Didier Stevens

Sunday 19 December 2021

Update: cs-decrypt-metadata.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 9:43

This is a bugfix version.

cs-decrypt-metadata_V0_0_4.zip (https)
MD5: 50C8AEFA1A1A507012BE72C71C449818
SHA256: CAFCCE9A8897C257AE39259D3F444E0F40473BF0D9590DC1A035316EBDDBBC84

Update: base64dump.py Version 0.0.19

Filed under: My Software,Update — Didier Stevens @ 9:40

This is a bugfix version.

base64dump_V0_0_19.zip (https)
MD5: 0D250DCB3FCE5D41A6FCB3AAD3937019
SHA256: FECA04873B87A15F0713938717611E86ED360F51AF28FCD03CEEFC4688BD7D67

Saturday 11 December 2021

MiTM Cobalt Strike Network Traffic

Filed under: Encryption,Hacking,Malware,My Software — Didier Stevens @ 10:14

I made a small PoC. cs-mitm.py is a mitmproxy script that intercepts Cobalt Strike traffic, decrypts it and injects its own commands. In this video, a malicious beacon is terminated by sending it an exit command. I selected a malicious beacon that uses one of the leaked private keys.

The script does not support data transforms, but that can be easily added, for example with code found in cs-parse-traffic.py.

Wednesday 1 December 2021

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in November:

Blog posts:
YouTube videos:
Videoblog posts:
SANS ISC Diary entries:
NVISO blog posts:

Tuesday 30 November 2021

Update: cs-extract-key.py Version 0.0.3

Filed under: Uncategorized — Didier Stevens @ 0:00

This update brings a new option: -V --verbose.

Verbose output includes a hex/ASCII dump of the decrypted data:

cs-extract-key_V0_0_3.zip (https)
MD5: C40C96B68701369F41EB6731FD83B28B
SHA256: CBB5EC3C8C36931D56AB42E3086CF7E95ABC7782D74F30DDCCF874BD4E89B6BB

Monday 29 November 2021

New Tool: cs-parse-traffic.py

Filed under: Announcement,My Software — Didier Stevens @ 0:00

This tool is the combination of beta tool cs-parse-http-traffic.py (discontinued) and unreleased tool cs-parse-dns-traffic.py: it can decrypt and parse Cobalt Strike DNS and HTTP beacon network traffic.

By default it handles HTTP traffic. Use option -f dns to handle DNS traffic.

cs-parse-traffic_V0_0_3.zip (https)
MD5: D11D64222CD77407FCEE5E6235470828
SHA256: 916B44513620FD2BB3F7263D279E8219419A87F89CDA1253011D7338896405DD

Thursday 25 November 2021

New tool: cs-analyze-processdump.py

Filed under: My Software,Update — Didier Stevens @ 0:00

This is cs-analyze-processdump.py, my tool to analyze Cobalt Strike beacon process dumps, detecting and decoding sleep mode encoding.

cs-analyze-processdump_V0_0_2.zip (https)
MD5: 699C184AA60F741B6DD7CB8C05E12448
SHA256: 5E6C121783C9BC1A392AA4FEFD77D66709B0C8FB2F3E568D8538C6CD81C7B315

Tuesday 23 November 2021

Update: cs-decrypt-metadata.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bugfix version of cs-decrypt-metadata.py, my tool to decrypt Cobalt Strike metadata.

cs-decrypt-metadata_V0_0_3.zip (https)
MD5: BC42AF00F35FE8460E8AA23F2B54A84A
SHA256: 13C62A515D49CF8DEF4A866B069AFC47885B13CAB3703AA529C214B88FF576D3

Monday 22 November 2021

Update: base64dump.py Version 0.0.18

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix version.

base64dump_V0_0_18.zip (https)
MD5: C1D1FBED0E4C1A4703C56412611EF47D
SHA256: 3F46110F9A1750D2351EB7CE2278C1E61EE1C421E10ABB5EC5BFC28B0DA61285

Sunday 21 November 2021

Update: 1768.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of 1768.py, my tool to analyze Cobalt Strike beacons, adds some small changes, like extra tests, and defines more field names.

1768_v0_0_10.zip (https)
MD5: 603EFE48CF8740397562F65C9E22B648
SHA256: 67F2D59FCE9757B10FE4B50C7D7CD284D36AE21912A13531820AC0BDA8ABC0C1
