Unmasking Cobalt Strike: A Shodan-Powered Hunt
Article by Zaki Pedio
Introduction
Cobalt Strike, a powerful adversary simulation platform, has become a favored tool among legitimate security professionals and malicious actors alike. With its sophisticated capabilities, Cobalt Strike enables attackers to conduct advanced cyber attack scenarios, from spear phishing and privilege escalation to data exfiltration. This blog post aims to provide insights into the workings of Cobalt Strike, its appeal to state-sponsored actors, and how Shodan, a powerful search engine for connected devices, can be leveraged to detect its presence on the internet.
Understanding Command and Control (C2) Servers and Cobalt Strike
What is Cobalt Strike and How Does It Work?
Cobalt Strike, developed by Raphael Mudge, is an advanced adversary simulation platform primarily designed for penetration testers. It offers a comprehensive suite of built-in tools that allow users to simulate complex cyber attack scenarios. Thanks to its modular architecture, these capabilities span the whole intrusion chain, from spear phishing and privilege escalation to lateral movement and data exfiltration.

Why Do State-Sponsored Actors Use Cobalt Strike and How Powerful Is It?
State-sponsored actors often opt for Cobalt Strike due to its advanced capabilities, enabling them to execute complex and coordinated cyber attack campaigns. The platform's versatility allows for the customization of attack vectors, making it adaptable to various target environments and scenarios. Cobalt Strike's interactive post-exploit capabilities cover a wide range of ATT&CK tactics, providing attackers with a single, integrated system for executing their operations. Despite its steep licensing fee and export controls aimed at restricting its use to legitimate security professionals, the platform's effectiveness and wide adoption by security professionals further emphasize its power and appeal to state-sponsored threat actors.

The Power of Shodan in Open-Source Intelligence (OSINT)
What is Shodan and How Does It Work?
Often referred to as the "search engine for the Internet of Things (IoT)" or "Google for hackers," Shodan scans the internet for connected devices, collecting data on open ports, services, and even banner information. Unlike traditional search engines, Shodan provides a comprehensive view of the Internet's exposed infrastructure, making it an invaluable tool for Open-Source Intelligence (OSINT) gathering.

How Is Shodan Used for Mapping and Footprinting in OSINT?
In the realm of OSINT, Shodan plays a crucial role in mapping and footprinting target networks. Security professionals and threat actors alike utilize Shodan to identify exposed services, potential vulnerabilities, and specific devices or systems that may be susceptible to exploitation. By analyzing the data collected by Shodan, analysts can gain insights into an organization's attack surface, helping them understand potential risks and devise effective mitigation strategies.

Detecting Cobalt Strike with Shodan
Identifying Cobalt Strike servers in the wild requires a multi-faceted approach, leveraging various detection methods and indicators. Shodan, with its extensive scanning capabilities, plays a pivotal role in this endeavor. Below, we explore several techniques and examples used to detect Cobalt Strike servers using Shodan:
Shodan Product: "Cobalt Strike Beacon"
Shodan allows for the identification of Cobalt Strike servers by filtering results based on the "Cobalt Strike Beacon" product tag. This specific product tag denotes servers that are likely hosting the Cobalt Strike Beacon, a component used by attackers to communicate with compromised systems. By focusing on servers tagged with "Cobalt Strike Beacon," security researchers can pinpoint potential instances of Cobalt Strike activity, providing valuable insights into the infrastructure used by malicious actors. Shodan query:

Default Security Certificate Fingerprinting
One of the most reliable methods for identifying Cobalt Strike servers is by fingerprinting the default security certificate they ship with. This default certificate remains unchanged unless manually updated by the administrator. Shodan query:

Controller Port Identification
The default controller port for Cobalt Strike Team Server is 50050/TCP, typically not found open on other servers. While this port can strongly indicate Cobalt Strike activity, it's essential to note that it shouldn't be relied upon as the sole indicator, as it could result in false positives. Shodan query:

JARM TLS Fingerprint
JARM is a tool designed to fingerprint TLS servers based on their unique responses to a fixed set of probes. When scanning a Cobalt Strike server with JARM, the resulting fingerprint depends on the Java version the Team Server runs on. According to Cobalt Strike's documentation, the preferred Java version for operators is OpenJDK 11, which narrows down the JARM values to look for and so simplifies the identification of potential Cobalt Strike servers. However, it's crucial to note that this method can also yield false positives: many legitimate servers on the internet run their web applications on OpenJDK 11 and produce the same fingerprint, complicating the differentiation between benign and malicious instances. Other JARMs related to Cobalt Strike servers can be found at https://github.com/carbonblack/active_c2_ioc_public/blob/main/cobaltstrike/JARM/jarm_cs_202107_uniq_sorted.txt
Shodan query:
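The four indicators above (product tag, default certificate fingerprint, controller port 50050 and JARM) are most useful when combined, since the port and the JARM on their own produce false positives. The following script is an added example, not code from the article or from the C2Watch project: it takes Shodan-style host records, checks each against the four indicators and assigns one verdict per host, weighting the product tag and default certificate as strong and the port and JARM as weak. The record layout (ip_str, port, product, ssl.cert.fingerprint.sha256, ssl.jarm) is assumed to follow Shodan's banner JSON; the certificate hash and JARM values are placeholders, because the article does not list them, and the sample records are constructed.

```python
"""Triage of Shodan-style host records against the Cobalt Strike indicators in the article.

Added example, not code from the article or the C2Watch project. The JSON layout
(ip_str, port, product, ssl.cert.fingerprint.sha256, ssl.jarm) is assumed to follow
Shodan's banner format; the indicator values below are constructed placeholders.
"""
from typing import Dict, List

# --- Indicator sets (placeholders; the article does not list the real values) ---
PRODUCT_TAG = "Cobalt Strike Beacon"            # Shodan product tag named in the article
CONTROLLER_PORT = 50050                          # default Team Server controller port (article)
DEFAULT_CERT_SHA256 = {"PLACEHOLDER_DEFAULT_CERT_SHA256"}  # assumption: fill from a trusted source
KNOWN_JARMS = {"PLACEHOLDER_JARM_OPENJDK11"}     # assumption: fill from the carbonblack JARM list

# Weights follow the article's reliability ranking: product tag and default certificate
# are strong; the controller port and the JARM alone are prone to false positives.
STRONG, WEAK = 2, 1


def indicators_for(record: dict) -> Dict[str, int]:
    """Return the names of the indicators that match this record, mapped to their weight."""
    hits: Dict[str, int] = {}
    if record.get("product") == PRODUCT_TAG:
        hits["product_tag"] = STRONG
    ssl = record.get("ssl") or {}
    sha256 = ((ssl.get("cert") or {}).get("fingerprint") or {}).get("sha256")
    if sha256 and sha256.lower() in {h.lower() for h in DEFAULT_CERT_SHA256}:
        hits["default_certificate"] = STRONG
    if record.get("port") == CONTROLLER_PORT:
        hits["controller_port"] = WEAK
    if ssl.get("jarm") in KNOWN_JARMS:
        hits["jarm"] = WEAK
    return hits


def verdict(hits: Dict[str, int]) -> str:
    """'likely' on any strong indicator or two weak ones, 'possible' on a single weak one."""
    score = sum(hits.values())
    if score >= STRONG:
        return "likely"
    if score == WEAK:
        return "possible"
    return "none"


def triage(records: List[dict]) -> Dict[str, dict]:
    """Group records by IP, merge indicators seen on any port, and assign one verdict per host."""
    per_host: Dict[str, Dict[str, int]] = {}
    for rec in records:
        merged = per_host.setdefault(rec["ip_str"], {})
        for name, weight in indicators_for(rec).items():
            merged[name] = max(weight, merged.get(name, 0))
    return {ip: {"verdict": verdict(h), "indicators": sorted(h)} for ip, h in per_host.items()}


# Constructed sample records (not real scan data); TEST-NET addresses only.
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.10", "port": 443, "product": "Cobalt Strike Beacon",
     "ssl": {"cert": {"fingerprint": {"sha256": "deadbeef"}}, "jarm": "PLACEHOLDER_JARM_OPENJDK11"}},
    {"ip_str": "192.0.2.10", "port": 50050, "product": None, "ssl": {}},
    {"ip_str": "192.0.2.20", "port": 50050, "product": None, "ssl": {}},  # controller port only
    {"ip_str": "192.0.2.30", "port": 8443, "product": "nginx",
     "ssl": {"cert": {"fingerprint": {"sha256": "PLACEHOLDER_DEFAULT_CERT_SHA256"}}}},
    {"ip_str": "192.0.2.40", "port": 443, "product": "Apache Tomcat",
     "ssl": {"jarm": "PLACEHOLDER_JARM_OPENJDK11"}},  # JARM only: an OpenJDK 11 web app
]

if __name__ == "__main__":
    for ip, result in triage(SAMPLE_RECORDS).items():
        print(ip, result["verdict"], result["indicators"])
```

Run as-is, the sample host 192.0.2.20 (port 50050 only) and 192.0.2.40 (JARM only) come out as "possible" rather than "likely", which is the false-positive caveat from the text expressed as a rule; a host that shows the product tag or the default certificate is rated "likely" on that evidence alone. Feeding real Shodan results into triage() only requires the JSON banners from the API client, and the indicator sets should be filled from the sources cited in the sitography.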

Conclusion
Detecting and understanding the presence of Cobalt Strike servers is crucial for organizations aiming to safeguard their networks against advanced threats. Leveraging Shodan's extensive capabilities provides a powerful means to identify and map out potential Cobalt Strike activity. By employing a combination of techniques, from fingerprinting default certificates to analyzing unique HTTP responses and TLS fingerprints, security professionals can gain valuable insights into the presence and behavior of Cobalt Strike servers within their environment.
However, it's important to note that these are just a few of the techniques available for identifying Cobalt Strike servers. For a deeper understanding and to explore more comprehensive detection methods, I encourage reading the insightful articles in the sitography and conducting further research.
Furthermore, the widespread use of Cobalt Strike by state-sponsored actors highlights its effectiveness as a penetration testing tool, but also underscores its attractiveness to malicious actors for conducting cyber-espionage, data theft, and other nefarious activities. Being proactive in monitoring and detecting Cobalt Strike activity can significantly enhance an organization's security posture, enabling timely response and mitigation measures.
In an ever-evolving threat landscape, continuous monitoring, intelligence-driven analysis, and robust defensive strategies are essential components of a resilient cybersecurity framework. By staying informed and vigilant, organizations can effectively counter the threats posed by tools like Cobalt Strike and safeguard their digital assets against sophisticated adversaries.

My personal framework: C2Watch
While creating this article I also made an ugly and rudimental Threat Intelligence framework to monitor C2 in the wild. If you are interested, you can improve it by contributing to the project.

Sitography