Cobalt Strike Analysis (PwSh)
Here is some Cobalt Strike I came across today.
How do we know it's Cobalt Strike?
Let's unpack the updater.bat
file.
Stage 1 & 2
As we can see, this is a partial output of the base64
string. From here we can use a CyberChef recipe to convert the base64
string.
See screenshot below.
Which will then give us the output of the decoded string and give us an insight on what we need to do next.
Partial output of the decoded base64
string.
Stage 3
In Stage 2 we can see there is more base64
to be decoded. We can copy this and use the same recipe as before to decode the string.
There is still some obfuscation present, to convert this we can use the detect file type
recipe to give us a clue on how to convert the obfuscated strings.
See screenshot below.
CyberChef has detected the obfuscated contents as Gzip.
Stage 4
Using the recipe Gunzip
[along with from base64
] within CyberChef we can unpack the obfuscated strings to reveal our next steps.
There's two parts to the decoded strings, we can see in the screenshots below there is more base64
strings to unpack, and there is $var_code
followed by -bxor 35
. This a bitwise XOR operator with the integer 35.
Stage 5 [Final]
Using the following recipe; from base64
, XOR Key: 35 Decimal
, and Strings
[Minimum Length: 10] we can decode the obfuscated strings.
You will should see an output similar to the screenshot below [redacted].
I've previously said, looking at the original decoded base64
script, we see $s=New-Object IO.MemoryStream
, which Cobalt Strike almost always has, and if that doesn't give it away, the XOR 35
will, and if that doesn't, then Pipe
. In this case we do not see Pipe
but the attackers C2 [redacted].