{
	"id": "9062da8a-dd4c-422a-b8fd-0455d8ca0874",
	"created_at": "2026-04-06T00:20:05.789391Z",
	"updated_at": "2026-04-10T03:21:47.717026Z",
	"deleted_at": null,
	"sha1_hash": "c0393872503ae1635cd0914f1a12604ef97b03dc",
	"title": "Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1 | Cyb3rSn0rlax",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 174489,
	"plain_text": "Detecting CONTI CobaltStrike Lateral Movement Techniques -\r\nPart 1 | Cyb3rSn0rlax\r\nPublished: 2021-11-08 · Archived: 2026-04-05 19:57:51 UTC\r\nDetecting CONTI CobaltStrike Lateral Movement Techniques - Part 1\r\nDetection opportunities on lateral movement techniques used by the CONTI ransomware group using CobaltStrike.\r\nIn an attempt to contribute to the defensive capabilities of security teams regarding the increase of CobaltStrike usage by threat actors (TA), and in a joint effort with @MichalKoczwara, a series of articles will be released on CobaltStrike TTP detections related to the CONTI leak.\r\nFor the first part of this blog post, I will cover detection opportunities for lateral movement (LM) techniques used by the TA CONTI via CobaltStrike. Keep in mind that I tried to boil it down to analytics that can be used for other lateral movement variations and not just those specific to the CONTI group or CobaltStrike (CS).\r\nMITRE ATT\u0026CK defines lateral movement as:\r\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. 
Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.\r\nhttps://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1\r\nPage 1 of 10\n\nLooking in the CobaltStrike documentation we can find some built-in modules for Lateral Movement, defined in the table below, which were included in the leaked documentation:\r\nOther capabilities are used by the group, like the Remote-Exec command, the PTH module, RDP and the SHELL command to remotely execute commands using the WMIC.EXE utility. I will go through these TTPs in the second part.\r\nThe lab setup used for the demos:\r\nElastic Stack (Winlogbeat + Filebeat)\r\nVICTIM: Windows 10 user machine (Initial Access)\r\nDC_ATLAS: Domain Controller, Windows Server 2016 (Lateral Movement Target)\r\nT1021.006 Remote Services: Windows Remote Management\r\nWinRM is the Microsoft implementation of the WS-Management protocol, an open standard for constructing XML messages following the Simple Object Access Protocol (SOAP) message format.\r\nThis great blog explains in simple steps a typical WinRM-based conversation for invoking commands:\r\n1.\r\n2.\r\n3.\r\n4. Keep requesting output until the command state is done and examine the exit code.\r\n5.\r\n6.\r\nI will go more in depth about WinRM from a defensive perspective during lateral movement in a separate blog, but for more details I recommend checking the official documentation [MS-WSMV
]. However, there are a couple of things we should keep in mind when it comes to the limitations of WinRM and why the PowerShell Remoting Protocol (PSRP) is a much better choice to go with.\r\nThe default SOAP message size is 512KB, with a maximum of 8192KB. This attribute can be modified with the following command: winrm set winrm/config/winrs '@{\u003cQuota\u003e=\"\u003cValue\u003e\"}'\r\nWinRM also doesn't have built-in functionality for file transfer. We will learn in the next section that the PowerShell Remoting Protocol (PSRP) is a much better alternative.\r\nWindows Built-in WinRM tools\r\nIn order to understand CobaltStrike's WinRM beacon capabilities, I first tried to observe the normal behavior of some of the tools that can be used legitimately. There are 3 main ways to execute commands remotely using WinRM:\r\nThe Windows Remote Shell (winrs) built-in tool is a pure implementation of remote command execution via WinRM. Upon executing a command using the winrs.exe utility via the command winrs -r:dc_atlas \"ipconfig\", the following telemetry was recorded on the destination:\r\nsvchost.exe spawns winrshost.exe with the parent command line C:\\Windows\\system32\\svchost.exe -k DcomLaunch\r\nwinrshost.exe then invokes a cmd.exe instance and executes the command within its context.\r\nAfter the command finishes executing, these processes are terminated because winrs.exe doesn't support persistent sessions, so every time you execute a command remotely this behavior repeats itself.\r\nInvoke-Command \u0026 Enter-PSSession:\r\nThese PowerShell cmdlets use the PowerShell Remoting Protocol [MS-PSRP], which is a separate protocol that runs over WinRM. 
