Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
December 20, 2020 18:45
December 20, 2020 18:45
December 20, 2020 18:45
December 20, 2020 18:45
December 20, 2020 18:45
January 20, 2021 19:02

Cobalt Strike Resources

This repository contains:

  • a script to analyze a Cobalt Strike beacon (python BEACON)
  • extract a beacon from an encrypted beacon
  • library containing functions for the other scripts
  • output.csv: CSV file containing CS servers identified online in Dec 2020
  • rules.yar: Yara rules for CS beacons
  • script to scan a list of servers (python FILE)
  • : script to scan a server (python IP)

You can see my blog post Analyzing Cobalt Strike for Fun and Profit for more information.

Identifying a Cobalt Strike server

  • Default HTTPs certificate is self-signed with serial number 146473198 (sha256: 87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c)
  • Default JARM signature can be (see this article)
    • 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 for Java 11 Stack
    • 2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53 for Java 13 Stack
    • 07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175 for Java 1.8 Stack
    • 05d14d16d04d04d05c05d14d05d04d4606ef7946105f20b303b9a05200e829 for Java 1.9 Stack
  • Check for valid beacon url on port 80 or 443 such as:
    • /aaa9 or /aab8 for 32b beacons
    • /aab9 ou /aac8 for 64b beacons

If it is indeed a Cobalt Strike server, you can get the payload and extract its configutation with the script

$ python https://45.77.249.XXX/
Checking https://45.77.249.XXX/
Configuration of the x86 payload:
dns                            False
ssl                            True
port                           443
.sleeptime                     60000
.jitter                        0
.maxdns                        255
publickey                      30819f300d06092a864886f70d010101050003818d0030818902818100ecec56e6ee516018c3152b6239b1f29f1ef930e6ce0695e62e7bdaee69f5a1e432563111f97ea180b4f095be6491f566e39ee8448b071635cfb99e8839f9de4db9c5e1319164ad7b699355fdca04358eaabe1872f5e139a71dfbe2db793c2bfe198ece6bae8544503f72e4e2d4c1df76d239fa7837450eb894eabb164e00aeff020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.http-get.uri                  45.77.249.XXX,/updates.rss

x86_64: Payload not found

Analyzing a Cobalt Strike beacon

When you get a Cobalt Strike beacon, it can be a PE file, or an encrypted payload. This repository provides yara rules to check files:

$ yara ../github/rules.yar payload
CS_encrypted_beacon_x86 payload

If it is indeed a beacon, you can extract the configuration with the analyze script:

$ python ../github/
Unknown config command 58
Unknown config command 57
dns                            False
ssl                            True
port                           443
.sleeptime                     60000
.jitter                        0
.maxdns                        255
publickey                      30819f300d06092a864886f70d010101050003818d00308189028181008d12bd5ea1b3827d29393c82876d00351750a28d9ffd634cdeadd0a921435d915dd6422f92c1a19bbef39d3028a19138446810f9e87e492b0adc54b8482f7d3bab264c48d1dd19fbb2be18ec427d10225533422d2c69c209cc7db5f6f1bcf449c294f4cc89493da6ced72d8f444d462efc32330f71ab3fe10c151fa8752e239d020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.http-get.uri                  [REDACTED],/pixel.gif
.user-agent                    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
.http-post.uri                 /submit.php
.http-get.client               Cookie

Credits and license

Credits : Amnesty Tech

This code is published under the MIT license.


Code and yara rules to detect and analyze Cobalt Strike







No releases published


No packages published