Decoding Cobalt Strike: Understanding Payloads

Avast - 


Cobalt Strike

Cobalt Strike has multiple unique features, secure communication and it is fully modular and customizable so proper detection and attribution can be problematic. It is the main reason why we have seen use of Cobalt Strike in almost every major incident or big for the past several years.

There are many great articles about reverse engineering Cobalt Strike software, especially beacon modules as the most important part of the whole chain. Other modules and payloads are very often overlooked, but these parts also contain valuable information for researchers and forensic analysts or investigators.

The first part of this series is dedicated to proper identification of all raw types and decode and parse them. We also share our useful parsers, scripts and yara rules based on these findings back to the community. 

Raw payloads

Cobalt Strike’s payloads are based on Meterpreter shellcodes and include many similarities like API hashing (x86 and x64

Read More: