
Introduction

This post brings together some resources for quick wins when decoding Cobalt Strike beacon stagers.

Not reinventing the wheel

The Sophos post below does a great job of explaining the process.

Sophos - Decoding malicious PowerShell

TLDR Quick Wins

Check the start of your base64 string against this cheatsheet: base64 cheatsheet

Some beacons like to persist as a service whose command is %COMSPEC% with an encoded PowerShell payload, looking something like %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <Base64Here>

Plugging this into CyberChef with the following recipe should show the next stage of the config: Recipe1

If there is further obfuscation here and the payload is compressed, try the following recipe instead: Recipe2

Now you should see the stager script, with $DoIt = @ near the top just after the Set-StrictMode -Version 2 line

Scrolling down, you may see [Byte[]]$var_code = <another base64 string>

Copy out this base64 string and place it into this recipe (take note of the -bxor <number> just below the base64 string; it is the decimal XOR key you will need): Recipe3

This will reveal the C2 URL or named pipe. If you save the decoded output as a .bin file (Windows Defender will block it), you can use scdbg to see the Windows API calls it makes:

scdbg /f download.bin
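The same stages, as an added Python example that is not part of the original post or of the Sophos write-up: it pulls the -encodedcommand argument off a command line, decodes the UTF-16LE base64, inflates the gzip or raw-deflate layer when present (Recipe2), extracts [Byte[]]$var_code together with the -bxor key (Recipe3), and searches the result for an http(s) URL or a \\.\pipe\ name. The build_sample() helper is a constructed test input wrapped the way the post describes, using a TEST-NET address and a made-up pipe name; the function names, regexes and the $DoIt layout it assumes are this example's own.

```python
"""Walk an encoded-PowerShell Cobalt Strike stager down to its C2 indicator.

Stages mirror the post: -encodedcommand (UTF-16LE base64) -> optional
gzip/deflate -> $DoIt block -> $var_code base64 -> XOR with -bxor key ->
URL or named pipe. Added example; assumes the stager layout described above.
"""
import base64
import gzip
import re
import zlib

ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
B64_RE = re.compile(r"FromBase64String\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)", re.I)
VAR_CODE_RE = re.compile(
    r"\$var_code\s*=\s*\[(?:System\.)?Convert\]::FromBase64String\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)",
    re.I,
)
XOR_KEY_RE = re.compile(r"-bxor\s+(\d+)", re.I)          # decimal key under the blob
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")           # printable ASCII run
PIPE_RE = re.compile(rb"\\\\\.\\pipe\\[\x21-\x7e]+")       # \\.\pipe\<name>


def decode_encoded_command(cmdline):
    """Take the -encodedcommand argument and decode it; PowerShell expects UTF-16LE."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        raise ValueError("no -encodedcommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def inflate_if_compressed(blob):
    """Undo the gzip (magic 1f 8b) or raw-DEFLATE layer some stagers add (Recipe2)."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    try:
        return zlib.decompress(blob, -15)  # -15: raw DEFLATE stream, no zlib header
    except zlib.error:
        return blob


def next_stage(script):
    """Decode each FromBase64String() blob in the outer script and return the first
    one that inflates to readable text (Recipe1 / Recipe2)."""
    for m in B64_RE.finditer(script):
        raw = inflate_if_compressed(base64.b64decode(m.group(1)))
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
    raise ValueError("no decodable next stage found")


def extract_shellcode(script):
    """Pull [Byte[]]$var_code out of the $DoIt block and undo the -bxor key (Recipe3)."""
    m = VAR_CODE_RE.search(script)
    if not m:
        raise ValueError("no $var_code found; not the stager layout this example assumes")
    key_m = XOR_KEY_RE.search(script, m.end())
    key = int(key_m.group(1)) if key_m else 0   # no -bxor line: bytes are used as-is
    return bytes(b ^ key for b in base64.b64decode(m.group(1)))


def find_indicators(shellcode):
    """Return URL and named-pipe strings embedded in the decoded bytes."""
    found = [x.decode() for x in URL_RE.findall(shellcode)]
    found += [x.decode() for x in PIPE_RE.findall(shellcode)]
    return found


def analyse(cmdline):
    """Run the whole chain; returns (decoded shellcode bytes, list of indicators)."""
    outer = decode_encoded_command(cmdline)
    doit = outer if "$var_code" in outer else next_stage(outer)
    shellcode = extract_shellcode(doit)
    return shellcode, find_indicators(shellcode)


def build_sample(indicator, key=35):
    """CONSTRUCTED input for testing: wrap a fake payload the way the post describes
    (XOR'd $var_code inside $DoIt -> gzip -> base64 -> UTF-16LE -encodedcommand)."""
    fake_code = b"\x90" * 8 + indicator + b"\x00"            # not real shellcode
    xored = base64.b64encode(bytes(b ^ key for b in fake_code)).decode()
    doit = (
        "Set-StrictMode -Version 2\n$DoIt = @'\n"
        f"[Byte[]]$var_code = [System.Convert]::FromBase64String('{xored}')\n"
        f"for ($x = 0; $x -lt $var_code.Count; $x++) {{ $var_code[$x] = $var_code[$x] -bxor {key} }}\n"
        "'@\n"
    )
    gz = base64.b64encode(gzip.compress(doit.encode())).decode()
    outer = (
        f"$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('{gz}'));"
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
    )
    enc = base64.b64encode(outer.encode("utf-16-le")).decode()
    return f"%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand {enc}"


if __name__ == "__main__":
    sample = build_sample(b"http://203.0.113.10/updates.rss")   # constructed, TEST-NET address
    shellcode, indicators = analyse(sample)
    print("indicators:", indicators)
    with open("download.bin", "wb") as f:    # then: scdbg /f download.bin
        f.write(shellcode)
```

On a real command line you would pass the service's ImagePath string to analyse() in place of the constructed sample; the decoded bytes written to download.bin are what the scdbg step above consumes. Stagers that compress with raw DEFLATE rather than gzip are handled by the -15 window-bits fallback, and a stager with no -bxor line falls back to a key of 0.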