{
	"id": "2f689149-234c-4a11-8191-46c6ccd057bd",
	"created_at": "2026-04-06T00:09:07.393397Z",
	"updated_at": "2026-04-10T13:12:33.586279Z",
	"deleted_at": null,
	"sha1_hash": "e15f7532efb0ef38750132b7300d5b0e8c8960b6",
	"title": "Volatility Plugin for Detecting Cobalt Strike Beacon - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 646284,
	"plain_text": "Volatility Plugin for Detecting Cobalt Strike Beacon - JPCERT/CC Eyes\r\nBy JPCERT/CC\r\nPublished: 2018-08-02 · Archived: 2026-04-05 15:02:22 UTC\r\nPython\r\nJPCERT/CC has observed some Japanese organisations being affected by cyber attacks leveraging “Cobalt Strike” since around July 2017. It is a commercial product that simulates targeted attacks [1] and is often used for incident handling exercises; likewise, it is an easy-to-use tool for attackers. Reports from LAC [2] and FireEye [3] describe Cobalt Strike and the actors who conduct attacks using this tool in detail.\r\nCobalt Strike is delivered via a decoy MS Word document embedding a downloader. This downloads a payload (Cobalt Strike Beacon), which is executed in memory. Since Cobalt Strike Beacon is not saved on the filesystem, whether a device is infected cannot be confirmed just by looking for the file itself; memory dumps or network device logs need to be examined instead.\r\nThis article introduces a tool that we developed to detect Cobalt Strike Beacon in memory. It is available on GitHub; feel free to try it from the following webpage:\r\nJPCERTCC/aa-tools · GitHub\r\nhttps://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py\r\nTool details\r\nThis tool works as a plugin for The Volatility Framework (hereafter “Volatility”), a memory forensic tool. cobaltstrikescan.py provides the following functions:\r\ncobaltstrikescan: Detect Cobalt Strike Beacon in a memory image\r\ncobaltstrikeconfig: Detect Cobalt Strike Beacon in a memory image and extract its configuration\r\nTo run the tool, save cobaltstrikescan.py in the “contrib/plugins/malware” folder of Volatility and execute the following command:\r\n$ python vol.py [cobaltstrikescan|cobaltstrikeconfig] -f \u003cmemory.image\u003e --profile=\u003cprofile\u003e\r\nFigure 1 shows an example output of cobaltstrikescan. You can see the name (Name) and process ID (PID) of the process into which the malware was injected.\r\nFigure 1: Execution results of cobaltstrikescan\r\nhttps://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html\r\nPage 1 of 7\r\nFigure 2 shows an example output of cobaltstrikeconfig. Please refer to Appendix A for the configuration format of Cobalt Strike Beacon.\r\nFigure 2: Execution results of cobaltstrikeconfig\r\nIn closing\r\nActors using Cobalt Strike continue their attacks against Japanese organisations. We hope this tool helps detect such attacks at an early stage.\r\n- Takuya Endo\r\n(Translated by Yukako Uchida)\r\nReferences\r\n[1] Strategic Cyber LLC: COBALT STRIKE ADVANCED THREAT TACTICS FOR PENETRATION TESTERS\r\nhttps://www.cobaltstrike.com/\r\n[2] LAC: New attacks by APT actors menuPass (APT10) observed (Japanese)\r\nhttps://www.lac.co.jp/lacwatch/people/20180521_001638.html\r\n[3] FireEye: Privileges and Credentials: Phished at the Request of Counsel\r\nhttps://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html\r\n[4] Cybereason: Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group\r\nhttps://www.cybereason.com/blog/operation-cobalt-kitty-apt\r\nAppendix A\r\nTable A: Configuration format\r\nOffset | Length | Description\r\n0x00 | 2 | Index (refer to Table B)\r\n0x02 | 2 | Data length (1 = 2 byte, 2 = 4 byte, 3 = as specified in 0x04)\r\n0x04 | 2 | Data length\r\n0x06 | As specified in 0x04 | Data\r\nTable B: Configuration\r\nOffset | Description | Remarks\r\n0x01 | BeaconType | 0 = HTTP, 1 = Hybrid HTTP and DNS, 8 = HTTPS\r\n0x02 | Port number |\r\n0x03 | Polling time |\r\n0x04 | Unknown |\r\n0x05 | Jitter | Ratio of jitter in polling time (0-99%)\r\n0x06 | Maxdns | Maximum length of host name when using DNS (0-255)\r\n0x07 | Unknown |\r\n0x08 | Destination host |\r\n0x09 | User agent |\r\n0x0a | Path when communicating | HTTP_Header2\r\n0x0b | Unknown |\r\n0x0c | HTTP_Header1 |\r\n0x0d | HTTP_Header2 |\r\n0x0e | Injection process |\r\n0x0f | Pipe name |\r\n0x10 | Year | Stops operating after the specified date by Year, Month, Day\r\n0x11 | Month |\r\n0x12 | Day |\r\n0x13 | DNS_idle |\r\n0x14 | DNS_Sleep |\r\n0x1a | HTTP_Method1 |\r\n0x1b | HTTP_Method2 |\r\n0x1c | Unknown |\r\n0x1d | Process to inject arbitrary shellcode (32bit) |\r\n0x1e | Process to inject arbitrary shellcode (64bit) |\r\n0x1f | Unknown |\r\n0x20 | Proxy server name |\r\n0x21 | Proxy user name |\r\n0x22 | Proxy password |\r\n0x23 | AccessType | 1 = Do not use proxy server, 2 = Use IE configuration in the registry, 4 = Connect via proxy server\r\n0x24 | create_remote_thread | Flag whether to allow creating threads in other processes\r\n0x25 | Not in use |\r\nSource: https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html"
	],
	"report_names": [
		"volatility-plugin-for-detecting-cobalt-strike-beacon.html"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434147,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e15f7532efb0ef38750132b7300d5b0e8c8960b6.pdf",
		"text": "https://archive.orkl.eu/e15f7532efb0ef38750132b7300d5b0e8c8960b6.txt",
		"img": "https://archive.orkl.eu/e15f7532efb0ef38750132b7300d5b0e8c8960b6.jpg"
	}
}