{
	"id": "7f9fdbb9-9314-4ac1-8743-25d1bbce9061",
	"created_at": "2026-04-06T00:19:39.206456Z",
	"updated_at": "2026-04-10T03:24:23.62441Z",
	"deleted_at": null,
	"sha1_hash": "141913080f2afd32c62226c958d63933f5dc5905",
	"title": "New Snort, ClamAV coverage strikes back against Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 99737,
	"plain_text": "New Snort, ClamAV coverage strikes back against Cobalt Strike\r\nBy Jonathan Munshaw\r\nPublished: 2020-09-21 · Archived: 2026-04-05 14:48:52 UTC\r\nMonday, September 21, 2020 00:01\r\nBy Nick Mavis. Editing by Joe Marshall and Jon Munshaw.\r\nCisco Talos is releasing a new research paper called “The Art and Science of Detecting Cobalt Strike.”\r\nWe recently released a more granular set of updated SNORTⓇ and ClamAVⓇ detection signatures to detect attempted obfuscation and exfiltration of data via Cobalt Strike, a common toolkit often used by adversaries.\r\nCobalt Strike is a “paid software platform for adversary simulations and red team operations.” It is used by professional security penetration testers and malicious actors to gain access to and control infected hosts on a victim network. Cobalt Strike has been utilized in APT campaigns and was most recently observed in the IndigoDrop campaign and in numerous ransomware attacks.\r\nWhat’s New?\r\nThis paper is a coverage narrative, discussing and sharing the challenges and solutions to creating coverage for Cobalt Strike attacks. We decided it wasn’t simply enough to provide coverage — we wanted to use this as an opportunity to show our readers what Cobalt Strike is, how it operates, and the mindset it takes to craft effective Snort and ClamAV signatures. This was a tough but worthy journey for Talos. More than 50 new signatures between Snort and ClamAV were created, and combined with prior coverage, they cover the following core set of Cobalt Strike modules:\r\nRaw shellcode generator\r\nStaged/stageless executable generator\r\nHTML application attack generator\r\nScripted web delivery\r\nSigned Java applet attack\r\nSmart Java applet attack\r\nSystem profiler\r\nSo what?\r\nCobalt Strike is notorious and often synonymous with cyber attacks. As noted in Talos’ Quarterly Report: Incident Response trends in Summer 2020, Cobalt Strike accounted for 66 percent of all ransomware attacks Cisco Talos Incident Response responded to this quarter. It’s a prolific platform for both red teams and malicious actors.\r\nCobalt Strike’s strength comes from the many answers it offers to difficult questions an attacker might have. Deploy listeners and beacons? No problem. Need to create some shellcode? Easy. Create staged/stageless executables? Done. Given Cobalt Strike’s versatility, it’s no wonder Talos is noticing a trend for attackers to lean more upon Cobalt Strike and less upon commodity malware.\r\nReady to jump in?\r\nThere’s a lot to learn in this paper. We delve deep into how Cobalt Strike operates. This is vital to a security researcher, as we focused on specific elements to craft effective coverage. As you read, you’ll see our thought processes as we created our Cobalt Strike coverage.\r\nIt’s important to understand the technical aspects of the threat you’re addressing. However, crafting coverage is a nuanced art. Keying in on the specific technical condition is vital, but coverage should be broad enough to catch the threat while preventing evasion tactics and catching other attacks. To make matters worse, coverage needs to be effective, but also humane to the sensors that will be doing all of the inspection, while minimizing false positives. It can be a very difficult balance to strike. This is why we created “The art and science of detecting Cobalt Strike” — not only to highlight Cisco Talos’ Cobalt Strike coverage, but to give back to our security community. We’re proud of our coverage, but we also hope to assist readers in understanding the art of effective detection. By unveiling the details of Cobalt Strike detection, we hope our journey to coverage helps you craft your own when thinking about how to address threats.\r\nSource: https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html"
	],
	"report_names": [
		"coverage-strikes-back-cobalt-strike-paper.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434779,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/141913080f2afd32c62226c958d63933f5dc5905.pdf",
		"text": "https://archive.orkl.eu/141913080f2afd32c62226c958d63933f5dc5905.txt",
		"img": "https://archive.orkl.eu/141913080f2afd32c62226c958d63933f5dc5905.jpg"
	}
}