[et_pb_section fb_built=”1″ _builder_version=”4.16″ _module_preset=”default” background_image=”https://quointelligence.eu/wp-content/uploads/2021/06/Lead-Visual-3.png” da_disable_devices=”off|off|off” global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row _builder_version=”4.20.2″ _module_preset=”default” min_height=”130px” custom_margin=”69px|auto||auto||” custom_padding=”17px||0px||false|false” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” header_font_size=”29px” header_line_height=”1.6em” min_height=”146.8px” custom_padding=”||8px|||” global_colors_info=”{}”]

Intel Briefing | Use of Exploitation Frameworks Alternative to Cobalt Strike by Threat Actors | April 2023

[/et_pb_text][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” header_font_size=”29px” header_line_height=”1.6em” custom_margin=”-38px|||||” custom_padding=”1px|||||” global_colors_info=”{}”]

Sector: IT, Cross-sector | Reading time: 15 min | Audience Role: CISO, Threat Analyst

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row column_structure=”1_2,1_2″ module_class=”newsletter_form” _builder_version=”4.16″ _module_preset=”default” background_color=”RGBA(0,0,0,0)” background_enable_image=”off” custom_padding=”3%|5%|11px|5%|false|false” global_colors_info=”{}”][et_pb_column type=”1_2″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” text_text_color=”#ffffff” text_font_size=”16px” text_line_height=”1.6em” header_text_color=”#ffffff” header_2_text_color=”#ffffff” custom_padding=”0%||||false|false” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]

In past years, Cobalt Strike was the main exploitation and post-exploitation framework used by criminal and state-affiliated threat actors. However, advances in Cobalt Strike Beacon detection have made it harder for threat actors to use it successfully.

In recent months, we have observed a switch to alternative frameworks, such as Brute Ratel, Sliver, and Manjusaka.

While these are not yet as widespread as Cobalt Strike, eCrime and state-affiliated threat actors have deployed them in their campaigns.

QuoIntelligence assesses that the move to alternatives to Cobalt Strike will continue. Detection and prevention measures must therefore be adjusted to cover emerging exploitation frameworks.

In this report we describe the functionality of, and suggested detection measures for, three frameworks that are gaining an increasing footprint: Sliver, Brute Ratel, and Manjusaka.

[/et_pb_text][et_pb_image src=”https://quointelligence.eu/wp-content/uploads/2023/06/logo_white.png” title_text=”logo_white” _builder_version=”4.20.2″ _module_preset=”default” custom_padding=”28px||48px||false|false” global_colors_info=”{}”][/et_pb_image][/et_pb_column][et_pb_column type=”1_2″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_button button_url=”https://mercury.quointelligence.eu/api/mercury/attachment/88/96294/14410″ url_new_window=”on” button_text=”QuoIntelligence Premium Subscribers click here for direct access to the report” button_alignment=”center” _builder_version=”4.20.2″ _module_preset=”default” custom_button=”on” button_text_size=”20px” button_text_color=”#FFFFFF” button_bg_color=”RGBA(255,255,255,0)” button_border_width=”5px” button_border_color=”#D65B32″ button_border_radius=”3px” button_letter_spacing=”0px” button_font=”|600|||||||” button_icon=”I||divi||400″ background_layout=”dark” custom_margin=”30px||23px||false|false” hover_enabled=”0″ button_text_shadow_style=”preset2″ button_text_shadow_horizontal_length=”0em” button_text_shadow_vertical_length=”0em” button_text_shadow_color=”#0c0c0c” box_shadow_style=”preset1″ box_shadow_color=”#FFFFFF” global_colors_info=”{}” sticky_enabled=”0″][/et_pb_button][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” custom_margin=”||-6px||false|false” custom_padding=”||22px||false|false” global_colors_info=”{}”]


[/et_pb_text][et_pb_code _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][/et_pb_code][/et_pb_column][/et_pb_row][/et_pb_section]