{"id":13845489,"url":"https://github.com/splunk/melting-cobalt","last_synced_at":"2025-10-11T09:57:17.443Z","repository":{"id":41040553,"uuid":"413213821","full_name":"splunk/melting-cobalt","owner":"splunk","description":"A Cobalt Strike Scanner that retrieves detected Team Server beacons into a JSON object","archived":false,"fork":false,"pushed_at":"2022-10-14T15:16:42.000Z","size":101,"stargazers_count":164,"open_issues_count":0,"forks_count":25,"subscribers_count":16,"default_branch":"main","last_synced_at":"2024-11-21T18:40:40.375Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/splunk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-10-03T22:44:24.000Z","updated_at":"2024-10-22T06:46:22.000Z","dependencies_parsed_at":"2023-01-19T21:32:51.308Z","dependency_job_id":null,"html_url":"https://github.com/splunk/melting-cobalt","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/splunk/melting-cobalt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fmelting-cobalt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fmelting-cobalt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fmelting-cobalt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fmelting-cobalt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/splunk","download_url":"https://codeload.github.com/splunk/melting-cobalt/tar.gz/refs/h
eads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fmelting-cobalt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279006747,"owners_count":26084185,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-11T02:00:06.511Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:03:25.930Z","updated_at":"2025-10-11T09:57:17.414Z","avatar_url":"https://github.com/splunk.png","language":"Python","readme":"# melting-cobalt 👀\nA tool to hunt/mine for Cobalt Strike beacons and \"reduce\"\ntheir beacon configuration for later indexing. Hunts can either be expansive and internet-wide, using services like SecurityTrails, Shodan, or ZoomEye, or limited to a list of IPs.\n\n## Getting started\n\n1. [Install](#installation) melting-cobalt\n2. [Configure](#configuration) your tokens to begin the hunt\n3. [Mine](#search-examples) beacons to begin reducing them\n4. Review results: `cat results.json | jq`\n\n:tv: **Demo**\n\n[![Melting-Cobalt Demo](https://img.youtube.com/vi/IBwwFUwFkU4/3.jpg)](https://www.youtube.com/watch?v=IBwwFUwFkU4)\n\n## Installation\n\nRequirements: `virtualenv` and `python3.8+`\n\n1. `git clone https://github.com/splunk/melting-cobalt \u0026\u0026 cd melting-cobalt` Clone the project and cd into the project dir.\n2. 
`pip install virtualenv \u0026\u0026 virtualenv -p python3 venv \u0026\u0026 source venv/bin/activate \u0026\u0026 pip install -r requirements.txt` Create a virtualenv and install the requirements.\n\nContinue to [configuring](#configuration) a SecurityTrails, Shodan, or ZoomEye API key.\n\n## Configuration [`melting-cobalt.conf`](https://github.com/splunk/melting-cobalt/blob/master/melting-cobalt.conf.example)\n\nCopy `melting-cobalt.conf.example` to `melting-cobalt.conf`!\n\nMake sure to set a token for one of the available [providers](https://github.com/splunk/melting-cobalt/blob/main/melting-cobalt.conf.example#L18-L25). If you need to create one for your account, follow [these](htt://need wiki page) instructions.\n\nConfiguration example:\n\n```\n[global]\noutput = results.json\n# stores matches in JSON here\n\nlog_path = melting-cobalt.log\n# Sets the log_path for the logging file\n\nlog_level = INFO\n# Sets the log level for the logging\n# Possible values: INFO, ERROR, VERBOSE\n\nnse_script = grab_beacon_config.nse\n# path to the nse script that rips down cobalt configs. This is specifically using https://github.com/whickey-r7/grab_beacon_config\n\nsearches = search.yml\n# contains the different searches to run on each internet scanning service provider (eg shodan, zoomeye, security trails) when hunting for team servers.\n\nshodan_token = TOKENHERE\n# shodan token for searching\n\nzoomeye_token = TOKENHERE\n# zoomeye token for searching\n\nsecuritytrails_token = TOKENHERE\n# security trails token for searching\n```\n\n### Search The Internet\n\nTo modify the default mining performed across different providers, customize `search.yml`. 
