For years, the Twitter account @cobaltstrikebot provided the cybersecurity community with invaluable threat intelligence on Cobalt Strike beacons detected in the wild.
Although the account went silent in June 2023, its legacy continues to inspire defenders to gather their intelligence.
This article demonstrates how you can replicate similar threat hunting by leveraging Shodan and PowerShell to extract and analyze Cobalt Strike beacon configurations, focusing on the critical SpawnTo values and watermark identifiers.
Cobalt Strike Beacons and Their Significance
Cobalt Strike is a widely used adversary simulation framework, originally intended for red teams but frequently repurposed by threat actors for real-world attacks, including ransomware and espionage operations.
The core of Cobalt Strike is the Beacon, a modular implant that communicates with the attacker’s command and control (C2) server, executing post-exploitation tasks.

Each beacon is configured with unique parameters, such as SpawnTo values (the process paths where payloads are injected) and watermarks (unique license identifiers), that can be leveraged for detection and attribution.
Collecting Beacon Configurations from Shodan
To begin, you need at least a Shodan "membership" account, which unlocks advanced search filters such as product:"Cobalt Strike". Shodan indexes public-facing Cobalt Strike servers and often captures their beacon configurations as part of the service banner.
After running the search, you can download the results (typically in compressed JSON format) for analysis.
Alternatively, the Shodan CLI tool streamlines this process:
```bash
shodan download beacon_data product:"Cobalt Strike"
```
After downloading, rename the file for clarity (e.g., beacon_data.json.gz).
Parsing Beacon Data with PowerShell
While Python can parse JSON, PowerShell often handles the diverse and sometimes malformed Cobalt Strike configuration data more gracefully.
First, initialize the Shodan CLI:
```bash
shodan init <API key>
```
Then, extract normalized JSON beacon configurations:
```bash
shodan parse --fields cobalt_strike_beacon.x86 .\beacon_data.json.gz > beacon_data.json
```
Now, use PowerShell to analyze the extracted data:
```powershell
# Read Cobalt Strike beacon configs from JSON file
$beaconConfigs = Get-Content .\beacon_data.json | ConvertFrom-Json
$beaconSpawnTos = @()
$beaconWatermarks = @()

# Extract SpawnTo (x64 and x86 injection targets) and watermark values
foreach ($beacon in $beaconConfigs) {
    $beaconSpawnTos += $beacon.'post-ex.spawnto_x64'
    $beaconSpawnTos += $beacon.'post-ex.spawnto_x86'
    $beaconWatermarks += $beacon.watermark
}
```
Analyzing SpawnTo and Watermark Values
The SpawnTo values indicate which legitimate Windows processes are targeted for code injection by the beacon. Common values include:
%windir%\syswow64\rundll32.exe
%windir%\sysnative\rundll32.exe
%windir%\syswow64\dllhost.exe
You can sort and count occurrences to identify the most prevalent targets:
```powershell
$beaconSpawnTos | Group-Object | Sort-Object Count -Descending | Format-Table Count, Name
```
Watermarks are unique 4-byte integers tied to the CobaltStrike.auth file, essentially acting as a license fingerprint.
Matching watermarks across beacons can indicate use of the same Cobalt Strike license, though not necessarily the same operator, as licenses and auth files are often shared or pirated.
```powershell
$beaconWatermarks | Group-Object | Sort-Object Count -Descending | Format-Table Count, Name
```
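The parsing and grouping steps above assume every record carries both SpawnTo keys, a watermark, and valid JSON, which real Shodan exports do not guarantee. The following is an added example (not code from the original article) that runs the same extraction over a few constructed beacon records embedded inline, skips malformed lines, tolerates missing fields, normalizes path case before counting, and pivots each watermark to the SpawnTo targets it uses. The record keys ('post-ex.spawnto_x64', 'post-ex.spawnto_x86', 'watermark') are the ones the article uses; the function names and the sample values are assumptions made for this example.

```powershell
# Constructed sample records in the one-JSON-object-per-line layout that
# "shodan parse" produces. These are illustrative values, not real Shodan output.
$sampleLines = @(
    '{"watermark":100000000,"post-ex.spawnto_x64":"%windir%\\sysnative\\rundll32.exe","post-ex.spawnto_x86":"%windir%\\syswow64\\rundll32.exe"}'
    '{"watermark":100000000,"post-ex.spawnto_x64":"%windir%\\sysnative\\dllhost.exe","post-ex.spawnto_x86":"%windir%\\syswow64\\dllhost.exe"}'
    '{"watermark":987654321,"post-ex.spawnto_x64":"%windir%\\SYSNATIVE\\rundll32.exe"}'
    'this line is not valid json'
    '{"watermark":null,"post-ex.spawnto_x86":"%windir%\\syswow64\\rundll32.exe"}'
)

# Parse each line on its own so one malformed record does not abort the whole run.
function ConvertFrom-BeaconLines {
    param([string[]]$Lines)
    $records = @()
    $skipped = 0
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        try {
            $records += ConvertFrom-Json -InputObject $line -ErrorAction Stop
        } catch {
            $skipped++
            Write-Warning "Skipping malformed line: $($line.Substring(0, [Math]::Min(40, $line.Length)))"
        }
    }
    [pscustomobject]@{ Records = $records; Skipped = $skipped }
}

# Emit one object per (beacon, architecture) SpawnTo value, dropping missing keys
# and lower-casing the path so 'SYSNATIVE' and 'sysnative' count as one target.
function Get-BeaconSpawnTo {
    param([object[]]$Records)
    foreach ($r in $Records) {
        foreach ($key in 'post-ex.spawnto_x64', 'post-ex.spawnto_x86') {
            $value = $r.$key
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            $arch = 'x86'
            if ($key -like '*x64') { $arch = 'x64' }
            [pscustomobject]@{
                Watermark = $r.watermark
                Arch      = $arch
                SpawnTo   = $value.ToLowerInvariant()
            }
        }
    }
}

$parsed   = ConvertFrom-BeaconLines -Lines $sampleLines
$spawnTos = @(Get-BeaconSpawnTo -Records $parsed.Records)

"Parsed $($parsed.Records.Count) beacons, skipped $($parsed.Skipped) malformed line(s)"

# Most common SpawnTo targets across both architectures
$spawnTos | Group-Object SpawnTo | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Beacons per watermark, ignoring records whose watermark is null or zero (unset)
$parsed.Records | Where-Object { $_.watermark } |
    Group-Object watermark | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Pivot: which SpawnTo targets does each watermark use?
$spawnTos | Group-Object Watermark | ForEach-Object {
    [pscustomobject]@{
        Watermark = $_.Name
        SpawnTos  = ($_.Group.SpawnTo | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize
```

With the sample above, the run reports four parsed beacons and one skipped line, rundll32.exe under sysnative appears twice despite the differing case, and watermark 100000000 is shown using both rundll32.exe and dllhost.exe. To run it against a real export, replace $sampleLines with Get-Content .\beacon_data.json.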
Operationalizing the Data for Detection
With the extracted SpawnTo values, defenders can create or tune detection analytics.
For instance, a Sigma rule to detect dllhost.exe executions without command-line parameters, a common Cobalt Strike tactic, might look like:
```yaml
title: DllHost Execution Without CommandLine Parameters
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith:
            - '\dllhost.exe'
    condition: selection
level: high
```
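To see what the rule's CommandLine|endswith logic matches in practice, here is an added example (not part of the original article) that applies the same condition to a few constructed Sysmon-style process-creation records. It generalizes the rule from dllhost.exe to any image name taken from the SpawnTo list (rundll32.exe is included by default), and it also strips surrounding quotes so a bare but quoted image path is still caught. The event fields, the function name, the parent-process paths and the /Processid CLSID are all constructed for this example.

```powershell
# Constructed process-creation events (not real telemetry). Event 1 is the normal
# COM surrogate launch with a /Processid argument; events 2 and 3 are bare launches
# of SpawnTo targets; event 4 is an unrelated process.
$events = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\dllhost.exe';  CommandLine = 'C:\Windows\system32\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000001}'; ParentImage = 'C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ Image = 'C:\Windows\SysWOW64\dllhost.exe';  CommandLine = 'C:\Windows\syswow64\dllhost.exe';  ParentImage = 'C:\Users\Public\update.exe' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\rundll32.exe'; CommandLine = '"C:\Windows\sysnative\rundll32.exe"'; ParentImage = 'C:\Users\Public\update.exe' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe';  CommandLine = '"C:\Windows\System32\notepad.exe" report.txt'; ParentImage = 'C:\Windows\explorer.exe' }
)

# Returns $true when the command line is nothing but the path of a known SpawnTo
# image, i.e. the process was started with no arguments at all.
function Test-BareSpawnToExecution {
    param(
        [Parameter(Mandatory)][pscustomobject]$Event,
        # Image names drawn from the SpawnTo values seen in beacon configs
        [string[]]$SpawnToImages = @('dllhost.exe', 'rundll32.exe')
    )
    # Remove surrounding whitespace and quotes so '"...\dllhost.exe"' still ends in the image name
    $cmd = $Event.CommandLine.Trim().Trim('"')
    foreach ($img in $SpawnToImages) {
        # Sigma's endswith is case-insensitive; PowerShell's -like is too
        if ($cmd -like "*\$img") { return $true }
    }
    return $false
}

$events | ForEach-Object {
    [pscustomobject]@{
        Matched     = Test-BareSpawnToExecution -Event $_
        CommandLine = $_.CommandLine
        ParentImage = $_.ParentImage
    }
} | Format-Table -AutoSize
```

Only events 2 and 3 match; the legitimate dllhost.exe launch carries a /Processid argument and notepad.exe is not a SpawnTo target. Note that the rule as written in the article matches on the raw CommandLine, so a command line that ends in a closing quote would not match it; the Trim('"') call above is one way to cover that case, and the ParentImage column is worth keeping in the output because an unexpected parent is often the stronger triage signal.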
By automating the collection and parsing of Cobalt Strike beacon configurations from Shodan, security professionals can independently monitor threat trends, enrich detection analytics, and track the use of pirated or shared Cobalt Strike licenses via watermark analysis.
This approach empowers defenders to stay proactive in the ongoing battle against adversary simulation tool abuse.