[SANS ISC] Video: Cobalt Strike & DNS – Part 1, (Sun, May 30th)

One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.

This can be tested with a simple DNS TXT query:

The content of this TXT record contains the start of a Cobalt Strike beacon, encoded with Netbios Name encoding. I recently published an update to my base64dump.py tool to handle this encoding.

In the following video, I show how to use my new, quick & dirty tool to retrieve all DNS TXT records (cs-dns-stager.py) that make up the encoded beacon, and how to decoded this with base64dump and extract the config with my 1768.py tool.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[BleepingComputer] CISA, FBI reveal top targeted vulnerabilities of the last two years

A joint security advisory issued today by several cybersecurity agencies from the US, the UK, and Australia reveals the top 30 most targeted security vulnerabilities of the last two years. […] Source: Read More (BleepingComputer)

Read More

[HackerNews] A Simple 1-Click Compromised Password Reset Feature Coming to Chrome Browser

All posts, HackerNews

Google on Tuesday announced a new feature to its password manager that could be used to change a stolen password automatically with a single tap. Automated password changes build on the tool’s ability to check the safety of saved passwords. Thus when Chrome finds a password that may have been compromised as part of a data breach, it will […]

Read More

[ZDNet] Phishing attacks: One in three suspect emails reported by employees really are malicious

All posts, ZDNet

Up to a third of emails that were flagged as suspicious by employees were actually a threat, according to a new report. Source: Read More (Latest topics for ZDNet in Security)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.