I have a couple of questions on my diary entry "Finding Metasploit & Cobalt Strike URLs", thus I made a video that shows the method and explains in detail the checksum calculation. I don't use this method to go hunting (in proxy logs, for example), as the checksum has low entropy, thus prone to collisions/false positives. But I do use this when I suspect the presence of Metasploit or Cobalt Strike traffic. Cobalt Strike beacons often use HTTPS, but the URLs I talked about in my diary entry are not the ones used by the beacon itself. These are the URLs of the staging shellcode that precedes the beacon.

Didier Stevens
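The entry refers to the checksum calculation without spelling it out here (the video does). As an added example, not taken from the diary entry or its video, the block below implements the 8-bit URI checksum that the Metasploit and Cobalt Strike stagers use and runs it over a few constructed proxy-log lines, then counts how often unrelated short paths collide with a value of interest. The algorithm (sum of the path's byte values modulo 256, leading slash and query string excluded) and the values 80, 88, 92, 93 and 98 with their meanings are taken from the public Metasploit source and Cobalt Strike documentation, not from this page; the log lines, client addresses and paths are constructed.

```python
"""Added example: 8-bit staging-URL checksum as a triage check over proxy logs.

Assumed (from public Metasploit / Cobalt Strike documentation, not from the
diary entry): checksum8 = sum of the byte values of the URI path, with the
leading '/' and any query string removed, reduced modulo 256.
"""
from itertools import product
from urllib.parse import urlsplit

# Checksum values and what they signal (assumed, see module docstring).
CHECKSUM_NAMES = {
    80: "Metasploit INITP (Python stager)",
    88: "Metasploit INITJ (Java stager)",
    92: "Metasploit INITW/INITN (Windows/native) or Cobalt Strike x86 stager",
    93: "Cobalt Strike x64 stager",
    98: "Metasploit CONN (existing-session reconnect)",
}


def checksum8(path: str) -> int:
    """8-bit checksum of a URI path: drop the leading '/' and any query
    string, sum the byte values of what is left, reduce modulo 256."""
    path = path.split("?", 1)[0].lstrip("/")
    return sum(path.encode("utf-8")) % 256


def classify(url: str):
    """Return (checksum, label-or-None) for a full URL or a bare path."""
    path = urlsplit(url).path if "://" in url else url
    value = checksum8(path)
    return value, CHECKSUM_NAMES.get(value)


# Constructed proxy-log lines: timestamp, client IP, method, URL.
# The two four-character paths were chosen to hit 92 and 93; the others
# are ordinary requests that should not be flagged.
SAMPLE_LOG = """\
1616313600.001 10.0.0.5 GET http://example.test/index.html
1616313601.002 10.0.0.5 GET http://example.test/abc6
1616313602.003 10.0.0.7 GET http://example.test/static/app.js?v=3
1616313603.004 10.0.0.9 GET http://example.test/abc7
"""


def scan_log(text: str):
    """Return (client, url, checksum, label) for every log line whose URL
    path checksum is one of the values of interest."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line; skip rather than guess
        client, url = fields[1], fields[3]
        value, label = classify(url)
        if label:
            hits.append((client, url, value, label))
    return hits


def count_matching_paths(alphabet: str, length: int, target: int):
    """Enumerate every path of `length` characters over `alphabet` and count
    how many have checksum `target`. Shows the collision rate behind the
    diary's low-entropy caveat: only 256 checksum values exist."""
    total = 0
    matches = 0
    for chars in product(alphabet, repeat=length):
        total += 1
        if checksum8("".join(chars)) == target:
            matches += 1
    return matches, total


if __name__ == "__main__":
    for client, url, value, label in scan_log(SAMPLE_LOG):
        print(f"checksum {value:3d} {client:<10} {url} -> {label}")
    m, t = count_matching_paths("abcdefghijklmnopqrstuvwxyz", 3, 92)
    print(f"{m} of {t} three-letter lowercase paths have checksum 92 "
          f"({100.0 * m / t:.2f}%)")
```

Running it flags the two constructed four-character paths and reports that about 1% of all three-letter lowercase paths happen to checksum to 92; for longer, mixed-character paths the chance that an unrelated request lands on any single value tends toward 1 in 256. That is why the check is useful to confirm a suspicion about a specific host's traffic but, as the entry says, not as a hunting signature on its own.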
DidierStevens, 546 Posts, ISC Handler, Mar 21st 2021