Network Forensic Analysis of a Hancitor–Cobalt Strike Incident: Application of the NIST Methodology
Keywords: Network Forensics, Hancitor, Cobalt Strike, NIST SP 800-86, Malware Analysis

Abstract
Cybersecurity incidents involving the Hancitor and Cobalt Strike malware have been increasing and pose a significant threat to the security of organizational information systems. This study aims to conduct a network forensic analysis of attacks that employ the combined use of Hancitor and Cobalt Strike by applying the methodology of the National Institute of Standards and Technology (NIST) SP 800-86. The research adopts a qualitative approach by implementing the four stages of the NIST framework, namely collection, examination, analysis, and reporting. Data were obtained through simulated attacks in a controlled environment using forensic tools such as Wireshark and NetworkMiner. The findings reveal an attack pattern that begins with the initial Hancitor infection delivered through a malicious Microsoft Office document, followed by command and control (C2) communication used to download and execute the Cobalt Strike payload. Network packet analysis successfully identified suspicious traffic characteristics, including Cobalt Strike beaconing and data exfiltration activities. This study concludes that the application of the NIST forensic methodology is effective in uncovering the stages of such attacks and can assist organizations in responding to similar incidents in the future. Furthermore, the research findings can serve as indicators of compromise (IoCs) to enhance early detection of attacks involving the combined use of Hancitor and Cobalt Strike.
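The abstract refers to identifying Cobalt Strike beaconing during the examination and analysis stages without showing how such traffic is singled out. The following Python script is an added illustration, not code from the study, of one common approach: grouping connection records by (source, destination, port) and flagging pairs whose inter-connection intervals are nearly constant (low coefficient of variation), which is how a sleep-with-jitter beacon looks next to ordinary browsing. The connection log, IP addresses, ports and timestamps are constructed placeholders (documentation ranges), not indicators from the incident, and the thresholds `min_connections` and `max_cv` are assumptions an analyst would tune for their environment.

```python
"""
Beacon-periodicity check over exported connection records.

Added example (not the study's own code). SAMPLE_LOG is constructed for the
example: the hosts, ports and timestamps are placeholders, not IoCs from the
Hancitor / Cobalt Strike incident described in the abstract.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one connection per line: epoch,src_ip,dst_ip,dst_port
# 10.0.0.5 reaches the same host roughly every 60 s (beacon-like, small jitter).
# 10.0.0.7 reaches a web server at irregular intervals (browsing-like).
# 10.0.0.9 has too few connections to judge.
SAMPLE_LOG = """\
1700000000,10.0.0.5,198.51.100.10,443
1700000062,10.0.0.5,198.51.100.10,443
1700000118,10.0.0.5,198.51.100.10,443
1700000181,10.0.0.5,198.51.100.10,443
1700000239,10.0.0.5,198.51.100.10,443
1700000302,10.0.0.5,198.51.100.10,443
1700000358,10.0.0.5,198.51.100.10,443
1700000420,10.0.0.5,198.51.100.10,443
1700000000,10.0.0.7,203.0.113.20,80
1700000003,10.0.0.7,203.0.113.20,80
1700000090,10.0.0.7,203.0.113.20,80
1700000095,10.0.0.7,203.0.113.20,80
1700000400,10.0.0.7,203.0.113.20,80
1700000410,10.0.0.7,203.0.113.20,80
1700001000,10.0.0.7,203.0.113.20,80
1700000000,10.0.0.9,192.0.2.8,443
1700000500,10.0.0.9,192.0.2.8,443
"""


def parse_flows(text):
    """Parse 'epoch,src,dst,dport' lines into (int, str, str, int) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split(",")
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def interval_stats(timestamps):
    """Mean interval and coefficient of variation (jitter) between contacts.

    Returns None when fewer than two intervals exist, since periodicity
    cannot be judged from a single gap.
    """
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return None
    avg = mean(deltas)
    # All contacts at the same second: treat as maximally irregular, not periodic.
    cv = pstdev(deltas) / avg if avg > 0 else float("inf")
    return {"connections": len(ts), "mean_interval": avg, "jitter_cv": cv}


def find_beacons(flows, min_connections=6, max_cv=0.2):
    """Return (src, dst, dport) pairs whose contact intervals are near-constant.

    min_connections and max_cv are assumed tuning values for this example; a
    pair is reported only if it has enough contacts and its interval jitter
    (standard deviation / mean) is at or below max_cv.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)

    beacons = {}
    for key, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stats = interval_stats(stamps)
        if stats is not None and stats["jitter_cv"] <= max_cv:
            beacons[key] = stats
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), s in find_beacons(parse_flows(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport}  contacts={s['connections']} "
              f"mean_interval={s['mean_interval']:.1f}s jitter_cv={s['jitter_cv']:.3f}")
```

The script only narrows the field: a flagged pair is a lead to corroborate in Wireshark or NetworkMiner (TLS certificate details, HTTP URI and header patterns, payload sizes), not a verdict, because legitimate software such as update checks and monitoring agents also contacts servers on a fixed schedule.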
Copyright (c) 2025 International Journal of Cyber Engineering

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
