🦦 ponchos blog.

Identifying Cobalt Strike

Here are 3 examples of Cobalt Strike [Redacted]:

Cobalt1
Cobalt2
Cobalt3

All 3 of the examples had base64 strings [Redacted].

How do we know it's Cobalt Strike?

Let's start with the first example. The base64 string will be decoded using CyberChef.

Take the base64 string [redacted] and input this in CyberChef.

Stage 1

base1

Stage 2

base2

Stage 3

base3

Looking at Stage 1 of the decoded base64 script, we see $s=New-Object IO.MemoryStream, which Cobalt Strike almost always has, and if that doesn't give it away, the XOR 35 will, and if that doesn't, then Pipe.

References:

Guide to named pipes and hunting for cobalt strike pipes
&
Learn pipe fitting for all of your offense projects

- 6 toasts