1 minute read


This post aims to bring together some resources for quick wins to get cobalt beacons.

Not reinventing the wheel

The below Sophos post does such a great job at explaining the process.

Sophos - Decoding malicious powershell

TLDR Quick Wins

Check your base64 against this cheatsheet base64 cheatsheet

Some beacons like to use a %COMSPEC% service with encoded powershell that looks something like %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <Base64Here>

Plugging this into cyberchef with the following recipie should show the next stage of the config Recipie1

In the case there is some more obfuscation here, and it is compressed try the following recipie Recipe2

Now you should see the config with a $DoIt = @ at the top after Set-StrictMode version 2

Scrolling down, you may see [Byte[]]$var_code = <another base64 string>

Copy out this base64 string and place into this recipie (Take note of the bxor <number> below the base64 command, this contains the decimal xor string you might need) recipie3

This will output the URL or a Named Pipe, if you save this file (Windows Defender will block it) as a .bin file you can use scdbg to see the windows API Calls

scdbg /f download.bin