cs-dns-stager.py is a quick & dirty tool I wrote to retrieve a Cobalt Strike DNS beacon from its server, if you only have the IP address of said server.
If you want to know more about Cobalt Strike and DNS, watch this video I recorded:
Sunday 30 May 2021
Tuesday 25 May 2021
Update: base64dump.py Version 0.0.14
This new version of base64dump.py supports a new encoding: NETBIOS Name encoding.
NETBIOS Name encoding is very similar to hexadecimal encoding: in stead of hexadecimal digits 0-9 and a-f, letters A-P are used.
I encountered this in DNS TXT records of a Cobalt Strike DNS stager. More on that later.
MD5: 35BF4900BED40E828887C7601F9C8751
SHA256: 2F58F630D9B12D2B70CECF35728096A247890808E44DAB9C94400A073D5E29BF
Sunday 23 May 2021
Update: re-search.py Version 0.0.17
This new version of re-search.py adds gzip support and filtering of private IPv4 addresses:
MD5: 8945F435BDA03D73EF7A2BA1AA64A65E
SHA256: 0D74709B9F26FC7F6EEADAEE1BAA3AF7AADAA618F88B1C267BA5A063C8E3D997
Saturday 22 May 2021
Update: 1768.py Version 0.0.6
This new version of 1768.py, my tool to analyze Cobalt Stike beacons, has fixes, support for more encodings, and an option to output the config in JSON format.
MD5: EB9C949BB7B5DD3EF9ECEBF7F3C21184
SHA256: 3EC0BB7B41CC5C0E1534F09BAE67D62B220F8D83A7F02EC0F856F8741F86EB31
Sunday 2 May 2021
Overview of Content Published in April
Here is an overview of content I published in April:
Blog posts:
YouTube videos:
- YARA and CyberChef
- YARA and CyberChef: ZIP
- Decoding Cobalt Strike Traffic
- Lua CSV Wireshark Dissector
- The Security Toolsmith (NVISO Brown Bag 2021)
Videoblog posts:
- YARA and CyberChef
- YARA and CyberChef: ZIP
- Decoding Cobalt Strike Traffic
- Lua CSV Wireshark Dissector
- The Security Toolsmith (NVISO Brown Bag 2021)
SANS ISC Diary entries:
Didier Stevens 