Decrypting C2 traffic with known key
Reference: https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/
Some leaked copies of Cobalt Strike ship with an RSA keypair already generated. If the operator does not generate a new keypair (by deleting the existing one and restarting the teamserver), defenders who hold the leaked private key can decrypt the Beacon's C2 traffic.
The tool that checks a Beacon for known private keys is 1768.py: https://blog.didierstevens.com/2021/10/11/update-1768-py-version-0-0-8/
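As an added illustration (not code from the referenced posts or from 1768.py), the defender-side steps in Go, chosen for its standard-library RSA/AES/HMAC: decrypt a Beacon's RSA-encrypted metadata with the known private key, derive the session's AES and HMAC keys, then verify and decrypt one message. The metadata layout (0x0000BEEF magic, length, 16-byte raw key), the SHA-256 key split and the fixed IV are taken from NVISO's write-ups on this topic rather than from this page; SampleKey and any sample data are assumptions for testing, since the leaked key itself is not embedded.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

var BeaconIV = []byte("abcdefghijklmnop") // fixed CBC IV Beacon uses for every encrypted message

// BeaconKeys holds the per-session keys a defender derives from one Beacon's metadata.
type BeaconKeys struct{ AES, HMAC []byte }

// RecoverKeys decrypts the metadata with the leaked private key, checks the 0x0000BEEF magic
// and splits SHA-256(16-byte raw key) into the AES key (first half) and HMAC key (second half).
func RecoverKeys(priv *rsa.PrivateKey, encMeta []byte) (*BeaconKeys, error) {
	meta, err := rsa.DecryptPKCS1v15(nil, priv, encMeta)
	if err != nil {
		return nil, err
	}
	if len(meta) < 24 || string(meta[:4]) != "\x00\x00\xbe\xef" {
		return nil, errors.New("not Beacon metadata: bad magic or too short")
	}
	sum := sha256.Sum256(meta[8:24]) // 16-byte raw key follows the 4-byte magic and 4-byte length
	return &BeaconKeys{AES: sum[:16], HMAC: sum[16:]}, nil
}

// DecryptMessage checks the trailing 16-byte HMAC-SHA256 tag, then AES-128-CBC decrypts the body into raw blocks.
func DecryptMessage(k *BeaconKeys, msg []byte) ([]byte, error) {
	if len(msg) < 32 || (len(msg)-16)%16 != 0 {
		return nil, errors.New("message too short or body not block aligned")
	}
	body, tag := msg[:len(msg)-16], msg[len(msg)-16:]
	mac := hmac.New(sha256.New, k.HMAC)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:16], tag) {
		return nil, errors.New("HMAC mismatch: wrong key or tampered message")
	}
	block, _ := aes.NewCipher(k.AES) // key is always 16 bytes, so this cannot fail
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, BeaconIV).CryptBlocks(out, body)
	return out, nil
}

// SampleKey makes a throwaway 1024-bit keypair that stands in for a leaked teamserver key (assumption).
func SampleKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 1024); return k }
```

The decrypted blocks still carry Beacon's own framing (counter and length fields) in front of the task or response data, which is left to the caller to parse.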