With the release of my open-source #CobaltStrike stager decoder (which you can read about here: stairwell.com/news/stairwell…), I thought I'd make a thread showcasing some of the other great open-source tooling out there to help with Cobalt Strike #ThreatHunting and #ThreatIntel 🧵
github.com/RomanEmelyanov…: These are the OG scripts designed for interfacing with Team Servers. This GitHub account is famous for its get_beacon script, which pulls staged payloads from Team Servers and decrypts them, and it also has a script for logging into teamservers, plus wordlists 💀
github.com/JPCERTCC/aa-to…: The first Cobalt Strike Beacon configuration extractor that I was aware of. @jpcert_en created a Volatility plugin for finding and parsing Beacon configs from memory.
github.com/sysopfb/malwar…: @sysopfb's OG standalone static decoder for Beacons, which is still useful today because it brute-forces the config's single-byte XOR key, so it handles modified Beacons that don't use the default 0x69 or 0x2e.
github.com/Sentinel-One/C…: @gal_kristal's industry-standard config parser, which has since grown to also pull Beacons using Roman's get_beacon logic and includes a PoC for communicating with Team Servers. This has really paved the way for mass-scanning of teamservers (scroll down!).
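To show what these config extractors actually do under the hood, here is an added example written for this thread (not code from any of the projects above). It assumes the publicly documented Beacon config layout: big-endian TLV records XOR'd with a single byte, starting with the BeaconType record. It recovers the key by searching for the XOR'd form of that fixed prefix, trying the defaults first and then all 256 values, then walks the records. The sample blob is constructed, not a real Beacon.

```python
import struct
# Beacon configs are TLV records, big-endian: 2-byte index, 2-byte type (1 = short,
# 2 = int, 3 = bytes), 2-byte length, value. Record 1 (BeaconType, a short) is first,
# so plaintext always begins 00 01 00 01 00 02 regardless of the build.
CONFIG_PREFIX = bytes.fromhex("000100010002")
KNOWN_KEYS = (0x69, 0x2E)  # v3 / v4 defaults; modified builds may use others
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 5: "Jitter", 8: "C2Server"}

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_config(blob: bytes):
    """Try the default keys, then every other byte; return (key, offset) of the prefix."""
    for key in (*KNOWN_KEYS, *(k for k in range(256) if k not in KNOWN_KEYS)):
        off = blob.find(xor(CONFIG_PREFIX, key))
        if off != -1:
            return key, off
    return None

def parse_config(blob: bytes) -> dict:
    """Locate, decode and walk the TLV records up to the zero terminator."""
    hit = find_config(blob)
    if hit is None:
        raise ValueError("no Beacon config prefix under any single-byte XOR key")
    key, off = hit
    data = xor(blob[off:], key)
    fields, pos = {"xor_key": key}, 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        if idx == 0:  # terminator record
            break
        raw = data[pos + 6:pos + 6 + length]
        if typ == 1:
            value = struct.unpack(">H", raw)[0]
        elif typ == 2:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\x00")
        fields[FIELD_NAMES.get(idx, f"field_{idx}")] = value
        pos += 6 + length
    return fields

def build_sample(key: int) -> bytes:
    """Constructed stand-in for a Beacon (not a real payload): five records XOR'd with key."""
    recs = (struct.pack(">HHHH", 1, 1, 2, 0)         # BeaconType 0 (HTTP)
            + struct.pack(">HHHH", 2, 1, 2, 443)     # Port
            + struct.pack(">HHHI", 3, 2, 4, 60000)   # SleepTime (ms)
            + struct.pack(">HHHH", 5, 1, 2, 10)      # Jitter
            + struct.pack(">HHH", 8, 3, 16) + b"example.invalid".ljust(16, b"\x00")
            + b"\x00" * 6)                           # terminator
    return b"MZ\x90\x00" + b"\xcc" * 32 + xor(recs, key) + b"\xcc" * 8
```

Real configs carry many more indices (the C2 server field, for instance, is 256 bytes) and recent builds may hide the config further, which is why the full parsers above are still the tools to reach for.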
github.com/nccgroup/pybea…: @buffaloverflow's more robust tooling for emulating Cobalt Strike's C2 protocols, which at one time also included a PoC for exploiting them!
github.com/CCob/BeaconEye: @_EthicalChaos_'s BeaconEye, which scans all processes on a machine for an injected Cobalt Strike Beacon and, if it finds one, prints all C2 traffic between the Beacon and its C2.
With these tools, there are now quite a few ways to keep tabs on Cobalt Strike internet-wide. Here are some great accounts of people to follow who are already keeping tabs: