I have seen a definite uptick in security researchers hunting Cobalt Strike servers and tweeting or sharing indicators and config data. Two config parsing methods are popular from what I have seen: the Nmap NSE script written by @notwhickey and the Sentinel One parser by @gal_kristal (yes, I am aware that many organizations have custom parsers). With these two public parsers, I sometimes found myself wanting configuration data that the parsers were missing, and when engaging with researchers I discovered that a few did not understand that these tools were not extracting the full configs, or did not have a complete understanding…

Justin Warner

Tech: Threat Intel | Photographer @ https://www.justinwarnerphoto.com