🔒 ponchos blog.

Cobalt Strike Analysis (PwSh)

Here is some Cobalt Strike I came across today.


How do we know it's Cobalt Strike?

Let's unpack the updater.bat file.

Stage 1 & 2

Cobalt2 As we can see, this is a partial output of the base64 string. From here we can use a CyberChef recipe to convert the base64 string.
See screenshot below.


Which will then give us the output of the decoded string and give us an insight on what we need to do next.

Cobalt4 Partial output of the decoded base64 string.

Stage 3

In Stage 2 we can see there is more base64 to be decoded. We can copy this and use the same recipe as before to decode the string.


There is still some obfuscation present, to convert this we can use the detect file type recipe to give us a clue on how to convert the obfuscated strings.
See screenshot below.

Cobalt6 CyberChef has detected the obfuscated contents as Gzip.

Stage 4

Using the recipe Gunzip [along with from base64] within CyberChef we can unpack the obfuscated strings to reveal our next steps.

There's two parts to the decoded strings, we can see in the screenshots below there is more base64 strings to unpack, and there is $var_code followed by -bxor 35. This a bitwise XOR operator with the integer 35.



Stage 5 [Final]

Using the following recipe; from base64, XOR Key: 35 Decimal, and Strings [Minimum Length: 10] we can decode the obfuscated strings.

You will should see an output similar to the screenshot below [redacted].


I've previously said, looking at the original decoded base64 script, we see $s=New-Object IO.MemoryStream, which Cobalt Strike almost always has, and if that doesn't give it away, the XOR 35 will, and if that doesn't, then Pipe. In this case we do not see Pipe but the attackers C2 [redacted].

View original