@usualsuspect
Created March 13, 2023 13:35
NY Times Cobalt Strike Config
BeaconType - HTTPS
Port - 443
SleepTime - 165000
MaxGetSize - 2097223
Jitter - 77
MaxDNS - Not Found
PublicKey_MD5 - 59c484f9028a06073eb133568ef23de1
C2Server - content.api.nytimes.com,/caa09abd7511/XNc549Rf1p3VXb6h2g8q9ey6pp,csp.nytimes.com,/caa09abd7511/eXlTjaR3heoufbSNC-H4EJbCnOqpn
UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
HttpPostUri - /921d522938b2/GmFoRGmqwNIbBmPUEKtJE
Malleable_C2_Instructions - Remove 34 bytes from the end
                            Remove 31 bytes from the beginning
                            Base64 URL-safe decode
                            XOR mask w/ random key
HttpGet_Metadata - ConstHeaders
                       Accept: */*
                       Content-Type: application/x-www-form-urlencoded
                       Tb-Aad-Device-Family: 3
                       Tb-Aad-Env-Id: 10.0.19041.1865
                       X-Ms-Refreshtokencredential: NA
                       Connection: close
                   Metadata
                       mask
                       base64url
                       prepend "3925e84a-80e3-4930-"
                       append ""
                       header "Client-Request-Id"
HttpPost_Metadata - ConstHeaders
                        Tb-Aad-Device-Family: 3
                        Tb-Aad-Env-Id: 10.0.19041.1865
                        Cache-Control: no-cache
                        X-Ms-Refreshtokencredential: NA
                    SessionId
                        mask
                        base64url
                        header "Cookie"
                    Output
                        mask
                        base64url
                        prepend "grant_type=srv_challenge&client_id=ab9b8c07-8f02-4f72-87fa-80105867a763&redirect_uri=ms-appx-web%3a%2f%2fMicroso"
                        append "ft.AAD.BrokerPlugin%2fab9b8c07-8f02-4f72-87fa-80105867a763"
                        print
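The Malleable_C2_Instructions, HttpGet_Metadata and HttpPost_Metadata blocks above are the transform chains this beacon applies on the wire: the server's tasking is unwrapped by stripping 34 trailing and 31 leading bytes, base64url-decoding and removing the XOR mask; the beacon's own metadata is masked, base64url-encoded and glued onto the fixed prefix "3925e84a-80e3-4930-" so the Client-Request-Id header resembles a GUID; command output is masked, base64url-encoded and spliced into a fake AAD broker token request between "...Microso" and "ft.AAD.BrokerPlugin...". The following Python is an added example, not code from the gist or from Cobalt Strike, that applies those chains to constructed data so both sides of the exchange can be reproduced. Assumptions: the mask transform is 4 random key bytes followed by the data XORed with that key (Cobalt Strike's documented mask); the 31/34-byte server prepend/append strings are not in the dump, so same-length filler stands in; the metadata and output bytes are plain placeholders (a real beacon RSA-encrypts the metadata to the team server key whose MD5 the config shows); whether Beacon emits base64 padding is not stated, so the decoder accepts both.

```python
# Added example, not part of the gist. Reproduces this profile's transforms on
# constructed data; see the lead-in for what is assumed.
import base64
import os
from typing import Optional

# Constants copied from the config
GET_METADATA_PREFIX = "3925e84a-80e3-4930-"     # prepend, header "Client-Request-Id"
POST_OUTPUT_PREFIX = (
    "grant_type=srv_challenge&client_id=ab9b8c07-8f02-4f72-87fa-80105867a763"
    "&redirect_uri=ms-appx-web%3a%2f%2fMicroso"
)
POST_OUTPUT_SUFFIX = "ft.AAD.BrokerPlugin%2fab9b8c07-8f02-4f72-87fa-80105867a763"
SERVER_PREPEND_LEN = 31                         # "Remove 31 bytes from the beginning"
SERVER_APPEND_LEN = 34                          # "Remove 34 bytes from the end"

# Constructed filler: the real prepend/append strings are not in the dump,
# only their lengths.
FAKE_PREPEND = b"<" * SERVER_PREPEND_LEN
FAKE_APPEND = b">" * SERVER_APPEND_LEN


def mask(data: bytes, key: Optional[bytes] = None) -> bytes:
    """mask: 4 random key bytes, then the data XORed with the repeating key."""
    key = os.urandom(4) if key is None else key
    if len(key) != 4:
        raise ValueError("mask key must be 4 bytes")
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))


def unmask(data: bytes) -> bytes:
    """Inverse of mask: the first 4 bytes are the key."""
    key, body = data[:4], data[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Accept padded or unpadded input (assumption: padding behaviour unknown).
    text = text.rstrip("=")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# http-get / http-post server output (Malleable_C2_Instructions)
def encode_server_output(tasking: bytes, key: Optional[bytes] = None) -> bytes:
    """Team-server side: mask, base64url, prepend, append (inverse of the
    instruction list the beacon applies on receipt)."""
    return FAKE_PREPEND + b64url_encode(mask(tasking, key)).encode("ascii") + FAKE_APPEND


def decode_server_output(body: bytes) -> bytes:
    """Beacon side, in exactly the order the config lists."""
    body = body[:len(body) - SERVER_APPEND_LEN]   # Remove 34 bytes from the end
    body = body[SERVER_PREPEND_LEN:]              # Remove 31 bytes from the beginning
    raw = b64url_decode(body.decode("ascii"))     # Base64 URL-safe decode
    return unmask(raw)                            # XOR mask w/ random key


# http-get client metadata: mask, base64url, prepend, header "Client-Request-Id"
def build_client_request_id(metadata: bytes, key: Optional[bytes] = None) -> str:
    return GET_METADATA_PREFIX + b64url_encode(mask(metadata, key))


def parse_client_request_id(header: str) -> bytes:
    if not header.startswith(GET_METADATA_PREFIX):
        raise ValueError("not a Client-Request-Id produced by this profile")
    return unmask(b64url_decode(header[len(GET_METADATA_PREFIX):]))


# http-post client output: mask, base64url, prepend, append, print (body)
def build_post_body(output: bytes, key: Optional[bytes] = None) -> str:
    # Masked output sits between "...Microso" and "ft.AAD.BrokerPlugin..." so the
    # redirect_uri still reads as ms-appx-web://Microsoft.AAD.BrokerPlugin/...
    return POST_OUTPUT_PREFIX + b64url_encode(mask(output, key)) + POST_OUTPUT_SUFFIX


def parse_post_body(body: str) -> bytes:
    if not (body.startswith(POST_OUTPUT_PREFIX) and body.endswith(POST_OUTPUT_SUFFIX)):
        raise ValueError("not a POST body produced by this profile")
    inner = body[len(POST_OUTPUT_PREFIX):len(body) - len(POST_OUTPUT_SUFFIX)]
    return unmask(b64url_decode(inner))


# http-post session id: mask, base64url, header "Cookie"
def build_cookie(session_id: bytes, key: Optional[bytes] = None) -> str:
    return b64url_encode(mask(session_id, key))


if __name__ == "__main__":
    # Constructed sample exchange with a fixed key so the output is reproducible.
    key = b"\x13\x37\xc0\xde"
    print(build_client_request_id(b"placeholder-metadata", key))
    wire = encode_server_output(b"placeholder-tasking", key)
    print(wire)
    print(decode_server_output(wire))
    print(build_post_body(b"placeholder-output", key))
```

The decoder is the part that matters for traffic analysis: given a captured GET response body it recovers the masked tasking blob (still AES-encrypted with the session key, which only the team server and beacon hold), and given a captured POST body it recovers the masked output blob. The parse functions refuse input that lacks the profile's fixed prefix and suffix, which doubles as a cheap signature for this exact profile.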
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
SSH_Banner - Host: ap1.azcdnms.com.global.prod.fastly.net
HttpGet_Verb - GET
HttpPost_Verb - POST
HttpPostChunk - 0
Spawnto_x86 - %windir%\syswow64\auditpol.exe
Spawnto_x64 - %windir%\sysnative\auditpol.exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark_Hash - jwc+KbN2lepCgBMaWJ7lKw==
Watermark - 1438267441
bStageCleanup - True
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - True
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 55514
ProcInject_PrependAppend_x86 - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90'
                               Empty
ProcInject_PrependAppend_x64 - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90'
                               Empty
ProcInject_Execute - ntdll.dll:RtlUserThreadStart
                     NtQueueApcThread-s
                     SetThreadContext
                     CreateRemoteThread
                     kernel32.dll:LoadLibraryA
                     RtlCreateUserThread
ProcInject_AllocationMethod - NtMapViewOfSection
bUsesCookies - True
HostHeader - Host: ap1.azcdnms.com.global.prod.fastly.net
headersToRemove - Not Found
DNS_Beaconing - Not Found
DNS_get_TypeA - Not Found
DNS_get_TypeAAAA - Not Found
DNS_get_TypeTXT - Not Found
DNS_put_metadata - Not Found
DNS_put_output - Not Found
DNS_resolver - Not Found
DNS_strategy - failover
DNS_strategy_rotate_seconds - -1
DNS_strategy_fail_x - 5
DNS_strategy_fail_seconds - -1
Retry_Max_Attempts - 10
Retry_Increase_Attempts - 5
Retry_Duration - 1800
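The security-relevant point of this config is in C2Server and HostHeader taken together: DNS and the TLS SNI go to content.api.nytimes.com / csp.nytimes.com, while the HTTP Host header inside the tunnel is ap1.azcdnms.com.global.prod.fastly.net, so the CDN routes the request to the operator's Fastly-fronted backend (domain fronting). SSH_Banner shows the same string only because the parser reports that one config field under two names; every SSH_* entry is Not Found and no SSH transport is involved. The following Python is an added hunting example, not code from the gist, that checks constructed records for the indicators this dump gives: the Host/SNI mismatch, the fixed URI prefixes /caa09abd7511/ and /921d522938b2/, a Client-Request-Id that starts with the profile's GUID-like prefix but does not continue as hex-and-dashes, the constant Tb-Aad-Device-Family / X-Ms-Refreshtokencredential headers, the redirect_uri split between "Microso" and "ft.AAD.BrokerPlugin", and the Spawnto target auditpol.exe started with no arguments. The record shapes and field names (sni, host, uri, headers, body, image, args) are assumptions; map them onto your proxy and EDR schema. Host/SNI mismatches also occur for legitimate reasons, so treat the generic Fastly-backend rule as a hunt query, not a blocking signature.

```python
# Added hunting example, not part of the gist. Record shapes below are
# constructed assumptions, not a real proxy or EDR schema.
import re

C2_SNI_HOSTS = {"content.api.nytimes.com", "csp.nytimes.com"}   # C2Server hosts
FRONTED_HOST_HEADER = "ap1.azcdnms.com.global.prod.fastly.net"  # HostHeader
C2_URI_RE = re.compile(r"^/(caa09abd7511|921d522938b2)/[A-Za-z0-9_-]+$")
CRID_PREFIX = "3925e84a-80e3-4930-"                             # Client-Request-Id prepend
GUID_TAIL_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")  # what a real GUID tail looks like
SPLIT_REDIRECT_RE = re.compile(
    r"redirect_uri=ms-appx-web%3a%2f%2fMicroso.+ft\.AAD\.BrokerPlugin", re.I
)
CONST_HEADERS = {"tb-aad-device-family": "3", "x-ms-refreshtokencredential": "NA"}


def http_indicators(rec: dict) -> list:
    """Return the names of the indicators matched by one HTTP(S) proxy record."""
    hits = []
    sni = rec.get("sni", "").lower()
    host = rec.get("host", "").lower()
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    # Host header names the Fastly backend while DNS/SNI show nytimes.com
    if sni in C2_SNI_HOSTS and host == FRONTED_HOST_HEADER:
        hits.append("domain_fronting_host_mismatch")
    elif sni and host and host != sni and host.endswith(".global.prod.fastly.net"):
        hits.append("host_sni_mismatch_fastly_backend")   # generic form, for hunting
    if C2_URI_RE.match(rec.get("uri", "")):
        hits.append("known_c2_uri")
    # Profile fakes a GUID: fixed prefix followed by base64url metadata
    crid = headers.get("client-request-id", "")
    if crid.startswith(CRID_PREFIX) and not GUID_TAIL_RE.match(crid[len(CRID_PREFIX):]):
        hits.append("client_request_id_not_a_guid")
    if all(headers.get(k) == v for k, v in CONST_HEADERS.items()):
        hits.append("tb_aad_const_headers")
    # Output spliced into the redirect_uri between "Microso" and "ft.AAD.BrokerPlugin"
    if SPLIT_REDIRECT_RE.search(rec.get("body", "")):
        hits.append("post_body_split_redirect_uri")
    return hits


def process_indicators(evt: dict) -> list:
    """Heuristic for the Spawnto sacrificial process: auditpol.exe is a CLI tool
    that does nothing useful without arguments."""
    hits = []
    image = evt.get("image", "").lower()
    if image.endswith("\\auditpol.exe") and not evt.get("args", "").strip():
        hits.append("spawnto_auditpol_no_args")
    return hits


# Constructed sample records (not captured traffic)
SAMPLE_BEACON_GET = {
    "sni": "content.api.nytimes.com",
    "host": "ap1.azcdnms.com.global.prod.fastly.net",
    "uri": "/caa09abd7511/XNc549Rf1p3VXb6h2g8q9ey6pp",
    "headers": {
        "Client-Request-Id": "3925e84a-80e3-4930-AAAAAA==",
        "Tb-Aad-Device-Family": "3",
        "X-Ms-Refreshtokencredential": "NA",
        "Connection": "close",
    },
    "body": "",
}
SAMPLE_BEACON_POST = {
    "sni": "csp.nytimes.com",
    "host": "ap1.azcdnms.com.global.prod.fastly.net",
    "uri": "/921d522938b2/GmFoRGmqwNIbBmPUEKtJE",
    "headers": {"Cookie": "YWJjZA==", "Tb-Aad-Device-Family": "3",
                "X-Ms-Refreshtokencredential": "NA"},
    "body": ("grant_type=srv_challenge&client_id=ab9b8c07-8f02-4f72-87fa-80105867a763"
             "&redirect_uri=ms-appx-web%3a%2f%2fMicrosoYWJjZA==ft.AAD.BrokerPlugin"
             "%2fab9b8c07-8f02-4f72-87fa-80105867a763"),
}
SAMPLE_BENIGN = {
    "sni": "www.nytimes.com", "host": "www.nytimes.com", "uri": "/section/world",
    "headers": {"Client-Request-Id": "3925e84a-80e3-4930-9f2c-1a2b3c4d5e6f"}, "body": "",
}
SAMPLE_SPAWNTO = {"image": "C:\\Windows\\SysWOW64\\auditpol.exe", "args": ""}

if __name__ == "__main__":
    for name, rec in [("GET", SAMPLE_BEACON_GET), ("POST", SAMPLE_BEACON_POST),
                      ("benign", SAMPLE_BENIGN)]:
        print(name, http_indicators(rec))
    print("process", process_indicators(SAMPLE_SPAWNTO))
```

The GUID check is the most portable of these: a Client-Request-Id that begins like a GUID but continues with mixed-case base64 (and possibly "=" padding) cannot be a GUID, and that holds for any profile that fakes a GUID by prepending a fixed fragment. The Host/SNI rule needs a proxy that records the decrypted Host header, or TLS inspection; without it, the URI prefixes and the auditpol.exe heuristic are what remain.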