|
I like taking a closer look at captures files posted by Brad. In his latest diary entry, we have a capture file with Cobalt Strike traffic. With regular expression "^/....$" I look for URIs that are typical for Cobalt Strike shellcode (and Metasploit too):
Following this HTTP stream, I see data that looks encoded and has some repetitions, so this might be some kind of XOR encoding:
I export this data stream as a file:
Then pass it through my 1768.py Cobalt Strike beacon analysis tool:
And this is indeed the configuration of a beacon. Didier Stevens |
DidierStevens 546 Posts ISC Handler Mar 7th 2021 |
| Thread locked Subscribe |
Mar 7th 2021 1 month ago |
Sign Up for Free or Log In to start participating in the conversation!
