Cobalt Strike: Memory Dumps – Part 6

This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted Cobalt Strike traffic starting with … Continue reading Cobalt Strike: Memory Dumps – Part 6

Threat Update – Ukraine & Russia war

Last updated on 2022-03-17/ 8am CET 2022-02-25: added key historical operation: Cyclops Blink2022-03-02: added note on spillover and recommendation2022-03-03: added further information on attacks, updated recommendations2022-03-07: added info on HermeticRansom decrypter and our mission statement2022-03-15: added info on CaddyWiper and fake AV update phishing campaign used to drop Cobalt Strike2022-03-17: added info on the removal … Continue reading Threat Update – Ukraine & Russia war

Cobalt Strike: Decrypting DNS Traffic – Part 5

Cobalt Strike beacons can communicate over DNS. We show how to decode and decrypt DNS traffic in this blog post. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted … Continue reading Cobalt Strike: Decrypting DNS Traffic – Part 5

Cobalt Strike: Decrypting Obfuscated Traffic – Part 4

Encrypted Cobalt Strike C2 traffic can be obfuscated with malleable C2 data transforms. We show how to deobfuscate such traffic. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted … Continue reading Cobalt Strike: Decrypting Obfuscated Traffic – Part 4

Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3

We decrypt Cobalt Strike traffic with cryptographic keys extracted from process memory. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. And in part 2, we decrypted Cobalt Strike traffic starting with a private … Continue reading Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3

Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2

We decrypt Cobalt Strike traffic using one of 6 private keys we found. In this blog post, we will analyze a Cobalt Strike infection by looking at a full packet capture that was taken during the infection. This analysis includes decryption of the C2 traffic. If you haven't already, we invite you to read part … Continue reading Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2

Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1

We found 6 private keys for rogue Cobalt Strike software, enabling C2 network traffic decryption. The communication between a Cobalt Strike beacon (client) and a Cobalt Strike team server (C2) is encrypted with AES (even when it takes place over HTTPS). The AES key is generated by the beacon, and communicated to the C2 using … Continue reading Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1

Credential harvesting and automated validation: a case study

During our incident response engagements, we very frequently come across phishing lures set up to harvest as many credentials as possible, which will likely be sold afterwards or used in follow-up attacks against an organization (or both). While many of these credential harvesting attacks follow the same pattern, from time to time we stumble upon … Continue reading Credential harvesting and automated validation: a case study