Rapid7’s Incident Response (IR) team was engaged to investigate an incident involving an attempted Cobalt Strike execution.
The investigation uncovered twists and turns with pre-ransomware activities, tunneling tools, and attackers taking a page out of the defender’s playbook. The attacker took careful steps to maintain access to the environment through persistence that mimicked normal user behavior. This blog covers the techniques, indicators of compromise (IoCs), and detections for Rapid7 customers.
Source: Rapid7
Related:
- Identifying and Mitigating Potential Velociraptor Abuse
October 9, 2025
Open-source technologies and communities are a big part of the Rapid7 ethos, and that’s not by chance – it’s by design. Rapid7 believes that its Metasploit, AttackerKB, and Velociraptor initiatives help create a strong threat intelligence foundation as well as a secure digital future for all. Unfortunately, the same open-source tools that help security teams ...
- Chinese authorities are using a new tool to hack seized phones and extract data
July 16, 2025
Security researchers say Chinese authorities are using a new type of malware to extract data from seized phones, allowing them to obtain text messages — including from chat apps such as Signal — images, location histories, audio recordings, contacts, and more. In a report shared exclusively with TechCrunch, mobile cybersecurity company Lookout detailed the hacking tool ...
- Forensic journey: Breaking down the UserAssist artifact structure
July 14, 2025
As members of the Global Emergency Response Team (GERT), Kaspersky works with forensic artifacts on a daily basis to conduct investigations, and one of the most valuable artifacts is UserAssist. It contains useful execution information that helps us determine and track adversarial activities, and reveal malware samples. However, UserAssist has not been extensively examined, leaving ...
- Innovative Tunnelling and Forensic Tool Abuse: IR Tales from the Field
June 17, 2025
Rapid7’s Incident Response (IR) team was engaged to investigate an incident involving an attempted Cobalt Strike execution. The investigation uncovered twists and turns with pre-ransomware activities, tunneling tools, and attackers taking a page out of the defender’s playbook. The attacker took careful steps to maintain access to the environment through persistence that mimicked normal user behavior. ...
- Host-based logs, container-based threats: How to tell where an attack began
June 3, 2025
Although containers provide an isolated runtime environment for applications, this isolation is often overestimated. While containers encapsulate dependencies and ensure consistency, the fact that they share the host system’s kernel introduces security risks. Based on Kaspersky security researchers’ experience providing Compromise Assessment, SOC Consulting, and Incident Response services to Kaspersky customers, the researchers have repeatedly seen ...
- Cybertruck driver used ChatGPT to plan Las Vegas attack
January 7, 2025
Police found a six-page manifesto on Matthew Livelsberger’s phone and said he used ChatGPT to plan his New Year’s Day bombing at the Trump International Hotel in Las Vegas, Sheriff Kevin McMahill said at a news conference Tuesday. A few of the entries posted in the application included “How much Tannerite is equivalent to 1 pound ...
