Didier Stevens: finding Metasploit & Cobalt Strike URLs

An interesting article and video lesson by security reserarcher Didier Stevens.

Cobalt Strike and Metasploit are the offensive security tools most commonly used to host malware command-and-control (C2) servers: both tool allows generation of shellcode for http(s) shells so, during a malware/forensic analysis, is really useful be able to identify URLs used by this kind of payloads.

The researcher Didier Stevens comes to our help with a couple of articles published on SANS ISC forum:

Metasploit and Cobalt Strike generate shellcode for http(s) shells. The URLs found in this shellcode have a path that consist of 4 random alphanumeric characters. But they are not completely random: their 8-bit checksum is a member of a small set of constants.

In the first post [1] Stevens explains how, starting from a network traffic dump generated with Wireshark, it is possible to identify some patterns related to Metasploit and Cobal Strike activities using metatool.py [2], a python utility developed by himself.

Few days after, Stevens published another post [3], this time with a video, in order to show the method and explaining in detail the checksum calculation.

I don’t use this method to go hunting (in proxy logs for example), as the checksum has a low-entropy, thus prone to collisions/false positives. But I do use this when I suspect the presence of Metasploit or Cobalt Strike traffic.
Cobalt Strike beacons often use HTTPS, but the URLs I talked about in my diary entry, are not the ones used by the beacon itself. These are the URLs of the staging shellcode, that precedes the beacon.

I hope it will be helpfull!


References

  1. Finding Metasploit & Cobalt Strike URLs
  2. https://github.com/DidierStevens/Beta/blob/master/metatool.py
  3. Video: Finding Metasploit & Cobalt Strike URLs

Related posts

  1. Some thoughts about Stuxnet
  2. How “Process Ghosting“ works
  3. dfir_ntfs: a forensic parser for NTFS filesystems
  4. iLEAPP: an iOS logs, events, and plists parser
  5. iOS Forensics: how to perform a logical acquisition with libimobiledevice