  • Stars: 237
  • Rank 169,885 (Top 4 %)
  • Language: Python
  • License: MIT License
  • Created about 4 years ago
  • Updated over 1 year ago


Repository Details

Code and yara rules to detect and analyze Cobalt Strike

Cobalt Strike Resources

This repository contains:

  • analyze.py: a script to analyze a Cobalt Strike beacon (python analyze.py BEACON)
  • extract.py: extract the beacon from an encrypted beacon payload
  • lib.py: library containing functions shared by the other scripts
  • output.csv: CSV file containing CS servers identified online in Dec 2020
  • rules.yar: Yara rules for CS beacons
  • scan_list.py: script to scan a list of servers (python scan_list.py FILE)
  • scan.py: script to scan a single server (python scan.py IP)

You can see my blog post Analyzing Cobalt Strike for Fun and Profit for more information.

Identifying a Cobalt Strike server

  • The default HTTPS certificate is self-signed with serial number 146473198 (sha256: 87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c)
  • The default JARM signature can be one of the following (see this article):
    • 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 for a Java 11 stack
    • 2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53 for a Java 13 stack
    • 07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175 for a Java 1.8 stack
    • 05d14d16d04d04d05c05d14d05d04d4606ef7946105f20b303b9a05200e829 for a Java 1.9 stack
  • Check for a valid beacon URL on port 80 or 443, such as:
    • /aaa9 or /aab8 for 32-bit beacons
    • /aab9 or /aac8 for 64-bit beacons
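
The four paths above are not arbitrary: they are stager URIs, chosen so that the 8-bit checksum of the path (the sum of its ASCII bytes modulo 256) is 92 for a 32-bit beacon and 93 for a 64-bit one, which is what a scanner relies on when it probes a suspected server. The Python below is an added example, not code from this repository; it implements that checksum, classifies a path, and runs the check over a few constructed web-server log lines so that a defender can spot stager requests in their own logs. The log format, the sample lines and the restriction to 4-character paths (the form shown above) are assumptions made for the example.

```python
# Added example (not from the repository): checksum8 classification of
# Cobalt Strike stager URIs, plus a scanner for web-server access logs.
import re
from typing import Dict, List, Optional

CHECKSUM8_X86 = 92   # a path whose checksum8 is 92 serves the 32-bit beacon
CHECKSUM8_X64 = 93   # 93 serves the 64-bit beacon


def checksum8(path: str) -> int:
    """Sum of the byte values of the path (leading '/' stripped), modulo 256."""
    return sum(path.lstrip("/").encode("ascii")) % 256


def classify_stager_uri(path: str) -> Optional[str]:
    """Return 'x86', 'x64' or None for a request path.

    Only 4-character alphanumeric paths are considered (assumption: the
    form of the default URIs listed above); anything else is ignored.
    """
    name = path.lstrip("/")
    if not re.fullmatch(r"[A-Za-z0-9]{4}", name):
        return None
    c = checksum8(name)
    if c == CHECKSUM8_X86:
        return "x86"
    if c == CHECKSUM8_X64:
        return "x64"
    return None


# Matches the request part of a common-log-format line (constructed format).
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per line whose request path looks like a stager URI."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        arch = classify_stager_uri(m.group("path"))
        if arch:
            hits.append({"path": m.group("path"), "arch": arch, "line": line})
    return hits


# Constructed sample log lines (not real traffic); 10.0.0.x addresses are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Feb/2021:10:00:01 +0000] "GET /aaa9 HTTP/1.1" 200 261120 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [02/Feb/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [02/Feb/2021:10:00:03 +0000] "GET /aac8 HTTP/1.1" 200 272384 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [02/Feb/2021:10:00:04 +0000] "GET /abcd HTTP/1.1" 404 0 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['arch']}: {hit['path']}")
```

A random 4-character path matches each checksum with probability roughly 1/256, so a single hit is weak evidence on its own; in practice it is corroborated with the certificate serial and JARM values listed above, or with the size of the response (a stager download is a few hundred kilobytes, as in the constructed lines).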

If it is indeed a Cobalt Strike server, you can get the payload and extract its configuration with the script scan.py:

$ python scan.py https://45.77.249.XXX/
Checking https://45.77.249.XXX/
Configuration of the x86 payload:
dns                            False
ssl                            True
port                           443
.sleeptime                     60000
.http-get.server.output
.jitter                        0
.maxdns                        255
publickey                      30819f300d06092a864886f70d010101050003818d0030818902818100ecec56e6ee516018c3152b6239b1f29f1ef930e6ce0695e62e7bdaee69f5a1e432563111f97ea180b4f095be6491f566e39ee8448b071635cfb99e8839f9de4db9c5e1319164ad7b699355fdca04358eaabe1872f5e139a71dfbe2db793c2bfe198ece6bae8544503f72e4e2d4c1df76d239fa7837450eb894eabb164e00aeff020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.http-get.uri                  45.77.249.XXX,/updates.rss
[SNIP]

x86_64: Payload not found

Analyzing a Cobalt Strike beacon

When you get a Cobalt Strike beacon, it can be a PE file, or an encrypted payload. This repository provides yara rules to check files:

$ yara ../github/rules.yar payload
CS_encrypted_beacon_x86 payload

If it is indeed a beacon, you can extract the configuration with the analyze script:

$ python ../github/analyze.py 95.217.197.85_32b
Unknown config command 58
Unknown config command 57
dns                            False
ssl                            True
port                           443
.sleeptime                     60000
.http-get.server.output
.jitter                        0
.maxdns                        255
publickey                      [SNIP]
.http-get.uri                  [REDACTED],/pixel.gif
.user-agent                    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
.http-post.uri                 /submit.php
.http-get.client               Cookie
[SNIP]
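
The key/value listing that analyze.py prints is the decoded form of the beacon's configuration block, which sits inside the payload as a sequence of entries (16-bit big-endian index, type and length, then the value) XOR-ed with a single byte, 0x69 in Cobalt Strike 3.x and 0x2e in 4.x; an entry whose index the parser does not know is what produces lines like "Unknown config command 58" above. The Python below is an added example, independent of the repository's lib.py and analyze.py: it locates the block by the encoded signature of its first entry, decodes it and names the low indices. The index-to-name mapping, the decoding of the beacontype bits into dns/ssl, and the sample payload are assumptions made for the example; the sample is produced by the block's own encoder, not taken from a real beacon.

```python
# Added example (not the repository's lib.py/analyze.py): a minimal parser
# for the beacon configuration block. Assumed layout: entries of index (u16 BE),
# type (u16 BE: 1 = short, 2 = int, 3 = bytes), length (u16 BE) and value,
# XOR-ed with one byte (0x69 for CS 3.x, 0x2e for CS 4.x), ending in an
# all-zero entry.
import struct
from typing import Any, Dict, List, Optional, Tuple

XOR_KEYS = (0x69, 0x2E)

# Assumed names for the low indices; unknown indices are reported as unknown_N.
FIELD_NAMES = {
    1: "beacontype", 2: "port", 3: "sleeptime", 4: "maxgetsize", 5: "jitter",
    6: "maxdns", 7: "publickey", 8: "c2server", 9: "useragent", 10: "http-post-uri",
}


def find_config(blob: bytes) -> Optional[Tuple[int, int]]:
    """Locate the encoded block by the signature of its first entry
    (index 1, type 1, length 2) XOR-ed with each candidate key.
    Returns (offset, key) or None."""
    for key in XOR_KEYS:
        sig = bytes(b ^ key for b in b"\x00\x01\x00\x01\x00\x02")
        off = blob.find(sig)
        if off != -1:
            return off, key
    return None


def parse_config(blob: bytes) -> Dict[str, Any]:
    """Decode the block and return a name -> value dictionary."""
    loc = find_config(blob)
    if loc is None:
        raise ValueError("no beacon config signature found")
    off, key = loc
    data = bytes(b ^ key for b in blob[off:])
    fields: Dict[str, Any] = {}
    pos = 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        pos += 6
        if idx == 0:                      # terminator entry
            break
        raw = data[pos:pos + length]
        pos += length
        if typ == 1 and length == 2:
            value: Any = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            value = struct.unpack(">I", raw)[0]
        elif typ == 3:
            value = raw.rstrip(b"\x00")   # fixed-size fields are zero-padded
        else:
            raise ValueError(f"malformed entry index={idx} type={typ} len={length}")
        fields[FIELD_NAMES.get(idx, f"unknown_{idx}")] = value
    if "beacontype" in fields:            # assumed bit meaning: 1 = DNS, 8 = HTTPS
        fields["dns"] = bool(fields["beacontype"] & 1)
        fields["ssl"] = bool(fields["beacontype"] & 8)
    return fields


def encode_config(entries: List[Tuple[int, int, Any]], key: int) -> bytes:
    """Inverse of parse_config; used only to build the constructed sample."""
    out = bytearray()
    for idx, typ, value in entries:
        if typ == 1:
            raw = struct.pack(">H", value)
        elif typ == 2:
            raw = struct.pack(">I", value)
        else:
            raw = value
        out += struct.pack(">HHH", idx, typ, len(raw)) + raw
    out += b"\x00" * 6
    return bytes(b ^ key for b in out)


# Constructed sample (192.0.2.10 is a documentation address, not a real C2).
SAMPLE_ENTRIES = [
    (1, 1, 8),                                       # beacontype 8 = HTTPS
    (2, 1, 443),
    (3, 2, 60000),
    (5, 2, 0),
    (6, 2, 255),
    (8, 3, b"192.0.2.10,/updates.rss".ljust(256, b"\x00")),
    (9, 3, b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)".ljust(128, b"\x00")),
    (57, 1, 1),                                      # an index the parser does not name
]
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 64 + encode_config(SAMPLE_ENTRIES, 0x69) + b"\x00" * 16

if __name__ == "__main__":
    for name, value in parse_config(SAMPLE_PAYLOAD).items():
        print(f"{name:<30} {value!r}")
```

Stripping trailing zero bytes is what turns the 256-byte publickey field into the DER blob analyze.py prints; a real parser keeps the raw length for fields such as flags where a trailing zero is meaningful.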

Credits and license

Credits: Amnesty Tech

This code is published under the MIT license.
