{
	"id": "d13e4a8c-74ec-497a-abab-b1aa6481227c",
	"created_at": "2026-04-06T00:09:08.289816Z",
	"updated_at": "2026-04-10T13:11:44.755716Z",
	"deleted_at": null,
	"sha1_hash": "6d6de03a9562a4a53703320431ce705ef720a9ad",
	"title": "The default: 63 6f 62 61 6c 74 strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1583550,
	"plain_text": "The default: 63 6f 62 61 6c 74 strike\r\nBy Intel Operator\r\nPublished: 2021-09-17 · Archived: 2026-04-05 20:55:35 UTC\r\nGrabbing the configs\r\nSo the first thing we do is run cb_looper against the Shodan export to collect all the major and minor Cobalt Strike\r\nconfigs exported into a Splunk index for later parsing and analysis.\r\nThe below image is the cb_looper log file, and as we can see, we have started to collect major and minor\r\nconfigurations, plus some IPs do not have enumerable beacon configs.\r\nLogging is working!\r\nhttps://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7\r\nPage 1 of 5\n\nAfter looper has finished, we can check to ensure the configurations were extracted and have the correct\r\ninformation we need, as displayed below.\r\nExample Beacon config\r\nLet’s check the Splunk!\r\nAs we can see, all the configurations are indexed within Splunk correctly. There are approx. 
40 or so fields that\r\ncontain the data we need (image was snipped for visibility).\r\nIf you are doing this yourself and using Splunk's data models, I suggest you rename the fields with\r\nspaces and join certain fields like C2, user agent, etc.\r\n|rename \"x64.config.C2 Server\" as x64c2\r\n|rename \"x86.config.C2 Server\" as x86c2\r\n|rename \"x86.config.User Agent\" as x86ua\r\n|rename \"x64.config.User Agent\" as x64ua\r\n|rename \"x64.config.Spawn To x86\" as x64spwnx86\r\n|rename \"x64.config.Spawn To x64\" as x64spwnx64\r\nSplunk data.\r\nC2 Port %\r\nSo after I configured all the correct data models, I started analysing the data for this subset of C2 beacons and\r\nidentified that port:443 was the most popular and port:8443 was the least. 
It’s also interesting to note that not one\r\nof these beacons uses any custom ports.\r\nAfter that, I wanted to see the main injection processes, as seen below in the code snippet and image.\r\n\"%windir%\\syswow64\\WUAUCLT.exe\"\r\n\"%windir%\\syswow64\\WerFault.exe\"\r\n\"%windir%\\syswow64\\dllhost.exe\"\r\n\"%windir%\\syswow64\\eventvwr.exe\"\r\n\"%windir%\\syswow64\\msdt.exe\"\r\n\"%windir%\\syswow64\\mstsc.exe\"\r\n\"%windir%\\syswow64\\rundll32.exe\"\r\n\"%windir%\\syswow64\\spoolsv.exe\"\r\n\"%windir%\\syswow64\\svchost.exe -k netsvcs\"\r\nThen I checked the C2 URLs for both X86 and X64 beacons.\r\n[SNIP]\r\n\"121[.]4[.]213[.]91,/push\"\r\n\"129[.]28[.]201[.]96,/geo/collect/v1\"\r\n\"164[.]138[.]25[.]191,/resolve/alter/\"\r\n\"46[.]19[.]37[.]133,/resolve/alter/\"\r\n\"clubuz[.]com,/us/ky/louisville/312-s-fourth-st[.]html\"\r\n[SNIP]\r\nUser agents used for X64 beacons.\r\n[SNIP]\r\n\"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; InfoPath.3)\"\r\n\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; BOIE8;ENUS)\"\r\n\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2)\"\r\n\"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)\"\r\n\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0;) like Gecko\"\r\n\"Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40\"\r\n[SNIP]\r\nX64 Beacon Jitters\r\nFinally, I wanted to see if I could create detection methods based on time-based analysis, and I realised most of the\r\nbeacons use zero jitters, and none of the beacons uses any custom jitter, which is a bit sad :(.\r\nThanks for reading, and if you have any questions or “positive feedback”, feel free to reach out, and as always…..\r\nSource: 
https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7"
	],
	"report_names": [
		"the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434148,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d6de03a9562a4a53703320431ce705ef720a9ad.pdf",
		"text": "https://archive.orkl.eu/6d6de03a9562a4a53703320431ce705ef720a9ad.txt",
		"img": "https://archive.orkl.eu/6d6de03a9562a4a53703320431ce705ef720a9ad.jpg"
	}
}