Welcome to our

Cyber Security News Aggregator

.

Cyber Tzar

provide a

cyber security risk management

platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Update: 1768.py Version 0.0.20

published on 2023-11-25 10:09:58 UTC by Didier Stevens
Content:

This update to 1768.py, my Cobalt Strike beacon analysis tool, adds “runtime configuration” extraction.

Although 1768.py could already search for beacon configurations inside process memory dumps, the dump was just processed as a raw file.

With this update, 1768.py will also search for the runtime configuration inside a process memory dump. The runtime configuration, is a C/C++ array with integers and pointers, that is created in the heap by the beacon’s C/C++ code from the obfuscated configuration (e.g., XOR 0x2E).

Because this requires pointer calculations for the heap, Python module minidump is required. A warning will be displayed if it is not installed and it is needed.

The hexadecimal dump screenshots in this blog post show a runtime configuration.

Example of 1768.py finding a runtime configuration:

This is a 32-bit runtime config.

As the runtime config uses pointers, its structure is different for 32-bit and 64-bit beacons (because pointer size is different).

In this process memory dump, 1768.py only found the runtime config, not the embedded config.

Here is an example where both configs are found:

1768_v0_0_20.zip (http)
MD5: EFEFF856FEAD08DE8F9F27056E729351
SHA256: 2F71EA23F64403C26B64CA32E8FA025CAB1F941790D746E8906AA87401900AAC
Article: Update: 1768.py Version 0.0.20 - published 12 months ago.

https://blog.didierstevens.com/2023/11/25/update-1768-py-version-0-0-20/   
Published: 2023 11 25 10:09:58
Received: 2024 03 23 08:40:40
Feed: Didier Stevens
Source: Didier Stevens
Category: Cyber Security
Topic: Cyber Security
Views: 2

Custom HTML Block

Click to Open Code Editor