Forensic Blogs

An aggregator for digital forensics blogs

May 26, 2022 by Didier Stevens

PoC: Cobalt Strike mitm Attack

I did this about 6 months ago, but this blog post didn’t get posted back then. I’m posting it now.

I made a small Proof-of-Concept: cs-mitm.py is a mitmproxy script that intercepts Cobalt Strike traffic, decrypts it and injects its own commands.

In this video, a malicious beacon is terminated by sending it a sleep command followed by an exit command. I just included the sleep command to show that it’s possible to do this for more than one command.

I selected this malicious beacon for this PoC because it uses one of the leaked private keys, enabling the script to decrypt the metadata and obtain the necessary AES and HMAC keys.

The PoC does not support malleable C2 data transforms, but the code to do this can be taken from my other cs-* tools.

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: Encryption, Hacking, Malware

May 26, 2022 by Didier Stevens

Update: Python Templates Version 0.0.7

Some small updates to my Python templates.

python-templates_V0_0_7.zip (http)
MD5: 46EE756206A0A941F7B29C3551FF48FF
SHA256: 5158046371E8E925AB7A158827496BA971F24F5FE0A232AC0FDF0B10427DB98B

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: My Software, Update

May 26, 2022 by Didier Stevens

Update: 1768.py Version 0.0.14

Here is a small update of my tool to analyze Cobalt Strike beacons.

1768_v0_0_14.zip (http)
MD5: 6E8494125F4DDB044556182C8A196DD1
SHA256: D8CFCC735666D90BB160E30C7AD7100B0520FAC2929277E7B1DAD1CFFD0B3EC8

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: My Software, Update
