This repository contains:
analyze.py: a script to analyze a Cobalt Strike beacon (python analyze.py BEACON)extract.py: extract a beacon from an encrypted beaconlib.py: library containing functions for the other scriptsoutput.csv: CSV file containing CS servers identified online in Dec 2020rules.yar: Yara rules for CS beaconsscan_list.py: script to scan a list of servers (python scan_list.py FILE)scan.py: script to scan a server (python scan.py IP)
You can see my blog post Analyzing Cobalt Strike for Fun and Profit for more information.
- Default HTTPs certificate is self-signed with serial number 146473198 (sha256: 87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c)
- Default JARM signature can be (see this article)
- 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 for Java 11 Stack
- 2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53 for Java 13 Stack
- 07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175 for Java 1.8 Stack
- 05d14d16d04d04d05c05d14d05d04d4606ef7946105f20b303b9a05200e829 for Java 1.9 Stack
- Check for valid beacon url on port 80 or 443 such as:
/aaa9or/aab8for 32b beacons/aab9ou/aac8for 64b beacons
If it is indeed a Cobalt Strike server, you can get the payload and extract its configutation with the script scan.py:
$ python scan.py https://45.77.249.XXX/
Checking https://45.77.249.XXX/
Configuration of the x86 payload:
dns False
ssl True
port 443
.sleeptime 60000
.http-get.server.output
.jitter 0
.maxdns 255
publickey 30819f300d06092a864886f70d010101050003818d0030818902818100ecec56e6ee516018c3152b6239b1f29f1ef930e6ce0695e62e7bdaee69f5a1e432563111f97ea180b4f095be6491f566e39ee8448b071635cfb99e8839f9de4db9c5e1319164ad7b699355fdca04358eaabe1872f5e139a71dfbe2db793c2bfe198ece6bae8544503f72e4e2d4c1df76d239fa7837450eb894eabb164e00aeff020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.http-get.uri 45.77.249.XXX,/updates.rss
[SNIP]
x86_64: Payload not found
When you get a Cobalt Strike beacon, it can be a PE file, or an encrypted payload. This repository provides yara rules to check files:
$ yara ../github/rules.yar payload
CS_encrypted_beacon_x86 payload
If it is indeed a beacon, you can extract the configuration with the analyze script:
$ python ../github/analyze.py 95.217.197.85_32b
Unknown config command 58
Unknown config command 57
dns False
ssl True
port 443
.sleeptime 60000
.http-get.server.output
.jitter 0
.maxdns 255
publickey 30819f300d06092a864886f70d010101050003818d00308189028181008d12bd5ea1b3827d29393c82876d00351750a28d9ffd634cdeadd0a921435d915dd6422f92c1a19bbef39d3028a19138446810f9e87e492b0adc54b8482f7d3bab264c48d1dd19fbb2be18ec427d10225533422d2c69c209cc7db5f6f1bcf449c294f4cc89493da6ced72d8f444d462efc32330f71ab3fe10c151fa8752e239d020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.http-get.uri [REDACTED],/pixel.gif
.user-agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
.http-post.uri /submit.php
.http-get.client Cookie
[SNIP]
Credits : Amnesty Tech
This code is published under the MIT license.