Cobalt Strike Resources

This repository contains:

You can see my blog post Analyzing Cobalt Strike for Fun and Profit for more information.

Identifying a Cobalt Strike server

If it is indeed a Cobalt Strike server, you can get the payload and extract its configuration with the script scan.py:

$ python scan.py https://45.77.249.XXX/
Checking https://45.77.249.XXX/
Configuration of the x86 payload:
dns                            False
ssl                            True
port                           443
.sleeptime                     60000
.http-get.server.output
.jitter                        0
.maxdns                        255
publickey                      [REDACTED]
.http-get.uri                  45.77.249.XXX,/updates.rss
[SNIP]

x86_64: Payload not found

Analyzing a Cobalt Strike beacon

When you get a Cobalt Strike beacon, it can be a PE file, or an encrypted payload. This repository provides yara rules to check files:

$ yara ../github/rules.yar payload
CS_encrypted_beacon_x86 payload

If it is indeed a beacon, you can extract the configuration with the analyze script:

$ python ../github/analyze.py 95.217.197.85_32b
Unknown config command 58
Unknown config command 57
dns                            False
ssl                            True
port                           443
.sleeptime                     60000
.http-get.server.output
.jitter                        0
.maxdns                        255
publickey                      [REDACTED]
.http-get.uri                  [REDACTED],/pixel.gif
.user-agent                    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
.http-post.uri                 /submit.php
.http-get.client               Cookie
[SNIP]
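Both scan.py (previous section) and analyze.py do the same thing once they hold the payload bytes: find the XOR-encoded configuration block, decode it, walk its type-length-value records and print the fields, reporting any record index the parser does not know (the "Unknown config command 58" lines above). The following is an added, stand-alone illustration of that step, not the repository's own code. The record layout (big-endian index, type and length; type 1 = short, 2 = int, 3 = bytes), the index numbers and the two XOR keys are the publicly documented ones; the FIELD_NAMES labels, the BEACON_TYPES mapping used to derive the dns/ssl lines, and the sample blob are constructed for this example, and the page's scripts print their own labels (.sleeptime, .http-get.uri) instead.

```python
"""Minimal Cobalt Strike beacon configuration parser (added example; not the
repository's scan.py / analyze.py). The sample blob is constructed, not a beacon."""
import struct

# Publicly documented config record indices -> labels chosen for this example.
FIELD_NAMES = {
    1: "beacontype", 2: "port", 3: "sleeptime", 4: "maxgetsize",
    5: "jitter", 6: "maxdns", 7: "publickey", 8: "c2server",
    9: "useragent", 10: "http-post.uri",
}
# Beacon type values (index 1) as documented by community parsers.
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}
# Every config starts with record index 1, type 1 (short), length 2.
CONFIG_SIGNATURE = b"\x00\x01\x00\x01\x00\x02"
# Single-byte XOR keys commonly seen (0x69 with 3.x builds, 0x2e with 4.x).
COMMON_KEYS = (0x69, 0x2E)


def xor(data, key):
    return bytes(b ^ key for b in data)


def find_config(raw):
    """Return (key, offset) of the encoded config block inside raw payload bytes.
    The two common keys are tried first, then every other single-byte key."""
    keys = list(COMMON_KEYS) + [k for k in range(256) if k not in COMMON_KEYS]
    for key in keys:
        offset = raw.find(xor(CONFIG_SIGNATURE, key))
        if offset != -1:
            return key, offset
    raise ValueError("no beacon configuration found")


def parse_config(raw):
    """Decode the TLV records. Returns (key, fields, unknown_indices)."""
    key, offset = find_config(raw)
    data = xor(raw[offset:], key)
    fields, unknown, pos = {}, [], 0
    while pos + 6 <= len(data):
        index, rtype, length = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if index == 0:                      # index 0 ends the record list
            break
        value = data[pos:pos + length]
        pos += length
        if rtype == 1:                      # 16-bit big-endian short
            value = struct.unpack(">H", value)[0]
        elif rtype == 2:                    # 32-bit big-endian int
            value = struct.unpack(">I", value)[0]
        elif rtype == 3 and index != 7:     # NUL-padded string; index 7 keeps raw DER bytes
            value = value.rstrip(b"\x00").decode("latin-1")
        name = FIELD_NAMES.get(index)
        if name is None:
            unknown.append(index)           # analyze.py: "Unknown config command N"
        else:
            fields[name] = value
    return key, fields, unknown


def summarize(fields):
    """Derive the dns / ssl / port style lines that the page's scripts print."""
    kind = BEACON_TYPES.get(fields.get("beacontype"), "unknown")
    return {
        "type": kind,
        "dns": "DNS" in kind,
        "ssl": kind == "HTTPS",
        "port": fields.get("port"),
        "sleeptime": fields.get("sleeptime"),
        "jitter": fields.get("jitter"),
        "maxdns": fields.get("maxdns"),
        "publickey": fields["publickey"].hex() if "publickey" in fields else None,
        "c2server": fields.get("c2server"),
    }


def _record(index, rtype, payload):
    return struct.pack(">HHH", index, rtype, len(payload)) + payload


def build_sample_config(key=0x69):
    """Constructed test blob (NOT a real beacon): records in the documented
    layout, XOR-encoded and preceded by filler as they would sit in a payload."""
    records = b"".join([
        _record(1, 1, struct.pack(">H", 8)),                       # beacontype: HTTPS
        _record(2, 1, struct.pack(">H", 443)),                     # port
        _record(3, 2, struct.pack(">I", 60000)),                   # sleeptime (ms)
        _record(5, 1, struct.pack(">H", 0)),                       # jitter
        _record(6, 1, struct.pack(">H", 255)),                     # maxdns
        _record(7, 3, bytes(range(256))),                          # publickey placeholder
        _record(8, 3, b"203.0.113.10,/updates.rss".ljust(256, b"\x00")),  # "host,/uri"
        _record(9, 3, b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)".ljust(128, b"\x00")),
        _record(10, 3, b"/submit.php".ljust(64, b"\x00")),
        _record(58, 1, struct.pack(">H", 1)),                      # index unknown to this parser
    ])
    return b"MZ-filler" + xor(records + b"\x00" * 16, key)


if __name__ == "__main__":
    key, fields, unknown = parse_config(build_sample_config())
    for idx in unknown:
        print("Unknown config command", idx)
    for name, val in summarize(fields).items():
        print(f"{name:<30} {val}")
```

Running the block on its constructed sample prints the same shape of output as analyze.py above (the unknown-index lines first, then the fields). Trying the two documented keys before brute-forcing the rest keeps the search cheap on real payloads while still finding a build that uses a non-standard key, and the signature match on the first record is the same trick the public parsers rely on. The constructed blob also exercises the case of a record index the parser does not know, so a reader can see why such lines are a warning rather than an error.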

Credits and license

Credits: Amnesty Tech

This code is published under the MIT license.