Tuesday, December 7, 2021

Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory

In diary entry “Decrypting Cobalt Strike Traffic With a “Leaked” Private Key” I showed how to decrypt Cobalt Strike network traffic with private RSA keys.

In this diary entry, I will show how to decrypt Cobalt Strike network traffic with AES keys extracted from the beacon’s process memory.

Inside a sandbox, I start the beacon and let it communicate with the C2 while I capture the network traffic, and I also take a process memory dump of the beacon process.

Analyzing the beacon with my tool 1768.py sho…
