Identifying Cobalt Strike
Here are 3 examples of Cobalt Strike [Redacted]:
All 3 of the examples had
base64 strings [Redacted].
How do we know it's Cobalt Strike?
Let's start with the first example. The base64 string will be decoded using CyberChef.
base64 string [redacted] and input this in CyberChef.
Looking at Stage 1 of the decoded
base64 script, we see
$s=New-Object IO.MemoryStream, which Cobalt Strike almost always has, and if that doesn't give it away, the
XOR 35 will, and if that doesn't, then
Guide to named pipes and hunting for cobalt strike pipes
Learn pipe fitting for all of your offense projects