Cobalt Strike Hunting with @shodanhq
Default TLS certificate (serial of the stock Cobalt Strike cert):
ssl.cert.serial:146473198
shodan.io/search?query=s…
example
shodan.io/host/155.138.2…
725 hits
Banner hash + port (false-positive filtering is required)
hash:-2007783223 port:"50050"
50050 is the default Cobalt Strike team server port
shodan.io/search?query=h…
example:
beta.shodan.io/host/155.138.2…
1357 hits
JARM fingerprint (false-positive filtering is required: this JARM is that of the Java TLS stack, so unrelated Java servers collide with it)
ssl.jarm:07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2
Other C2 JARMs are listed here:
github.com/carbonblack/ac…
example
shodan.io/host/18.167.1.…
1519 hits
Let's quickly analyse this one
shodan.io/host/18.167.1.…
HTTP/1.1 404 Not Found
Date: Mon, 6 Sep 2021 17:00:39 GMT
Content-Type: text/plain
Content-Length: 0
These are the typical characteristics of a Cobalt Strike HTTP listener: an empty text/plain 404 carrying only Date, Content-Type and Content-Length headers, with no Server header
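Putting the three pivots together, as an added example that is not the thread author's code: a small Python triage over Shodan-shaped host records that applies the false-positive filtering the thread calls for, so a host matching only JARM or only the bare 404 is marked "weak" rather than "likely". Field names follow Shodan's host JSON (ip_str, data[].port, data[].hash, data[].data, data[].ssl.cert.serial, data[].ssl.jarm); the sample hosts, IPs and banners are constructed inline so the script runs offline.

```python
"""Triage Shodan host records for the three Cobalt Strike pivots in the thread.

Added example (not the thread author's code). The host records below are
constructed in the shape of Shodan's host JSON (a subset of fields) so the
script runs offline; JSON lines from `shodan download` can be fed in the same way.
"""
import json

# Indicators quoted in the thread
DEFAULT_CERT_SERIAL = 146473198     # serial of the stock Cobalt Strike TLS cert
DEFAULT_404_HASH = -2007783223      # Shodan banner hash of the empty text/plain 404
TEAMSERVER_PORT = 50050             # default team server port
CS_JARMS = {"07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2"}

# The same pivots as Shodan query strings, for `shodan search` / `shodan download`
SHODAN_QUERIES = [
    f"ssl.cert.serial:{DEFAULT_CERT_SERIAL}",
    f"hash:{DEFAULT_404_HASH} port:{TEAMSERVER_PORT}",
    f"ssl.jarm:{next(iter(CS_JARMS))}",
]


def looks_like_cs_404(banner: str) -> bool:
    """True if a raw HTTP banner is the bare 404 shown in the thread: status 404,
    text/plain, zero length, and no headers beyond Date/Content-Type/Content-Length."""
    head = banner.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 404"):
        return False
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return (set(headers) == {"date", "content-type", "content-length"}
            and headers["content-type"] == "text/plain"
            and headers["content-length"] == "0")


def indicator_families(svc: dict) -> set:
    """Map one Shodan service record to the indicator families it matches.
    Hash and banner are one family: they are the same signal seen two ways."""
    fams = set()
    ssl = svc.get("ssl") or {}
    if (ssl.get("cert") or {}).get("serial") == DEFAULT_CERT_SERIAL:
        fams.add("cert")
    if ssl.get("jarm") in CS_JARMS:
        fams.add("jarm")
    if svc.get("hash") == DEFAULT_404_HASH or looks_like_cs_404(svc.get("data", "")):
        fams.add("http404")
    if svc.get("port") == TEAMSERVER_PORT:
        fams.add("teamserver_port")
    return fams


def triage(host: dict) -> dict:
    """Combine all services of a host. The default cert serial is specific enough on
    its own; JARM or the 404 alone is the false-positive source the thread warns
    about (any Java TLS stack, any minimal 404), so require a second family."""
    fams = set()
    for svc in host.get("data", []):
        fams |= indicator_families(svc)
    if "cert" in fams or len(fams) >= 2:
        verdict = "likely"
    elif fams:
        verdict = "weak"
    else:
        verdict = "none"
    return {"ip": host.get("ip_str"), "indicators": sorted(fams), "verdict": verdict}


def triage_all(hosts) -> dict:
    return {r["ip"]: r for r in map(triage, hosts)}


CS_404 = ("HTTP/1.1 404 Not Found\r\nDate: Mon, 6 Sep 2021 17:00:39 GMT\r\n"
          "Content-Type: text/plain\r\nContent-Length: 0\r\n\r\n")
NGINX_200 = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Mon, 6 Sep 2021 17:00:39 GMT\r\n"
             "Content-Type: text/html\r\nContent-Length: 612\r\n\r\n")

# Constructed sample records (RFC 5737 addresses), not real Shodan results
SAMPLE_HOSTS = [
    {"ip_str": "198.51.100.10", "data": [          # team server: all three pivots line up
        {"port": 50050, "hash": DEFAULT_404_HASH, "data": CS_404,
         "ssl": {"cert": {"serial": DEFAULT_CERT_SERIAL}, "jarm": next(iter(CS_JARMS))}}]},
    {"ip_str": "198.51.100.20", "data": [          # unrelated TLS server whose JARM collides
        {"port": 443, "hash": 731952217, "data": NGINX_200,
         "ssl": {"cert": {"serial": 99}, "jarm": next(iter(CS_JARMS))}}]},
    {"ip_str": "198.51.100.30", "data": [          # minimal 404 on port 80, nothing else
        {"port": 80, "hash": DEFAULT_404_HASH, "data": CS_404}]},
    {"ip_str": "198.51.100.40", "data": [
        {"port": 22, "hash": 1, "data": "SSH-2.0-OpenSSH_8.4\r\n"}]},
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_HOSTS).values():
        print(json.dumps(r))
```

Only the first constructed host comes out "likely"; the JARM-only and 404-only hosts are "weak" and are the ones to confirm by hand (for example with the Nmap beacon-config script the thread uses next) before treating them as C2.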
I scanned the suspicious server with the Nmap script from @notwhickey
github.com/whickey-r7/gra…
C2: updata.flash-tool[.]ml
From the scan results we can recover the beacon configuration: where injected shellcode is spawned (spawnto), the watermark, the sleep/beacon interval, and so on.
From there you can pivot to VirusTotal for additional context:
virustotal.com/gui/file/90f67…
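To show what the beacon configuration recovered above looks like on the wire, an added example (not the thread author's code and not the Nmap script's): it assumes the publicly documented Beacon config layout, a table of big-endian TLV settings (index, type, length, value) XOR-ed with a single byte (0x69 in 3.x, 0x2e in 4.x), builds a constructed sample config in that layout, embeds it in filler bytes and parses it back, recovering the spawnto paths, watermark and sleep time. The setting indices come from public Beacon config parsers; the sample values, the C2 name and the filler are assumptions for the demo.

```python
"""Build and parse a Cobalt Strike-style Beacon configuration block.

Added example, not from the thread or the Nmap script. Assumed layout (as
documented by public Beacon config parsers): a table of settings, each a
big-endian TLV of index u16, type u16, length u16, value; the whole table is
XOR-ed with one byte (0x69 for 3.x, 0x2e for 4.x) and NUL-padded. The sample
config below is constructed for the demo.
"""
import struct

XOR_KEYS = (0x2E, 0x69)                 # 4.x first, then 3.x
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3

# Setting indices used here (subset, from public Beacon config parsers)
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    8: "C2Server", 9: "UserAgent", 29: "spawnto_x86", 30: "spawnto_x64", 37: "Watermark",
}


def encode_setting(index: int, type_: int, value) -> bytes:
    """One TLV entry; data values are stored as-is, so pad them to the slot size."""
    if type_ == TYPE_SHORT:
        body = struct.pack(">H", value)
    elif type_ == TYPE_INT:
        body = struct.pack(">I", value)
    else:
        body = value if isinstance(value, bytes) else value.encode()
    return struct.pack(">HHH", index, type_, len(body)) + body


def build_config(settings, xor_key: int = 0x2E, pad_to: int = 0x1000) -> bytes:
    """Concatenate the TLVs, NUL-pad to a fixed block size, XOR with the key."""
    raw = b"".join(encode_setting(i, t, v) for i, t, v in settings)
    raw += b"\x00" * (pad_to - len(raw))
    return bytes(b ^ xor_key for b in raw)


def find_config(blob: bytes):
    """Locate the table by searching for the XOR-ed header of the first setting
    (index 1 = BeaconType, type short, length 2). Returns (key, offset) or None."""
    for key in XOR_KEYS:
        marker = bytes(b ^ key for b in struct.pack(">HHH", 1, TYPE_SHORT, 2))
        off = blob.find(marker)
        if off != -1:
            return key, off
    return None


def parse_config(blob: bytes):
    """Decode the table into {setting name: value}; stops at the NUL padding."""
    found = find_config(blob)
    if found is None:
        raise ValueError("no Beacon config marker found")
    key, off = found
    data = bytes(b ^ key for b in blob[off:])
    settings, pos = {}, 0
    while pos + 6 <= len(data):
        index, type_, length = struct.unpack_from(">HHH", data, pos)
        if index == 0:                  # end of table (padding)
            break
        pos += 6
        value = data[pos:pos + length]
        pos += length
        if type_ == TYPE_SHORT:
            value = struct.unpack(">H", value)[0]
        elif type_ == TYPE_INT:
            value = struct.unpack(">I", value)[0]
        else:
            value = value.rstrip(b"\x00").decode("latin-1")
        settings[SETTING_NAMES.get(index, f"setting_{index}")] = value
    return key, settings


# Constructed sample config (values are assumptions, not a real beacon)
SAMPLE = [
    (1, TYPE_SHORT, 8),                                     # BeaconType 8 = HTTPS
    (2, TYPE_SHORT, 443),
    (3, TYPE_INT, 60000),                                   # sleep 60 s
    (5, TYPE_SHORT, 20),                                    # jitter 20 %
    (8, TYPE_DATA, b"c2.example.invalid,/jquery-3.3.1.min.js".ljust(256, b"\x00")),
    (29, TYPE_DATA, b"%windir%\\syswow64\\rundll32.exe".ljust(64, b"\x00")),
    (30, TYPE_DATA, b"%windir%\\sysnative\\rundll32.exe".ljust(64, b"\x00")),
    (37, TYPE_INT, 305419896),                              # watermark (licence ID)
]
# Mimic a stager: filler bytes around the encoded table
STAGER = b"\x90" * 64 + build_config(SAMPLE) + b"\xcc" * 16

if __name__ == "__main__":
    key, cfg = parse_config(STAGER)
    print(f"xor key 0x{key:02x}")
    for name, value in cfg.items():
        print(f"{name:12} {value}")
```

The marker search is the same trick a config extractor uses on a downloaded stager: try each known XOR key and look for the encoded BeaconType header, then decode forward until the padding. On a real beacon the spawnto, watermark and sleep values read out here are the ones the thread reports from the Nmap scan.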