PSRP supports many message types to execute commands and retrieve their outputs, and its main difference from the WSMV specs is its message fragmentation handling process, which makes it more reliable vis-à-vis WinRM message size limitations.\r\nWhile testing these cmdlets, the following telemetry was recorded on the destination:\r\nsvchost.exe spawns wsmprovhost.exe with the parent command line C:\\Windows\\system32\\svchost.exe -k DcomLaunch\r\nInvoke-Command \u0026 Enter-PSSession both run commands within the context of wsmprovhost.exe\r\nThe difference between these two cmdlets is that Invoke-Command will terminate the wsmprovhost.exe process after receiving the output, while Enter-PSSession will establish a persistent session.\r\nNow that we have established what telemetry can be left behind by using Windows built-in tools, we can distinguish suspicious process behavior. Let's see in the following section how CS default configurations for lateral movement behave.\r\nFirst, let's discover the telemetry that will be generated on the source and destination for every attempt to use WinRM remotely:\r\nOther events are generated on the destination side, but those in the previous table are the most relevant to remote WinRM activity. You can use them according to your collection and correlation strategy. Obviously, EID 1, EID 91 and EID 4656 have much higher event decisiveness than the rest. 
I will be releasing a Mindmap that groups all this telemetry in one place at the end of this blog post series.\r\nNow jumping to the jump winrm command: some first differences in process tree behavior were observed at execution time.\r\nThe jump winrm command generated the same telemetry as in the previous observations, except that the beacon runs under the context of a PowerShell instance invoked by wsmprovhost.exe. This is not something we can normally observe by using winrs, Invoke-Command or Enter-PSSession, unless the invoked command is powershell.exe itself, in which case the PowerShell cmdlets would produce this behavior.\r\nBy default the powershell.exe instance runs via the command line:\r\n\"c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" -Version 5.1 -s -NoLogo -NoProfile\r\nCobaltStrike provides a shell command to interact with the beacon and execute commands. The shell command spawns a cmd.exe instance from the invoked powershell.exe process for every executed command.\r\nA general diagram of the process tree observed during the execution of this CS module is illustrated below:\r\nCobaltStrike jump winrm64\r\nHere are the main differences from the jump winrm command:\r\nLike Enter-PSSession, jump winrm64 executes commands within the context of a wsmprovhost.exe instance. The session is persistent: no termination of the wsmprovhost.exe process was observed.\r\nIn the previous sections we have established some key observations regarding remote command execution via WinRM. However, during the demo, I used a stageless beacon. The script first decodes the Base64 encoded payload, then it uses the .NET API to call Windows API functions in memory using assemblies. The script then allocates some memory and copies the payload into the allocated memory space. 
The payload was a 64-bit DLL and the technique used was reflective DLL loading.\r\nThe payload strings contained by default:\r\nThis YARA rule can be effective in detecting default usage of CS stageless beacons.\r\nThe following PowerShell events were observed on the target:\r\nEID 4104 Script Block Logging:\r\nThis event can be considered noisy, so be careful during your detection engineering process and consider its verbosity.\r\nScript blocks exceeding the maximum length of an event log message are fragmented into multiple entries.\r\nUnlike EID 4103, this event doesn't record the output of the script.\r\nEID 4103 Module Logging:\r\nGenerates a large volume of events.\r\nRecords the output of the executed commands.\r\nKeep in mind that these events are not enabled by default.\r\nIn order to validate your detection rules against WinRM being used for remote command execution, Atomic Red Team provides a great guide below:\r\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md\r\nIn DFIR engagements these events can be a good source of information to get the right attack attribution:\r\nEID 142 WSMan operation CreateShell failed (helpful when WinRM is not enabled on the target host)\r\nEID 169 User Authenticated Successfully (the user who was connected remotely)\r\nEID 81 Processing Client Request for Operation CreateShell (start of remoting activity)\r\nEID 134 Sending Response for Operation DeleteShell (end of remoting activity)\r\nEID 403 Engine state is changed from Available to Stopped (this event records the completion of a PowerShell activity)\r\nWinRM event logs lack simple attribution and traceability, meaning you need multiple correlation layers in order to identify the user, the source IP and the ID of the infected process.\r\nThe command 
Get-WSManInstance -ComputerName localhost -ResourceURI Shell -Enumerate lists all currently active remote WinRM sessions and provides useful information:\r\nOwner: Username that opened the remote session.\r\nClientIP: Source IP from where the attacker attempted to move laterally.\r\nProcessID: In this case it is wsmprovhost.exe, from which the executed commands will be invoked.\r\nChildProcesses: Number of child processes it opened.\r\nMemoryUsed: Can be a good indicator, since the winrm64 CS module used more than twice the memory used by Enter-PSSession for the same command.\r\nPS C:\\Users\\Administrator\u003e Get-WSManInstance -ComputerName localhost -ResourceURI Shell -Enumerate\r\nrsp : \u003chttp://schemas.microsoft.com/wbem/wsman/1/windows/shell\u003e\r\nlang : en-US\r\nShellId : 04E49AF8-1CA8-4ACC-9135-6A3269115F3E\r\nName : WinRM1\r\nResourceUri : \u003chttp://schemas.microsoft.com/powershell/Microsoft.PowerShell\u003e\r\nOwner : ATLAS\\Administrator\r\nClientIP : 10.10.10.30\r\nProcessId : 2844\r\nIdleTimeOut : PT7200.000S\r\nInputStreams : stdin pr\r\nOutputStreams : stdout\r\nMaxIdleTimeOut : PT2147483.647S\r\nLocale : en-US\r\nDataLocale : en-US\r\nCompressionMode : XpressCompression\r\nProfileLoaded : Yes\r\nEncoding : UTF8\r\nBufferMode : Block\r\nState : Connected\r\nShellRunTime : P0DT0H4M32S\r\nShellInactivity : P0DT0H1M28S\r\nMemoryUsed : 134MB\r\nChildProcesses : 2\r\nA good idea would be to generate an event with the output of this command every time the wsmprovhost.exe process is created, using scheduled tasks.\r\nCobaltStrike jump psexec \u0026 psexec64\r\nI love going through ZEEK logs first and looking for network related telemetry, especially for lateral movement techniques. 
