Trojan:Linux/CobaltStrike.I!MTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Linux/CobaltStrike.I!MTB
Classification:
Type: Trojan
Platform: Linux
Family: CobaltStrike
Detection Type: Concrete (known malware family with identified signatures)
Variant: I (specific signature variant within the malware family)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform Linux, family CobaltStrike

Summary:

This is a concrete detection of a Linux Cobalt Strike trojan, a highly sophisticated post-exploitation agent. It acts as a command-and-control (C2) beacon, enabling adversaries to execute arbitrary commands, upload/download files, establish port forwards, and maintain persistence on compromised Linux systems.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat (all tagged PEHSTR_EXT, i.e. PE string signatures; the ELF-specific indicators for this Linux variant are the Go symbol strings in the YARA rule below):
 - sysnative (PEHSTR_EXT)
 - %s (admin) (PEHSTR_EXT)
 - HTTP/1.1 200 OK (PEHSTR_EXT)
 - %02d/%02d/%02d %02d:%02d:%02d (PEHSTR_EXT)
 - !#HSTR:IntentBase64 (PEHSTR_EXT)
 - ToBase64String (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - bitsadmin (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - InvokeV (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - ENIGMA (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
YARA Rule:
rule Trojan_Linux_CobaltStrike_I_2147951877_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Linux/CobaltStrike.I!MTB"
        threat_id = "2147951877"
        type = "Trojan"
        platform = "Linux: Linux platform"
        family = "CobaltStrike"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "6"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "main/command.parseCommandUpload" ascii //weight: 1
        $x_1_2 = "main/command.portForwardServe" ascii //weight: 1
        $x_1_3 = "main/packet.PullCommand" ascii //weight: 1
        $x_1_4 = "/command/port_forward.go" ascii //weight: 1
        $x_1_5 = "main/command.parseCommandShell" ascii //weight: 1
        $x_1_6 = "main/command.Upload" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
Filename: nodejs
SHA-256: 8c927ebecb3fc2945bc2df903012f5736eff43884665e27ea5497cdc3476a70e
Date: 07/12/2025
Filename: d
SHA-256: d88a5f1d23da79bccafc1cd797d331d211a0106eb5494d1ca88600edb1ed16d9
Date: 07/12/2025
Remediation Steps:
Immediately isolate the affected Linux system, terminate any associated malicious processes, and remove persistence mechanisms. Conduct a comprehensive forensic investigation to identify the initial compromise vector, lateral movement, and any data exfiltration. Update all systems, rotate credentials, and strengthen security controls.
=== END REPORT ===
This analysis was last updated on 07/12/2025.