Cobalt Stike Beacon Detected – 104[.]208[.]28[.]78:443
Cobalt Strike Beacon Detection Alerts
The Information provided at the time of posting was detected as “Cobalt Strike”. Depending on when you are viewing this article, it may no longer be the case and could be determined as being a false positive. Please do your own additional validation. – RedPacket Security
TimeStamp 2021-11-17T17:13:50.747677
General Information
| Cloud Provider | Azure |
| Cloud Region | centralus |
| Service | AzureCloud |
| Domains | N/A |
| Hostnames | N/A |
| HTTP Host | 104[.]208[.]28[.]78 |
| ISP | Microsoft Corporation |
| ORG | Microsoft Corporation |
| OS | N/A |
| HTTP | N/A |
| HTTP HTML HASH | N/A |
| HTTP LOCATION | / |
| HTTP REDIRECTS | |
| HTTP ROBOTS | N/A |
| HTTP ROBOTS HASH | N/A |
| HTTP SECURITY.TXT | N/A |
| HTTP SECURITY.TXT HASH | N/A |
| HTTP SERVER | N/A |
| HTTP SITEMAP | N/A |
| HTTP SITEMAP HASH | N/A |
| HTTP TITLE | N/A |
| LOCATION (AREA CODE) | N/A |
| LOCATION (CITY) | Des Moines |
| LOCATION (COUNTRY CODE) | US |
| LOCATION (COUNTRY NAME) | United States |
| LOCATION (LATITUDE) | 41.5878 |
| LOCATION (LONGITUDE) | -93.6274 |
| LOCATION (POSTAL CODE) | N/A |
| SSL SERIAL | 2129243741|
| SSL EXPIRED | N/A |
| SSL FINGERPRINT (SHA1) | a3c8511973e265db970d5caaa1c16af84ba80b64 |
| SSL ISSUED | 20211117150605Z |
| SSL EXPIRES | 20221117150605Z |
| SSL CYPHER | ECDHE-RSA-AES256-GCM-SHA384 |
| SSL VERSION | TLSv1/SSLv3 |
| SSL TRUST (REVOKED) | N/A |
| TAGS | cloud, self-signed |
Cobalt Strike Beacon Information
| Beacon Type | HTTPS |
| http-get.client | name=images, Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*, Accept-Language: en-en, Connection: Keel-Alive, Cache-Control: no-cache, User-Agent: Mozilla/5[.]0 (Windows NT 10[.]0; Win64; x64) AppleWebKit/537[.]36 (KHTML, like Gecko) Chrome/94[.]0[.]4606[.]71 Safari/537[.]36, X-API-ID: a2054113-f9c9-4a9a-a005-d349511d55c7, SESSIONID=, Cookie |
| http-post.client | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*, Accept-Language: en-en, Connection: Keel-Alive, Cache-Control: no-cache, User-Agent: Mozilla/5[.]0 (Windows NT 10[.]0; Win64; x64) AppleWebKit/537[.]36 (KHTML, like Gecko) Chrome/94[.]0[.]4606[.]71 Safari/537[.]36, X-API-ID: a2054113-f9c9-4a9a-a005-d349511d55c7, SESSIONID=, Cookie |
| DNS Beacon MaxDNS | N/A |
| DNS Beacon Idle | N/A |
| Beacon Jitter | 20 |
| dns-beacon.strategy_fail_seconds | -1 |
| dns-beacon.strategy_rotate_seconds | -1 |
| dns-beacon.strategy_fail_x | -1 |
| HTTP GET URI | arellenar,/res/d28dcbcc-1190-4e8a-b41b-8c6f7ade6774 |
| HTTP POST URI | /f38cb755/407bdb93d65a/ |
| Max GET Size | 1398102 |
| Port | 443 |
| post-ex.spawnto_x64 | c:\windows\system32\conhost[.]exe |
| post-ex.spawnto_x86 | c:\windows\system32\conhost[.]exe |
| process-inject.startrwx | 4 |
| process-inject.userwx | 32 |
| process-inject.allocator | N/A |
| proxy.behavior | 2 (Use IE settings) |
| sleeptime | 30000 |
| useragent_header | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE) |
| uses_cookies | 1 |
| process-inject.execute | ntdll.dll:RtlUserThreadStart, SetThreadContext, ntdll.dll:RtlUserThreadStart |
| Watermark | 89878410 |
| Beacon Stage Cleanup | 1 |
