Created
June 15, 2020 10:26
Parse AES tasks from CobaltStrike Beacon
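# NOTE: insert decryption functions
# readInt() and decrypt() are called below but are not part of this listing,
# and neither are the `binascii` / `sys` imports. All of them must be defined
# above this point before the script can run.
if __name__ == "__main__":
    # Hex-encoded 16-byte keys hard-coded by the author; presumably they belong
    # to the one capture that was analysed. Replace them with the keys
    # recovered for the traffic you are examining.
    SHARED_KEY = binascii.unhexlify("bca4caea1b3172aa979a5eac6c813184")
    HMAC_KEY = binascii.unhexlify("94b64efcf87b13c6828bcf14373bb2f9")

    # Fail with a usage line instead of an IndexError traceback when the
    # input file argument is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <encrypted_task_file>" % sys.argv[0])

    with open(sys.argv[1], 'rb') as f:
        enc_data = f.read()

    # readInt() is used here as (remaining_bytes, value): it strips one
    # integer field from the front of the buffer. The field width and byte
    # order are defined by the helper, which is not shown.
    encrypted_data, data_length = readInt(enc_data)
    print("Encrypted data should be: %d" % data_length)

    # The last 16 bytes are split off as the signature below. A shorter buffer
    # would give a truncated signature and an empty ciphertext, so stop early
    # with a clear message instead.
    if len(encrypted_data) < 16:
        sys.exit("input too short: %d byte(s) after the length field, "
                 "need at least 16 for the signature" % len(encrypted_data))

    signature = encrypted_data[-16:]
    # Fixed IV hard-coded by the original script. The b"" prefix is a no-op on
    # Python 2 and keeps the value a byte string on Python 3.
    iv_bytes = b"abcdefghijklmnop"
    encrypted_data = encrypted_data[:-16]

    # NOTE(review): decrypt() receives the signature and HMAC key. Confirm that
    # it verifies the signature before decrypting (constant-time compare, e.g.
    # hmac.compare_digest) and refuses to return data on a mismatch.
    dec = decrypt(encrypted_data, iv_bytes, signature, SHARED_KEY, HMAC_KEY)

    # Three integer header fields are peeled off the plaintext in order.
    # `counter` is read but not used further in this script.
    dec, counter = readInt(dec)
    dec, decrypted_length = readInt(dec)
    dec, output_type = readInt(dec)

    print("Decrypted length: %s" % decrypted_length)
    print("Output type: %d" % output_type)
    # NOTE(review): `dec` is untrusted captured content and is printed as-is.
    # Consider redirecting output to a file or printing repr(dec) so control
    # sequences in the payload cannot affect the analyst's terminal.
    print("Beacon data: %s" % dec)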