Since we published about identifying Cobalt Strike Team Servers in the wild just over three years ago, we've collected over 128,000 beacons from over 24,000 active Team Servers. Today, RIFT is making this extensive beacon dataset publicly available in combination with the open-source release of baltstrike, our Python library for studying and parsing Cobalt Strike related data. The published dataset contains historical beacon metadata ranging from 2018 to 2022. This blog will highlight some interesting findings you can extract and query from this extensive dataset. We encourage other researchers to also explore the dataset and share exciting results with the community.

The dataset is a GZIP compressed file containing 128,340 rows of beacon metadata as JSON-lines. You can download it from the following repository, and make sure to also check out the accompanying Jupyter notebook:

The dataset spans almost four years of historical Cobalt Strike beacon metadata, from July 2018 until February 2022. Unfortunately, we lost five months' worth of data in 2019 due to archiving issues. In addition, the dataset mainly focuses on x86 beacons collected from active Team Servers on HTTP port 80, 443 and DNS; therefore, it does not contain any beacons from other sources, such as VirusTotal. The beacon payloads themselves are not in the dataset due to their size. Instead, the different beacon configuration settings are stored, along with other metadata such as:

- Date the beacon was collected, and from which IP address and port.
- PE information (timestamps, magic_mz, magic_pe, stage_prepend, stage_append).
- Whether the payload was XOR encoded, and which XOR key was used for config obfuscation.
- The raw beacon configuration bytes, handy if you want to parse the beacon config manually (using baltstrike or another parser of choice).

While there are some trivial methods to identify cracked/pirated Cobalt Strike Team Servers from the beacon payload, it's difficult to tell for the non-trivial ones. Therefore the dataset is unfiltered, full disclosure, and contains all beacons we have collected.

Cobalt Strike Team Servers that are properly hidden or have payload staging disabled are, of course, not included. That means Red Teams (and sadly threat actors) with good OPSEC have nothing to worry about regarding their presence in this dataset.

The Cobalt Strike beacons were acquired by first identifying Team Servers on the Internet and then downloading the beacon using a checksum8 HTTP request. This method is similar to how the company behind Cobalt Strike did their own Cobalt Strike Team Server Population Study back in 2019. Although the anomalous space fingerprint we used for identification has since been fixed, we found other reliable methods for identifying Team Servers. In addition, we are sure that the original author of Cobalt Strike intentionally left some indicators in there to help blue teams. Via our honeypots, we can tell that RIFT is not alone in mining beacons. For that, we are grateful and hope this doesn't change in the future.
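To make the dataset layout and the "parse the beacon config manually" option concrete, here is an added example (not code from RIFT or from baltstrike) that writes a few constructed JSON-lines records in the general shape the post describes, reads them back from a GZIP file, strips the single-byte XOR obfuscation using the stored key, and walks the beacon's TLV configuration block. The JSON field names (`collected_at`, `ip`, `port`, `xor_key`, `raw_config`) and the assumption that `raw_config` is still XOR-obfuscated are mine for this example; the real column names are in the published repository. The setting indices in `SETTING_NAMES` follow the public open-source beacon config parsers rather than anything on this page.

```python
import gzip
import json
import struct
import tempfile
from collections import Counter

# TLV value types used inside a Cobalt Strike beacon configuration block.
TLV_SHORT, TLV_INT, TLV_DATA = 1, 2, 3

# Subset of setting indices as documented by public open-source config parsers
# (assumed here, not taken from the post); unknown indices get a generic name.
SETTING_NAMES = {1: "beacon_type", 2: "port", 3: "sleep_time",
                 5: "jitter", 8: "c2_server", 37: "watermark"}


def build_config(settings):
    """Serialise (index, type, value) triples into the beacon TLV layout:
    index (u16 BE), type (u16 BE), length (u16 BE), value bytes."""
    out = bytearray()
    for idx, typ, val in settings:
        if typ == TLV_SHORT:
            data = struct.pack(">H", val)
        elif typ == TLV_INT:
            data = struct.pack(">I", val)
        else:
            data = bytes(val)
        out += struct.pack(">HHH", idx, typ, len(data)) + data
    return bytes(out)


def xor_bytes(blob, key):
    """Single-byte XOR used for config obfuscation; it is its own inverse."""
    return bytes(b ^ key for b in blob)


def parse_config(raw, xor_key=None):
    """De-obfuscate (if a key is given) and walk the TLV stream up to the zero padding."""
    blob = xor_bytes(raw, xor_key) if xor_key is not None else raw
    settings, off = {}, 0
    while off + 6 <= len(blob):
        idx, typ, length = struct.unpack_from(">HHH", blob, off)
        off += 6
        if idx == 0:
            break  # end of config: the remainder of the block is zero padding
        data = blob[off:off + length]
        off += length
        if typ == TLV_SHORT and length == 2:
            val = struct.unpack(">H", data)[0]
        elif typ == TLV_INT and length == 4:
            val = struct.unpack(">I", data)[0]
        else:
            val = data.rstrip(b"\x00")  # string settings are NUL padded
        settings[SETTING_NAMES.get(idx, f"setting_{idx}")] = val
    return settings


def sample_records():
    """Constructed records (field names assumed) with documentation-range IPs."""
    cfg_a = build_config([(1, TLV_SHORT, 8), (2, TLV_SHORT, 443), (3, TLV_INT, 60000),
                          (5, TLV_SHORT, 0), (8, TLV_DATA, b"203.0.113.10,/updates\x00"),
                          (37, TLV_INT, 305419896)])
    cfg_b = build_config([(1, TLV_SHORT, 0), (2, TLV_SHORT, 80), (3, TLV_INT, 5000),
                          (5, TLV_SHORT, 20), (8, TLV_DATA, b"198.51.100.7,/api/v1\x00")])
    return [
        {"collected_at": "2021-03-01T12:00:00Z", "ip": "203.0.113.10", "port": 443,
         "xor_key": 0x69, "raw_config": xor_bytes(cfg_a, 0x69).hex()},
        {"collected_at": "2021-03-08T09:30:00Z", "ip": "203.0.113.10", "port": 443,
         "xor_key": 0x69, "raw_config": xor_bytes(cfg_a, 0x69).hex()},
        {"collected_at": "2020-11-20T17:45:00Z", "ip": "198.51.100.7", "port": 80,
         "xor_key": None, "raw_config": cfg_b.hex()},  # not XOR encoded
    ]


def write_jsonl_gz(path, records):
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")


def load_jsonl_gz(path):
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                yield json.loads(line)


def summarize(records):
    """Beacons per Team Server (ip:port), per decoded C2 string and per collection year."""
    per_server, per_c2, per_year = Counter(), Counter(), Counter()
    for rec in records:
        per_server[f"{rec['ip']}:{rec['port']}"] += 1
        per_year[rec["collected_at"][:4]] += 1
        cfg = parse_config(bytes.fromhex(rec["raw_config"]), rec.get("xor_key"))
        per_c2[cfg.get("c2_server", b"").decode("ascii", "replace")] += 1
    return per_server, per_c2, per_year


def roundtrip_summary():
    """Write the constructed records as GZIP JSON-lines, read them back and summarize."""
    with tempfile.TemporaryDirectory() as tmp:
        path = f"{tmp}/beacons.jsonl.gz"
        write_jsonl_gz(path, sample_records())
        return summarize(load_jsonl_gz(path))


if __name__ == "__main__":
    servers, c2s, years = roundtrip_summary()
    print("beacons per Team Server:", dict(servers))
    print("beacons per C2 string:", dict(c2s))
    print("beacons per year:", dict(years))
```

Point `load_jsonl_gz` at the real dataset file and adapt the field names in `summarize` to the published schema; counting beacons per `ip:port` versus per decoded C2 string is a quick way to see how many collected beacons point back at the Team Server they were staged from and how many redirect elsewhere.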