# Volatility Plugin for Detecting Cobalt Strike Beacon **[blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html](https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html)** [JPCERT/CC](https://blogs.jpcert.or.jp/en/retiree_blog/) August 3, 2018 [Python](https://blogs.jpcert.or.jp/en/tags/python/) [Email](http://10.10.0.46/mailto:?subject=Volatility%20Plugin%20for%20Detecting%20Cobalt%20Strike%20Beacon&body=https%3A%2F%2Fblogs.jpcert.or.jp%2Fen%2F2018%2F08%2Fvolatility-plugin-for-detecting-cobalt-strike-beacon.html) JPCERT/CC has observed some Japanese organisations being affected by cyber attacks leveraging “Cobalt Strike” since around July 2017. It is a commercial product that simulates targeted attacks [1], often used for incident handling exercises, and likewise it is an easy-touse tool for attackers. Reports from LAC [2] and FireEye [3] describe details on Cobalt Strike and actors who conduct attacks using this tool. Cobalt Strike is delivered via a decoy MS Word document embedding a downloader. This will download a payload (Cobalt Strike Beacon), which will be executed within the memory. Since Cobalt Strike Beacon is not saved on the filesystem, whether a device is infected cannot be confirmed just by looking for the file itself. There is a need to look into memory dump or network device logs. This article is to introduce a tool that we developed to detect Cobalt Strike Beacon from the memory. It is available on GitHub - Feel free to try from the following webpage: JPCERTCC/aa-tools · GitHub [https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py](https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py) **Tool details** This tool works as a plugin for The Volatility Framework (hereafter “Volatility”), a memory forensic tool. Here are the functions of cobaltstrikescan.py: cobaltstrikescan: Detect Cobalt Strike Beacon from memory image cobaltstrikeconfig: Detect Cobalt Strike Beacon from memory image and extract configuration To run the tool, save cobaltstrikescan.py in ”contrib/plugins/malware” folder in Volatility, and execute the following command: ----- ``` $python vol.py [cobaltstrikescan|cobaltstrikeconfig] f profile ``` Figure 1 shows an example output of cobaltstrikescan. You can see the detected process name (Name) and process ID (PID) indicating where the malware is injected to. Figure 1: Execution results of cobaltstrikescan Figure 2 shows an example output of cobalrstrikeconfig. Please refer to Appendix A for configuration details for Cobalt Strike Beacon. Figure 2: Execution results of cobaltstrikeconfig ----- **In closing** Actors using Cobalt Strike continue attacks against Japanese organisations. We hope this tool helps detecting the attack in an early stage. - Takuya Endo _(Translated by Yukako Uchida)_ **Reference** [1] Strategic Cyber LLC:COBALT STRIKE ADVANCED THREAT TACTICS FOR PANETRATION TESTERS ----- [https://www.cobaltstrike.com/](https://www.cobaltstrike.com/) [2] LAC: New attacks by APT actors menuPass (APT10) observed (Japanese) [https://www.lac.co.jp/lacwatch/people/20180521_001638.html](https://www.lac.co.jp/lacwatch/people/20180521_001638.html) [3] FireEye: Privileges and Credentials: Phished at the Request of Counsel [https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html](https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html) [4] Cybereason: Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group [https://www.cybereason.com/blog/operation-cobalt-kitty-apt](https://www.cybereason.com/blog/operation-cobalt-kitty-apt) **Appendix A** Table A: Configuration format **Offset** **Length** **Description** 0x00 2 index (Refer to Table B) 0x02 2 Data length 1 = 2 byte, 2 = 4 byte, 3 = as specified in 0x04 0x04 2 Data length 0x06 As specified in 0x04 Data Table B: Configuration **Offset** **Description** **Remarks** 0x01 BeaconType 0=HTTP, 1=Hybrid HTTP and DNS, 8=HTTPS 0x02 Port number 0x03 Polling time 0x04 Unknown 0x05 Jitter Ratio of jitter in polling time (0-99%) 0x06 Maxdns Maximum length of host name when using DNS (0-255) 0x07 Unknown ----- **Offset** **Description** **Remarks** 0x08 Destination host 0x09 User agent 0x0a Path when communicating HTTP_Header2 0x0b Unknown 0x0c HTTP_Header1 0x0d HTTP_Header2 0x0e Injection process 0x0f Pipe name 0x10 Year Stops operating after the specified date by Year, Month, Day 0x11 Month 0x12 Day 0x13 DNS_idle 0x14 DNS_Sleep 0x1a HTTP_Method1 0x1b HTTP_Method2 0x1c Unknown 0x1d Process to inject arbitrary shellcode (32bit) 0x1e Process to inject arbitrary shellcode (64bit) 0x1f Unknown 0x20 Proxy server name 0x21 Proxy user name 0x22 Proxy password ----- **Offset** **Description** **Remarks** 0x23 AccessType 1 = Do not use proxy server 2 = Use IE configuration in the registry 4 = Connect via proxy server 0x24 create_remote_thread Flag whether to allow creating threads in other processes 0x25 Not in use [Email](http://10.10.0.46/mailto:?subject=Volatility%20Plugin%20for%20Detecting%20Cobalt%20Strike%20Beacon&body=https%3A%2F%2Fblogs.jpcert.or.jp%2Fen%2F2018%2F08%2Fvolatility-plugin-for-detecting-cobalt-strike-beacon.html) Author [JPCERT/CC](https://blogs.jpcert.or.jp/en/retiree_blog/) Please use the below contact form for any inquiries about the article. Was this page helpful? 0 people found this content helpful. If you wish to make comments or ask questions, please use this form. This form is for comments and inquiries. For any questions regarding specific commercial products, please contact the vendor. please change the setting of your browser to set JavaScript valid. Thank you! ## Related articles Analysis of HUI Loader ----- Anti-UPX Unpacking Technique FAQ: Malware that Targets Mobile Devices and How to Protect Them Malware WinDealer used by LuoYu Attack Group Malware Gh0stTimes Used by BlackTech [Back](https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html) [Top](https://blogs.jpcert.or.jp/en/) [Next](https://blogs.jpcert.or.jp/en/2018/09/visualise-sysmon-logs-and-detect-suspicious-device-behaviour--sysmonsearch.html) -----