Skip to content

Instantly share code, notes, and snippets.

@sopsmattw
sopsmattw / 0_CyberChef_CobaltStrike_Shellcode_Decoder_Recipe
Created July 22, 2021 18:01 — forked from 0xtornado/0_CyberChef_CobaltStrike_Shellcode_Decoder_Recipe
CyberChef recipe to extract and decode Shellcode from a Cobalt Strike beacon
[{"op":"Conditional Jump","args":["bxor",false,"Decode_Shellcode",10]},{"op":"Label","args":["Decode_beacon"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Decode text","args":["UTF-16LE (1200)"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Gunzip","args":[]},{"op":"Label","args":["Decode_Shellcode"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"Conditional Jump","args":["",false,"",10]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"XOR","args":[{"option":"Decimal","string":"35"},"Standard",false]}]
# Map URLs to Internet Explorer Security Zones via PowerShell
$csSource = @'
using System;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
public class IEZones
{