{
	"id": "eb1eeb09-4fe6-49d1-95ab-e7c7bbe5b797",
	"created_at": "2026-04-06T00:08:40.989873Z",
	"updated_at": "2026-04-10T03:24:23.495268Z",
	"deleted_at": null,
	"sha1_hash": "8ce59ec67fa1b0be35ec51085440cac4dcdb45b5",
	"title": "Stats from Hunting Cobalt Strike Beacons",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 377684,
	"plain_text": "Stats from Hunting Cobalt Strike Beacons\r\nBy svch0st\r\nPublished: 2021-05-06 · Archived: 2026-04-05 13:18:03 UTC\r\nSome Statistics on Cobalt Strike Configs in April and May 2021\r\nCollected from over 1000 configurations, here are some high-level statistics that demonstrate some of the common trends among one of the most popular tools in an adversary’s arsenal. These configs were collected from live servers around early May 2021.\r\nIf you are interested in how the data was collected, scroll to the bottom of the article. Also, if you just want the raw data, here is a link.\r\nIf you want to read more about how the configurations are structured in Cobalt Strike payloads, this article is a good start:\r\nMost common watermark\r\nUnsurprisingly, the most common watermark was 0. The watermark of 0 is indicative of cracked versions of Cobalt Strike, which are commonly used by threat actors in their campaigns. More interestingly, 305419896, 1359593325, and 1580103814 all had configuration counts above 100.\r\nhttps://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b\r\nPage 1 of 4\r\nThe watermark 305419896 has been associated with the Maze ransomware:\r\nUser Agents\r\nBesides the standard user agents imitating web browsers, several configurations had the user agent of “Shockwave Flash”.\r\nInteresting URI\r\nThe more standard URIs of /submit.php and /jquery-3.3.2.min.js were the most common, but this one stood out to me:\r\n/r/webdev/comments/95lyr/slow_loading_of_google\r\nMost common process spawn targets\r\nThe default values of rundll32.exe were the most common.\r\nLooking at the information, I was most interested in some of the more custom values such as:\r\n%windir%\\syswow64\\eventvwr.exe\r\n%windir%\\syswow64\\backgroundtaskhost.exe\r\n%windir%\\system32\\mobsync.exe\r\n%windir%\\sysnative\\adobe64.exe\r\nHow I collected the Data\r\nI used 2 main queries to get as many C2 IPs as quickly as possible.\r\nRiskIQ prebuilt component to search for Cobalt Strike (requires a free account) (~8k IPs)\r\nA search on JARM hashes that I had found in a recent case (~10k IPs):\r\nJARMFuzzy: 07d14d16d21d21d07c42d41d00041d\r\nIf you want to learn more about JARM, which is developed by the Salesforce team, this is a great article:\r\nThis data contained many IPs that were burnt by the time of analysis; however, it still provided a decent enough dataset to get some results.\r\nRetrieving the Configs\r\nI had two ideas for harvesting configs; one would be downloading the binary payload from sources like VirusTotal and MalwareBazaar and parsing them.\r\nBut if we know the IPs already, let's just ask the servers for the config?\r\nThere are a bunch of awesome tools that exist for extracting and parsing Cobalt Strike beacon configs, but the one I used for this was an Nmap NSE script by Wade Hickey.\r\nI had added some error exception handling and, most importantly, an extra line to pull out the beacon watermark (or license number), which is very helpful for threat intelligence.\r\nSee my fork here:\r\nI then used the IP lists I had as input and ran the Nmap script.\r\nnmap --script=grab_beacon_config.nse -p 80,443,8080 -iL jarmfuzzy.txt -oA jarmfuzzy -T4\r\nThe output of the script will look something like this:\r\n|_grab_beacon_config: {\"x86\": {\"uri_queried\": \"\\/DxRN\", \"md5\": \"7118007ad133a9dcd59419beef0896a5\", \"c\r\nFrom there, it was an exercise of cleaning up the data into something usable and using Excel-fu to get some ugly pie graphs :)\r\nSource: https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b"
	],
	"report_names": [
		"stats-from-hunting-cobalt-strike-beacons-c17e56255f9b"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ce59ec67fa1b0be35ec51085440cac4dcdb45b5.pdf",
		"text": "https://archive.orkl.eu/8ce59ec67fa1b0be35ec51085440cac4dcdb45b5.txt",
		"img": "https://archive.orkl.eu/8ce59ec67fa1b0be35ec51085440cac4dcdb45b5.jpg"
	}
}