In this post, I will show you how to use VirusTotal and Mandiant Security Validation to validate that your internet security controls can detect and/or prevent command and control communication for a malware sample.
As a security analyst, you have been tasked with validating whether your network security controls can detect and/or prevent Cobalt Strike Command and Control communication.
The steps will be as follows:
- Find the Cobalt Strike malware sample that triggered both crowdsourced IDS and YARA rules.
- Download the PCAP artifacts of the malware.
- Create network actions by importing the PCAP.
- Run the network actions between an internal actor (representing a victim PC) and a cloud actor (representing the adversary C2 server).
- Validate the efficacy of the internet security controls and address any gaps.
Having access to VirusTotal, you can search using the following filter:
crowdsourced_ids:"Cobalt Strike" crowdsourced_ids:"Beacon" crowdsourced_yara_rule:CobaltStrike
The filter returns the malware files uploaded to VirusTotal whose sandbox network traffic was detected by the crowdsourced IDS rules and that matched one or more of the Cobalt Strike YARA rules.

Out of these I picked the following interesting sample: artifact.exe (SHA-256: bac119d2db4efdad6c6b264942e0e10ec5c3d919480b8ed2b25a747ad4e8a96e).
Going through the details of the sample, it is clearly malicious: it matches 3 YARA rules and 4 Cobalt Strike IDS rules, so it is a good sample representing real, working malware.

Let's download the PCAP: go to BEHAVIOR, click Download Artifacts, and download the PCAP from the VirusTotal Jujubox sandbox.

Next, upload the PCAP to Mandiant Security Validation: go to Library --> Actions --> Add Action --> Select from PCAP and upload the PCAP file in the Upload Pcap File form.

Everything looks good and nothing needs to change in the Conversations form, so click Next.

In the Create PCAP Action form, add the necessary information as shown, then save the action.

Go back to Library --> Actions, select the action you created and click Run.

In the Job Definition form, select your Source and Destination Actors, then click Run Now.

Wait a few minutes and then view the results. As you can see, the Cobalt Strike communication has been blocked.
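Before trusting the Conversations form, it is worth checking for yourself which client-to-server conversations the downloaded PCAP actually contains, since those are what become network actions between the source and destination actors. The following is an added example (not code from the post, VirusTotal or Mandiant) that parses a classic pcap with the standard library only and summarises each TCP conversation; the sample capture is constructed inline with documentation-range addresses, and the lower-port-is-server rule is a heuristic I chose.

```python
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond pcap, link type 1 = Ethernet

def build_pcap(packets):
    """Serialise (src, dst, sport, dport, payload) tuples into a minimal
    Ethernet/IPv4/TCP pcap. Used only to construct the offline sample below."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for ts, (src, dst, sport, dport, payload) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6,
                         0, IPv4Address(src).packed, IPv4Address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)

def conversations(pcap):
    """Group TCP packets into client->server conversations (what the PCAP import
    turns into network actions): {(client, server, server_port):
    [packets, bytes_to_server, bytes_from_server]}. Heuristic: lower port = server."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    flows, pos = {}, 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # keep only complete IPv4/TCP frames
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = len(tcp) - (tcp[12] >> 4) * 4
        to_server = dport < sport
        key = (src, dst, dport) if to_server else (dst, src, sport)
        entry = flows.setdefault(key, [0, 0, 0])
        entry[0] += 1
        entry[1 if to_server else 2] += payload
    return flows

# Constructed sample: a victim PC beacons twice to a C2 server on 443 (one reply
# comes back) and fetches one page from an unrelated web server.
SAMPLE_PCAP = build_pcap([
    ("10.0.0.5", "203.0.113.7", 49152, 443, b"GET / HTTP/1.1\r\n"),
    ("203.0.113.7", "10.0.0.5", 443, 49152, b"HTTP/1.1 200 OK\r\n"),
    ("10.0.0.5", "203.0.113.7", 49153, 443, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.5", "192.0.2.10", 49154, 80, b"GET / HTTP/1.1\r\n"),
])
```

Run `conversations(open("artifact.pcap", "rb").read())` on the real download to compare against the Conversations form; each key is one source-actor to destination-actor conversation, and the unrelated web fetch shows why you may want to drop conversations that are not part of the C2 traffic before saving the action.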

The Next Generation Firewall (Palo Alto) successfully detected and prevented the communication. The logs and alerts were sent to the SIEM (QRadar).

Excellent job! Now you can demonstrate with evidence that your internet security controls, along with SIEM integration, can detect and prevent command and control communications relevant to the threats that matter to your organization.
