This is great work by @MichalKoczwara! Maybe hidden to some, is the Beacon configuration. Specifically Spawnto_*.
This list provides insight to what actors are using to inject into with CobaltStrike --> 🧵 https://twitter.com/MichalKoczwara/status/1341659356866240517
spawnto... is actually two settings, that change the program Cobalt Strike opens and injects shellcode into. In other words: any time Cobalt Strike starts a new Beacon process, the process will be the one designated by spawnto. The default is rundll32.exe. https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/
How to Write Malleable C2 Profiles for Cobalt Strike

It’s not fun to get caught on an assessment because your target has your toolset signatured. It’s even less fun if that signature is easily bypassed. Cobalt Strike’s Malleable C2 is a method of...

https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/
What can we learn from this work by @MichalKoczwara?
The majority use the default (rundll32), and as it tapers off we see some interesting processes used:
rundll32.exe401
gpupdate.exe16
svchost.exe8
mstsc.exe6
WerFault.exe3
dllhost.exe3
mavinject.exe3
gpresult.exe2
net.exe2
wusa.exe2
WUAUCLT.exe1
cmstp.exe1
compact.exe1
eventvwr.exe1
iexplore.exe1
lsass.exe1
regsvr32.exe1
w32tm.exe1
How can defenders use this? I recommend reviewing, with the data we have, normal process lineage of each of these. Ask (for each):
Does wusa.exe spawn from explorer.exe?
When gpresult.exe is used, does it normally have command line arguments?
Some of this was disclosed in the @FireEye Red Team tools https://github.com/fireeye/red_team_tool_countermeasures, under the name "BEACON". Above we saw what is public, but what was the FireEye Red Team doing?
fireeye/red_team_tool_countermeasures

Contribute to fireeye/red_team_tool_countermeasures development by creating an account on GitHub.

https://github.com/fireeye/red_team_tool_countermeasures
Quick breakdown -
spawnto_:
SYMERR
Microsoft WorkFlow Compiler
SEARCH INDEXER
SEARCHPROTOCOLHOST
ask the same questions as before.

Moved/renamed:
msbuild
regsvr32
Microsoft WorkFlow Compiler
Gist for posterity - https://gist.github.com/MHaggis/bdcd0e6d5c727e5b297a3e69e6c52286
Extraction of Spawnto's in public CobaltStrike servers, related to https://twitter.com/M_haggis/s...

Extraction of Spawnto's in public CobaltStrike servers, related to https://twitter.com/M_haggis/status/1341746928665542659?s=20, https://twitter.com/MichalKoczwara/status/13416593568662405...

https://gist.github.com/MHaggis/bdcd0e6d5c727e5b297a3e69e6c52286
You can follow @M_haggis.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
Those who think consciousness raising & movement building are disconnected, or even a distraction from electoral politics have not paid attention to the history of social change.In this thread, we
Read more
The 2020s will be known as the Remote Work decadeA few predictions of what is likely to emerge[ a thread ] Third Space: Office and Working from Home will
Read more
1/29: Have you ever had a concept explained to you that helps frame complex issues you’ve been wrestling with and opens your eyes to new possibilities? A concept that I
Read more
By continuing to use the site, you are consenting to the use of cookies as explained in our Cookie Policy to improve your experience.