Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Video: Cobalt Strike & DNS - Part 1 SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Video: Cobalt Strike & DNS - Part 1

One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.

This can be tested with a simple DNS TXT query:

The content of this TXT record contains the start of a Cobalt Strike beacon, encoded with Netbios Name encoding. I recently published an update to my base64dump.py tool to handle this encoding.

In the following video, I show how to use my new, quick & dirty tool to retrieve all DNS TXT records (cs-dns-stager.py) that make up the encoded beacon, and how to decoded this with base64dump and extract the config with my 1768.py tool.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

DidierStevens

558 Posts
ISC Handler
May 30th 2021

Sign Up for Free or Log In to start participating in the conversation!