Video: Cobalt Strike & DNS - Part 1

Published: 2021-05-30
Last Updated: 2021-05-30 16:48:17 UTC
by Didier Stevens (Version: 1)
0 comment(s)

One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.

This can be tested with a simple DNS TXT query:

The content of this TXT record contains the start of a Cobalt Strike beacon, encoded with Netbios Name encoding. I recently published an update to my tool to handle this encoding.

In the following video, I show how to use my new, quick & dirty tool to retrieve all DNS TXT records ( that make up the encoded beacon, and how to decoded this with base64dump and extract the config with my tool.


Didier Stevens
Senior handler
Microsoft MVP

0 comment(s)


Diary Archives