
Cobalt Strike Decoding

source link: https://angry-bender.github.io/blog/Cobalt-Strike-Decoding/

April 5, 2022

Introduction

This post pulls together a few resources and quick wins for decoding Cobalt Strike beacons out of their PowerShell stagers.

Not reinventing the wheel

The Sophos post below does a thorough job of explaining the process, so it is not repeated here.

Sophos - Decoding malicious powershell

TL;DR quick wins

Check the first few characters of your base64 string against this cheat sheet to work out what kind of data it encodes before you decode it: base64 cheatsheet

Some beacons are launched through a %COMSPEC% (cmd.exe) service command that carries encoded PowerShell, looking something like: %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <Base64Here>

Plugging the base64 into CyberChef with the following recipe (From Base64, then Decode text as UTF-16LE, because -encodedcommand takes UTF-16LE rather than UTF-8) should show the next stage: Recipe1

If there is more obfuscation at this point and the next stage is compressed (an IEX one-liner that feeds a base64 blob through a GzipStream), try the following recipe, which also decodes the inner base64 and gunzips it: Recipe2

Now you should see the stager script, with $DoIt = @' near the top, right after Set-StrictMode -Version 2

Scrolling down, you should see [Byte[]]$var_code = [System.Convert]::FromBase64String('<another base64 string>')

Copy out this base64 string and place it into this recipe. Take note of the -bxor <number> in the loop just below the base64 line: that decimal number is the single-byte XOR key the stager uses to unmask the bytes (35 in the stock stager, but read it from the sample rather than assuming): Recipe3

This outputs the beacon shellcode rather than a parsed config, but its strings usually show either a C2 URL or a named pipe name. Save the bytes as a .bin file (Windows Defender will flag it, so do this on an analysis machine or add an exclusion) and run it through scdbg to emulate the Windows API calls it makes:

scdbg /f download.bin
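The same chain worked in Python instead of CyberChef, as an added example that is not part of the original post. The script builds a constructed stager in the layout described above (Set-StrictMode -Version 2, a $DoIt here-string, [Byte[]]$var_code = FromBase64String(...), a -bxor loop, all wrapped in a gzip IEX loader and then UTF-16LE base64 for -encodedcommand) and then decodes it back down to the shellcode. The C2 URL 198.51.100.7, the pipe name msagent_ab, the loader text and the "shellcode" bytes are all made up for the example; only the decoding steps are the point.

```python
"""Decode a Cobalt Strike-style PowerShell stager down to its shellcode.
Constructed sample: the stager is built in-script so the example runs offline;
the C2 URL, pipe name and shellcode bytes are made up, not from a real sample."""
import base64
import gzip
import re
import string

B64 = r"[A-Za-z0-9+/]+=*"
XOR_KEY = 35  # key used by the stock stager; always read it from the sample
# Constructed stand-in for beacon shellcode: a few opcode-looking bytes plus
# the two strings an analyst looks for (named pipe and C2 URL).
FAKE_SHELLCODE = (b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5"
                  b"\\\\.\\pipe\\msagent_ab\x00"
                  b"http://198.51.100.7/updates\x00\x90\x90")


def decode_encodedcommand(cmdline: str) -> str:
    """Stage 1: pull the -encodedcommand (or -enc / -ec) blob off the %COMSPEC%
    line. PowerShell expects UTF-16LE here, so a UTF-8 decode gives garbage."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+(" + B64 + ")", cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("no -encodedcommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def decode_gzip_loader(ps: str) -> str:
    """Stage 2 (only when present): inflate the gzip'd, base64'd script that a
    one-line IEX loader feeds through a GzipStream. Otherwise pass through."""
    if "GzipStream" not in ps:
        return ps
    m = re.search(r"FromBase64String\(\s*['\"](" + B64 + r")['\"]", ps)
    if not m:
        raise ValueError("GzipStream loader without a base64 payload")
    return gzip.decompress(base64.b64decode(m.group(1))).decode("utf-8")


def extract_shellcode(ps: str) -> tuple[bytes, int]:
    """Stage 3: find [Byte[]]$var_code = ...FromBase64String('...') and the
    -bxor key in the loop after it, then unmask. Returns (shellcode, key)."""
    m = re.search(r"\[Byte\[\]\]\$var_code\s*=\s*\[System\.Convert\]::"
                  r"FromBase64String\(\s*['\"](" + B64 + r")['\"]\s*\)", ps)
    if not m:
        raise ValueError("no $var_code array found")
    k = re.search(r"-bxor\s+(\d+)", ps[m.end():])
    key = int(k.group(1)) if k else 0  # no -bxor loop means the bytes are unmasked
    return bytes(b ^ key for b in base64.b64decode(m.group(1))), key


def strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs: the quick way to spot a C2 URL or named pipe."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    out, cur = [], bytearray()
    for b in blob + b"\x00":  # trailing sentinel flushes the last run
        if b in printable:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode())
        cur = bytearray()
    return out


def decode_stager(cmdline: str) -> dict:
    """Run all three stages and return what an analyst wants to see."""
    ps = decode_gzip_loader(decode_encodedcommand(cmdline))
    shellcode, key = extract_shellcode(ps)
    return {"xor_key": key, "shellcode": shellcode, "strings": strings(shellcode)}


def build_sample_cmdline() -> str:
    """Constructed %COMSPEC% line in the layout the post describes (not a real sample)."""
    masked = base64.b64encode(bytes(b ^ XOR_KEY for b in FAKE_SHELLCODE)).decode()
    stager = ("Set-StrictMode -Version 2\n$DoIt = @'\n"
              "function func_get_proc_address { }\n"
              f"[Byte[]]$var_code = [System.Convert]::FromBase64String('{masked}')\n"
              "for ($x = 0; $x -lt $var_code.Count; $x++) {\n"
              f"\t$var_code[$x] = $var_code[$x] -bxor {XOR_KEY}\n}}\n'@\n")
    gz = base64.b64encode(gzip.compress(stager.encode())).decode()
    loader = ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
              f"New-Object IO.MemoryStream(,[Convert]::FromBase64String('{gz}')),"
              "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    enc = base64.b64encode(loader.encode("utf-16-le")).decode()
    return f"%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand {enc}"


if __name__ == "__main__":
    result = decode_stager(build_sample_cmdline())
    print("xor key:", result["xor_key"])
    for s in result["strings"]:
        print("string:", s)
    with open("download.bin", "wb") as fh:  # then: scdbg /f download.bin
        fh.write(result["shellcode"])
```

Running it prints the XOR key and the two strings (the pipe name and the URL), and writes download.bin for scdbg. Stage 2 is skipped automatically when the decoded command is the stager itself rather than a gzip loader, and a $var_code array with no -bxor loop is returned as-is with key 0, which covers both the plain and the compressed variants described above.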

Tags: DFIR Malware Windows

Categories: blog

Updated: April 5, 2022
