A Cobalt Strike Scanner that retrieves detected Team Server beacons into a JSON object

Related tags

JSONmelting-cobalt
Overview

melting-cobalt 👀

A tool to hunt/mine for Cobalt Strike beacons and "reduce" their beacon configuration for later indexing. Hunts can either be expansive and internet wide using services like SecurityTrails, Shodan, or ZoomEye or a list of IP's.

Getting started

  1. Install melting-cobalt
  2. Configure your tokens to begin the hunt
  3. Mine Beacons to begin reducing them
  4. Review results cat results.json | jq

📺 Demo

Installation

Requirements: virtualenv, and python3.8+

  1. git clone https://github.com/splunk/melting-cobalt && cd melting-cobalt Clone project and cd into the project dir.
  2. pip install virtualenv && virtualenv -p python3 venv && source venv/bin/activate && pip install -r requirements.txt Create Virtualenv and install requirements.

Continue to configuring for SecurityTrails, Shodan, or ZoomEye API key.

Configuration melting-cobalt.conf

Copy melting-cobalt.conf.example to melting-cobalt.conf!

Make sure to set a token for one of the available providers. If you need to create one for your account follow [these](htt://need wiki page) instructions.

Configuration example:

[global]
output = results.json
# stores matches in JSON here

log_path = melting-cobalt.log
# Sets the log_path for the logging file

log_level = INFO
# Sets the log level for the logging
# Possible values: INFO, ERROR, VERBOSE

nse_script = grab_beacon_config.nse
# path to the nse script that rips down cobalt configs. This is specifically using https://github.com/whickey-r7/grab_beacon_config

searches = search.yml
# contains the different searches to run on each internet scanning service provider (eg shodan, zoomeye, security trails) when hunting for team servers.

shodan_token = TOKENHERE
# shodan token for searching

zoomeye_token = TOKENHERE
# zoomeye token for searching

securitytrails_token = TOKENHERE
# security trails token for searching

Search The Internet

To modify the default mining performed across different providers, customize search.yml. The default melting-cobalt Search Examples below.

Run:

python melting-cobalt.py

Search IP list

populate ips.txt with potential Cobalt Strike C2 IPs a new line delimeted, example:

1.1.1.1
2.2.2.2
3.3.3.3

Run:

python melting-cobalt.py -i ips.txt

If you need inspiration from hunters we highly recommend:

Usage

usage: melting-cobalt.py [-h] [-c CONFIG] [-o OUTPUT] [-v] [-i INPUT]

scans for open cobalt strike team servers and grabs their beacon configs and write this as a json log to be analyzed by any analytic tools
like splunk, elastic, etc..

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        config file path
  -o OUTPUT, --output OUTPUT
                        file to write to the results, defaults to results.json.log
  -v, --version         shows current melting-cobalt version
  -i INPUT, --input INPUT
                        newline delimeted file of cobalt strike server ips to grab beacon configs from. example ips.txt

Search Examples

The following searches are provided out of the box and more may be added to search.yml for more data.

Shodan

Find specific JARM signatures, out of the box we track Cobalt Strike 4.x

'ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1'

Filter by HTTP headers and ports to reduce noisy results

'ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 port:"22, 80, 443, 444, 1234, 2000, 2222, 3000, 3780, 4000, 4443, 6379, 7443, 8443, 8080, 8081, 8082, 8087, 8088, 8099, 8089, 8090, 8181, 8888, 8889, 9443, 50050" HTTP/1.1 404 Not Found Content-Length: 0'

Team server detected by Shodan

'product:"cobalt strike team server"'

note: will generate lots of noisy results, do not actually schedule this unless you want to burn your license credits.

Team server certificate serial

'ssl.cert.serial:146473198'

SecurityTrails

Find specific JARM signatures

'SELECT address, ports.port FROM ips WHERE jarm = "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1"'

Filter by HTTP Headers and ports to reduce noisy nmap_results

'SELECT address, ports.port, isp.name_normalized, ports.port, address, asn.number, jarm, http.headers.raw FROM ips WHERE jarm = "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1" OR jarm = "07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175" OR jarm = "2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53" AND http.headers.content_type = "text/plain" AND http.headers.raw = "content-length:0" AND ports.port IN (22, 80, 443, 444, 1234, 2000, 2222, 3000, 3780, 4000, 4443, 6379, 7443, 8443, 8080, 8081, 8082, 8087, 8088, 8099, 8089, 8090, 8181, 8888, 8889, 9443, 50050)'

Author

Support 📞

Please use the GitHub issue tracker to submit bugs or request features.

