmic.exe usage for remote command execution across\r\nmultiple assets. For example, they use a batch file called WMI.BAT with the following command to spread a\r\nbinary file across multiple hosts.\r\nstart wmic /node:@C:\\\\share$\\\\comps1.txt /user:\"DOMAIN\\\\Administrator\" /password:\"PASSWORD\" process call create\r\nOr interact with beacon through the shell command to dump credentials:\r\nshell wmic /node:[target] process call create \"cmd /c rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump\r\nWMIC.EXE is one of the Windows built-in utilities that leverages the WMI protocol for command execution. For\r\ndetection opportunities we can look for:\r\nEID 4648 A logon was attempted using explicit credentials, where the process name is svchost.EXE\r\nand the service class is RPCSS*. 
This event is a good DFIR artifact for differentiating between the original\r\naccount and the account specified in the wmic command (in my case I didn't specify any credentials).\r\nA service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service\r\nfor a given Kerberos target computer. There are multiple SPN registrations:\r\nHTTP/hostname.contoso.com, like when using PowerShell Remoting via Enter-PSSession\r\nWSMAN/hostname.contoso.com, like when using WinRM for Remoting\r\nCIFS/hostname.contoso.com, like when using PsExec\r\nHOST/hostname.contoso.com, for any service running on the computer with hostname HOSTNAME\r\nThe RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activation\r\nrequests, object exporter resolutions and distributed garbage collection for COM and DCOM servers (source).\r\nThe HOST service can also be used for remotely executing\r\ncommands on the target system via WMI (source).\r\nOn the destination, as previously explained, looking for abnormal behavior of WmiPrvSE.exe, like spawning\r\nPowerShell.exe and Cmd.exe with suspicious arguments, would be effective (see the previous Endpoint table\r\nfor more details).\r\nThe table below displays WMIC-related telemetry generated from the source host:\r\nThe following rules present some ideas about detecting malicious WMI behavior.\r\nAtomic Red Team provides a good resource to test your WMI detections.\r\nEDR Testing Script:\r\nTest the accuracy of Endpoint Detection and Response (EDR) software with a simple script which\r\nexecutes various ATT\u0026CK/LOLBAS/Invoke-CradleCrafter/Invoke-DOSfuscation payloads\r\nTo provide more details about the WMI activity for your DFIR engagements, you can use ETW. 
To enable the\r\nevent tracing of WMI, you can use the command line:\r\nPS C:\\\u003e wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true\r\nBe aware that ETW was made for debugging, and enabling WMI event tracing might generate a lot of data,\r\nwhich will be stopped after reaching a certain size/duration limit.\r\nThe remote-exec winrm command is similar to jump winrm64 in command execution under the context of\r\nwsmprovhost.exe, except that it was not made for creating and maintaining a remote session, hence\r\nwsmprovhost.exe terminates after execution.\r\nGenerated telemetry on the destination:\r\nThe remote-exec psexec command creates and starts a service remotely with a random Service Name and the passed\r\ncommand as the Service File Name. The main difference between this feature and jump psexec or jump\r\npsexec64 is that remote-exec psexec does not generate a service executable and upload it to the target. 
As\r\nnoticed before, CobaltStrike's service file spawns rundll32.exe with no arguments, which is suspicious.\r\nMonitoring services.exe child processes for malicious behavior like spawning system shells (cmd.exe and\r\npowershell.exe) or other discovery binaries like whoami.exe, systeminfo.exe, net.exe, etc. would be\r\neffective against this type of attack.\r\nIn the CONTI leaked documentation, the playbook shows the usage of this module to dump lsass.exe memory\r\nvia comsvcs.dll:\r\nremote-exec psexec [target] cmd /c rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump PID C:\\\\ProgramDat\r\nThis detection rule from Elastic should be enough to detect such behavior.\r\nSee the previous blog for more details on CobaltStrike psexec\r\nbuilt-in capabilities detection.\r\nAs defined by MITRE in the ATT\u0026CK framework:\r\nAdversaries may \"pass the hash\" using stolen password hashes to move laterally within an\r\nenvironment, bypassing normal system access controls. Pass the hash (PtH) is a method of\r\nauthenticating as a user without having access to the user's cleartext password. This method bypasses\r\nstandard authentication steps that require a cleartext password, moving directly into the portion of the\r\nauthentication that uses the password hash.\r\nCobaltStrike has a built-in module called pth to perform the pass-the-hash attack using Mimikatz's sekurlsa::pth\r\nmodule. As stated by the CobaltStrike creator himself, this is not OpSec safe since it presents low-hanging detection\r\nopportunities for defenders.\r\nThe PTH module has a hardcoded command that contains a suspicious sequence of arguments such as *cmd.exe /c\r\necho \u003e \\\\.\\\\pipe\\*. Monitoring process creation events with such arguments would be effective against\r\nCobaltStrike's way of implementing and automating the pass-the-hash attack. 
Keep in mind attackers can always use\r\nthe Mimikatz PTH module, where they can change these properties.\r\nAnother key event for detecting pass the hash is EID 4624 with logon type 9 (NewCredentials), logon process\r\nseclogo and Authentication Package Negotiate.\r\nPTH detection observations:\r\nThe CONTI leaked documentation shows RDP being used several times for manual access, whether to dump\r\nlsass process memory using Task Manager or to export credentials from user profiles and keylogger data. This is\r\nnot an exploitation of the RDP service itself, since the attacker already got their hands on the user's credentials, so in\r\nthis case maintaining a good RDP users policy will help create a baseline and detect related violations. EID\r\n4825 A user was denied the access to Remote Desktop can be helpful in this matter.\r\nI previously created this mind map for RDP DFIR Authentication event logs that can be observed in your\r\nenvironment when using RDP with and without NLA enabled.\r\nThe mind map was pushed to a great GitHub project started by Andrew Rathbun (@bunsofwrath12) here.\r\nThe RDP mind map can be found following this link:\r\nGitHub Project Repository\r\nRDP DFIR Authentication Event Logs PDF\r\nSource: https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2"
	],
	"report_names": [
		"detecting-conti-cobaltstrike-lateral-movement-techniques-part-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434611,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09b2280ea7c555a6756e99bd3d4a0c7aef3f5fa4.pdf",
		"text": "https://archive.orkl.eu/09b2280ea7c555a6756e99bd3d4a0c7aef3f5fa4.txt",
		"img": "https://archive.orkl.eu/09b2280ea7c555a6756e99bd3d4a0c7aef3f5fa4.jpg"
	}
}