Video: Cobalt Strike & DNS - Part 1

One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.

This can be tested with a simple DNS TXT query:

The content of this TXT record contains the start of a Cobalt Strike beacon, encoded with NetBIOS Name encoding. I recently published an update to my tool to handle this encoding.

In the following video, I show how to use my new, quick & dirty tool to retrieve all DNS TXT records that make up the encoded beacon, and how to decode this with base64dump and extract the config with my tool.
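As an added example (not code from the original diary or from the author's tools), here is a minimal Python decoder for the NetBIOS Name encoding mentioned above: each byte becomes two letters, high nibble first. It goes slightly beyond the text by accepting a lowercase a..p alphabet as well as the RFC 1001 A..P one, and it assumes the TXT chunks are concatenated in the order given; the sample strings are constructed.

```python
"""NetBIOS Name (first-level) decoding of DNS TXT chunks. Added example."""

UPPER_BASE = ord("A")  # RFC 1001 alphabet: A..P
LOWER_BASE = ord("a")  # lowercase variant a..p (assumption: may be encountered)


def netbios_decode(text: str) -> bytes:
    """Decode one NetBIOS-name-encoded string into raw bytes.

    Every original byte is stored as two characters, high nibble first,
    each character being the base letter plus the nibble value (0..15).
    """
    text = text.strip()
    if not text:
        return b""
    if len(text) % 2:
        raise ValueError("odd length: truncated or not NetBIOS Name encoded")
    # Pick the alphabet from the first character; mixed case is rejected below.
    base = UPPER_BASE if text[0].isupper() else LOWER_BASE
    out = bytearray()
    for i in range(0, len(text), 2):
        hi = ord(text[i]) - base
        lo = ord(text[i + 1]) - base
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError(f"invalid character pair at offset {i}")
        out.append((hi << 4) | lo)
    return bytes(out)


def reassemble(txt_records):
    """Join TXT record strings in the order given, then decode the result."""
    return netbios_decode("".join(r.strip() for r in txt_records))


# Constructed sample chunks, not taken from a real server.
CONSTRUCTED_RECORDS = ["EGFC", "EFEE"]

if __name__ == "__main__":
    print(reassemble(CONSTRUCTED_RECORDS))
```

A `ValueError` from the decoder is a useful signal in itself: the record is truncated, out of order, or not encoded this way at all.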


Didier Stevens
Senior handler
Microsoft MVP


May 30th 2021
