

Out-of-the-box, Cobalt Strike (as of 4.4) does not use sleep_mask to encrypt the beacon payload in-memory. I haven’t seen much information on this topic yet, so I wanted to put together a very simple post that shows you how to hunt for beacons in-memory and how to change the default sleep_mask encryption behavior! Huge shoutout to the research done by Elastic in this post, whose tactics I borrow heavily from: Detecting Cobalt Strike with Memory Signatures. If you want to get even more creative, you can change the algorithm entirely. By default it uses a 13-byte XOR key; however, this key size is easily changed by modifying a single variable and rebuilding the Sleep Mask Kit.
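To make the hunting side concrete, here is an added example (my own illustration, not code from the original post, from Elastic, or from Cobalt Strike) of why a short repeating XOR mask like the default 13-byte key is weak against a memory scan: a known-plaintext crib that is at least one key period long lets a scanner derive the key at every candidate offset and confirm the hit by unmasking other markers. The sample "memory region", the marker strings and the key are all constructed for the demo; a real scanner would combine this with the signatures described in the Elastic post rather than the made-up markers used here.

```python
"""Added example (not from the original post or from Cobalt Strike itself):
a known-plaintext scan showing that a short repeating XOR mask, like the
13-byte default the post describes, leaves masked memory recoverable."""

KEY_LEN = 13  # default sleep_mask key length, as stated in the post

# A string every PE image carries in its DOS stub; a convenient crib for a
# masked image because it is longer than one key period.
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_mask(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the same operation masks and unmasks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_key(masked: bytes, crib: bytes, offset: int, key_len: int) -> bytes:
    """Assume `crib` is the plaintext at `offset`; derive the key aligned to byte 0."""
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = masked[offset + i] ^ crib[i]
    return bytes(key)


def crib_fits(masked: bytes, crib: bytes, offset: int, key: bytes) -> bool:
    """Check that the whole crib (longer than the key) unmasks at `offset`."""
    return all(masked[offset + i] ^ key[(offset + i) % len(key)] == crib[i]
               for i in range(len(crib)))


def scan_region(region: bytes, cribs, confirm, key_len: int = KEY_LEN):
    """Slide each crib over the region, derive a candidate key, and accept the
    candidate only if it also exposes one of the `confirm` markers elsewhere."""
    hits = []
    for crib in cribs:
        for off in range(len(region) - len(crib) + 1):
            key = derive_key(region, crib, off, key_len)
            if not crib_fits(region, crib, off, key):
                continue
            plain = xor_mask(region, key)
            found = [m for m in confirm if m in plain]
            if found:
                hits.append({"offset": off, "key": key, "markers": found})
    return hits


# Constructed sample "memory region": a fake image with a DOS stub and two
# made-up markers standing in for strings a real detection would look for.
SAMPLE_KEY = bytes(range(0x41, 0x41 + KEY_LEN))  # constructed 13-byte key
MARKERS = [b"CONSTRUCTED-MARKER-ONE", b"CONSTRUCTED-MARKER-TWO"]


def build_sample(key: bytes) -> bytes:
    plain = (b"MZ" + b"\x90" * 62 + DOS_STUB + b"\r\n$" + b"\x00" * 200
             + b"CONSTRUCTED-MARKER-ONE\x00" + b"\x00" * 100
             + b"CONSTRUCTED-MARKER-TWO\x00")
    return xor_mask(plain, key)


def demo():
    """Mask the constructed sample and scan it; returns the list of hits."""
    region = build_sample(SAMPLE_KEY)
    return scan_region(region, [DOS_STUB], MARKERS)


if __name__ == "__main__":
    for hit in demo():
        print(f"masked image: crib at offset {hit['offset']}, "
              f"key={hit['key'].hex()}, markers={hit['markers']}")
```

The derivation works because XOR is its own inverse: for the 13 masked bytes under the crib, `masked ^ crib` is exactly the key byte at that position, and checking the remaining crib bytes against that candidate key rules out false positives at other offsets. Changing the key length only changes the `key_len` argument; it does not change the weakness, which is why the post goes on to discuss changing the algorithm itself.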


In Cobalt Strike 4.4, Sleep Mask Kit was released to help operators customize the encryption algorithm used to obfuscate the data and strings within beacon’s memory.
