Announcement Archives | Forensic Blogs

December 31, 2021 by Didier Stevens

Overview of Content Published in December

Here is an overview of content I published in December: Blog posts: MiTM Cobalt Strike Network Traffic Update: base64dump.py Version 0.0.19 Update: cs-decrypt-metadata.py Version 0.0.4 Update: cs-parse-traffic.py Version 0.0.4 Update: 1768.py Version 0.0.11 Update: cs-extract-key.py Version 0.0.4 Update: cs-analyze-processdump.py Version 0.0.3 VBA: __SRP_ Streams Update: pecheck Version 0.7.14 Update: base64dump.py Version 0.0.20 YouTube videos: MSBuild & Cobalt Strike SANS ISC Diary entries: Office 2021: VBA Project Version TShark Tip: Extracting Field Values From Capture Files Quicktip: TShark’s Options -e and -T

November 30, 2021 by Didier Stevens

Overview of Content Published in November

Here is an overview of content I published in November:

Blog posts: New Tool: cs-extract-key.py Update: 1768.py Version 0.0.9 Update: cs-decrypt-metadata.py Version 0.0.2 Update: 1768.py Version 0.0.10 Update: base64dump.py Version 0.0.18 Update: cs-decrypt-metadata.py Version 0.0.3 New tool: cs-analyze-processdump.py New Tool: cs-parse-traffic.py Update: cs-extract-key.py Version 0.0.3 YouTube videos: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory Decrypting Cobalt Strike Metadata Without and With Malleable C2 Instructions Obfuscated Maldoc: Reversed BASE64 YARA Rules for Office Maldocs Videoblog posts: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory Decrypting Cobalt Strike Metadata Without and With Malleable C2 Instructions Obfuscated Maldoc: Reversed BASE64 YARA Rules for Office Maldocs SANS ISC Diary entries: Decrypting Cobalt Strike Traffic With a “Leaked” Private Key Sysinternals: Autoruns and Sysmon updates Video: Phishing ZIP With Malformed Filename Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory Obfuscated Maldoc: Reversed BASE64 Video: Obfuscated Maldoc: Reversed BASE64 External Email System FBI Compromised: Sending Out Fake Warnings Backdooring PAM Simple YARA Rules for Office Maldocs YARA Rule for OOXML Maldocs: Less False Positives YARA’s Private Strings Video: SANS Holiday Hack Challenge 2021 Q&A with Ed Skoudis Video: YARA Rules for Office Maldocs Wireshark 3.6.0 Released NVISO blog posts: Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3 Detecting DCSync and DCShadow Network Traffic Cobalt Strike: Decrypting Obfuscated Traffic – Part 4 Cobalt Strike: Decrypting DNS Traffic – Part 5

November 28, 2021 by Didier Stevens

New Tool: cs-parse-traffic.py

This tool is the combination of beta tool cs-parse-http-traffic.py (discontinued) and unreleased tool cs-parse-dns-traffic.py: it can decrypt and parse Cobalt Strike DNS and HTTP beacon network traffic.

By default it handles HTTP traffic. Use option -f dns to handle DNS traffic.

cs-parse-traffic_V0_0_3.zip (https)
MD5: D11D64222CD77407FCEE5E6235470828
SHA256: 916B44513620FD2BB3F7263D279E8219419A87F89CDA1253011D7338896405DD