Sentinel-One / CobaltStrikeParser

Feature Request: Extract Public Key

ssnkhan opened this issue · comments

Hello,

I've noticed that a few other CS config parsers are able to extract the public key from within the beacon. For the following sample:
https://www.virustotal.com/gui/file/742a06efbebca717271b6beda1ff4a22f6f0be6acda9590ab32b38e1d5721140/detection

Processed through Tek's parser (https://github.com/Te-k/cobaltstrike), it returns:

dns                            False
ssl                            True
port                           443
.sleeptime                     60000
.http-get.server.output        00000004000000010000017700000001000000fa0000000200000004000000020000001c000000020000002400000002000000120000000200000004000000020000001c0000000200000024000000020000001100000002000000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.jitter                        15
.maxdns                        255
publickey                      …
.http-get.uri                  156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/
.user-agent                    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)
.http-post.uri                 /mail/u/0/
.http-get.client               OSID=Cookie
GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
ui=d3244c4707ient
                hop=6928632	start=0
=Content-Type: application/x-www-form-urlencoded;charset=utf-8OSID=Cookie
.spawnto
.post-ex.spawnto_x86           %windir%\syswow64\notepad.exe
.post-ex.spawnto_x64           %windir%\sysnative\notepad.exe
.pipename
.cryptoscheme                  0
.dns_idle                      134743044
.dns_sleep                     0
.http-get.verb                 GET
.http-post.verb                POST
shouldChunkPosts               0
.watermark                     305419896
.stage.cleanup                 0
CFGCaution                     0
host_header
cookieBeacon                   1
.proxy_type                    2
funk                           0
killdate                       0
text_section                   0
process-inject-start-rwx       64
process-inject-use-rwx         64
process-inject-min_alloc       0
process-inject-transform-x86
process-inject-transform-x64
process-inject-stub            a56c813864af878a4c10083ca1578e0a
process-inject-execute
process-inject-allocation-method 0

The key is also extracted by Didier's 1768 parser: https://blog.didierstevens.com/2020/11/07/1768-k/

Finally, SpawnTo is extracted as "AAAAAAAAAAAAAAAAAAAAAA==", is this being parsed correctly, if at all?

Many thanks!

Hey,
you can just uncomment this line if you want:

#self.settings['PublicKey'] = packedSetting(7, confConsts.TYPE_STR, 256, isBlob=True)

Also, I don't understand what you meant about the SpawnTo field. I don't know if it's a new Cobalt Strike version, but up to that one the field was parsed correctly.

Hope it helps :)

Thanks for the prompt reply — the spawnTo is what’s being returned as a BASE64 string, it’s for the same sample above. I’ll test a few other beacons to see what they return. Thanks again for your help :)

It could be that the actor wrongly put a base64 string instead of a normal string..
If you see more beacons with it, open a new FR with this new problem :)
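As an added example, not code from CobaltStrikeParser or from anyone in this thread, the block below builds a small constructed settings block in the TLV layout the public Cobalt Strike config parsers read, decodes it, and pulls out the two blob settings discussed above: PublicKey (the `packedSetting(7, ..., 256, isBlob=True)` entry) and SpawnTo. The field indices, lengths, the XOR key (0x2e) and the TLV layout are assumptions drawn from how those parsers are commonly written, not facts stated on this page. It shows two things a practitioner wants to check: the 256-byte PublicKey slot holds a DER SubjectPublicKeyInfo (162 bytes for RSA-1024) followed by zero padding that has to be trimmed before the key is fed to a DER/PEM parser, and that 16 zero bytes base64-encode to exactly "AAAAAAAAAAAAAAAAAAAAAA==", so a blob field printed base64-encoded looks like that whenever SpawnTo is all zeros.

```python
import base64
import struct

# Added example, not CobaltStrikeParser's own code. TLV layout assumed:
# 2-byte big-endian index, 2-byte type (1 short, 2 int, 3 data), 2-byte
# length, value; the whole block XOR-encoded with one byte (0x2e assumed for
# Cobalt Strike 4.x). Indices 7 (PublicKey) and 37 (SpawnTo) are assumptions.
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3
IDX_PORT, IDX_PUBLICKEY, IDX_SPAWNTO = 3, 7, 37
XOR_KEY_CS4 = 0x2E


def build_setting(index: int, stype: int, value: bytes) -> bytes:
    """Serialise one TLV setting (used only to construct the sample)."""
    return struct.pack(">HHH", index, stype, len(value)) + value


def xor_block(data: bytes, key: int) -> bytes:
    """Single-byte XOR used to (de)obfuscate the settings block."""
    return bytes(b ^ key for b in data)


def parse_settings(block: bytes) -> dict:
    """Walk the decoded block and return {index: value}; index 0 terminates."""
    out, off = {}, 0
    while off + 6 <= len(block):
        index, stype, length = struct.unpack_from(">HHH", block, off)
        if index == 0:
            break
        off += 6
        value = block[off:off + length]
        off += length
        if stype == TYPE_SHORT:
            out[index] = struct.unpack(">H", value)[0]
        elif stype == TYPE_INT:
            out[index] = struct.unpack(">I", value)[0]
        else:
            out[index] = value
    return out


def der_total_length(data: bytes) -> int:
    """Total length (header included) of the outer DER SEQUENCE at data[0].

    The 256-byte PublicKey slot is larger than the DER SubjectPublicKeyInfo
    it carries, so the tail is zero padding that must be stripped.
    """
    if not data or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: number of length bytes
    length = int.from_bytes(data[2:2 + nbytes], "big")
    return 2 + nbytes + length


def extract_blobs(config: bytes, key: int) -> dict:
    """Decode the block and return the blob fields as a parser would show them."""
    settings = parse_settings(xor_block(config, key))
    raw_key = settings[IDX_PUBLICKEY]
    pubkey = raw_key[:der_total_length(raw_key)]   # drop the zero padding
    spawnto = settings[IDX_SPAWNTO]
    return {
        "PublicKey": pubkey,
        "PublicKey_b64": base64.b64encode(pubkey).decode(),
        "SpawnTo_b64": base64.b64encode(spawnto).decode(),
        "SpawnTo_is_zero": spawnto == bytes(len(spawnto)),
    }


# Constructed sample input: a fake SubjectPublicKeyInfo with the shape of an
# RSA-1024 key (SEQUENCE, long-form length 0x81 0x9f = 159 content bytes,
# 162 bytes total) padded to 256 bytes, plus an all-zero 16-byte SpawnTo.
FAKE_SPKI = b"\x30\x81\x9f" + b"\xab" * 159
SAMPLE_CONFIG = xor_block(
    build_setting(IDX_PORT, TYPE_SHORT, struct.pack(">H", 443))
    + build_setting(IDX_PUBLICKEY, TYPE_DATA, FAKE_SPKI.ljust(256, b"\x00"))
    + build_setting(IDX_SPAWNTO, TYPE_DATA, bytes(16))
    + build_setting(0, TYPE_SHORT, b""),
    XOR_KEY_CS4,
)

if __name__ == "__main__":
    for name, val in extract_blobs(SAMPLE_CONFIG, XOR_KEY_CS4).items():
        print(name, f"{len(val)} bytes" if isinstance(val, bytes) else val)
```

On a real beacon you would replace SAMPLE_CONFIG with the located settings block and try the 4.x key first, then the 3.x one; if SpawnTo comes back as the string above, the blob really is sixteen zero bytes rather than a base64 string the actor wrote into the profile.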