Identifying Cobalt Strike
Here are 3 examples of Cobalt Strike [Redacted]:
All 3 of the examples had base64
strings [Redacted].
How do we know it's Cobalt Strike?
Let's start with the first example. The base64 string will be decoded using CyberChef.
Take the base64
string [redacted] and input this in CyberChef.
Stage 1
Stage 2
Stage 3
Looking at Stage 1 of the decoded base64
script, we see $s=New-Object IO.MemoryStream
, which Cobalt Strike almost always has, and if that doesn't give it away, the XOR 35
will, and if that doesn't, then Pipe
.
References:
Guide to named pipes and hunting for cobalt strike pipes
&
Learn pipe fitting for all of your offense projects