Hunting for Cobalt Strike with Shodan

Published by Reza Rafati on

Cobalt Strike developed for red teaming exercises is being abused by cybercriminals. It contains all of the tools an attacker would need to accomplish their campaign target. The tool has been developed by Raphael Mudge and you can actually buy it via the official Cobalt Strike website.

Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network.

Cobalt Strike

Hunting for Cobalt Strike with Shodan

We have now done a couple of posts on Shodan, and everytime we have been able to find some interesting items. In this case, we will be hunting for Cobalt Strike C2 servers by performing some hunts via Shodan.

Time needed: 15 minutes.

The Cobalt Strike hunting steps are very straight forward, you just need to know where to start.

  1. Login to your Shodan account

    Navigate to the official shodan.io website and log-in to your account.

  2. Try to find it by the default Cobalt Strike certificate

    The following SSL CERT serial will help you to find Cobalt Strike C2 on Shodan: ssl.cert.serial:146473198Shodan Cobalt Strike C2

  3. Try to find it by the HASH and port 50050

    You can use the following hash ‘-2007783223‘ and the port ‘50050‘ in the Shodan query to quickly find Cobalt Strike C2 servers. Use the following query:
    hash:-2007783223 port:”50050″Shodan Cobalt Strike beacon hunting by hash

  4. Utilize JARM for hunting

    The following JARM checksum can be used to find Cobalt Strike beacons on Shodan, do note, there are multiple JARM checksums that can be used, so do look around. The query to be put into Shodan is:
    ssl.jarm:07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2Using JARM to hunt Cobalt Strike beacons

  5. Cobalt Strike hunting by product name

    Yes, you can actually find Cobalt Strike beacons by searching for the product name. Try the following query:
    product:”Cobalt Strike Beacon”Cobalt Strike by product

  6. Utilize scripts made by various security teams

    The following security teams have crafted tools that help you to hunt down Cobalt Strike C2 servers. JPCERT, Sentinel-One, Didier Stevens, Roman Emelynaov. For example, this one allows you to use nMap to perform the hunts for Cobalt Strike.

Type of huntFP sensitiveAmount
Certificate serialNo696
Hash and portYes953
JARM huntingYes562
Cobalt Strike hunting scriptsNoDepends on scan
Cobalt Strike by product nameNo2589
A quick summary of what you can expect

Awesome GIT repo by Michael Koczwara

Michael has made a nice repo on Github with tips and tricks on how to hunt for Cobalt Strike beacons. I really recommend that you check the repository out.

additionally, if you want to get a better understanding of how Cobalt Strike works, then do check this blog out. If you liked this summary on how to do Cobalt Strike hunting with Shodan, then please do share it around.

Share this information
Categories: How to

Reza Rafati

Founder of Cyberwarzone.com.