tobias e62a14dafc Add markdown wiki with 473 pages and zk browser
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00


# Cobalt Strike Analysis

Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux.

FOR610 Labs: 3.4

## Steps

### Step 1: Beacon Detection

Tools: tools/yara, tools/capa

Scan the specimen with YARA rules that match Cobalt Strike beacons (REMnux ships a rule collection; point `-r` at the rules directory you want to use). capa reports capabilities such as 'receive data from C2' and sleep/timing loops that are typical of a beacon. Treat size as a weak indicator only: the full beacon stage (a reflective DLL) is typically around 200 KB or more, while a stager is only a few hundred bytes of shellcode, so a small file does not rule Cobalt Strike out.

```bash
yara -r <rules_dir> specimen.bin
capa specimen.exe
```

### Step 2: Configuration Extraction

Tools: tools/1768-py

Parse the beacon configuration with 1768.py. It accepts the unpacked beacon DLL, extracted shellcode, or a process memory dump, and reports the C2 host and URIs, user-agent, sleep time and jitter, watermark, spawn-to processes, named pipe name, and proxy settings. The config is stored as a block of records XOR-encoded with a single byte (0x69 for Cobalt Strike 3.x, 0x2e for 4.x); the tool locates and decodes both variants.

```bash
1768.py shellcode.bin
```
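To make concrete what 1768.py is recovering in this step, here is an added example (not the page's own code and not Didier Stevens' tool) that parses the publicly documented beacon config encoding in plain Python: TLV records (big-endian index, type, length) XOR-encoded with 0x69 (3.x) or 0x2e (4.x), located by the fixed header of the first record. The setting names and beacon-type values are the commonly published ones and the table is a subset; the sample config, C2 hostname, pipe name and watermark are constructed for the demo and belong to no real infrastructure.

```python
"""Parser for the Cobalt Strike beacon config encoding (added example).

Layout: a sequence of records
    index(2, big-endian) | type(2) | length(2) | value(length bytes)
type 1 = 16-bit short, type 2 = 32-bit int, type 3 = raw bytes (null padded).
The whole block is XOR-encoded with one byte: 0x69 (CS 3.x) or 0x2e (CS 4.x).
"""
import struct

# Setting index -> name. Subset of the published indices; illustrative only.
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
    14: "SpawnTo", 15: "PipeName", 37: "Watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}
KNOWN_XOR_KEYS = (0x69, 0x2E)

# The first record is always setting 1 (BeaconType), type short, length 2,
# so once decoded its 6-byte header is a fixed marker we can search for.
FIRST_RECORD_HDR = bytes([0, 1, 0, 1, 0, 2])


def find_config(blob, keys=KNOWN_XOR_KEYS):
    """Return (offset, xor_key) of the encoded config inside `blob`, or None."""
    for key in keys:
        marker = bytes(b ^ key for b in FIRST_RECORD_HDR)
        off = blob.find(marker)
        if off != -1:
            return off, key
    return None


def parse_config(blob):
    """Locate, XOR-decode and walk the config records. A zero index ends the config."""
    found = find_config(blob)
    if found is None:
        raise ValueError("no beacon config marker found for known XOR keys")
    off, key = found
    data = bytes(b ^ key for b in blob[off:])
    settings = {}
    pos = 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        if idx == 0:
            break
        pos += 6
        value = data[pos:pos + length]
        pos += length
        if typ in (1, 2):
            val = int.from_bytes(value, "big")
        else:
            val = value.rstrip(b"\x00")
        if idx == 1:
            val = BEACON_TYPES.get(val, f"unknown({val})")
        settings[SETTING_NAMES.get(idx, f"Setting{idx}")] = val
    return {"xor_key": key, "offset": off, "settings": settings}


def _record(idx, typ, value):
    payload = struct.pack(">H", value) if typ == 1 else struct.pack(">I", value) if typ == 2 else value
    return struct.pack(">HHH", idx, typ, len(payload)) + payload


def build_sample(xor_key=0x2E):
    """Constructed sample: fake C2, fake pipe, fake watermark, wrapped in filler bytes."""
    raw = b"".join([
        _record(1, 1, 8),                                                     # BeaconType = HTTPS
        _record(2, 1, 443),                                                   # Port
        _record(3, 2, 60000),                                                 # SleepTime (ms)
        _record(5, 1, 20),                                                    # Jitter (%)
        _record(8, 3, b"c2.example.invalid,/jquery-3.3.1.min.js".ljust(256, b"\0")),
        _record(9, 3, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)".ljust(128, b"\0")),
        _record(15, 3, b"\\\\.\\pipe\\msagent_12".ljust(128, b"\0")),         # PipeName
        _record(37, 2, 305419896),                                            # Watermark (fake)
    ]) + b"\0" * 8                                                            # terminator
    encoded = bytes(b ^ xor_key for b in raw)
    return b"MZ" + b"\x90" * 64 + encoded + b"\xcc" * 16


if __name__ == "__main__":
    for name, val in parse_config(build_sample())["settings"].items():
        print(f"{name:12} {val!r}")
```

The marker search is the same trick that lets the real tool find a config inside a dump without knowing where the DLL was mapped; on a sleep-masked dump it fails, which is why Step 6 exists.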

### Step 3: Metadata Decryption

Tools: tools/cs-decrypt-metadata-py

Decrypt the beacon metadata from a network capture with cs-decrypt-metadata.py. The beacon sends this blob in its check-in request (with the default profile, base64-encoded in the Cookie header), encrypted with the team server's RSA public key, so decryption requires the matching private key: the tool tries a set of known, previously leaked keys and otherwise needs the key supplied. The decrypted metadata reveals the computer name, user, process information and, most importantly for the next steps, the 16-byte raw session key from which the AES and HMAC keys for C2 traffic are derived.

```bash
cs-decrypt-metadata.py <metadata>
```

### Step 4: Key Extraction

Tools: tools/cs-extract-key-py

When the metadata cannot be decrypted (unknown private key), recover the keys from a process memory dump of the running beacon with cs-extract-key.py. It recovers the AES and HMAC keys used to encrypt C2 communication; to tell the real keys from other 16-byte values in memory it validates candidates against a sample of encrypted traffic (an encrypted callback or task) taken from the capture, so have the pcap from Step 3 at hand.

```bash
cs-extract-key.py -f <process_dump>
```

### Step 5: Traffic Decryption

Tools: tools/cs-parse-traffic-py

Decrypt the C2 traffic in the capture with cs-parse-traffic.py, passing the key material recovered in Step 3 or Step 4. Without a key the tool still parses the beacon transactions and shows their structure; with the key it reveals tasking commands from the team server, downloaded payloads, and exfiltrated data in the callbacks.

```bash
cs-parse-traffic.py -f <capture.pcap> -k <key>
```
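Steps 3 to 5 hinge on one 16-byte value: the raw session key the beacon generates and sends in its RSA-encrypted metadata. The following added example (not code from this page or from Didier Stevens' tools) shows how the AES and HMAC keys are derived from it and how a candidate key pulled from a memory dump can be validated against a captured encrypted blob by recomputing the truncated HMAC, the check that lets a key extractor tell the real key from noise. The ciphertext here is constructed filler rather than real AES-CBC output, and the sliding-window search is this example's own assumption about how to locate the key, not a description of cs-extract-key.py internals.

```python
"""Beacon session-key derivation and candidate-key validation (added example).

Cobalt Strike derives both traffic keys from SHA-256 of the 16-byte raw key:
first 16 bytes of the digest -> AES-128 key, last 16 bytes -> HMAC-SHA256 key.
Encrypted callbacks and tasks are laid out as  AES-CBC ciphertext || HMAC-SHA256(ciphertext)[:16].
"""
import hashlib
import hmac


def derive_keys(raw_key: bytes):
    """Return (aes_key, hmac_key) for a 16-byte raw session key."""
    if len(raw_key) != 16:
        raise ValueError("raw key must be 16 bytes")
    digest = hashlib.sha256(raw_key).digest()
    return digest[:16], digest[16:]


def split_encrypted(blob: bytes):
    """Split an encrypted blob into (ciphertext, truncated_hmac)."""
    if len(blob) < 32 or (len(blob) - 16) % 16:
        raise ValueError("malformed encrypted blob (need 16-byte-aligned ciphertext + 16-byte tag)")
    return blob[:-16], blob[-16:]


def verify_blob(raw_key: bytes, blob: bytes) -> bool:
    """True if the blob's tag matches HMAC-SHA256 under the key derived from raw_key."""
    _, hmac_key = derive_keys(raw_key)
    ciphertext, tag = split_encrypted(blob)
    calc = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(calc, tag)


def find_raw_key(memory: bytes, blob: bytes, step: int = 1):
    """Slide a 16-byte window over a memory dump, treating each window as a candidate
    raw key, and return (offset, key) of the first one that authenticates `blob`.
    Assumption for this example: the raw key sits contiguously in the dump."""
    ciphertext, tag = split_encrypted(blob)
    for off in range(0, len(memory) - 15, step):
        candidate = memory[off:off + 16]
        _, hmac_key = derive_keys(candidate)
        calc = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()[:16]
        if hmac.compare_digest(calc, tag):
            return off, candidate
    return None


def make_sample():
    """Constructed test data: a fake raw key, 48 bytes of filler standing in for
    AES-CBC ciphertext, a correctly tagged blob, and a fake dump holding the key at offset 152."""
    raw_key = bytes(range(16))
    _, hmac_key = derive_keys(raw_key)
    ciphertext = bytes((i * 7 + 3) & 0xFF for i in range(48))
    blob = ciphertext + hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()[:16]
    memory = b"\x00" * 100 + b"junk" * 13 + raw_key + b"\xff" * 77
    return raw_key, blob, memory


if __name__ == "__main__":
    raw_key, blob, memory = make_sample()
    aes_key, hmac_key = derive_keys(raw_key)
    print("AES key :", aes_key.hex())
    print("HMAC key:", hmac_key.hex())
    print("found   :", find_raw_key(memory, blob))
```

Note that the HMAC check alone proves the key without decrypting anything, which is why it is cheap enough to run over every window of a dump; AES decryption of the payload (with the fixed IV the beacon uses) only follows once a candidate authenticates.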

### Step 6: Sleep Mask Analysis

Tools: tools/cs-analyze-processdump-py

Analyze the process dump for sleep-mask obfuscation with cs-analyze-processdump.py. Cobalt Strike 4.x beacons can XOR-encode their own code and data in memory while sleeping, so a dump taken mid-sleep may not match YARA rules and may give 1768.py nothing to parse. The tool detects whether the beacon was masked and reports the XOR key, so the beacon can be decoded and re-run through Steps 1 and 2. Useful for memory forensics.

```bash
cs-analyze-processdump.py <process_dump>
```

### Step 7: Document Findings

Record: C2 domains/IPs and URIs, beacon interval and jitter, watermark (license ID, useful for clustering across incidents), user-agent strings, named pipe patterns, spawn-to processes, and Malleable C2 profile indicators (URIs, headers, transforms).

#cobalt-strike #c2 #beacon #didier-stevens #threat-intel #workflow