Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding

Cobalt Strike Beacon communicates with an external TeamServer to emulate long-term C2 activity, while using multiple encoding schemes to hide metadata in HTTP traffic. The post analyzes five encoding methods (Base64, Base64URL, NetBIOS, NetBIOSU, and Mask), how metadata is encoded/decoded, and real-world cases where these techniques appear.
#CobaltStrike #Beacon #Havex #OcspProfile #AsproxProfile #CNNVideoProfile #Unit42

Keypoints

  • Beacon is the component of Cobalt Strike that communicates with an external TeamServer to emulate C2 traffic.
  • Cobalt Strike supports five encoding schemes for metadata: Base64, Base64URL, NetBIOS, NetBIOSU, and Mask.
  • The RSA-encrypted metadata is encoded so that the binary ciphertext can be carried inside text-based network protocols such as HTTP.
  • Base64 encoding is shown in Havex profiles with metadata placed in the Cookie header during HTTP C2 traffic.
  • Base64URL encoding appears in CNN video profiles, appending encoded data to a parameter in HTTP requests.
  • NetBIOS and NetBIOSU encodings convert victim metadata into data appended to the URI, with NetBIOSU using uppercase characters.
  • Mask encoding combines a random XOR key with the encoded data, and decoding reveals RSA-encrypted metadata of 128 bytes.
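The following decoder is an added example for analysts, not code from the Unit42 post or from Cobalt Strike. It reverses the five schemes listed above so that metadata recovered from a Cookie header or URI can be checked against the expected 128-byte RSA block. Two details are assumptions drawn from public descriptions of Beacon profiles rather than from this page: NetBIOS/NetBIOSU emit one letter (a-p or A-P) per 4-bit nibble, and Mask prepends a 4-byte random XOR key that is applied cyclically to the data. The sample metadata and mask key are constructed; `decode_chain` and `looks_like_beacon_metadata` are helper names chosen here.

```python
import base64

# Alphabets used by the NetBIOS-style encoders: one letter per 4-bit nibble (assumption).
NETBIOS_LOWER = "abcdefghijklmnop"
NETBIOS_UPPER = "ABCDEFGHIJKLMNOP"

# Length of the RSA-encrypted metadata block that decoding should reveal (from the keypoints above).
RSA_METADATA_LEN = 128


def netbios_encode(data: bytes, upper: bool = False) -> str:
    """Emit two letters per byte: high nibble first, then low nibble."""
    alphabet = NETBIOS_UPPER if upper else NETBIOS_LOWER
    return "".join(alphabet[b >> 4] + alphabet[b & 0x0F] for b in data)


def netbios_decode(text: str) -> bytes:
    """Reverse of netbios_encode; case-insensitive so it covers both NetBIOS and NetBIOSU."""
    if len(text) % 2:
        raise ValueError("NetBIOS-encoded data must have an even number of letters")
    lowered = text.lower()
    out = bytearray()
    for i in range(0, len(lowered), 2):
        hi = NETBIOS_LOWER.find(lowered[i])
        lo = NETBIOS_LOWER.find(lowered[i + 1])
        if hi < 0 or lo < 0:
            raise ValueError(f"letter outside a-p at offset {i}")
        out.append((hi << 4) | lo)
    return bytes(out)


def mask_encode(data: bytes, key: bytes) -> bytes:
    """Prepend a 4-byte XOR key and XOR every data byte with key[i % 4] (assumed layout)."""
    if len(key) != 4:
        raise ValueError("mask key must be exactly 4 bytes")
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))


def mask_decode(blob: bytes) -> bytes:
    """Strip the leading 4-byte key and undo the cyclic XOR."""
    if len(blob) < 4:
        raise ValueError("masked data is shorter than its 4-byte key")
    key, body = blob[:4], blob[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


def base64url_decode(text: str) -> bytes:
    """Base64URL as it appears in query parameters: '-'/'_' alphabet, padding usually stripped."""
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded)


# Each decoder accepts either str (as pulled from a header/URI) or bytes (output of a previous step).
DECODERS = {
    "base64": lambda v: base64.b64decode(v),
    "base64url": lambda v: base64url_decode(v if isinstance(v, str) else v.decode("ascii")),
    "netbios": lambda v: netbios_decode(v if isinstance(v, str) else v.decode("ascii")),
    "netbiosu": lambda v: netbios_decode(v if isinstance(v, str) else v.decode("ascii")),
    "mask": lambda v: mask_decode(v if isinstance(v, bytes) else v.encode("latin-1")),
}


def decode_chain(value, steps):
    """Undo a profile transform chain. `steps` lists encoders in the order the Beacon applied them."""
    for step in reversed(steps):
        value = DECODERS[step](value)
    return value


def looks_like_beacon_metadata(blob: bytes) -> bool:
    """Analyst sanity check: fully decoded metadata should be one 128-byte RSA block."""
    return len(blob) == RSA_METADATA_LEN


if __name__ == "__main__":
    # Constructed stand-in for the RSA ciphertext: 128 bytes, not real Beacon output.
    fake_metadata = bytes(range(RSA_METADATA_LEN))
    key = b"\x5a\x13\xc4\x07"  # constructed mask key
    cookie_value = base64.b64encode(mask_encode(fake_metadata, key)).decode("ascii")
    recovered = decode_chain(cookie_value, ["mask", "base64"])
    print("round trip ok:", recovered == fake_metadata, looks_like_beacon_metadata(recovered))
    print(netbios_encode(b"\x01\xab"), netbios_encode(b"\x01\xab", upper=True))
```

`decode_chain` mirrors how a malleable profile stacks transforms (for example mask, then base64): the analyst supplies the encoder order from the profile and the function peels them off in reverse. The 128-byte length check is a cheap way to spot a wrong chain order or a truncated capture before attempting any RSA work.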

MITRE Techniques

  • [T1071.001] Web Protocols – Beacon uses HTTP for C2 traffic; “Beacon communicates with an external team server to emulate command and control (C2) traffic.”
  • [T1132] Data Encoding – “There are five encoding schemes supported by Cobalt Strike. The RSA-encrypted metadata is being encoded to easily transfer the ciphered binary data in network protocol.”
  • [T1140] Deobfuscate/Decode Files or Information – “Any tool can decode the encrypted metadata.”
  • [T1027] Obfuscated/Compressed Data – “There are five encoding schemes… designed to evade security detections.”

Indicators of Compromise

  • [SHA256] CS Samples – 6b6413a059a9f12d849c007055685d981ddb0ff308d6e3c2638d197e6d3e8802, f6e75c20ddcbe3bc09e1d803a8268a00bf5f7e66b7dbd221a36ed5ead079e093
  • [SHA256] CS Beacon Samples – fc95e7f4c8ec810646c16c8b6075b0b9e2cc686153cdad46e82d6cca099b19e7, 11b8beaa53353f5f52607e994849c3086733dfa01cc57fea2dae42eb7a6ee972
  • [IP] CS TeamServer IP addresses – 80.255.3.109, 143.244.178.247

Read more: https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/#Indicators-of-Compromise