The default melting-cobalt searches are listed under [Search Examples](#search-examples) below.\n\nRun:\n\n`python melting-cobalt.py`\n\n### Search IP list\nPopulate `ips.txt` with potential Cobalt Strike C2 IPs, one per line, for example:\n\n```\n1.1.1.1\n2.2.2.2\n3.3.3.3\n```\n\nRun:\n\n`python melting-cobalt.py -i ips.txt`\n\nIf you need inspiration from hunters, we highly recommend:\n\n* [The DFIR Report](https://twitter.com/TheDFIRReport)\n* [Awesome-Cobalt-Strike](https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence)\n* [CobaltStrikeBot](https://twitter.com/cobaltstrikebot)\n\n## Usage\n\n```\nusage: melting-cobalt.py [-h] [-c CONFIG] [-o OUTPUT] [-v] [-i INPUT]\n\nscans for open cobalt strike team servers and grabs their beacon configs and write this as a json log to be analyzed by any analytic tools\nlike splunk, elastic, etc..\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -c CONFIG, --config CONFIG\n                        config file path\n  -o OUTPUT, --output OUTPUT\n                        file to write to the results, defaults to results.json.log\n  -v, --version         shows current melting-cobalt version\n  -i INPUT, --input INPUT\n                        newline delimeted file of cobalt strike server ips to grab beacon configs from. 
example ips.txt\n```\n\n## Search Examples\n\nThe following searches are provided out of the box and more may be added to [`search.yml`](https://github.com/splunk/melting-cobalt/blob/main/search.yml) for more data.\n\n#### Shodan\n\n##### Find specific [JARM](https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/) signatures, out of the box we track Cobalt Strike 4.x\n`'ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1'`\n\n##### Filter by HTTP headers and ports to reduce noisy results\n`'ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 port:\"22, 80, 443, 444, 1234, 2000, 2222, 3000, 3780, 4000, 4443, 6379, 7443, 8443, 8080, 8081, 8082, 8087, 8088, 8099, 8089, 8090, 8181, 8888, 8889, 9443, 50050\" HTTP/1.1 404 Not Found Content-Length: 0'`\n\n##### Team server detected by Shodan\n`'product:\"cobalt strike team server\"'`\n\n_note_: will generate lots of noisy results, do not actually schedule this unless you want to burn your license credits.\n\n##### Team server certificate serial\n`'ssl.cert.serial:146473198'`\n\n#### SecurityTrails\n\n##### Find specific [JARM](https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/) signatures\n`'SELECT address, ports.port FROM ips WHERE jarm = \"07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\"'`\n\n##### Filter by HTTP Headers and ports to reduce noisy nmap_results\n`'SELECT address, ports.port, isp.name_normalized, ports.port, address, asn.number, jarm, http.headers.raw FROM ips WHERE jarm = \"07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\" OR jarm = \"07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175\" OR jarm = \"2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53\" AND http.headers.content_type = \"text/plain\" AND http.headers.raw = \"content-length:0\" AND ports.port IN (22, 80, 443, 444, 1234, 2000, 2222, 3000, 3780, 4000, 4443, 6379, 7443, 8443, 8080, 8081, 8082, 8087, 8088, 8099, 8089, 
8090, 8181, 8888, 8889, 9443, 50050)'`\n\n## Authors\n\n* Michael Haag [@M_haggis](https://twitter.com/M_haggis)\n* Jose Hernandez [@d1vious](https://twitter.com/d1vious)\n\n## Support 📞\nPlease use the [GitHub issue tracker](https://github.com/splunk/melting-cobalt/issues) to submit bugs or request features.\n\nIf you have questions or need support, you can:\n\n* Join the [#security-research](https://splunk-usergroups.slack.com/archives/C1S5BEF38) room in the [Splunk Slack channel](http://splunk-usergroups.slack.com)\n\n## Credits \u0026 References\n\n* Inspiration came from a handful of blogs: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2, https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468\n* Much of this is only possible because whickey-r7 shared with us [grab_beacon_config.nse](https://github.com/whickey-r7/grab_beacon_config)\n* [Aan](https://twitter.com/petruknisme) for contributing the ZoomEye integration!\n\n## TODO\n- [ ] Dedup results before nmap\n- [ ] Add a check for the most recent result by looking at the latest_updated field\n\n## License\nCopyright 2020 Splunk Inc.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n","funding_links":[],"categories":["Pentesting","Python"],"sub_categories":["Red 
Team"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fmelting-cobalt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsplunk%2Fmelting-cobalt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fmelting-cobalt/lists"}