{
	"id": "d0f02e13-82e9-4ae3-a46c-7c90ce07fe58",
	"created_at": "2026-04-06T00:16:35.918486Z",
	"updated_at": "2026-04-10T03:21:14.372614Z",
	"deleted_at": null,
	"sha1_hash": "288a29e0be4811baff8c1b2a8dcf9c2b84ff6499",
	"title": "The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3407560,
	"plain_text": "The Anatomy of an APT Attack and CobaltStrike Beacon’s\r\nEncoded Configuration - SentinelLabs\r\nBy Gal Kristal\r\nPublished: 2020-05-11 · Archived: 2026-04-05 17:15:20 UTC\r\nEven in these uncertain times, state-sponsored groups continue their hacking attempts and we must stay vigilant at all times. We recently investigated such a state-sponsored attack on a SentinelOne customer, one of the leaders in their field of business.\r\nIn light of the Coronavirus lockdowns and subsequent understaffing at many businesses, we were contacted by the customer to help investigate an intrusion that was discovered in their network by threat alerts in their SentinelOne Console.\r\nWe were contacted shortly after the malicious activity was discovered and asked to find the attackers’ persistence methods as well as to ensure full remediation.\r\nIn this post, we’ll describe how we did that using SentinelOne features as well as other tools and methods we developed along the way.\r\nKey Points\r\n1. Progression: The attack propagated initially through the company’s VPN to an inner Windows server, then on to the Domain Controller and afterward to servers containing the sought-after data.\r\n2. Toolkit: The attackers used a CobaltStrike beacon with a then-unknown persistence method using DLL hijacking (detailed below). Other than that, the group relied solely on LOLBins and mostly fileless methods for local execution and lateral movement.\r\n3. Hunting: Beacon configuration parsing tool and related SentinelOneQL hunting queries.\r\nEntry Point\r\nWe learned from the customer that the same actor had accessed the company in August 2019 via their Citrix server. Even though the customer has had multiple credential rotations since, implemented haveibeenpwned password lookups and aligned with NIST 800-63B, our assessment was that the actor had used intelligence gained from stolen credentials in their previous access to connect to the company’s VPN service.\r\nThe attackers connected to the company’s VPN through a public PureVPN node. This hides their real IP address in the VPN’s logs and makes attribution more difficult.\r\nLateral Movement\r\nhttps://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/\r\nPage 1 of 11\r\nAt the beginning of our investigation, we reviewed the threats marked by the SentinelOne Agent in the Console. One of the Attack Storylines looked like this:\r\nFrom this, we could see how the attackers achieved lateral movement and what code they ran: a one-line PowerShell payload that we identified as a CobaltStrike Beacon stager:\r\nIt’s easy to see from the Attack Storyline that after the beacon was up and running, they first ran quser to verify they’re running as SYSTEM and then migrated themselves into explorer.exe to masquerade as a benign process.\r\nFrom explorer.exe, they ran multiple recon commands (the IPs in this post were changed for privacy):\r\nWe can tell that at least some of the commands aren’t part of an automated recon script by their occasional typos; for example, these commands were run one after the other:\r\nBy looking at that explorer’s DNS requests and PowerShell HTTP requests we were able to obtain their C2 domains. To verify these domains we base64-decoded the Beacon’s PowerShell stager and analyzed that shellcode using the great scdbg tool:\r\nOne of their first actions in the network was to dump credentials by copying the NTDS. To do so, using the Beacon they connected to the Domain Controller’s C$ share and uploaded update.bat, and to run it they created a remote scheduled task. But instead of running the task on demand, it was timed so it would run shortly after:\r\nThe batch file contained the commands to dump the NTDS (and other registry files needed to parse it) and delete the scheduled task:\r\nTo exfiltrate the NTDS the attackers used rar.exe that was already present on the system (validating first that the target has WinRAR installed):\r\nIn our searches, the usage of WinRAR’s CLI tool with password encryption was found to be pretty indicative of malicious actions.\r\nBy taking the NTDS from the network the attackers can freely move laterally as any user using pass-the-hash or golden/silver tickets.\r\nRemedial actions taken at this point:\r\n1. Changing credentials across the domain\r\n2. Replacing the VPN product with one supporting MFA\r\n3. Initiating a full rollback of all reported threats in the SentinelOne console\r\n4. Restarting infected systems\r\nPersistence\r\nSoon after these actions, we saw in the SentinelOne Console that after a user logs in to the infected systems the beacon starts signalling again. Not surprisingly, the adversary had used some kind of persistence here.\r\nWe found an interesting file drop they had made very early in this operation – a DLL file at C:\\Windows\\wlanapi.dll that was uploaded remotely to several systems.\r\nThe dropped DLL contains an encoded Beacon payload and a custom-made unpacker. It masquerades by name as the legitimate wlanapi.dll, which is part of the Wireless LAN service (wlansvc) and exports functions for tasks such as listing nearby wireless networks and connecting to them. In our research, we found that this file does not always exist by default and is probably downloaded automatically by the OS when there is a wireless adapter.