SANS ISC: SANS Internet Storm Center

Quick Tip: Cobalt Strike Beacon Analysis

Published: 2020-11-23
Last Updated: 2020-11-23 08:21:30 UTC
by Didier Stevens (Version: 1)

Several of our handlers, like Brad and Renato, have written diary entries about malware infections that involved the red team framework Cobalt Strike.

In this diary entry, I'll show you how you can quickly extract the configuration of Cobalt Strike beacons mentioned in these 2 diary entries:

  1. Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
  2. Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike

The configuration of a beacon is stored as an encoded table of type-length-value records. There are a couple of tools to analyze Cobalt Strike beacons, and I recently made my own tool 1768.py public.

The analysis of the sample that Brad mentioned in his diary entry (1) is simple:

In the screenshot above, you can see all the records of the decoded configuration of this sample. The records you are most likely to be interested in as an analyst are the server record, the port record and the URLs used with GET and POST (highlighted in red).
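As an added example (not code from the diary or from 1768.py), here is a minimal parser for the encoded TLV table described above, so you can see how the server, port and URI records fall out of the decoding. It assumes the publicly documented beacon config layout: a single-byte XOR (0x69 for 3.x beacons, 0x2e for 4.x), 2-byte big-endian index, type and length per record, value types 1 = short, 2 = int, 3 = raw bytes, and record indices 1, 2, 3, 8 and 10 for beacon type, port, sleep time, C2 server plus GET URI, and POST URI; the encoded blob it decodes is constructed inline, not taken from either sample.

```python
import struct

# XOR keys used to encode the config table (assumption from public format
# documentation, not from the diary): 0x69 for 3.x beacons, 0x2e for 4.x.
XOR_KEY_V3 = 0x69
XOR_KEY_V4 = 0x2E

# Record indices to names (publicly documented; unknown indices keep a
# generic name). Index 8 holds "host,/get-uri", index 10 the POST URI.
RECORD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime",
                8: "C2Server", 10: "HttpPostUri"}


def parse_records(config):
    """Parse a decoded TLV table into {name: value}; index 0 ends the table."""
    records, pos = {}, 0
    while pos + 6 <= len(config):
        idx, vtype, vlen = struct.unpack(">HHH", config[pos:pos + 6])
        if idx == 0:
            break
        value = config[pos + 6:pos + 6 + vlen]
        if len(value) != vlen:
            raise ValueError("truncated record %d" % idx)
        if vtype == 1:                       # 2-byte big-endian short
            value = struct.unpack(">H", value[:2])[0]
        elif vtype == 2:                     # 4-byte big-endian int
            value = struct.unpack(">I", value[:4])[0]
        else:                                # raw bytes, NUL padded
            value = value.rstrip(b"\x00")
        records[RECORD_NAMES.get(idx, "Record%d" % idx)] = value
        pos += 6 + vlen
    return records


def decode_config(blob, key):
    """Undo the single-byte XOR, then parse the TLV records."""
    return parse_records(bytes(b ^ key for b in blob))


def build_encoded_sample(key=XOR_KEY_V3):
    """Constructed sample: a tiny config table encoded with the given key."""
    def rec(idx, vtype, val):
        raw = {1: lambda v: struct.pack(">H", v),
               2: lambda v: struct.pack(">I", v)}.get(vtype, lambda v: v)(val)
        return struct.pack(">HHH", idx, vtype, len(raw)) + raw
    table = (rec(1, 1, 8) + rec(2, 1, 443) + rec(3, 2, 60000)
             + rec(8, 3, b"c2.example.invalid,/ga.js\x00")
             + rec(10, 3, b"/submit.php\x00") + struct.pack(">HHH", 0, 0, 0))
    return bytes(b ^ key for b in table)
```

When triaging an unknown sample, try both keys and accept the one whose first decoded record has index 1; the other key yields garbage indices.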

In Renato's diary entry (2), there are 2 artifacts to analyze.

There's the shellcode: Renato explained how to deal with the different layers of obfuscation of this shellcode.

Here I use several of my tools to deobfuscate the shellcode, and then pass it on to my 1768.py tool:

The payload downloaded by this shellcode is easy to analyze:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
