In the diary entry “Decrypting Cobalt Strike Traffic With a ‘Leaked’ Private Key” I showed how to decrypt Cobalt Strike network traffic with private RSA keys.
In this diary entry, I will show how to decrypt Cobalt Strike network traffic with AES keys extracted from the beacon’s process memory.
Inside a sandbox, I start the beacon and let it communicate with the C2 while I capture the network traffic, and I also make a process memory dump of the beacon process.
Analyzing the beacon with my tool 1768.py sho…
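The decryption step this entry works toward, as an added example in Go that is not code from the diary or from the 1768.py tooling: it takes the 16 raw key bytes recovered from the beacon's memory, derives the AES and HMAC keys, checks the tag before decrypting, and parses the counter and length fields. The layout (SHA-256 split into AES-128 and HMAC keys, the constant CBC IV, the 16-byte truncated HMAC after the ciphertext, a 4-byte counter and 4-byte length before the payload) follows public analyses of the beacon's encryption and is an assumption here, as are the key and blob values, which are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var fixedIV = []byte("abcdefghijklmnop") // constant CBC IV used by beacons (assumed layout)

// The 16 raw key bytes dumped from the beacon process are hashed with SHA-256:
// the first half is the AES-128 key, the second half the HMAC-SHA256 key.
func deriveKeys(raw []byte) (aesKey, hmacKey []byte) {
	sum := sha256.Sum256(raw)
	return sum[:16], sum[16:]
}

// decryptBlob takes one encrypted message (AES-128-CBC ciphertext followed by the
// first 16 bytes of HMAC-SHA256 over it), checks the tag before decrypting, and
// returns the 4-byte counter plus the payload selected by the 4-byte length field.
func decryptBlob(raw, blob []byte) (uint32, []byte, error) {
	if len(blob) < 32 || (len(blob)-16)%aes.BlockSize != 0 {
		return 0, nil, errors.New("blob is not whole AES blocks plus a 16-byte tag")
	}
	aesKey, hmacKey := deriveKeys(raw)
	ct, tag := blob[:len(blob)-16], blob[len(blob)-16:]
	m := hmac.New(sha256.New, hmacKey)
	m.Write(ct)
	if !hmac.Equal(m.Sum(nil)[:16], tag) {
		return 0, nil, errors.New("HMAC mismatch: wrong key or modified data")
	}
	block, _ := aes.NewCipher(aesKey) // 16-byte key, cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, fixedIV).CryptBlocks(pt, ct)
	n := int(binary.BigEndian.Uint32(pt[4:8]))
	if n > len(pt)-8 {
		return 0, nil, errors.New("length field exceeds decrypted data")
	}
	return binary.BigEndian.Uint32(pt[:4]), pt[8 : 8+n], nil // bytes after the payload are padding
}

func main() {
	// Constructed key stand-in; an all-zero blob carries no valid tag, so the check rejects it.
	_, _, err := decryptBlob([]byte("0123456789abcdef"), make([]byte, 48))
	fmt.Println(err)
}
```

If the dump yields the derived AES and HMAC keys rather than the raw key, skip deriveKeys and use them directly; the real blob is the encrypted body taken from the captured HTTP traffic.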