Decoding Cobalt Strike Traffic

Published: 2021-04-18
Last Updated: 2021-04-18 11:42:21 UTC
by Didier Stevens (Version: 1)

In diary entry "Example of Cleartext Cobalt Strike Traffic (Thanks Brad)" I share a capture file I found with unencrypted Cobalt Strike traffic. The traffic is unencrypted since the malicious actors used a trial version of Cobalt Strike.

This weekend I carried on with the analysis of that traffic; you can see my findings in this video and read the diary entry below.

Reader binarysheperds posted a comment pointing out packet 8241, which looks like it contains the output of a UAC bypass command:

Yesterday I took a closer look at the binary protocol, started to see some patterns (like an epoch value), and then I found Python code on Github that handles Cobalt Strike's encrypted traffic.

This allowed me to write a decoding tool: parse-cs-http-traffic.py. It takes the pcap file as its argument and relies on the Python module pyshark to parse it; I then extract the traffic and parse that. The parsing code is still incomplete because my understanding of the protocol is still incomplete.
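As an added example (not Didier's parse-cs-http-traffic.py, and not using pyshark), the Python below does the two steps this paragraph and the HTTP response/POST description further down describe, on a constructed one-packet capture: it walks a classic pcap by hand to pull out TCP payloads and HTTP bodies, then applies the kind of pattern check that surfaces an epoch value, flagging any 4-byte field that decodes to a plausible Unix time. The pcap bytes, the hostname and the addresses are constructed; the epoch-window heuristic is a general reverse-engineering aid and assumes nothing about Cobalt Strike's actual field layout.

```python
import struct
from datetime import datetime, timezone
from typing import List, NamedTuple, Tuple

# Added example, not the diary's tool. A stand-in for "read the pcap, pull out the
# HTTP bodies, look for patterns": a minimal classic-pcap/Ethernet/IPv4/TCP walker
# (no pyshark or tshark needed) plus a heuristic for 4-byte Unix-epoch fields.


class TcpSegment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def iter_tcp_payloads(pcap: bytes) -> List[TcpSegment]:
    """Walk a classic (non-pcapng) Ethernet pcap and return non-empty TCP payloads."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng/nanosecond variants not handled)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only link type 1 (Ethernet) is handled")
    segments, off = [], 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from(">H", ip, 2)[0]
        if ip[9] != 6:  # not TCP
            continue
        tcp = ip[ihl:total_len]  # slice by IP length to drop any Ethernet padding
        sport, dport = struct.unpack_from(">HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            segments.append(TcpSegment(src, sport, dst, dport, payload))
    return segments


def split_http(payload: bytes) -> Tuple[str, bytes]:
    """Separate one HTTP message into its decoded header block and raw body."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    return head.decode("latin-1"), body


def find_epoch_candidates(blob: bytes, lo: str = "2020-01-01", hi: str = "2022-12-31"):
    """Report every 4-byte window (big- or little-endian) decoding to a Unix time in
    [lo, hi]. A window of a few years keeps random bytes from matching, so the hits
    that survive are good candidates for timestamp fields in an unknown protocol."""
    def ts(day: str) -> int:
        return int(datetime.fromisoformat(day).replace(tzinfo=timezone.utc).timestamp())
    lo_ts, hi_ts = ts(lo), ts(hi)
    hits = []
    for off in range(len(blob) - 3):
        for fmt, label in ((">I", "be"), ("<I", "le")):
            val = struct.unpack_from(fmt, blob, off)[0]
            if lo_ts <= val <= hi_ts:
                hits.append((off, label, datetime.fromtimestamp(val, timezone.utc).isoformat()))
    return hits


def build_sample_pcap() -> bytes:
    """Constructed input: one frame carrying an HTTP POST whose body starts with a
    big-endian epoch (2021-04-11 00:00:00 UTC) followed by opaque filler."""
    body = struct.pack(">II", 1618099200, 16) + b"A" * 16
    http = (b"POST /upload HTTP/1.1\r\nHost: c2.example.invalid\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
    tcp = struct.pack(">HHIIBBHHH", 49152, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + http
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 1618099200, 0, len(frame), len(frame))
    return header + record + frame


def analyse(pcap: bytes):
    """Per TCP segment: the HTTP request line and the epoch candidates in its body."""
    results = []
    for seg in iter_tcp_payloads(pcap):
        head, body = split_http(seg.payload)
        results.append((head.splitlines()[0], find_epoch_candidates(body)))
    return results


if __name__ == "__main__":
    for request_line, hits in analyse(build_sample_pcap()):
        print(request_line, hits)
```

The hand-rolled pcap walker exists only so the example runs offline; on a real capture pyshark (or tshark's `follow` output) is the sensible choice, because beacon responses and POST bodies routinely span several TCP segments and this example does no stream reassembly. HTTP responses from the C2 go through `split_http` the same way as the POST shown, so the same epoch scan can be pointed at the task blobs the server delivers. The date window is the one knob worth tuning: set it to the capture's own time span so that only fields that could plausibly be that session's timestamps survive.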

Here is the output of my tool for the UAC bypass:

First, with an HTTP response, commands are delivered to the beacon: download a DLL and do a UAC bypass.

Second, the output (text) is sent to the C2 with an HTTP POST request.

This DLL is a reflective loader to perform a UAC bypass:

I also found portscanning activity. You can watch the complete analysis in this video:

And here are two videos by Cobalt Strike developer Raphael Mudge, on portscanning and UAC bypass.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: beacon pcap