PCAPs and Beacons

Published: 2021-03-07
Last Updated: 2021-03-07 20:55:50 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I like taking a closer look at captures files posted by Brad. In his latest diary entry, we have a capture file with Cobalt Strike traffic.

With regular expression "^/....$" I look for URIs that are typical for Cobalt Strike shellcode (and Metasploit too):

Following this HTTP stream, I see data that looks encoded and has some repetitions, so this might be some kind of XOR encoding:

I export this data stream as a file:

Then pass it through my 1768.py Cobalt Strike beacon analysis tool:

And this is indeed the configuration of a beacon.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: beacon pcap
0 comment(s)

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .

Diary Archives