Cobalt Strike: Overview – Part 7

This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods. In part 1, we explain that Cobalt Strike traffic is encrypted using RSA and AES cryptography, and that we found private RSA keys that can help … Continue reading Cobalt Strike: Overview – Part 7

Cobalt Strike: Memory Dumps – Part 6

This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted Cobalt Strike traffic starting with … Continue reading Cobalt Strike: Memory Dumps – Part 6

Threat Update – Ukraine & Russia war

Last updated on 2022-03-17/ 8am CET 2022-02-25: added key historical operation: Cyclops Blink2022-03-02: added note on spillover and recommendation2022-03-03: added further information on attacks, updated recommendations2022-03-07: added info on HermeticRansom decrypter and our mission statement2022-03-15: added info on CaddyWiper and fake AV update phishing campaign used to drop Cobalt Strike2022-03-17: added info on the removal … Continue reading Threat Update – Ukraine & Russia war

Cobalt Strike: Decrypting DNS Traffic – Part 5

Cobalt Strike beacons can communicate over DNS. We show how to decode and decrypt DNS traffic in this blog post. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted … Continue reading Cobalt Strike: Decrypting DNS Traffic – Part 5