Didier Stevens

Friday 12 November 2021

Update: cs-decrypt-metadata.py Version 0.0.2

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This new version of my tool to decrypt Cobalt Strike metadata now supports transformations.

By default, encrypted metadata in Cobalt Strike traffic is encoded with BASE64 and then transmitted via the Cookie header in HTTP(S) requests.

This metadata is encrypted with a public RSA key, and can be decrypted if the private key is known.

Here is an example of a malicious beacon with a specific metadata encoding.

Analyzing the beacon with my tool 1768.py yields the following information:

First: a public key (field 0x0007) is used for which we know the private key, so we will be able to decrypt the metadata.

Second: the encrypted metadata has a specific encoding (field 0x000c). This beacon was configured with a profile that specifies that the encrypted metadata must be encoded with BASE64 URL-safe (a variant of BASE64 that uses the characters - and _ instead of + and /). It is then prefixed with the string __cfduid= and transmitted via the Cookie header.

An error will result when this data is processed by tool cs-decrypt-metadata.py without providing the transformation instructions:

The following transformation instructions must be provided to properly decode and decrypt the metadata: 7:Metadata,13,2:__cfduid=,6:Cookie

This is done with option -t:

cs-decrypt-metadata_V0_0_2.zip (https)
MD5: 368EA059E91716DD071975B13A3F108D
SHA256: B906191D376F81E687392EC30EA57483BFC791E3D478E863FA0DB7B468662310
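
The decoding side of the transformation described above, as an added example (not code from cs-decrypt-metadata.py or from this post): it parses the instruction string, undoes the __cfduid= prefix and the URL-safe BASE64 on a Cookie header, and returns the raw RSA ciphertext, stopping before decryption. The opcode meanings are inferred from the post's description of this profile, and the headers, host name and 128-byte blob are constructed sample data.

```python
import base64

# Opcode meanings inferred from the post's description of this profile (assumption).
BUILD, BASE64URL, PREPEND, HEADER = 7, 13, 2, 6

def parse_instructions(text):
    """Split '7:Metadata,13,2:__cfduid=,6:Cookie' into (opcode, argument) pairs."""
    steps = []
    for item in text.split(","):
        opcode, _, argument = item.partition(":")
        steps.append((int(opcode), argument))
    return steps

def b64url_decode(value):
    """Decode URL-safe BASE64 (- and _), restoring any stripped = padding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def extract_encrypted_metadata(request_headers, instructions):
    """Undo the client-side transformation and return the raw RSA ciphertext."""
    steps = parse_instructions(instructions)
    if not steps or steps[0][0] != BUILD or steps[-1][0] != HEADER:
        raise ValueError("expected build ... header instructions")
    header_name = steps[-1][1].lower()
    headers = {k.lower(): v for k, v in request_headers}
    if header_name not in headers:
        raise ValueError("header %s not present" % steps[-1][1])
    data = headers[header_name]
    # The beacon applied the middle steps left to right; undo them right to left.
    for opcode, argument in reversed(steps[1:-1]):
        if opcode == PREPEND:
            if not data.startswith(argument):
                raise ValueError("prefix %r not found" % argument)
            data = data[len(argument):]
        elif opcode == BASE64URL:
            data = b64url_decode(data)
        else:
            raise ValueError("unsupported opcode %d" % opcode)
    return data

# Constructed sample: 128 arbitrary bytes stand in for the RSA-encrypted blob.
SAMPLE_BLOB = bytes((i * 7 + 0xF8) % 256 for i in range(128))
SAMPLE_HEADERS = [
    ("Host", "c2.example"),
    ("Cookie", "__cfduid=" + base64.urlsafe_b64encode(SAMPLE_BLOB).decode().rstrip("=")),
]
INSTRUCTIONS = "7:Metadata,13,2:__cfduid=,6:Cookie"

if __name__ == "__main__":
    print(extract_encrypted_metadata(SAMPLE_HEADERS, INSTRUCTIONS).hex())
```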
