SANS ISC: InfoSec Handlers Diary Blog
Video: Cobalt Strike & DNS - Part 1

Published: 2021-05-30
Last Updated: 2021-05-30 16:48:17 UTC
by Didier Stevens (Version: 1)

One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.

This can be tested with a simple DNS TXT query:

The content of this TXT record contains the start of a Cobalt Strike beacon, encoded with NetBIOS name encoding. I recently published an update to my base64dump.py tool to handle this encoding.

In the following video, I show how to use my new, quick & dirty tool cs-dns-stager.py to retrieve all the DNS TXT records that make up the encoded beacon, how to decode this with base64dump, and how to extract the config with my 1768.py tool.
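To make the encoding concrete, here is an added example (my own illustration, not cs-dns-stager.py or base64dump.py) that encodes and decodes NetBIOS name encoding, reassembles a sequence of TXT record contents in retrieval order, and applies a simple triage check for TXT answers that look like this encoding. The payload and record contents are constructed for the example; they are not a real beacon.

```python
import re

# NetBIOS name encoding: every byte becomes two letters, one per nibble, 'A' (0) .. 'P' (15).
NB_RE = re.compile(r"^[A-Pa-p]+$")


def netbios_encode(data: bytes) -> str:
    """Encode bytes as NetBIOS name encoding (uppercase A..P)."""
    out = []
    for b in data:
        out.append(chr(0x41 + (b >> 4)))      # high nibble
        out.append(chr(0x41 + (b & 0x0F)))    # low nibble
    return "".join(out)


def netbios_decode(text: str) -> bytes:
    """Reverse of netbios_encode; rejects input that is not a valid encoding."""
    text = text.strip().upper()
    if len(text) % 2 or not NB_RE.match(text):
        raise ValueError("not NetBIOS-name-encoded data")
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        out.append(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41))
    return bytes(out)


def looks_netbios_encoded(txt: str, min_len: int = 32) -> bool:
    """Triage heuristic for DNS logs: a long, even-length TXT answer made only of A..P."""
    txt = txt.strip()
    return len(txt) >= min_len and len(txt) % 2 == 0 and NB_RE.match(txt) is not None


def reassemble(records: list) -> bytes:
    """Concatenate TXT record contents in retrieval order, then decode the whole stream."""
    return netbios_decode("".join(r.strip() for r in records))


# Constructed sample payload, split into constructed TXT-sized chunks (not a real beacon).
SAMPLE = b"MZ\x90\x00" + bytes(range(16)) + b"constructed sample"
ENCODED = netbios_encode(SAMPLE)
RECORDS = [ENCODED[i:i + 40] for i in range(0, len(ENCODED), 40)]

if __name__ == "__main__":
    for i, rec in enumerate(RECORDS):
        print(f"record {i}: {rec}  suspicious={looks_netbios_encoded(rec, min_len=8)}")
    print(reassemble(RECORDS))
```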


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update

Published: 2021-05-30
Last Updated: 2021-05-30 10:55:16 UTC
by Didier Stevens (Version: 1)

New versions of Sysinternals' tools Procmon, Sysmon, TcpView and Process Explorer were released.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


YARA Release v4.1.1

Published: 2021-05-30
Last Updated: 2021-05-30 10:44:34 UTC
by Didier Stevens (Version: 1)

YARA version 4.1.1 was released.

This is a bug fix release.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Keywords: yara