melting-cobalt: Cobalt Strike Scanner


A tool to hunt/mine for Cobalt Strike beacons and “reduce” their beacon configuration for later indexing. Hunts can either be expansive and internet-wide using services like SecurityTrails, Shodan, or ZoomEye or a list of IPs.


Requirements: virtualenv, and python3.8+

  1. git clone && cd melting-cobalt Clone project and cd into the project dir.
  2. pip install virtualenv && virtualenv -p python3 venv && source venv/bin/activate && pip install -r requirements.txt Create Virtualenv and install requirements.

Continue to configure for SecurityTrails, Shodan, or ZoomEye API key.

Configuration melting-cobalt.conf

Copy melting-cobalt.conf.example to melting-cobalt.conf!

Make sure to set a token for one of the available providers. If you need to create one for your account follow [these](htt://need wiki page) instructions.

Configuration example:


output = results.json
# stores matches in JSON here

log_path = melting-cobalt.log
# Sets the log_path for the logging file

log_level = INFO
# Sets the log level for the logging
# Possible values: INFO, ERROR, VERBOSE

nse_script = grab_beacon_config.nse
# path to the nse script that rips down cobalt configs. This is specifically using

searches = search.yml
# contains the different searches to run on each internet scanning service provider (eg shodan, zoomeye, security trails) when hunting for team servers.

shodan_token = TOKENHERE
# shodan token for searching

zoomeye_token = TOKENHERE
# zoomeye token for searching

securitytrails_token = TOKENHERE
# security trails token for searching


Search The Internet

To modify the default mining performed across different providers, customize search.yml. The default melting-cobalt Search Examples are below.



Search IP list

populate ips.txt with potential Cobalt Strike C2 IPs a new line delimited, example:


python -i ips.txt


Cobalt Strike Scanner

Search Examples

The following searches are provided out of the box and more may be added to search.yml for more data.


Find specific JARM signatures, out of the box we track Cobalt Strike 4.x


Filter by HTTP headers and ports to reduce noisy results
'ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 port:"22, 80, 443, 444, 1234, 2000, 2222, 3000, 3780, 4000, 4443, 6379, 7443, 8443, 8080, 8081, 8082, 8087, 8088, 8099, 8089, 8090, 8181, 8888, 8889, 9443, 50050" HTTP/1.1 404 Not Found Content-Length: 0'


Team server detected by Shodan

‘product:”cobalt strike team server”‘

note: will generate lots of noisy results, do not actually schedule this unless you want to burn your license credits.

Team server certificate serial



Find specific JARM signatures
'SELECT address, ports.port FROM ips WHERE jarm = "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1"'


Filter by HTTP Headers and ports to reduce noisy nmap_results
'SELECT address, ports.port, isp.name_normalized, ports.port, address, asn.number, jarm, http.headers.raw FROM ips WHERE jarm = "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1" OR jarm = "07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175" OR jarm = "2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53" AND http.headers.content_type = "text/plain" AND http.headers.raw = "content-length:0" AND ports.port IN (22, 80, 443, 444, 1234, 2000, 2222, 3000, 3780, 4000, 4443, 6379, 7443, 8443, 8080, 8081, 8082, 8087, 8088, 8099, 8089, 8090, 8181, 8888, 8889, 9443, 50050)'


Copyright 2020 Splunk Inc.