Parse AES tasks from CobaltStrike Beacon
# NOTE: insert the decryption functions called below (readInt, decrypt) here, together with the imports they require
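if __name__ == "__main__":
    # Offline analysis helper: decrypt one captured, length-prefixed Beacon
    # blob read from the file named in argv[1] and print its header fields.
    # readInt() and decrypt() are not defined in this block; they must be
    # supplied above it. From the way results are unpacked here, readInt()
    # is expected to return (remaining_bytes, value).
    import binascii
    import sys

    # Fail with a usage line instead of an IndexError traceback.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <file-with-encrypted-blob>" % sys.argv[0])

    # Key material as given in the original listing; replace both values with
    # the keys recovered for the capture being analysed.
    SHARED_KEY = binascii.unhexlify("bca4caea1b3172aa979a5eac6c813184")
    HMAC_KEY = binascii.unhexlify("94b64efcf87b13c6828bcf14373bb2f9")

    with open(sys.argv[1], 'rb') as f:
        enc_data = f.read()

    # Leading integer is the length the sender declared for the encrypted blob.
    encrypted_data, data_length = readInt(enc_data)
    print("Encrypted data should be: %d" % data_length)

    # A declared length larger than what is on disk means the capture is
    # truncated or the file does not start at the length field; decryption
    # and the integrity check cannot be trusted in that case.
    if data_length > len(encrypted_data):
        sys.stderr.write(
            "warning: declared length %d exceeds the %d bytes available\n"
            % (data_length, len(encrypted_data))
        )

    # The last 16 bytes are split off as the signature, so anything this short
    # leaves no ciphertext to decrypt.
    if len(encrypted_data) <= 16:
        sys.exit("input too short: no ciphertext before the 16-byte signature")

    signature = encrypted_data[-16:]
    # Fixed IV from the original script.
    # NOTE(review): matches the static IV publicly documented for Cobalt
    # Strike; confirm for the Beacon version under analysis.
    iv_bytes = b"abcdefghijklmnop"
    encrypted_data = encrypted_data[:-16]

    # NOTE(review): presumably decrypt() checks `signature` with HMAC_KEY
    # before decrypting; confirm in the inserted implementation, because
    # output from an unverified blob should not be relied on.
    dec = decrypt(encrypted_data, iv_bytes, signature, SHARED_KEY, HMAC_KEY)

    # Plaintext header: three integers, then the payload.
    dec, counter = readInt(dec)  # read only to advance past the field
    dec, decrypted_length = readInt(dec)
    dec, output_type = readInt(dec)

    # Single-argument print(...) behaves the same on Python 2 and Python 3.
    print("Decrypted length: %s" % decrypted_length)
    print("Output type: %d" % output_type)
    # `dec` is bytes produced by the monitored host and is printed raw; send
    # the output to a file or hex viewer if it may contain terminal control
    # sequences.
    print("Beacon data: %s" % dec)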