We found 6 private keys for rogue Cobalt Strike software, enabling C2 network traffic decryption. The communication between a Cobalt Strike beacon (client) and a Cobalt Strike team server (C2) is encrypted with AES (even when it takes place over HTTPS). The AES key is generated by the beacon, and communicated to the C2 using … Continue reading Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1
All aboard the internship – whispering past defenses and sailing into kernel space
Previously, we have already published Sander's (@cerbersec) internship testimony. Since this post does not really contain any juicy technical details and Sander has done a terrific job putting together a walkthrough of his process, we thought it would be a waste not to highlight his previous posts again. In Part 1, Sander explains how he … Continue reading All aboard the internship – whispering past defenses and sailing into kernel space
Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester
In one of the smaller campaigns we monitored last month (September 2021), the threat actor inadvertently exposed Telegram credentials to their harvester. This opportunity provided us some insight into their operations; a peek behind the curtains we wanted to share.
Building an ICS Firing Range – Part 2 (Defcon 29 ICS Village)
As discussed in our first post in the series about our ICS firing range, we came to the conclusion that we had to build a lab ourselves. Now, this turned out to be a quite tricky task and in this blog post I am going to tell you why: which challenges we faced and which … Continue reading Building an ICS Firing Range – Part 2 (Defcon 29 ICS Village)
Kusto hunting query for CVE-2021-40444
Introduction On September 7th 2021, Microsoft published customer guidance concerning CVE-2021-40444, an MSHTML Remote Code Execution Vulnerability: Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.An attacker could craft a … Continue reading Kusto hunting query for CVE-2021-40444
Anatomy and Disruption of Metasploit Shellcode
In April 2021 we went through the anatomy of a Cobalt Strike stager and how some of its signature evasion techniques ended up being ineffective against detection technologies. In this blog post we will go one level deeper and focus on Metasploit, an often-used framework interoperable with Cobalt Strike. Throughout this blog post we will … Continue reading Anatomy and Disruption of Metasploit Shellcode