When using the CS psexec or psexec64 modules for lateral movement I observed remote service creation. These modules use the named pipes (RPC/NP) method to interact with the service control manager (SCM) RPC server. The server interface is identified by UUID 367ABB81-9844-35F1-AD32-98F038001003 and uses the RPC endpoint \\PIPE\\svcctl.\r\nThe following ZEEK event logs were recorded:\r\nA ZEEK DCE-RPC event was generated with DCE-RPC endpoint SVCCTL and operation CreateServiceWoW64A\r\nOn the target, EID 5145 A network share object was checked to see whether client can be granted desired access will be generated with Relative Target Name defined as SVCCTL and Share Name \\*\\IPC$\r\nA service is then created with a random name and an Image Path calling the process via the command \\\\127.0.0.1\\ADMIN$\\[SERVICE_RANDOM_NAME].exe. This will generate EID 7045 New Service Was Installed and EID 4697 A Service Was Installed in the System\r\nThen \\\\127.0.0.1\\ADMIN$\\[SERVICE_RANDOM_NAME].exe is executed and it invokes a rundll32.exe instance with no arguments, which is very suspicious.\r\nInteracting with the beacon via the SHELL command invokes a cmd.exe instance.\r\nThe following table is a summary of the observed telemetry relevant to this lateral movement technique.\r\nCobaltStrike jump psexec_psh\r\nCobaltStrike can leverage a PowerShell version of PsExec using the built-in module psexec_psh, with everything being executed in memory via a one-liner.\r\nAs previously noticed, an interaction with the SCM RPC server in order to create a service remotely was observed. 
Below are the ZEEK DCE-RPC event logs with the same operation as psexec \u0026 psexec64:\r\nCreateServiceWOW64A\r\nThis is followed by the creation of a new service, which generated EID 7045/4697 with %COMSPEC% and powershell in the Service File Name field.\r\nPowerShell's EID 400 can be used as a detection opportunity where HostApplication contains powershell -nop -w hidden -encodedcommand.\r\nPipe creation matching the regex pattern status_[0-9a-f]{2} was also observed. I provide below a gist with several regex patterns to detect hard coded named pipes in CobaltStrike modules. Below is an EID 5145 that can be used for this purpose, but I encourage you to use Sysmon instead for its higher event traceability quality.\r\nCobalt Strike Named Pipe Regex.csv\r\nInteracting with the beacon via the CS shell command would invoke a cmd.exe instance.\r\nThis pattern alone is very suspicious and can be a good detection opportunity for default usage of the psexec_psh command.\r\nThe following are the event logs I observed during the demos:\r\nAtomic Red Team provides a good start to validate your detection against some of these attack techniques:\r\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md\r\nYou can use the following CyberChef recipe to decode and extract shellcode information executed by the psexec_psh command.\r\nhttps://github.com/SophosRapidResponse/CyberChef/blob/main/Cobalt%20Strike%20recipe%20for%20JABz.txt\r\nYou can list created pipes using the Get-ChildItem PowerShell cmdlet:\r\nGet-ChildItem \\\\.\\pipe\\\r\nSysinternals has a dedicated tool that can also be leveraged for the same purpose.\r\nThis blog post series on Detecting CONTI CobaltStrike Lateral Movement Techniques is focused on default usage of CS built-in capabilities, meaning that a sophisticated attacker 
will be able to change these settings and evade detections based on them thanks to CobaltStrike's modularity. My hope is to increase awareness, at least about the telemetry that needs to be audited and qualified, how to correlate it and how to respond to relevant attacks, in order to increase the time, effort and skills an APT has to invest in order to compromise your assets.\r\nYou can read my previous post on Detection Engineering Dimensions, the Analytics part, where I discuss analytic resilience.\r\nSource: https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1"
	],
	"report_names": [
		"detecting-conti-cobaltstrike-lateral-movement-techniques-part-1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434805,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0393872503ae1635cd0914f1a12604ef97b03dc.pdf",
		"text": "https://archive.orkl.eu/c0393872503ae1635cd0914f1a12604ef97b03dc.txt",
		"img": "https://archive.orkl.eu/c0393872503ae1635cd0914f1a12604ef97b03dc.jpg"
	}
}