This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted Cobalt Strike traffic starting with a private RSA key. And in part 3, we explained how to decrypt Cobalt Strike traffic if you don’t know the private RSA key but do have a process memory dump.

In the first 3 parts of this series, we have always looked at traffic that contains the unaltered, encrypted data: the data returned for a query and the data posted was just the encrypted data. This encrypted data can be transformed into traffic that looks more benign, using malleable C2 data transforms. In the example we will look at in this blog post, the encrypted data is hidden inside JavaScript code.

But how do we know if a beacon is using such instructions to obfuscate traffic, or not? This can be seen in the analysis results of the latest version of tool 1768.py. Let’s take a look at the configuration of the beacon we started with in part 1:

Figure 1: beacon with default malleable C2 instructions
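As an added illustration (not code from this post, from 1768.py or from Cobalt Strike itself), the Python below shows how an analyst undoes a malleable C2 output chain to get back to the encrypted data: the transform names are the documented profile statements (mask, base64, netbios, prepend, append), while the JavaScript wrapper, the XOR key and the payload bytes are constructed sample values.

```python
import base64

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def _unnetbios(d: bytes) -> bytes:
    if len(d) % 2 or any(not 0x61 <= c <= 0x70 for c in d):
        raise ValueError("not netbios-encoded")
    return bytes(((d[i] - 0x61) << 4) | (d[i + 1] - 0x61) for i in range(0, len(d), 2))

def _strip(d: bytes, lit: bytes, front: bool) -> bytes:
    # Refuse to guess: if the literal the profile promised is absent, the chain is wrong.
    if (front and not d.startswith(lit)) or (not front and not d.endswith(lit)):
        raise ValueError("expected literal %r not found" % lit)
    return d[len(lit):] if front else d[:len(d) - len(lit)]

# Forward = what the team server applies to the encrypted data (used here only to build a
# sample). "mask" prepends its 4-byte XOR key; a fixed key is passed for reproducibility.
_FORWARD = {
    "base64":  lambda d, _: base64.b64encode(d),
    "netbios": lambda d, _: bytes(c for b in d for c in ((b >> 4) + 0x61, (b & 0xF) + 0x61)),
    "prepend": lambda d, lit: lit + d,
    "append":  lambda d, lit: d + lit,
    "mask":    lambda d, key: key + _xor(d, key),
}
# Inverse = what the analyst does, walking the profile's output chain backwards.
_INVERSE = {
    "base64":  lambda d, _: base64.b64decode(d, validate=True),
    "netbios": lambda d, _: _unnetbios(d),
    "prepend": lambda d, lit: _strip(d, lit, True),
    "append":  lambda d, lit: _strip(d, lit, False),
    "mask":    lambda d, _: _xor(d[4:], d[:4]),  # the key is the first 4 bytes on the wire
}

def apply_chain(data: bytes, chain) -> bytes:
    for op, *arg in chain:
        data = _FORWARD[op](data, arg[0] if arg else None)
    return data

def recover_encrypted_data(body: bytes, chain) -> bytes:
    for op, *arg in reversed(chain):
        body = _INVERSE[op](body, arg[0] if arg else None)
    return body
# Constructed output block that hides the data inside JavaScript, as a profile would write it:
#   mask; base64; prepend "var data = \""; append "\";\ndocument.write(data);"; print;
JS_CHAIN = [("mask", b"\x01\x02\x03\x04"), ("base64",),
            ("prepend", b'var data = "'), ("append", b'";\ndocument.write(data);')]
SAMPLE_ENCRYPTED = bytes.fromhex("000000107d8e9fa0b1c2d3e4f50617283940")  # constructed, not real
SAMPLE_BODY = apply_chain(SAMPLE_ENCRYPTED, JS_CHAIN)
```

Feeding a real capture through the wrong chain fails loudly on the prepend/append literals instead of returning garbage, which is the check you want before handing the result to the decryption steps from parts 2 and 3.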