Cobalt Strike Decoding
Introduction
This post aims to bring together some resources for quick wins when decoding Cobalt Strike beacons.
Not reinventing the wheel
The Sophos post below does a great job of explaining the process.
Sophos - Decoding malicious PowerShell
TLDR Quick Wins
Check your Base64 string against this base64 cheatsheet.
Some beacons like to use a %COMSPEC% service with encoded PowerShell that looks something like:
%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <Base64Here>
Plugging the Base64 into CyberChef with the following recipe should show the next stage of the config: Recipe 1
If there is more obfuscation here and the payload is compressed, try the following recipe: Recipe 2
Now you should see the config, with $DoIt = @ at the top after Set-StrictMode version 2.
Scrolling down, you may see [Byte[]]$var_code = <another base64 string>
Copy out this Base64 string and paste it into this recipe (take note of the -bxor <number> below the Base64 command; it is the decimal XOR key you will need): Recipe 3
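The three CyberChef recipes above, replayed end to end in Python as an added example (not code from the original post or from Sophos). It assumes the loader shape described here, a gzip- or Deflate-wrapped stage followed by a $var_code blob with a -bxor key, and runs on a constructed dummy sample rather than a real beacon:

```python
import base64, gzip, re, zlib

# Constructed sample (NOT a real beacon): a dummy payload wrapped the way the
# post describes: stage-2 script -> gzip -> base64 -> UTF-16LE -> -encodedcommand.
XOR_KEY = 35
DUMMY_PAYLOAD = b"CONSTRUCTED-SAMPLE-NOT-SHELLCODE"
_stage2 = (
    "Set-StrictMode -Version 2\n$DoIt = @'\n"
    "[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')\n"
    "for ($x = 0; $x -lt $var_code.Count; $x++) {\n"
    "    $var_code[$x] = $var_code[$x] -bxor %d\n}\n'@\n"
    % (base64.b64encode(bytes(b ^ XOR_KEY for b in DUMMY_PAYLOAD)).decode(), XOR_KEY)
)
_stage1 = (
    "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
    "New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s')),"
    "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
    % base64.b64encode(gzip.compress(_stage2.encode())).decode()
)
SAMPLE_CMDLINE = (
    "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand "
    + base64.b64encode(_stage1.encode("utf-16le")).decode()
)

def decode_encodedcommand(cmdline: str) -> str:
    """Recipe 1: pull the -encodedcommand argument, Base64-decode it, read as UTF-16LE."""
    b64 = re.split(r"-encodedcommand\s+", cmdline, flags=re.IGNORECASE)[1].split()[0]
    return base64.b64decode(b64).decode("utf-16le")

def decompress_stage(script: str) -> str:
    """Recipe 2: find the inner Base64 blob and gunzip it (raw Deflate as fallback)."""
    m = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", script)
    raw = base64.b64decode(m.group(1))
    try:
        return gzip.decompress(raw).decode()
    except (OSError, EOFError):
        return zlib.decompress(raw, -15).decode()  # DeflateStream variant (no header)

def extract_var_code(script: str) -> bytes:
    """Recipe 3: Base64-decode $var_code and undo the -bxor <key> from the loop below it."""
    m = re.search(r"\$var_code\s*=\s*\[System\.Convert\]::FromBase64String\('([^']+)'\)", script)
    key = int(re.search(r"-bxor\s+(\d+)", script).group(1))
    return bytes(b ^ key for b in base64.b64decode(m.group(1)))

def decode_beacon_loader(cmdline: str) -> bytes:
    """Chain the three recipes: command line -> stage-2 script -> decoded $var_code bytes."""
    return extract_var_code(decompress_stage(decode_encodedcommand(cmdline)))
```

The returned bytes are what you would save as the .bin file for scdbg; the URL or named pipe is usually visible as a printable string inside them.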
This will output the URL or a named pipe. If you save the decoded output as a .bin file (Windows Defender will block it), you can use scdbg to see the Windows API calls:
scdbg /f download.bin