Cobalt Strike is commercial threat emulation software that emulates a quiet, long-term embedded actor in a network. This actor, known as Beacon, communicates with an external team server to emulate command and control (C2) traffic. Because of its versatility, Cobalt Strike is commonly used as a legitimate tool by red teams, but it is also widely used by threat actors in real-world attacks. Several elements of Cobalt Strike contribute to that versatility, including the encoding algorithm that obfuscates the metadata Beacon sends to the C2 server.

In a previous blog, "Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect," we learned that an attacker or red team can define metadata encoding indicators in a Malleable C2 profile for an HTTP transaction. When Cobalt Strike's Beacon "phones home," it sends metadata (information about the compromised system) to the Cobalt Strike team server. The profile author, whether red team or attacker, has to define how this metadata is encoded and where it is placed in the HTTP request for the C2 exchange to complete.

In this blog post, we walk through the encoding algorithm, define and compare the encoding types used in the Cobalt Strike framework, and cover some malicious uses seen in the wild. In doing so, we demonstrate how encoding and decoding work during C2 communication, and why this flexibility makes Cobalt Strike an effective emulator against which traditional firewall defenses are difficult to design.

Metadata Encoding Algorithm

Cobalt Strike supports five encoding schemes. Beacon encrypts the metadata with RSA before sending it; the encoding step exists to turn that ciphertext, which is arbitrary binary data, into characters that can be carried safely inside an HTTP header, cookie or URI parameter.

Figure 1. Encoding schemes in the Cobalt Strike profile.

Base64 Encoding and Decoding

Base64 is the standard encoding defined in RFC 4648. Cobalt Strike uses it as specified and makes no changes to the character set: the alphabet is the 64 characters A-Z, a-z, 0-9, '+' and '/', and '=' is used as a pad character to fill the last four-character group.

Let's understand the use of the Base64 algorithm in Malleable profiles by studying an example. Havex.profile uses Base64 encoding to transform metadata about the compromised system before sending it. Figure 2 shows that the metadata is encoded with Base64 and the result is placed in the Cookie header.

Figure 2. Metadata encoding options in the Havex profile.

Figure 3 shows the HTTP C2 traffic generated from the profile. The highlighted part is the Base64-encoded metadata about the compromised machine. Any Base64 tool can decode it, but note that decoding only removes the transport encoding: what comes out is the RSA-encrypted metadata, which cannot be read without the team server's private key. We used the Python base64 library to complete the task. Figure 4 shows a sample script that decodes the data and prints it in hex format. Here is the decoded data from the script; this is the RSA-encrypted metadata about the compromised system:

Figure 4. Sample Python script to decode Base64 data.

Base64URL Encoding and Decoding

Base64URL is a modified version of the Base64 encoding algorithm (RFC 4648, section 5) that uses URL- and filename-safe characters for encoding and decoding. Compared to the standard Base64 character set, the modified version replaces '+' with '-' and '/' with '_'. The pad character '=' is omitted from the encoded data, because it would otherwise have to be percent-encoded in a URI; a decoder can recover the padding from the length of the data.

Let's understand the use of the Base64URL algorithm in Malleable profiles by studying an example. cnnvideo_getonly.profile uses Base64URL encoding to transform the metadata. Figure 5 shows that the metadata is encoded with Base64URL and appended to the parameter g. (Note that this profile is an example of mimicking legitimate CNN HTTP traffic and has no connection to the organization.)

Figure 5. Metadata encoding in the CNN video profile.

Figure 6 shows the HTTP C2 traffic generated by the Beacon. The parameter value is the Base64URL-encoded metadata about the victim.

Figure 6. HTTP C2 traffic generated using the CNN video profile.

A user has a couple of options to decode the data. One is to convert it back to standard Base64 by hand: replace '-' with '+' and '_' with '/', then append '=' pad characters until the length is a multiple of four. The result is standard Base64-encoded data, and any Base64 decoding tool will return the encrypted metadata. The other is to use a scripting language that already understands the URL-safe alphabet; Figure 7 shows a sample Python script that decodes the data directly.
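The following script is an added example for this post, not the script shown in the article's figures and not part of Cobalt Strike. It performs both decoding steps described above in one place: it pulls the Base64 cookie value out of a Havex-style request and the Base64URL value of parameter g out of a CNN-video-style request, restores the standard alphabet and padding where needed, and returns the still-RSA-encrypted metadata. The HTTP requests are constructed samples, the 128-byte "metadata" blob is a deterministic stand-in for real ciphertext, and the URIs, host name and cookie name are assumptions rather than values from the profiles.

```python
"""Decode Beacon metadata carried as Base64 (Cookie header) or Base64URL (query parameter g).

Added example, not code from the original post or from Cobalt Strike. Sample requests
and the metadata blob below are constructed so the script runs offline.
"""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Shape of the metadata blocks the two profiles use, paraphrased from Figures 2 and 5
# (not copied verbatim from the profile files):
#   havex.profile:            metadata { base64;    header "Cookie"; }
#   cnnvideo_getonly.profile: metadata { base64url; parameter "g";   }

# Constructed stand-in for the RSA ciphertext Beacon sends. Real metadata looks random;
# a fixed value is used here so the round trip can be checked.
SAMPLE_METADATA = bytes(range(128))

# A run of standard-Base64 characters (with optional padding) inside a cookie value.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def base64url_to_base64(s: str) -> str:
    """Map the URL-safe alphabet back to standard Base64 and restore the '=' padding."""
    s = s.replace("-", "+").replace("_", "/")
    rem = len(s) % 4
    if rem == 1:
        # Every Base64 group is 4 characters; a trailing group of 1 cannot occur.
        raise ValueError("invalid Base64URL length")
    return s + "=" * ((4 - rem) % 4)


def decode_metadata(encoded: str, scheme: str) -> bytes:
    """Return the raw (still RSA-encrypted) metadata for scheme 'base64' or 'base64url'."""
    if scheme == "base64url":
        encoded = base64url_to_base64(encoded)
    elif scheme != "base64":
        raise ValueError(f"unsupported scheme: {scheme}")
    # validate=True rejects characters outside the alphabet instead of silently skipping them.
    return base64.b64decode(encoded, validate=True)


def extract_from_request(raw: bytes) -> tuple[str, str]:
    """Locate the encoded blob in a raw HTTP request and return (scheme, encoded)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Havex style: Base64 inside the Cookie header (take the longest Base64 run, so a
    # cookie name such as "session=" in front of it does not matter).
    if "cookie" in headers:
        runs = B64_RUN.findall(headers["cookie"])
        if runs:
            return "base64", max(runs, key=len)
    # CNN video style: Base64URL in query parameter g.
    params = parse_qs(urlsplit(target).query)
    if "g" in params:
        return "base64url", params["g"][0]
    raise ValueError("no metadata carrier found in request")


def recover(raw: bytes) -> bytes:
    """Full pipeline: find the carrier, undo the encoding, return the encrypted metadata."""
    scheme, encoded = extract_from_request(raw)
    return decode_metadata(encoded, scheme)


def looks_like_beacon_metadata(blob: bytes) -> bool:
    """Sanity check: Beacon encrypts metadata with a 1024-bit RSA key, so the block is 128 bytes."""
    return len(blob) == 128


def build_samples() -> dict[str, bytes]:
    """Constructed requests in the shape of Figures 3 and 6 (host, paths and cookie name are assumed)."""
    b64 = base64.b64encode(SAMPLE_METADATA).decode()
    b64url = base64.urlsafe_b64encode(SAMPLE_METADATA).decode().rstrip("=")
    havex = (
        "GET /updates/index.php HTTP/1.1\r\n"
        "Host: example.test\r\n"
        f"Cookie: session={b64}\r\n"
        "\r\n"
    ).encode()
    cnn = (
        f"GET /video/player.html?g={b64url} HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "\r\n"
    ).encode()
    return {"havex": havex, "cnnvideo": cnn}


if __name__ == "__main__":
    for name, request in build_samples().items():
        blob = recover(request)
        print(f"{name}: {len(blob)} bytes, plausible={looks_like_beacon_metadata(blob)}")
        print("  " + binascii.hexlify(blob).decode())
```

The decoded output is ciphertext, so the hex dump is the end of the road without the team server's private key; the value of the check is confirming which encoding the profile used and that the blob is the expected size. The query-parameter path also shows why the URL-safe alphabet exists: had the profile put standard Base64 into parameter g, parse_qs would have turned every '+' into a space and the decode would fail.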