Decrypting C2 traffic with known key

Reference: https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/

Some leaked copies of Cobalt Strike have the RSA keypair already generated. If the operator does not generate a new key pair by deleting the old one and restarting the teamserver, defenders can use the leaked private key to decrypt the C2 traffic.

The tool to check for known private keys is at https://blog.didierstevens.com/2021/10/11/update-1768-py-version-0-0-8/

PreviousHunting Beacon in the heapNextCyber Defenders Discovery Camp 2021

Last updated