Kali Linux

Melting-Cobalt : A Cobalt Strike Scanner That Retrieves Detected Team Server Beacons Into A JSON Object

Melting-Cobalt tool to hunt/mine for Cobalt Strike beacons and “reduce” their beacon configuration for later indexing. Hunts can either be expansive and internet wide using services like Security Trails, Shodan, or ZoomEye or a list of IP’s.

Getting started

  • Install melting-cobalt
  • Configure your tokens to begin the hunt
  • Mine Beacons to begin reducing them
  • Review results cat results.json | jq

Installation

Requirements: virtualenv, and python3.8+

  • git clone https://github.com/splunk/melting-cobalt && cd melting-cobalt Clone project and cd into the project dir.
  • pip install virtualenv && virtualenv -p python3 venv && source venv/bin/activate && pip install -r requirements.txt Create Virtualenv and install requirements.

Continue to configuring for SecurityTrails, Shodan, or ZoomEye API key.

Configuration melting-cobalt.conf

Copy melting-cobalt.conf.example to melting-cobalt.conf!

Make sure to set a token for one of the available providers. If you need to create one for your account follow [these](htt://need wiki page) instructions.

Configuration example:

[global]
output = results.json
#stores matches in JSON here
log_path = melting-cobalt.log
#Sets the log_path for the logging file
log_level = INFO
#Sets the log level for the logging
#Possible values: INFO, ERROR, VERBOSE
nse_script = grab_beacon_config.nse
#path to the nse script that rips down cobalt configs. This is specifically using https://github.com/whickey-r7/grab_beacon_config
searches = search.yml
#contains the different searches to run on each internet scanning service provider (eg shodan, zoomeye, security trails) when hunting for team servers.
#shodan_token = TOKENHERE
shodan token for searching
zoomeye_token = TOKENHERE
zoomeye token for searching
securitytrails_token = TOKENHERE
security trails token for searching

Search The Internet

To modify the default mining performed across different providers, customize search.yml. The default melting-cobalt Search Examples below.

Run:

python melting-cobalt.py

Search IP list

populate ips.txt with potential Cobalt Strike C2 IPs a new line delimeted, example:

1.1.1.1
2.2.2.2
3.3.3.3

Run:

python melting-cobalt.py -i ips.txt

If you need inspiration from hunters we highly recommend:

  • The DFIR Report
  • Awesome-Cobalt-Strike
  • CobaltStrikeBot

Usage

usage: melting-cobalt.py [-h] [-c CONFIG] [-o OUTPUT] [-v] [-i INPUT]
scans for open cobalt strike team servers and grabs their beacon configs and write this as a json log to be analyzed by any analytic tools
like splunk, elastic, etc..
optional arguments:
-h, –help show this help message and exit
-c CONFIG, –config CONFIG
config file path
-o OUTPUT, –output OUTPUT
file to write to the results, defaults to results.json.log
v, –version shows current melting-cobalt version
i INPUT, –input INPUT
newline delimeted file of cobalt strike server ips to grab beacon configs from. example ips.txt

Search Examples

The following searches are provided out of the box and more may be added to search.yml for more data.

Shodan

Find specific JARM signatures, out of the box we track Cobalt Strike 4.x

'ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1'

Filter by HTTP headers and ports to reduce noisy results

'ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 port:"22, 80, 443, 444, 1234, 2000, 2222, 3000, 3780, 4000, 4443, 6379, 7443, 8443, 8080, 8081, 8082, 8087, 8088, 8099, 8089, 8090, 8181, 8888, 8889, 9443, 50050" HTTP/1.1 404 Not Found Content-Length: 0'

Team server detected by Shodan

'product:"cobalt strike team server"'

note: will generate lots of noisy results, do not actually schedule this unless you want to burn your license credits.

Team server certificate serial

'ssl.cert.serial:146473198'

Security Trails

Find specific JARM signatures

'SELECT address, ports.port FROM ips WHERE jarm = "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1"'

Filter by HTTP Headers and ports to reduce noisy nmap_results

'SELECT address, ports.port, isp.name_normalized, ports.port, address, asn.number, jarm, http.headers.raw FROM ips WHERE jarm = "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1" OR jarm = "07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175" OR jarm = "2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53" AND http.headers.content_type = "text/plain" AND http.headers.raw = "content-length:0" AND ports.port IN (22, 80, 443, 444, 1234, 2000, 2222, 3000, 3780, 4000, 4443, 6379, 7443, 8443, 8080, 8081, 8082, 8087, 8088, 8099, 8089, 8090, 8181, 8888, 8889, 9443, 50050)'

R K

Recent Posts

How Does a Firewall Work Step by Step

How Does a Firewall Work Step by Step? What Is a Firewall and How Does…

11 hours ago

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

4 days ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

4 days ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

5 days ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

5 days ago

HikPwn : Simple Scanner For Hikvision Devices With Basic Vulnerability Scanning

HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…

5 days ago