In Cobalt Strike 4.4, the Sleep Mask Kit was released to help operators customize the encryption algorithm used to obfuscate the data and strings within Beacon's memory. By default it uses a 13-byte XOR key, but this key size is easily changed by modifying a single variable and rebuilding the Sleep Mask Kit. If you want to get even more creative, you can change the algorithm entirely.

Huge shoutout to the research done by Elastic in this post, whose tactics I borrow heavily from: Detecting Cobalt Strike with Memory Signatures.

I haven't seen much information on this topic yet, so I wanted to put together a very simple post that shows you how to hunt for beacons in memory and how to change the default sleep_mask encryption behavior!

Out of the box, Cobalt Strike (as of 4.4) does not use sleep_mask to encrypt the beacon payload in memory. We can prove that with the following exercise:

First, let's spin up a teamserver using the default profile (no custom profile specified), generate a stageless x64 binary and execute it on our Windows 10 machine. I'm going to inject this beacon into a notepad.exe process as an easy example:

Taking a hint from the great article by Elastic Security, we can track this down by looking for calls to SleepEx from running threads within the process our beacon was injected into.

We can copy the offset directly under that at 0x1a0ffcecd9f and look for it in the Memory tab of Process Hacker:

Scrolling through this memory region we can see our entire beacon unencrypted in memory.

Let's repeat the process using a C2 profile that specifies the sleep_mask option, among a few others… We'll be using the reference profile located here, but making a few changes…

    # Mark the memory region as RWX
    set sleep_mask "true";          # Obfuscate Beacon, in-memory, prior to sleeping
    set image_size_x64 "500000";    # The size of memory beacon will allocate in our target process (500KB)
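As an added example (not code from this post or from Cobalt Strike's Sleep Mask Kit), the Python below models the default repeating-key XOR that sleep_mask applies before Beacon sleeps, shows why the plaintext scan from the Process Hacker walk-through stops matching once masking is on, and goes one step beyond the post with a heuristic a hunter can run over a dumped region: zero padding XORed with a repeating key leaves the key itself at every key-length-aligned offset. The beacon image, the marker string standing in for a memory signature and the 13-byte key are all constructed for this example.

```python
from collections import Counter
from itertools import cycle

# Stand-in for what sleep_mask does before Beacon sleeps: a repeating-key XOR
# over the beacon image (written for this example, not the Sleep Mask Kit's own
# code). XOR is its own inverse, so the same call also unmasks.
def sleep_mask(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

# The plaintext hunt from the Process Hacker walk-through: does a known beacon
# string appear anywhere in the dumped region? Returns the offset or -1.
def find_signature(region: bytes, signature: bytes) -> int:
    return region.find(signature)

# Defender heuristic for a masked region. Zero padding XORed with a repeating
# key leaves the key at every key_len-aligned offset, so if one non-zero
# aligned block dominates the region it is probably masked and that block is a
# candidate key. Assumes the dump starts where masking started (key offset 0).
# Returns (fraction of blocks equal to the dominant block, dominant block).
def masked_region_score(region: bytes, key_len: int = 13):
    blocks = Counter(region[i:i + key_len]
                     for i in range(0, len(region) - key_len + 1, key_len))
    if not blocks:
        return 0.0, b""
    block, count = blocks.most_common(1)[0]
    if not any(block):            # plain zero padding: region is not masked
        return 0.0, block
    return count / sum(blocks.values()), block

# Constructed sample beacon image (not a real Beacon): a PE-like header, a
# marker string standing in for a memory signature, and zero padding.
SIGNATURE = b"beacon.x64.dll"    # constructed marker, not a real signature
PLAINTEXT_REGION = (b"MZ" + b"\x90" * 62
                    + b"This program cannot be run in DOS mode."
                    + b"\x00" * 256 + SIGNATURE + b"\x00" * 4096)
# Constructed 13-byte key, matching the kit's default key length.
KEY = bytes([0x6a, 0x1f, 0xc3, 0x08, 0x9d, 0x52, 0xe7,
             0x33, 0xb4, 0x7e, 0x21, 0xd9, 0x45])
MASKED_REGION = sleep_mask(PLAINTEXT_REGION, KEY)

def hunt(region: bytes) -> dict:
    """Run both checks over one region, as a hunter would per RWX region."""
    score, candidate = masked_region_score(region)
    return {"signature_offset": find_signature(region, SIGNATURE),
            "masked_score": round(score, 2), "candidate_key": candidate.hex()}

if __name__ == "__main__":
    print("unmasked:", hunt(PLAINTEXT_REGION))  # signature found, score 0.0
    print("masked:  ", hunt(MASKED_REGION))     # signature gone, key recovered
```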