\r\nThis DLL is loaded by explorer.exe when a user logs in, as explained in this detailed post, which was released just as we finished our research.\r\nThis is how the exports of the normal wlanapi.dll look:\r\nBut the dropped DLL has no exports, and the DllMain looks like this:\r\nThe beacon_init is a simple function that decodes the Beacon payload and runs it in a new thread. It starts with a check of whether it’s running in svchost.exe, but then totally ignores that check.\r\nAs pseudocode:\r\nIt then creates a mutex named Global\\exampleMutex. It builds the mutex name using a float for the first 16 chars and an int for the remaining three characters:\r\nThis means the string \"Global\\exampleMutex\" won’t be found in a string search on this binary, only \"Global\\exampleMu\".\r\nThen it copies the encoded Beacon buffer to newly allocated memory, where it XOR-decodes it using a hardcoded 10-byte key:\r\nWe dumped the decoded Beacon from memory to a file and parsed it using a script we wrote to extract the Beacon’s configuration.\r\nBeacon Configuration Parsing\r\nDuring our investigation, we wanted to make sure we had extracted every bit of information from the memory dumps we had and the persistence that we had found, so we could use that data to search for the same actor across all our customers and in VirusTotal.\r\nTo this end, we wrote a Python script that parses CobaltStrike Beacon configuration from a PE file or a memory dump. The Beacon’s configuration is usually XOR-encoded using a single hardcoded byte, which is 0x69 in Beacon version 3 and 0x2e in Beacon version 4, and is in a TLV (Type-length-value) format.\r\nIn our searches we found good scripts (thanks JPCERT and CAPE!), but they lacked support for Beacon version 4 and didn’t parse every field there is in the configuration, so we chose to rewrite and improve them.\r\nThe script is available here and its usage is simple:\r\nParsing the Beacon encoded inside the wlanapi.dll gives this (cleaned a bit for brevity):\r\nUsing this information it’s possible to create Yara rules that match the exact configuration of the Beacon you want. Let’s say you want to find Beacons version 3 with Host: officeasiaupdate.appspot.com as header parameter and a combination of parameters DNS_Idle=0.0.0.0 and SleepTime=3000:\r\nThen in a Yara rule:\r\nAny feedback and pull requests are welcome.\r\nIOCs\r\nMD5: 87E00060C8AB33E876BC553C320B37D4\r\nSHA1: BDF9679524C78E49DD3FFDF9C5D2DC8980A58090\r\nDescription: wlanapi.dll (Persistence)\r\nC2 Domains and DNS queries\r\neustylejssync.appspot[.]com\r\n*.asiasyncdb[.]com\r\nofficeasiaupdate.appspot[.]com (as HOST header)\r\nYara Rules\r\nrule custom_packer\r\n{\r\n    meta:\r\n        description = \"Detects the beginning of the actors packer\"\r\n    strings:\r\n        $b1 = {C7 44 24 38 53 56 43 48}\r\n        $b2 = {C7 44 24 3C 4F 53 54 2E}\r\n        $b3 = \"exampleMu\"\r\n    condition:\r\n        (uint16(0) == 0x5a4d) and all of ($b*)\r\n}\r\nRelated Queries for Hunting with SentinelOneQL\r\nHere are some queries that can be used in the ‘Visibility’ page in the SentinelOne Console. These queries can help find some of the actions that were described above but, as for any hunting query, they might need fine-tuning for some environments.\r\nSuspicious Folders in Use\r\nUnsigned DLL being dropped straight into windows, system32 or syswow64 folders:\r\nEventType in ( \"File Modification\" , \"File Creation\" , \"File Deletion\" , \"File Rename\" ) AND FileType\r\nDLL being moved into windows, system32 or syswow64 folders:\r\nEventType = \"File Rename\" AND FileType ContainsCIS \"dll\" AND FileFullName ContainsCIS \"windows\" AND\r\nSuspicious BAT / CMD files being dropped into temp folder:\r\nEventType IN ( \"File Modification\" , \"File Creation\" , \"File Deletion\" , \"File Rename\" ) AND FileFull\r\nSuspicious Processes / Command Lines in Use\r\nUsing too many cmd /c with RCE Living off the land binaries:\r\nProcessCmd ContainsCIS \"cmd\" AND ProcessCmd ContainsCIS \"/c\" AND ProcessCmd RegExp \"cmd.*s/cs.*cmd.*s\r\nor\r\nProcessCmd ContainsCIS \"cmd\" AND ProcessCmd ContainsCIS \"/c\" AND ProcessCmd RegExp \"(at|sc|schtasks|w\r\nRar with password or with a specific compression level (our research suggests it’s rare to see it used legitimately with the RAR CLI tool):\r\n(ProcessCmd ContainsCIS \"-hp\" AND ProcessCmd RegExp \"sas.*s-hp[^s]+s\") OR (ProcessCmd ContainsCIS \"-m\r\nExecuting a scheduled task once at a specific time:\r\nProcessCmd ContainsCIS \"/sc\" AND ProcessCmd RegExp \"(-|/)sc\" AND ProcessCmd RegExp \"(-|/)st\" AND Proc\r\nSuspicious Behavioral Indicators\r\nLoading a wlanapi.dll or wlanhlp.dll that was dropped from a different process:\r\nIndicatorName = \"LoadUnreleatedLibrary\" AND IndicatorMetadata ContainsCIS \"wlanapi.dll\" OR IndicatorM\r\nIn this case, the Unknown file is associated with lateral movement groups:\r\nIndicatorName = \"LoadUnreleatedLibrary\" AND ProcessName = \"Unknown file\"\r\nSource: https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/"
	],
	"report_names": [
		"the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration"
	],
	"threat_actors": [],
	"ts_created_at": 1775434595,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/288a29e0be4811baff8c1b2a8dcf9c2b84ff6499.pdf",
		"text": "https://archive.orkl.eu/288a29e0be4811baff8c1b2a8dcf9c2b84ff6499.txt",
		"img": "https://archive.orkl.eu/288a29e0be4811baff8c1b2a8dcf9c2b84ff6499.jpg"
	}
}