Hello, welcome to the Monday, November 8, 2021 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Amazing diary this week from DDIH is showing you how to decrypt Cobalt strike traffic, but this time not using the leaked keys that

the DAA published about a week ago, but instead extracting keys from process memory.

So this assumes that you have a system that's currently infected with Cobalt Strike and you're trying to decrypt the traffic that Cobalt Strike sends back to its command control infrastructure.

Well, the next thing you need to decrypt it is you need the key and that can be found in memory.

Now, older versions of Cobalt Strike, you could pretty easily extract that key and

Didier in his usual fashion created a Python script to do that for you, but for some of the

newer versions of Cobalt Strike 4 and later, you do actually need some

encrypted network traffic to find the key.

And again, yet another little Python script here by DDE.

You feed it two packets that you collected off the network that were encrypted with

Cobalt Strike, and then it will use that data in order to extract the keys from memory.

So that's, well, all it takes in order to decrypt the traffic. A pretty neat technique,

and thanks, DDA, again again for publishing all these Python scripts

that make this process while, of course, there are a lot of moving parts, reasonably straightforward.

Well, while DDA's post is probably more interesting for those of you who are using network

forensics.

We do have a second post this weekend by Tom.

Tom is talking quickly about a tool called Xmount.

Nice thing about Xmount is that allows you to convert various disk image formats that are commonly

used in forensics and also convert them then into formats

...