CobaltStrike data with passiveSSL

Today, FoxIT published an blog post with an github repository listing potential CobaltStrike servers for the last few years.

I was interested in the data so I processed the data with my osint-timesketch scripts to add passiveDNS and passiveSSL data. I only took the IPs that where last seen >2019 to not create to much data.

Adding it to timesketch was pretty straight forward:

sudo tsctl csv2ts -f output_cobalt.csv --name cobalt_strike
Indexing progress: 23000 events
Total events: 23650

Some quick findings, after searching for google I discovered several weird certificates, among them.

Some weird things: safebrowsing(.)net is not owned by google, the IP to that certificate accoring to Virustotal https://www.virustotal.com/#/ip-address/204.154.199.184 is resolving to microsoftapis(.)com – for sure nothing good.

Some other funny things where found by a quick look…

Hack me if you can

Hack me if you can

Happy Hacker fake CA

Happy Hacker Fake CA

This outlines the importance of:

  • Share the data (kudos FoxIT!)
  • Provide researchers access to data sets (thx to CIRCL and Virustotal!)

My dataset is available on github.