Melting-Cobalt - A Cobalt Strike Scanner That Retrieves Detected Team Server Beacons Into A JSON Object


  • A tool to hunt/mine for Cobalt Strike beacons and "reduce" their beacon configuration for later indexing. Hunts can either be expansive and internet-wide, using services like SecurityTrails, Shodan, or ZoomEye, or limited to a list of IPs.
    Getting started

    1. Install melting-cobalt
    2. Configure your tokens to begin the hunt
    3. Mine beacons to begin reducing them
    4. Review results: cat results.json | jq
      Installation
      Requirements: virtualenv and python3.8+
    1. git clone https://github.com/splunk/melting-cobalt && cd melting-cobalt (clone the project and cd into the project directory)
    2. pip install virtualenv && virtualenv -p python3 venv && source venv/bin/activate && pip install -r requirements.txt (create a virtualenv and install the requirements)
      Continue to configuring a SecurityTrails, Shodan, or ZoomEye API key.
      Configuration: melting-cobalt.conf
      Copy melting-cobalt.conf.example to melting-cobalt.conf!
      Make sure to set a token for one of the available providers. If you need to create one for your account follow [these](htt://need wiki page) instructions.
      Configuration example:
    [global]  
    output = results.json  
    # stores matches in JSON here  
    log_path = melting-cobalt.log  
    # Sets the log_path for the logging file  
    log_level = INFO  
    # Sets the log level for the logging  
    # Possible values: INFO, ERROR, VERBOSE  
    nse_script = grab_beacon_config.nse  
    # path to the nse script that rips down cobalt configs. This is specifically using https://github.com/whickey-r7/grab_beacon_config  
    searches = search.yml  
    # contains the different searches to run on each internet scanning service provider (eg shodan, zoomeye, security trails) when hunting for team servers.  
    shodan_token = TOKENHERE  
    # shodan token for searching  
    zoomeye_token = TOKENHERE  
    # zoomeye token for searching  
    securitytrails_token = TOKENHERE  
    # security trails token for searching  
    
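The configuration above is what the hunt runs on, and a conf with every token still set to TOKENHERE will fail only once the scan is already under way. The following is an added example, not code from the melting-cobalt project: it parses a melting-cobalt.conf with the [global] keys shown above and reports what is missing before any provider credits are spent. The helper names (load_conf, enabled_providers, validate_conf) and the sample conf texts are constructed for this example.

```python
"""Pre-flight validation of a melting-cobalt.conf (added example, not project code)."""
import configparser
from typing import Dict, List

PLACEHOLDER = "TOKENHERE"
# Token keys from the [global] section of the configuration example.
PROVIDER_KEYS = {
    "shodan": "shodan_token",
    "zoomeye": "zoomeye_token",
    "securitytrails": "securitytrails_token",
}
# Log levels the configuration example documents.
LOG_LEVELS = {"INFO", "ERROR", "VERBOSE"}


def load_conf(text: str) -> Dict[str, str]:
    """Parse the INI-style conf text and return the [global] section as a dict.

    The example conf keeps comments on their own lines, so configparser's
    default full-line '#' comment handling is sufficient.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if "global" not in parser:
        raise ValueError("missing [global] section")
    return {k: v.strip() for k, v in parser["global"].items()}


def enabled_providers(conf: Dict[str, str]) -> List[str]:
    """Providers whose token is set to something other than the placeholder."""
    return [
        name for name, key in PROVIDER_KEYS.items()
        if conf.get(key, PLACEHOLDER) not in ("", PLACEHOLDER)
    ]


def validate_conf(text: str) -> List[str]:
    """Return a list of problems; an empty list means the hunt can start."""
    problems: List[str] = []
    try:
        conf = load_conf(text)
    except (configparser.Error, ValueError) as exc:
        return [f"unparseable conf: {exc}"]
    for required in ("output", "nse_script", "searches"):
        if not conf.get(required):
            problems.append(f"{required} is not set")
    level = conf.get("log_level", "INFO").upper()
    if level not in LOG_LEVELS:
        problems.append(f"log_level {level!r} is not one of {sorted(LOG_LEVELS)}")
    if not enabled_providers(conf):
        problems.append("no provider token set; every *_token is still TOKENHERE")
    return problems


# Constructed sample: the example conf as shipped (all tokens still placeholders).
SAMPLE_UNCONFIGURED = """\
[global]
output = results.json
log_path = melting-cobalt.log
log_level = INFO
nse_script = grab_beacon_config.nse
searches = search.yml
shodan_token = TOKENHERE
zoomeye_token = TOKENHERE
securitytrails_token = TOKENHERE
"""

# Constructed sample: one provider configured with a fake token value.
SAMPLE_SHODAN_ONLY = SAMPLE_UNCONFIGURED.replace(
    "shodan_token = TOKENHERE", "shodan_token = abc123fakeshodantoken"
)

# Constructed sample: a log level the example does not document.
SAMPLE_BAD_LEVEL = SAMPLE_UNCONFIGURED.replace("log_level = INFO", "log_level = DEBUG")

if __name__ == "__main__":
    for label, text in (("unconfigured", SAMPLE_UNCONFIGURED),
                        ("shodan only", SAMPLE_SHODAN_ONLY),
                        ("bad level", SAMPLE_BAD_LEVEL)):
        print(label, "->", validate_conf(text) or "ok")
```

Run it against your real melting-cobalt.conf by passing the file contents to validate_conf; an empty list means at least one provider is usable and the paths the hunt needs are set.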

    Search The Internet
    To modify the default mining performed across different providers, customize search.yml. The default melting-cobalt searches are listed under Search Examples below.
    Run:
    python melting-cobalt.py
    Search IP list
    Populate ips.txt with potential Cobalt Strike C2 IPs, one per line, for example:

    1.1.1.1  
    2.2.2.2  
    3.3.3.3  
    

    Run:
    python melting-cobalt.py -i ips.txt
    If you need inspiration from hunters we highly recommend:

    usage: melting-cobalt.py [-h] [-c CONFIG] [-o OUTPUT] [-v] [-i INPUT]  
    scans for open cobalt strike team servers and grabs their beacon configs and write this as a json log to be analyzed by any analytic tools  
    like splunk, elastic, etc..  
    optional arguments:  
    -h, --help            show this help message and exit  
    -c CONFIG, --config CONFIG  
    config file path  
    -o OUTPUT, --output OUTPUT  
    file to write to the results, defaults to results.json.log  
    -v, --version         shows current melting-cobalt version  
    -i INPUT, --input INPUT  
    newline delimeted file of cobalt strike server ips to grab beacon configs from. example ips.txt  
    

    Search Examples
    The following searches are provided out of the box and more may be added to search.yml for more data.
    Shodan
    Find specific JARM signatures, out of the box we track Cobalt Strike 4.x
    'ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1'
    Filter by HTTP headers and ports to reduce noisy results
    'ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 port:"22, 80, 443, 444, 1234, 2000, 2222, 3000, 3780, 4000, 4443, 6379, 7443, 8443, 8080, 8081, 8082, 8087, 8088, 8099, 8089, 8090, 8181, 8888, 8889, 9443, 50050" HTTP/1.1 404 Not Found Content-Length: 0'
    Team server detected by Shodan
    'product:"cobalt strike team server"'
    note: will generate lots of noisy results, do not actually schedule this unless you want to burn your license credits.
    Team server certificate serial
    'ssl.cert.serial:146473198'
    SecurityTrails
    Find specific JARM signatures
    'SELECT address, ports.port FROM ips WHERE jarm = "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1"'
    Filter by HTTP headers and ports to reduce noisy results (the JARM alternatives are grouped so the header and port filters apply to all three, since AND binds tighter than OR)
    'SELECT address, ports.port, isp.name_normalized, asn.number, jarm, http.headers.raw FROM ips WHERE (jarm = "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1" OR jarm = "07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175" OR jarm = "2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53") AND http.headers.content_type = "text/plain" AND http.headers.raw = "content-length:0" AND ports.port IN (22, 80, 443, 444, 1234, 2000, 2222, 3000, 3780, 4000, 4443, 6379, 7443, 8443, 8080, 8081, 8082, 8087, 8088, 8099, 8089, 8090, 8181, 8888, 8889, 9443, 50050)'
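The searches above combine four signals: the Cobalt Strike JARM hashes, the default team-server certificate serial, a 404 with Content-Length: 0, and the common listener ports. Provider results still need local triage, because a JARM match on its own is noisy (which is why the searches add the header and port filters). The following is an added example, not code from melting-cobalt: it applies the same indicators to a set of host records and ranks them. The record layout (one dict per host) and the helper names are hypothetical; the sample hosts are constructed on TEST-NET addresses.

```python
"""Rank candidate hosts against the team-server indicators used in the searches
above (added example, not melting-cobalt code)."""
from typing import Dict, List

# JARM hashes from the Shodan and SecurityTrails searches above.
CS_JARMS = {
    "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1",
    "07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175",
    "2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53",
}
# Team-server certificate serial from the Shodan search above.
DEFAULT_CERT_SERIAL = "146473198"
# Port list from the filtered searches above.
CS_PORTS = {22, 80, 443, 444, 1234, 2000, 2222, 3000, 3780, 4000, 4443, 6379,
            7443, 8443, 8080, 8081, 8082, 8087, 8088, 8099, 8089, 8090, 8181,
            8888, 8889, 9443, 50050}


def matched_indicators(host: Dict) -> List[str]:
    """Return the names of the indicators a host record satisfies.

    Expected record keys (hypothetical layout): ip, port, jarm, cert_serial,
    status, headers. Header names are compared case-insensitively because
    providers differ in how they normalize them.
    """
    hits: List[str] = []
    if host.get("jarm") in CS_JARMS:
        hits.append("jarm")
    # Serial may arrive as int or str depending on the provider; normalize.
    if str(host.get("cert_serial", "")) == DEFAULT_CERT_SERIAL:
        hits.append("default_cert_serial")
    headers = {k.lower(): str(v).strip() for k, v in host.get("headers", {}).items()}
    if host.get("status") == 404 and headers.get("content-length") == "0":
        hits.append("empty_404")
    if host.get("port") in CS_PORTS:
        hits.append("common_port")
    return hits


def triage(hosts: List[Dict]) -> List[Dict]:
    """Drop hosts with no hits and sort the rest, most indicators first.

    Among equal hit counts, the default certificate serial is treated as the
    stronger evidence because it is specific to an unchanged team server.
    """
    scored = []
    for h in hosts:
        hits = matched_indicators(h)
        if hits:
            scored.append({"ip": h["ip"], "port": h["port"], "hits": hits})
    scored.sort(key=lambda r: (len(r["hits"]), "default_cert_serial" in r["hits"]),
                reverse=True)
    return scored


# Constructed sample records (TEST-NET addresses; not real observations).
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "port": 443, "status": 404,
     "headers": {"Content-Length": "0"},
     "jarm": "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1",
     "cert_serial": 146473198},                      # all four indicators
    {"ip": "192.0.2.20", "port": 8443, "status": 404,
     "headers": {"content-length": "0"},
     "jarm": "2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53",
     "cert_serial": "98765"},                        # JARM + empty 404 + port
    {"ip": "192.0.2.30", "port": 80, "status": 404,
     "headers": {"Content-Length": "0"},
     "jarm": "29d29d00029d29d00041d41d00041d2aa5ce6a70de7ba95aef77a77b00a0af",
     "cert_serial": "1"},                            # empty 404 + port only
    {"ip": "192.0.2.40", "port": 12345, "status": 200,
     "headers": {"Content-Length": "512"},
     "jarm": "00000000000000000000000000000000000000000000000000000000000000",
     "cert_serial": "1"},                            # nothing matches
]

if __name__ == "__main__":
    for row in triage(SAMPLE_HOSTS):
        print(row["ip"], row["port"], ",".join(row["hits"]))
```

Feed it the host fields from a provider response or from results.json; hosts that match only "common_port" or only "empty_404" are the ones worth dropping before spending nmap time on them.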
    Author

    • Michael Haag @M_haggis
    • Jose Hernandez @d1vious
      Support 
      Please use the GitHub issue tracker to submit bugs or request features.
      If you have questions or need support, you can:
    • Join the #security-research room in the Splunk Slack channel
      Credits & References
      Inspiration came from a handful of blogs. Much of this is only possible because whickey-r7 shared grab_beacon_config.nse with us.
      TODO
    • add zoomeye
    • Dedup results before nmap
    • add checking the most recent result by looking at the latest_updated field
      License
      Copyright 2020 Splunk Inc.
      Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
      Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
      Download Melting-Cobalt