I like taking a closer look at capture files posted by Brad. In his latest diary entry, we have a capture file with Cobalt Strike traffic.

With regular expression "^/....$" I look for URIs that are typical for Cobalt Strike shellcode (and Metasploit too):

Following this HTTP stream, I see data that looks encoded and has some repetitions, so this might be some kind of XOR encoding:

I export this data stream as a file:

Then pass it through my 1768.py Cobalt Strike beacon analysis tool:

And this is indeed the configuration of a beacon.
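The diary's workflow, flagging four-character URIs, spotting single-byte XOR and extracting the beacon configuration, as an added example (it is neither the diary's screenshots nor the code of 1768.py). It goes a step beyond the text in two places: the four-character paths are also checked against the Metasploit-style checksum8 convention that Cobalt Strike stagers follow (92 selects the x86 stager, 93 the x64 one), and the XOR key is recovered by brute force using the fixed start of a beacon config (entry index 1, type short, length 2). The HTTP request lines and the "exported stream" are constructed for the example; field lengths in the constructed config are simply the data length, whereas real beacons use fixed-size fields.

```python
import re

# Constructed sample of HTTP request lines, standing in for the capture's
# request list (not data from the diary's pcap).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /a4cd HTTP/1.1",
    "GET /ca HTTP/1.1",
    "GET /Abcd HTTP/1.1",
]

# Same filter as the diary: a path of exactly four characters after the slash.
FOUR_CHAR_URI = re.compile(r"^/....$")

# Metasploit-style stager convention, also used by Cobalt Strike stagers:
# the 8-bit checksum of the path selects the stager; 92 = x86, 93 = x64.
STAGER_CHECKSUMS = {92: "x86", 93: "x64"}


def checksum8(path: str) -> int:
    """Sum of the path's bytes (leading '/' excluded), modulo 256."""
    return sum(path.lstrip("/").encode("ascii")) % 256


def suspicious_uris(request_lines):
    """Return (uri, checksum8, arch-or-None) for every four-character path."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        uri = parts[1]
        if FOUR_CHAR_URI.match(uri):
            csum = checksum8(uri)
            hits.append((uri, csum, STAGER_CHECKSUMS.get(csum)))
    return hits


# Beacon configuration layout: entries of 2-byte index, 2-byte type
# (1 = short, 2 = int, 3 = bytes/string), 2-byte length and data, big-endian,
# terminated by an all-zero entry. The first entry is index 1 (beacon type)
# stored as a short, so a plaintext config starts with these six bytes.
CONFIG_MARKER = bytes.fromhex("000100010002")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_constructed_stream() -> bytes:
    """Constructed stand-in for the exported stream: a few header bytes, then a
    config XOR-encoded with single-byte key 0x69 (the key Cobalt Strike 3.x
    used; 4.x uses 0x2e). Lengths are len(data) here, not the real fixed sizes."""
    entries = [
        (1, 1, (0).to_bytes(2, "big")),       # beacon type 0 = HTTP
        (2, 1, (80).to_bytes(2, "big")),      # port
        (3, 2, (60000).to_bytes(4, "big")),   # sleep time, ms
        (8, 3, b"example.invalid,/a4cd"),     # C2 server and URI (constructed)
    ]
    config = b"".join(
        idx.to_bytes(2, "big") + kind.to_bytes(2, "big")
        + len(data).to_bytes(2, "big") + data
        for idx, kind, data in entries
    ) + b"\x00" * 6
    return b"MZ\x90\x00\x03\x00\x00\x00" + xor_bytes(config, 0x69)


def find_config(blob: bytes):
    """Try every single-byte XOR key and look for the encoded marker.
    Returns (key, offset) of the first hit, or None."""
    for key in range(256):
        offset = blob.find(xor_bytes(CONFIG_MARKER, key))
        if offset != -1:
            return key, offset
    return None


def parse_config(decoded: bytes) -> dict:
    """Walk the decoded entries until the all-zero terminator."""
    entries, pos = {}, 0
    while pos + 6 <= len(decoded):
        idx = int.from_bytes(decoded[pos:pos + 2], "big")
        kind = int.from_bytes(decoded[pos + 2:pos + 4], "big")
        length = int.from_bytes(decoded[pos + 4:pos + 6], "big")
        if idx == 0:
            break
        data = decoded[pos + 6:pos + 6 + length]
        if kind in (1, 2):
            entries[idx] = int.from_bytes(data, "big")
        else:
            entries[idx] = data.rstrip(b"\x00").decode("latin-1")
        pos += 6 + length
    return entries


def analyze_stream(blob: bytes):
    """Locate, decode and parse a beacon config inside an exported stream."""
    hit = find_config(blob)
    if hit is None:
        return None
    key, offset = hit
    return key, parse_config(xor_bytes(blob[offset:], key))


if __name__ == "__main__":
    for uri, csum, arch in suspicious_uris(SAMPLE_REQUESTS):
        print(f"{uri}: checksum8={csum} {arch or 'no stager match'}")
    key, config = analyze_stream(build_constructed_stream())
    print(f"xor key 0x{key:02x}: {config}")
```

The checksum8 step is what turns the regular expression from a heuristic into a check: many legitimate sites serve four-character paths, but a four-character path whose checksum8 is 92 or 93 is a much stronger stager indicator. On a real export, feed the file's bytes to analyze_stream; a hit at key 0x00 means the config was not XOR-encoded at all.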
Didier Stevens, ISC Handler, Mar 7th 2021