Didier Stevens

Sunday 19 December 2021

Update: base64dump.py Version 0.0.19

Filed under: My Software,Update — Didier Stevens @ 9:40

This is a bugfix version.

base64dump_V0_0_19.zip (https)
MD5: 0D250DCB3FCE5D41A6FCB3AAD3937019
SHA256: FECA04873B87A15F0713938717611E86ED360F51AF28FCD03CEEFC4688BD7D67

Saturday 11 December 2021

MiTM Cobalt Strike Network Traffic

Filed under: Encryption,Hacking,Malware,My Software — Didier Stevens @ 10:14

I made a small PoC. cs-mitm.py is a mitmproxy script that intercepts Cobalt Strike traffic, decrypts it and injects its own commands. In this video, a malicious beacon is terminated by sending it an exit command. I selected a malicious beacon that uses one of the leaked private keys.

The script does not support data transforms, but that can be easily added, for example with code found in cs-parse-traffic.py.

Wednesday 1 December 2021

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in November:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO blog posts:

Tuesday 30 November 2021

Update: cs-extract-key.py Version 0.0.3

Filed under: Uncategorized — Didier Stevens @ 0:00

This update brings a new option: -V --verbose.

Verbose output includes a hex/ASCII dump of the decrypted data:

cs-extract-key_V0_0_3.zip (https)
MD5: C40C96B68701369F41EB6731FD83B28B
SHA256: CBB5EC3C8C36931D56AB42E3086CF7E95ABC7782D74F30DDCCF874BD4E89B6BB

Monday 29 November 2021

New Tool: cs-parse-traffic.py

Filed under: Announcement,My Software — Didier Stevens @ 0:00

This tool is the combination of beta tool cs-parse-http-traffic.py (discontinued) and unreleased tool cs-parse-dns-traffic.py: it can decrypt and parse Cobalt Strike DNS and HTTP beacon network traffic.

By default it handles HTTP traffic. Use option -f dns to handle DNS traffic.

cs-parse-traffic_V0_0_3.zip (https)
MD5: D11D64222CD77407FCEE5E6235470828
SHA256: 916B44513620FD2BB3F7263D279E8219419A87F89CDA1253011D7338896405DD

Thursday 25 November 2021

New tool: cs-analyze-processdump.py

Filed under: My Software,Update — Didier Stevens @ 0:00

This is cs-analyze-processdump.py, my tool to analyze Cobalt Strike beacon process dumps, detecting and decoding sleep mode encoding.

cs-analyze-processdump_V0_0_2.zip (https)
MD5: 699C184AA60F741B6DD7CB8C05E12448
SHA256: 5E6C121783C9BC1A392AA4FEFD77D66709B0C8FB2F3E568D8538C6CD81C7B315

Tuesday 23 November 2021

Update: cs-decrypt-metadata.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bugfix version of cs-decrypt-metadata.py, my tool to decrypt Cobalt Strike metadata.

cs-decrypt-metadata_V0_0_3.zip (https)
MD5: BC42AF00F35FE8460E8AA23F2B54A84A
SHA256: 13C62A515D49CF8DEF4A866B069AFC47885B13CAB3703AA529C214B88FF576D3

Monday 22 November 2021

Update: base64dump.py Version 0.0.18

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bugfix version.

base64dump_V0_0_18.zip (https)
MD5: C1D1FBED0E4C1A4703C56412611EF47D
SHA256: 3F46110F9A1750D2351EB7CE2278C1E61EE1C421E10ABB5EC5BFC28B0DA61285

Sunday 21 November 2021

Update: 1768.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of 1768.py, my tool to analyze Cobalt Strike beacons, brings some small changes, such as extra tests and more field name definitions.

1768_v0_0_10.zip (https)
MD5: 603EFE48CF8740397562F65C9E22B648
SHA256: 67F2D59FCE9757B10FE4B50C7D7CD284D36AE21912A13531820AC0BDA8ABC0C1

Friday 12 November 2021

Update: cs-decrypt-metadata.py Version 0.0.2

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This new version of my tool to decrypt Cobalt Strike metadata now supports transformations.

By default, encrypted metadata in Cobalt Strike traffic is encoded with BASE64 and then transmitted via the Cookie header in HTTP(S) requests.

This metadata is encrypted with a public RSA key, and can be decrypted if the private key is known.

Here is an example of a malicious beacon with a specific metadata encoding.

Analyzing the beacon with my tool 1768.py yields the following information:

First: the beacon uses a public key (field 0x0007) for which we know the private key, so we will be able to decrypt the metadata.

Second: the encrypted metadata has a specific encoding (field 0x000c). This beacon was configured with a profile that specifies that the encrypted metadata must be encoded with BASE64 URL-safe (a variant of BASE64 that uses the characters - and _ instead of + and /). The result is then prefixed with the string __cfduid= and transmitted via the Cookie header.

Processing this data with cs-decrypt-metadata.py without providing the transformation instructions results in an error:

The following transformation instructions must be provided to properly decode and decrypt the metadata: 7:Metadata,13,2:__cfduid=,6:Cookie

This is done with option -t:
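As an added worked example (my own code, not part of the original post and not the code of cs-decrypt-metadata.py), the following Python undoes the encoding layer that the instruction string 7:Metadata,13,2:__cfduid=,6:Cookie describes, so that the raw RSA-encrypted blob is recovered from a captured request. The meaning of the step IDs (7 = build, 13 = BASE64 URL-safe, 2 = prepend, 6 = header) is taken from the post's explanation of that string; no other step IDs are assumed. The HTTP request and the metadata bytes are constructed sample data, and the example stops at the encrypted blob, since decrypting it needs the private key. It also shows why the default path (plain BASE64, no prefix) fails on such a beacon.

```python
import base64
import binascii

# Transform step IDs as they appear in the post's instruction string
# "7:Metadata,13,2:__cfduid=,6:Cookie". The meaning of each ID is taken from
# the post's description of that string; no other IDs are assumed here.
STEP_BUILD = 7       # 7:Metadata  - what is being transformed (the metadata)
STEP_BASE64URL = 13  # 13          - BASE64 URL-safe encoding ('-' and '_')
STEP_PREPEND = 2     # 2:__cfduid= - prefix the encoded data with a string
STEP_HEADER = 6      # 6:Cookie    - carry the result in this HTTP header

TRANSFORM = '7:Metadata,13,2:__cfduid=,6:Cookie'


def parse_transform(instructions):
    """Parse 'ID[:argument],ID[:argument],...' into a list of (id, argument) tuples."""
    steps = []
    for item in instructions.split(','):
        if ':' in item:
            code, arg = item.split(':', 1)
        else:
            code, arg = item, None
        steps.append((int(code), arg))
    return steps


def base64url_decode(text):
    """Decode BASE64 URL-safe data, tolerating stripped '=' padding."""
    padded = text + '=' * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded)


def recover_encrypted_metadata(request_headers, instructions):
    """Undo the transform steps, last to first, on a captured beacon request.

    request_headers maps HTTP header names to values. The return value is the
    RSA-encrypted metadata blob; decrypting it still needs the private key.
    """
    steps = parse_transform(instructions)
    if not steps or steps[0][0] != STEP_BUILD:
        raise ValueError('instructions must start with a build step (7:...)')
    data = None
    for code, arg in reversed(steps):
        if code == STEP_HEADER:
            if arg not in request_headers:
                raise ValueError('header %s not present in request' % arg)
            data = request_headers[arg]
        elif code == STEP_PREPEND:
            prefix = arg.encode() if isinstance(data, bytes) else arg
            if data is None or not data.startswith(prefix):
                raise ValueError('expected prefix %r not found' % arg)
            data = data[len(prefix):]
        elif code == STEP_BASE64URL:
            data = base64url_decode(data)
        elif code == STEP_BUILD:
            pass  # nothing left to undo: data is now the raw (encrypted) metadata
        else:
            raise ValueError('unsupported transformation step %d' % code)
    return data


def try_default_decode(cookie_value):
    """The default assumption: plain BASE64 in the Cookie header, no prefix.

    Returns None when that assumption does not hold (the error case in the post).
    """
    try:
        return base64.b64decode(cookie_value, validate=True)
    except binascii.Error:
        return None


# Constructed sample: three bytes that map to '-' and '_' in the URL-safe
# alphabet, followed by a marker, encoded the way the post describes
# (BASE64 URL-safe, then prefixed with __cfduid=, then put in the Cookie header).
SAMPLE_METADATA = b'\xfb\xff\xbe' + b'constructed metadata'
SAMPLE_REQUEST_HEADERS = {
    'Host': 'c2.example',  # constructed placeholder host
    'Cookie': '__cfduid=' + base64.urlsafe_b64encode(SAMPLE_METADATA).decode().rstrip('='),
}

if __name__ == '__main__':
    print(parse_transform(TRANSFORM))
    print('default decode:', try_default_decode(SAMPLE_REQUEST_HEADERS['Cookie']))
    print('with -t:', recover_encrypted_metadata(SAMPLE_REQUEST_HEADERS, TRANSFORM))
```

The steps are undone in reverse order because the beacon applied them forwards: header, then prefix, then BASE64 URL-safe, ending at the build step. Strict BASE64 decoding of the cookie value fails immediately on the underscore in __cfduid=, which is the same situation as running cs-decrypt-metadata.py without -t.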

cs-decrypt-metadata_V0_0_2.zip (https)
MD5: 368EA059E91716DD071975B13A3F108D
SHA256: B906191D376F81E687392EC30EA57483BFC791E3D478E863FA0DB7B468662310