Cobalt Strike – Part One – Statistics
The data used for this post, and subsequent posts regarding this topic, has been graciously made available by https://hunt.io.
Featured image is graciously AI generated and cannot spell ‘Cobalt Strike’. It just works.
Introduction
We are nearly halfway through 2024 and it’s time to do some stats. Specifically, Cobalt Strike stats!
Cobalt Strike beacon configurations consist of variables. A lot of them. This post will cover a non-exhaustive list of some of these, such as C2 domain, C2 port, ‘spawnto’, ‘sleep’, ‘jitter’, and ‘watermarks’, although the latter are a bit unreliable.
C2 Domains and IPs
First, let’s take a look at the number of unique domains and IPs observed within the five-month period. The dataset consists of 2855 unique IPs, with a total of 681 unique domain names and/or IPs associated with them for C2 purposes. This means most of the parsed beacon configs consist of direct IP communication only.
2486 of these unique IPs do not have a domain associated with them. As such, 87.06% of the parsed beacon configs rely solely on IPs for C2 traffic.
So, where are all these C2 IPs/domains located?
The usual suspects – China, the US, and Hong Kong. Nothing surprising here.
Next, let’s look at some of the AS numbers and IP ranges these beacons are talking to:
Country | AS | ASN | Count | Percentage |
---|---|---|---|---|
China | Shenzhen Tencent Computer Systems Company Limited | 45090 | 580 | 29.20% |
China | Hangzhou Alibaba Advertising Co.,Ltd. | 37963 | 417 | 21.00% |
Hong Kong | POWER LINE DATACENTER | 132839 | 213 | 10.73% |
China | Huawei Cloud Service data center | 55990 | 124 | 6.24% |
United States | AMAZON-02 | 16509 | 117 | 5.89% |
United States | CLOUDFLARENET | 13335 | 58 | 2.92% |
United States | MICROSOFT-CORP-MSN-AS-BLOCK | 8075 | 46 | 2.32% |
United States | AS-COLOCROSSING | 36352 | 44 | 2.22% |
Hong Kong | Alibaba US Technology Co., Ltd. | 45102 | 42 | 2.11% |
Hong Kong | DXTL Tseung Kwan O Service | 134548 | 40 | 2.01% |
United States | DIGITALOCEAN-ASN | 14061 | 32 | 1.61% |
Bulgaria | LIMENET | 394711 | 30 | 1.51% |
Singapore | BGPNET Global ASN | 64050 | 29 | 1.46% |
China | China Unicom Beijing Province Network | 4808 | 28 | 1.41% |
Singapore | Tencent Building, Kejizhongyi Avenue | 132203 | 22 | 1.11% |
United States | MULTA-ASN1 | 35916 | 22 | 1.11% |
United States | AMAZON-AES | 14618 | 21 | 1.06% |
Singapore | Alibaba US Technology Co., Ltd. | 45102 | 20 | 1.01% |
China | Chinanet | 4134 | 18 | 0.91% |
Singapore | DIGITALOCEAN-ASN | 14061 | 17 | 0.86% |
Hong Kong | LUCIDACLOUD LIMITED | 139659 | 16 | 0.81% |
Germany | AMAZON-02 | 16509 | 13 | 0.65% |
Hong Kong | Tencent Building, Kejizhongyi Avenue | 132203 | 13 | 0.65% |
United States | LUCIDACLOUD LIMITED | 139659 | 13 | 0.65% |
Hong Kong | STARCLOUD GLOBAL PTE., LTD. | 140224 | 11 | 0.55% |
Essentially, 47% of the beacon configs parsed point towards China, and 29.20% of them are going towards ASN 45090 – "Shenzhen Tencent Computer Systems Company Limited".
spawnto_x64/x86
Next, let’s take a look at the top 10 spawnto processes for 64-bit beacons:
Spawnto_x64/x86 | Count | Percentage |
---|---|---|
%windir%\sysnative\rundll32.exe | 2173 | 82.12% |
%windir%\sysnative\dllhost.exe | 213 | 8.05% |
%windir%\sysnative\WUAUCLT.exe | 66 | 2.49% |
%windir%\sysnative\gpupdate.exe | 35 | 1.32% |
%windir%\sysnative\wermgr.exe | 32 | 1.21% |
c:\windows\system32\rundll32.exe | 32 | 1.21% |
%windir%\sysnative\svchost.exe | 30 | 1.13% |
%windir%\sysnative\runonce.exe | 29 | 1.10% |
%windir%\sysnative\WerFault.exe | 18 | 0.68% |
%windir%\sysnative\regsvr32.exe | 18 | 0.68% |
This table covers both x64 AND x86 as there is no difference between the two in terms of ranking.
Sleep
The sleep timer defines the interval at which the beacon checks in. The default value is ‘60000’, measured in milliseconds: 60 seconds.
If this value deviates from the default, it could be an indicator that the actor has modified additional variables within the config itself.
Sleep (milliseconds) | Count | Percentage |
---|---|---|
60000 | 2211 | 77.39% |
5000 | 187 | 6.55% |
45000 | 121 | 4.24% |
3000 | 99 | 3.47% |
30000 | 76 | 2.66% |
10000 | 52 | 1.82% |
58252 | 40 | 1.40% |
1000 | 30 | 1.05% |
20000 | 22 | 0.77% |
42000 | 19 | 0.67% |
Interestingly, the count for the default sleep value is very close to the count for the most used ‘spawnto’ process.
Watermarks
Watermarks are not static: before a specific version of Cobalt Strike they could be changed with some know-how, and later versions only made this more difficult. As such, a watermark is not a sure-fire method of identification, only an indicator at best.
Let’s expand this search a bit, and add the spawnto and the countries to the list, as well as some watermarks in an attempt to identify some clusters of similar beacons. We’ll add the ‘jitter’ value as well, to funnel it down even further:
Country | Sleep (milliseconds) | Jitter (%) | Spawnto_x64 | Cobalt Strike Watermark | Count |
---|---|---|---|---|---|
China | 60000 | 0 | %windir%\sysnative\rundll32.exe | 987654321 | 351 |
Hong Kong | 60000 | 0 | %windir%\sysnative\rundll32.exe | 100000 | 269 |
China | 60000 | 0 | %windir%\sysnative\rundll32.exe | 391144938 | 191 |
United States | 60000 | 0 | %windir%\sysnative\rundll32.exe | 987654321 | 104 |
China | 60000 | 0 | %windir%\sysnative\rundll32.exe | 100000 | 100 |
China | 60000 | 0 | %windir%\sysnative\rundll32.exe | 1234567890 | 71 |
China | 60000 | 0 | %windir%\sysnative\rundll32.exe | 305419896 | 62 |
Hong Kong | 60000 | 0 | %windir%\sysnative\rundll32.exe | 987654321 | 57 |
China | 60000 | 0 | %windir%\sysnative\rundll32.exe | 666666666 | 52 |
China | 60000 | 0 | %windir%\sysnative\rundll32.exe | 0 | 44 |
Jitter adds a percentage-based variation to the sleep. If the jitter is set to 25, that means a 25% variation in the sleep-time check-in interval, allowing the beacon to communicate back every 45 to 75 seconds instead of every 60 seconds, making it potentially harder for defenders who look for a ‘static’ heartbeat.
As is easily observed, ‘rundll32.exe’ takes up all of the real estate in the table above. Not surprising however, as it was the most used ‘spawnto’ process. Also easily observed is the fact that the ‘sleep’ and ‘jitter’ values are at their default values.
Additionally, the watermarks used are observed multiple times in different countries, which is somewhat expected.
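The check-in window that a ‘sleep’ and ‘jitter’ pair implies, and the “static heartbeat” idea from the jitter paragraph, worked through as an added example (this is not code from the original post or from hunt.io). It uses the symmetric plus/minus jitter window the post describes (sleep 60000 with jitter 25 gives 45 to 75 seconds), and the check-in timestamps are constructed for the example; the function and field names are assumptions.

```python
"""Added example: derive the expected check-in window from a beacon config's
sleep/jitter pair and test observed check-in gaps against it.  Uses the
symmetric +/- jitter% window described in the post; timestamps are constructed."""
from datetime import datetime, timedelta


def checkin_window(sleep_ms: int, jitter_pct: int) -> tuple[float, float]:
    """Return (min_seconds, max_seconds) between check-ins for a config.

    sleep=60000, jitter=25 -> (45.0, 75.0), as in the post's description.
    """
    sleep_s = sleep_ms / 1000.0
    delta = sleep_s * jitter_pct / 100.0
    return (sleep_s - delta, sleep_s + delta)


def intervals(timestamps) -> list[float]:
    """Gaps in seconds between consecutive (sorted) check-in timestamps."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def is_static_heartbeat(timestamps, tolerance_s: float = 1.0) -> bool:
    """True when every gap sits within tolerance of the median gap.

    A beacon left at the default sleep with jitter 0 produces exactly this shape,
    which is what the post means by a 'static' heartbeat.
    """
    gaps = intervals(timestamps)
    if len(gaps) < 3:          # too few samples to call it a pattern
        return False
    median = sorted(gaps)[len(gaps) // 2]
    return all(abs(g - median) <= tolerance_s for g in gaps)


def matches_config(timestamps, sleep_ms: int, jitter_pct: int,
                   tolerance_s: float = 1.0) -> bool:
    """True when all observed gaps fall inside the window for sleep/jitter."""
    lo, hi = checkin_window(sleep_ms, jitter_pct)
    gaps = intervals(timestamps)
    return bool(gaps) and all(lo - tolerance_s <= g <= hi + tolerance_s for g in gaps)


# Constructed sample data (not real traffic): one static 60 s heartbeat and one
# series whose gaps vary inside the 45..75 s window of sleep=60000, jitter=25.
_BASE = datetime(2024, 5, 1, 12, 0, 0)
STATIC_CHECKINS = [_BASE + timedelta(seconds=60 * i) for i in range(6)]

_JITTERED_GAPS = [52, 71, 46, 68, 74]
JITTERED_CHECKINS = [_BASE]
for _gap in _JITTERED_GAPS:
    JITTERED_CHECKINS.append(JITTERED_CHECKINS[-1] + timedelta(seconds=_gap))


if __name__ == "__main__":
    print("window for 60000/25:", checkin_window(60000, 25))
    print("static series is static heartbeat:", is_static_heartbeat(STATIC_CHECKINS))
    print("jittered series is static heartbeat:", is_static_heartbeat(JITTERED_CHECKINS))
    print("jittered series fits 60000/25:", matches_config(JITTERED_CHECKINS, 60000, 25))
    print("jittered series fits 60000/0:", matches_config(JITTERED_CHECKINS, 60000, 0))
```

In practice the timestamps would come from proxy or NetFlow records keyed on the destination C2 host; the point of `is_static_heartbeat` is that a beacon at the default sleep with jitter 0 (the bulk of this dataset) is the easiest case to spot, while `matches_config` lets a hunter test a suspected host against the window a specific parsed config would produce.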
However, if we exclude ‘rundll32.exe’, the table looks like this:
Country | Sleep | Jitter (%) | Spawnto_x64 | Cobalt Strike Watermark | Count |
---|---|---|---|---|---|
United States | 58252 | 37 | %windir%\sysnative\WUAUCLT.exe | 364188498 | 40 |
China | 45000 | 37 | %windir%\sysnative\dllhost.exe | 987654321 | 20 |
United States | 42000 | 33 | %windir%\sysnative\wbem\WmiPrvSE.exe | 1590258876 | 17 |
United States | 5000 | 44 | %windir%\sysnative\wermgr.exe | 589039153 | 17 |
United States | 5000 | 0 | %windir%\sysnative\wermgr.exe | 589039153 | 14 |
United States | 45000 | 37 | %windir%\sysnative\dllhost.exe | 987654321 | 12 |
United States | 65000 | 37 | %windir%\sysnative\dllhost.exe | 1019254577 | 12 |
United States | 5218 | 61 | %windir%\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe | 1032681566 | 10 |
The Netherlands | 45000 | 37 | %windir%\sysnative\dllhost.exe | 987654321 | 6 |
United States | 60000 | 35 | %windir%\sysnative\WerFault.exe | 335259885 | 6 |
The results are completely different; the default ‘sleep’ and the default ‘jitter’ each appear in only one row. Additionally, the data suggests that the beacons that come from elsewhere than China have more variation to them. Once ‘rundll32.exe’ has been excluded from the results, only one China entry appears in the table.
Some rows stick out like a sore thumb, such as:
- WUAUCLT.exe, ‘Windows Update Agent’, tops the table above once ‘rundll32.exe’ is disregarded.
- Someone in the US using ‘ComSvcConfig.exe’ as their spawnto, with a very specific sleep timer of 5218.
- Someone in China using ‘EhStorAuthn.exe’ as their spawnto, with a very specific sleep timer of 4193. This is possibly supposed to mimic Microsoft’s ‘Enhanced Storage Device’.
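The kind of aggregation behind the tables in this post (IP-only versus domain C2, top ‘spawnto’ with and without ‘rundll32.exe’, the country/sleep/jitter/spawnto/watermark clusters, and the non-default timing check), written out as an added example; it is not code from the original post or from hunt.io. The records are constructed for the example, and the field names (`c2_host`, `country`, `spawnto_x64`, `sleep`, `jitter`, `watermark`) are assumptions, since real beacon-config parsers name their fields differently.

```python
"""Added example: aggregate parsed beacon configs the way the post's tables do.
Records below are constructed; field names are assumptions about parser output."""
import ipaddress
from collections import Counter

DEFAULT_SLEEP_MS = 60000   # Cobalt Strike default sleep, per the post
DEFAULT_JITTER = 0         # default jitter, per the post

RUNDLL32 = r"%windir%\sysnative\rundll32.exe"

# Constructed sample records (documentation-range IPs and example.* domains).
CONFIGS = [
    {"c2_host": "203.0.113.10", "country": "China", "spawnto_x64": RUNDLL32,
     "sleep": 60000, "jitter": 0, "watermark": 987654321},
    {"c2_host": "203.0.113.11", "country": "China", "spawnto_x64": RUNDLL32,
     "sleep": 60000, "jitter": 0, "watermark": 987654321},
    {"c2_host": "198.51.100.7", "country": "Hong Kong", "spawnto_x64": RUNDLL32,
     "sleep": 60000, "jitter": 0, "watermark": 100000},
    {"c2_host": "cdn.example.net", "country": "United States",
     "spawnto_x64": r"%windir%\sysnative\WUAUCLT.exe",
     "sleep": 58252, "jitter": 37, "watermark": 364188498},
    {"c2_host": "198.51.100.8", "country": "United States",
     "spawnto_x64": r"%windir%\sysnative\WUAUCLT.exe",
     "sleep": 58252, "jitter": 37, "watermark": 364188498},
    {"c2_host": "update.example.org", "country": "United States",
     "spawnto_x64": r"%windir%\sysnative\wermgr.exe",
     "sleep": 5000, "jitter": 44, "watermark": 589039153},
    {"c2_host": "203.0.113.12", "country": "China",
     "spawnto_x64": r"%windir%\sysnative\dllhost.exe",
     "sleep": 45000, "jitter": 37, "watermark": 987654321},
    {"c2_host": "203.0.113.13", "country": "China", "spawnto_x64": RUNDLL32,
     "sleep": 60000, "jitter": 0, "watermark": 100000},
]


def is_ip(host: str) -> bool:
    """True if the C2 host is a literal IPv4/IPv6 address rather than a domain."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ip_only_share(configs) -> float:
    """Percentage of configs whose C2 host is a bare IP (the post's 87.06% figure)."""
    n = sum(1 for c in configs if is_ip(c["c2_host"]))
    return round(100.0 * n / len(configs), 2)


def top_n(configs, field: str, n: int = 10, exclude=()):
    """Top-N values of one field as (value, count, percentage) rows.

    `exclude` drops values before counting, so percentages are relative to the
    remaining rows, which is how the post's 'without rundll32.exe' view reads.
    """
    rows = [c for c in configs if c[field] not in exclude]
    counts = Counter(c[field] for c in rows)
    return [(v, k, round(100.0 * k / len(rows), 2)) for v, k in counts.most_common(n)]


def clusters(configs, exclude_spawnto=()):
    """Group by (country, sleep, jitter, spawnto_x64, watermark), most common first."""
    def key(c):
        return (c["country"], c["sleep"], c["jitter"], c["spawnto_x64"], c["watermark"])
    counts = Counter(key(c) for c in configs if c["spawnto_x64"] not in exclude_spawnto)
    return counts.most_common()


def non_default_timing(configs):
    """Configs where sleep or jitter deviates from the defaults: a cheap first
    filter for operators who have touched more of the profile."""
    return [c for c in configs
            if c["sleep"] != DEFAULT_SLEEP_MS or c["jitter"] != DEFAULT_JITTER]


if __name__ == "__main__":
    print("IP-only C2 share:", ip_only_share(CONFIGS), "%")
    print("top spawnto:", top_n(CONFIGS, "spawnto_x64"))
    print("top spawnto excl. rundll32:", top_n(CONFIGS, "spawnto_x64", exclude=(RUNDLL32,)))
    for cluster, count in clusters(CONFIGS, exclude_spawnto=(RUNDLL32,)):
        print(count, cluster)
    print("non-default timing:", len(non_default_timing(CONFIGS)), "configs")
```

Swapping `CONFIGS` for the output of a real config parser is all that is needed to reproduce the post’s tables; the country column would come from a GeoIP lookup of `c2_host`, which is left out here to keep the example offline.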
Summing it all up
So what does this all mean? Well, the brief version is that China, at first glance, appears to keep things very much the same, with little variation. ‘Sleep’ and ‘jitter’ values are not changed for the most part. Although this is not a rule, it is what this very brief overview suggests.
The data also shows that the most used ‘spawnto’ process is ‘rundll32.exe’, for both x64 and x86.
Additionally, it shows that the top three observed ASNs are from China and Hong Kong. Between them, these three account for over 50% of the observed stagers/beacons:
Country | AS | ASN | Count | Percentage |
---|---|---|---|---|
China | Shenzhen Tencent Computer Systems Company Limited | 45090 | 580 | 29.20% |
China | Hangzhou Alibaba Advertising Co.,Ltd. | 37963 | 417 | 21.00% |
Hong Kong | POWER LINE DATACENTER | 132839 | 213 | 10.73% |
And that’s it for now – more Cobalt Strike related posts to come.