Hunting for Cobalt Strike Beacons in Shodan and Censys

Shodan is a great tool for security researchers. It can be used to search for vulnerable devices, open webcam feeds, products, IPs, ports, and a lot more.

From a Cyber Threat Intelligence perspective, Shodan can be used to search for active Cobalt Strike Beacons. The resulting list can be extracted and filtered before being added to watch lists that generate alerts on a SIEM or other security monitoring solution.

The search query used:

product:"Cobalt Strike Beacon"

At the time of this post there were over 1000 beacons identified by Shodan:

Example Cobalt Strike Beacon on port 8009:

The list of all servers hosting a Cobalt Strike Beacon includes VPS and public cloud servers, so it is perhaps not the best source to generate alerts on, due to the high risk of false positive alerts.

We can use the following search to filter out results from VPS and shared hosting infrastructure:

product:"Cobalt Strike Beacon" -org:"digitalocean" -org:"amazon" -org:"tencent" -org:"microsoft"

This limits our results to just over 700, a more manageable list but perhaps still large and false positive prone:
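Turning the filtered results into a watch list and matching them against logs, as an added Python example that is not part of the original post: it assumes Shodan-style match records (fields ip_str, port, org, product) and a constructed key=value firewall log format, and applies the same org exclusions as the query above.

```python
import re

# Constructed sample records in the shape of Shodan API "matches" entries
# (fields ip_str, port, org, product); documentation-range IPs, not real hits.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 8009, "org": "Example Hosting Ltd", "product": "Cobalt Strike Beacon"},
    {"ip_str": "198.51.100.7", "port": 443, "org": "DigitalOcean, LLC", "product": "Cobalt Strike Beacon"},
    {"ip_str": "192.0.2.55", "port": 80, "org": "Amazon.com, Inc.", "product": "Cobalt Strike Beacon"},
    {"ip_str": "203.0.113.77", "port": 50050, "org": "Contoso Networks", "product": "Cobalt Strike Beacon"},
]

# Constructed firewall log lines: key=value with src, dst and dport (assumed format).
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=8009 action=allow",
    "2024-01-01T10:00:01Z src=10.0.0.9 dst=198.51.100.7 dport=443 action=allow",
    "2024-01-01T10:00:02Z src=10.0.0.5 dst=203.0.113.77 dport=443 action=allow",
]

# Same org substrings the post's query drops with -org:"..."; matched case-insensitively.
EXCLUDED_ORGS = ("digitalocean", "amazon", "tencent", "microsoft")
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def build_watchlist(matches, excluded_orgs=EXCLUDED_ORGS):
    """Map IP -> port Shodan saw, keeping only beacon hits not hosted at an excluded org."""
    watchlist = {}
    for m in matches:
        org = (m.get("org") or "").lower()
        if m.get("product") != "Cobalt Strike Beacon" or any(x in org for x in excluded_orgs):
            continue
        watchlist[m["ip_str"]] = m["port"]
    return watchlist


def match_logs(log_lines, watchlist):
    """Return one alert per log line whose destination IP is on the watchlist.
    Match on IP only: a team server may listen on a port other than the one Shodan
    observed, so the port is reported for analyst context rather than used as a filter."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") in watchlist:
            alerts.append({"src": m.group("src"), "dst": m.group("dst"),
                           "dport": int(m.group("dport")), "shodan_port": watchlist[m.group("dst")]})
    return alerts


if __name__ == "__main__":
    for alert in match_logs(SAMPLE_LOGS, build_watchlist(SAMPLE_MATCHES)):
        print("ALERT", alert)
```

A port mismatch between the log and the Shodan observation (as in the second alert) is worth surfacing to the analyst, since it is common for the same host to expose a beacon listener on several ports.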

Censys can also be used to search for possible Cobalt Strike Beacons with the following search query:

services.cobalt_strike: *

Censys returns just over 800 results:
