HIGH: Post-Exploitation Framework Report

DESCRIPTION LAST UPDATED: 2023-12-19

DEFAULT SEVERITY LEVEL: HIGH

This report identifies Post-Exploitation Framework tools which we identify in our daily Internet-wide scans. These are sophisticated tools that allow for the post-exploitation management of compromised hosts. We currently track multiple different Post-Exploitation Framework tools (Cobalt Strike and Sliver are prominent examples), with more being added.

While many of the Post-Exploitation Framework tools we detect belong to malicious actors, some instances of tools may be a part of a legitimate Red Team penetration test. We attempt to filter these detected instances out of our reporting (currently only Cobalt Strike for now), but that may not always be possible.

If you receive a report from us about a Post-Exploitation Framework tool being detected on your network that is not in legitimate use, please make sure to take immediate action.

You can track various frameworks on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report is released as part of the EU ISF MISP-LEA project.

Filename: scan_post_exploitation_framework.

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on
  • port
    Port that the response came from
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to the post-exploitation framework name
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector of the device in question
  • http
    HTTP version in used in response, e.g HTTP/1.1
  • http_url
    URL used to illicit the server response
  • http_code
    HTTP Response code: e.g., 200, 401, 404
  • content_type
    The MIME type of the body of the request
  • content_length
    The length of the response body in octets
  • architecture
    The CPU architecture of the beacon. Either x86 or x64
  • beacon_type
    Protocol that the beacon speaks. Usually HTTP
  • beacon_host
    C2 of the beacon IP/hostname. (often matches the host that was scanned)
  • beacon_port
    Port that the beacon_host is listening on
  • beacon_http_get
    Path that the beacon uses for the GET method
  • beacon_http_post
    Path that the beacon uses for the POST method
  • license_id
    The license number
  • config_md5
    MD5 of the config file
  • config_sha1
    SHA1 of the config file
  • config_sha256
    SHA256 of the config file
  • config_sha512
    SHA512 of the config file
  • binary_md5
    MD5 of the PE binary
  • binary_sha1
    SHA1 of the PE binary
  • binary_sha256
    SHA256 of the PE binary
  • binary_sha512
    SHA512 of the PE binary
  • encoded_length
    Length of the base64 decoded raw config
  • encoded_data
    Base64 encoded config file

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","http","http_url","http_code","content_type","content_length","architecture","beacon_type","beacon_host","beacon_port","beacon_http_get","beacon_http_post","license_id","config_md5","config_sha1","config_sha256","config_sha512","binary_md5","binary_sha1","binary_sha256","binary_sha512","encoded_length","encoded_data"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,10001,node01.example.com,cobalt-strike-beacon,64512,ZZ,Region,City,0,,,HTTP/1.1,/api/v1/update,200,application/octet-stream,223306,x86,HTTP,192.168.0.1,10001,/pixel,/submit.php,391144938,95d20de796208d112c83dd70826542b8,04cad395a8ae5742088e5c4dc136216ac96a3240,a44f76d38ae470f406e81e5525f9e1e145dad199625f80e6c69c788a473610da,c9d52398e66d83f116d2227c36f559c7d4e10a06bf76abcd0b927bd6703a0b3a374004f9d35b80786c476b5c2fbfc7bc5a8d95fd426903e9e2c9baf65b940bbe,d3e8186b3000305bba4f3e8c80ead68d,98773bd68797b81e8b8633377556a193a888b004,1a97d818dbbf2b45d9cc09c514bfdc50839929f9dc2babe9cf5fef835f51e629,ee28efdadc791fe28121bcd502de650aca5dfb01416ebff17e7b6f316e403bb8c32271a055b221a8aa812831312e7ea7c260ca85a75b1a2986d121e91b4d55ba,64,EJ6m0DYauf0/thha/qMO1oKA0RfGFS2UcVe3DP3X8fs4ofnOaX4mhz8icUh19qdfH6N7ddC81z2dtIMeGzTrmA==
"2010-02-10 00:00:01",high,192.168.0.2,tcp,1080,node02.example.com,cobalt-strike-beacon,64512,ZZ,Region,City,0,,,HTTP/1.1,/api/v1/update,200,application/octet-stream,213074,x86,HTTP,192.168.0.2,1080,/dpixel,/submit.php,100000,b37d5a07c5c38460b1417f651d4fda43,c8c1ce536554140474c80a3701abd6105ee10087,e708f2f6a28e3aa3cf5650680d71b3ecd5570adfc826d8e1a79ae6c041d441c7,b4cf5994cfecd6696902ca9410add7bb3e092b5be54a87342df981190cf87c87051258a8d9ec7fdd77269000710572f0419043db4faf168279abc3d32eb1015a,592e3f333b6bb9b70dac325c38527de8,17d610bc15eab0a5e88bffa2039af7a41ef04498,43886dec7d5748f568e4ee7e68b370a1982b4e59088a5383d4db7cb12d8b433c,3c0edac37bf93be26890bf2ada1b524bf9b406c9b6668573bbbeb9419097c50fb4848a863e208cb0a7ac199176f7293c86768668a3d6ae5f2246b9b016351a8e,64,Zi0u0jFOIyjAsJV5bCVQBKmqCW6rmGxkBClqJOCSUBCKFB1Ss0OsWFzo/h1gG9P6c+KQ7JOaA2J4zeBzhRdxmg==
"2010-02-10 00:00:02",high,192.168.0.3,tcp,1234,node03.example.com,cobalt-strike-beacon,64512,ZZ,Region,City,0,,,HTTP/1.1,/api/v1/update,200,application/octet-stream,208973,x86,HTTP,192.168.0.3,1234,/push,/submit.php,305419896,60f92f98ee26c49f613d29201dff22f1,5651118229d452af1f58e6654f396cd03c5f0207,e941c5edfec60c3feaa3dab882a076e2896e32db209fa603e91bedfc17f24b91,83725f5474c397a4c6701948523b57d590040840aa8e110e11f13e45a77cbcd0a507a69595b0c68f7df1c649ee6cd63cf020d942b427555985f7d7b105031d8d,60783c403ac6bc3cc91b3955ca941ef9,fa8e6028e99094fb783ad64d21dafc095cb69945,17a1b5e5c215a251bd301874617f37f0b897b2717ae90c0860215dbf9f3a71f9,945c3f0b0f0e2901f17991a0a2f46d040235d9cb9b2e79ee54fa3c0f667d20ea8fd3fe4de227fb38914c6c586d9677c2b9081ab17652f824ca62c53dc2ee1d7a,64,oVyhJDgMY94ms/mcqMgFjyXxPGaj+ZNHZHifXX6366G1cYLOhkKIPEC2qqnH0SL0logmSsDPtsOGuQpp1L+UJg==




Our 124 Report Types