If you have questions or need support, you can:

Credits & References

Inspiration came from a handful of blogs: Much of this is only possible because whiskey-7 shared with us grab_beacon_config.nse

TODO

  • add zoomeye
  • Dedup results before nmap
  • add checking the most recent result by looking at the latest_updated field

License

Copyright 2020 Splunk Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Owner
Splunk GitHub
Splunk GitHub
Easy JSON wrapper modfied to wrok with suggestions

🈷️ Suggester Easy JSON wrapper modfied to wrok with suggestions. This was made for small discord bots, for big bots you should not use this. 📥 Usage

RGBCube 1 Jan 22, 2022
This open source Python project allow you to create JSON data trees using Minmup.com

This open source Python project allow you to create JSON data trees using Minmup.com. I try to develop this project all the time. But feel free to use :).

Arttu Väisänen 1 Jan 30, 2022
Simple, minimal conversion of Bus Open Data Service SIRI-VM data to JSON

Simple, minimal conversion of Bus Open Data Service SIRI-VM data to JSON

Andy Middleton 0 Jan 22, 2022
MOSP is a platform for creating, editing and sharing validated JSON objects of any type.

MONARC Objects Sharing Platform Presentation MOSP is a platform for creating, editing and sharing validated JSON objects of any type. You can use any

CASES Luxembourg 72 Dec 14, 2022
JSONx - Easy JSON wrapper packed with features.

🈷️ JSONx Easy JSON wrapper packed with features. This was made for small discord bots, for big bots you should not use this JSON wrapper. 📥 Usage Cl

2 Dec 25, 2022
JSON Schema validation library

jsonschema A JSON Schema validator implementation. It compiles schema into a validation tree to have validation as fast as possible. Supported drafts:

Dmitry Dygalo 309 Jan 01, 2023
A daily updated JSON dataset of all the Open House London venues, events, and metadata

Open House London listings data All of it. Automatically scraped hourly with updates committed to git, autogenerated per-day CSV's, and autogenerated

Jonty Wareing 4 Jan 01, 2022
simdjson : Parsing gigabytes of JSON per second

JSON is everywhere on the Internet. Servers spend a *lot* of time parsing it. We need a fresh approach. The simdjson library uses commonly available SIMD instructions and microparallel algorithms to

16.3k Dec 29, 2022
Convert your subscriptions csv file into a valid json for Newpipe!

Newpipe-CSV-Fixer Convert your Google subscriptions CSV file into a valid JSON for Newpipe! Thanks to nikcorg for sharing how to convert the CSV into

Juanjo 44 Dec 29, 2022
Creates fake JSON files from a JSON schema

Use jsf along with fake data generators to provide consistent and meaningful fake data for your system.

Andy Challis 86 Jan 03, 2023
Make JSON serialization easier

Make JSON serialization easier

4 Jun 30, 2022
simplejson is a simple, fast, extensible JSON encoder/decoder for Python

simplejson simplejson is a simple, fast, complete, correct and extensible JSON http://json.org encoder and decoder for Python 3.3+ with legacy suppo

1.5k Jan 05, 2023
import json files directly in your python scripts

Install Install from git repository pip install git+https://github.com/zaghaghi/direct-json-import.git Use With the following json in a file named inf

Hamed Zaghaghi 51 Dec 01, 2021
A JSON API for returning Godspeak sentences. Based on the works of Terry A Davis (Rest in Peace, King)

GodspeakAPI A simple API for generating random words ("godspeaks"), inspired by the works of Terrence Andrew Davis (Rest In Peace, King). Installation

Eccentrici 3 Jan 24, 2022
A python library to convert arbitrary strings representing business opening hours into a JSON format that's easier to use in code

A python library to convert arbitrary strings representing business opening hours into a JSON format that's easier to use in code

Adrian Edwards 9 Dec 02, 2022
Roamtologseq - A script loads a json export of a Roam graph and cleans it up for import into Logseq

Roam to Logseq The script loads a json export of a Roam graph and cleans it up f

Sebastian Pech 4 Mar 07, 2022
Python script for converting .json to .md files using Mako templates.

Install Just install poetry and update script dependencies Usage Put your settings in settings.py and .json data (optionally, with attachments) in dat

Alexey Borontov 6 Dec 07, 2021
A query expression for extracting data from JSON.

JSONPATH A selector expression for extracting data from JSON. Quickstarts Installation Install the stable version from PYPI. pip install jsonpath-extr

林玮 (Jade Lin) 33 Oct 22, 2022
Marshall python objects to and from JSON

Pymarshaler - Marshal and Unmarshal Python Objects Disclaimer This tool is in no way production ready About Pymarshaler allows you to marshal and unma

Hernan Romer 9 Dec 20, 2022
Wikidot-forum-dump - Simple Python script that dumps a Wikidot wiki forum into JSON structures.

wikidot-forum-dump Script is partially based on 2stacks by bluesoul: https://github.com/scuttle/2stacks To dump a Wiki's forum, edit config.py and put

ZZYZX 1 Jun 29, 2022