Sunday, May 30, 2021

Video: Cobalt Strike & DNS – Part 1, (Sun, May 30th)

One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.

This can be tested with a simple DNS TXT query:

The content of this TXT record contains the start of a Cobalt Strike beacon, encoded with Netbios Name encoding. I recently published an update to my base64dump.py tool to handle this encoding.

In the following video, I show how to use my new, quick & dirty tool to retrieve all DNS TXT records (cs-dns-stager.py) that make up the encoded beacon, and how to decoded this with base64dump and extract the config with my 1768.py tool.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Read More

The post Video: Cobalt Strike & DNS – Part 1, (Sun, May 30th) appeared first on Malware Devil.



https://malwaredevil.com/2021/05/30/video-cobalt-strike-dns-part-1-sun-may-30th/?utm_source=rss&utm_medium=rss&utm_campaign=video-cobalt-strike-dns-part-1-sun-may-30th
at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...