michaelder
michaelder
/ For x64
Last active
May 14, 2022 01:16
Cyberchef Recipe for Cobalt Strike Reflective Loader(beacon) v4 with parsing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Regular_expression('User defined','FromBase64String\\("([^"]+)',true,true,false,false,false,false,'List capture groups') | |
| From_Base64('A-Za-z0-9+/=',true) | |
| Gunzip() | |
| Register('([\\s\\S]*)',true,false,false) | |
| Regular_expression('User defined','FromBase64String\\(\'([^\']+)',true,true,false,false,false,false,'List capture groups') | |
| Register('([\\s\\S]*)',true,false,false) | |
| Find_/_Replace({'option':'Regex','string':'.+'},'$R0',true,false,true,true) | |
| Regular_expression('User defined','-bxor (.+)',true,true,false,false,false,false,'List capture groups') | |
| Register('([\\s\\S]*)',true,false,false) | |
| Find_/_Replace({'option':'Regex','string':'.+'},'$R1',true,false,true,true) |
michaelder
/ For x32
Last active
June 23, 2023 10:26
Cyberchef Recipe for Cobalt Strike Reflective Loader(beacon) v4 with parsing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Regular_expression('User defined','FromBase64String\\("([^"]+)',true,true,false,false,false,false,'List capture groups') | |
| From_Base64('A-Za-z0-9+/=',true) | |
| Gunzip() | |
| Register('([\\s\\S]*)',true,false,false) | |
| Regular_expression('User defined','FromBase64String\\(\'([^\']+)',true,true,false,false,false,false,'List capture groups') | |
| Register('([\\s\\S]*)',true,false,false) | |
| Find_/_Replace({'option':'Regex','string':'.+'},'$R0',true,false,true,true) | |
| Regular_expression('User defined','-bxor (.+)',true,true,false,false,false,false,'List capture groups') | |
| Register('([\\s\\S]*)',true,false,false) | |
| Find_/_Replace({'option':'Regex','string':'.+'},'$R1',true,false,true,true) |
michaelder
/ For x32
Last active
May 14, 2022 04:50
Cyberchef Recipe for Cobalt Strike Reflective Loader(beacon) v4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Regular_expression('User defined','FromBase64String\\("([^"]+)',true,true,false,false,false,false,'List capture groups') | |
| From_Base64('A-Za-z0-9+/=',true) | |
| Gunzip() | |
| Register('([\\s\\S]*)',true,false,false) | |
| Regular_expression('User defined','FromBase64String\\(\'([^\']+)',true,true,false,false,false,false,'List capture groups') | |
| Register('([\\s\\S]*)',true,false,false) | |
| Find_/_Replace({'option':'Regex','string':'.+'},'$R0',true,false,true,true) | |
| Regular_expression('User defined','-bxor (.+)',true,true,false,false,false,false,'List capture groups') | |
| Register('([\\s\\S]*)',true,false,false) | |
| Find_/_Replace({'option':'Regex','string':'.+'},'$R1',true,false,true,true) |
michaelder
/ For x64
Last active
June 23, 2023 10:26
Cyberchef Recipe for Cobalt Strike Reflective Loader(beacon) v4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Regular_expression('User defined','FromBase64String\\("([^"]+)',true,true,false,false,false,false,'List capture groups') | |
| From_Base64('A-Za-z0-9+/=',true) | |
| Gunzip() | |
| Register('([\\s\\S]*)',true,false,false) | |
| Regular_expression('User defined','FromBase64String\\(\'([^\']+)',true,true,false,false,false,false,'List capture groups') | |
| Register('([\\s\\S]*)',true,false,false) | |
| Find_/_Replace({'option':'Regex','string':'.+'},'$R0',true,false,true,true) | |
| Regular_expression('User defined','-bxor (.+)',true,true,false,false,false,false,'List capture groups') | |
| Register('([\\s\\S]*)',true,false,false) | |
| Find_/_Replace({'option':'Regex','string':'.+'},'$R1',true,false,true,true) |