Inspecting a PowerShell Cobalt Strike Beacon
Common Information
Type Value
UUID e42b6f8d-c30f-4c4b-90fc-e81dd3a41b3f
Fingerprint 5c6333352bdb405e
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 9, 2022, midnight
Added to db June 1, 2023, 10:50 a.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline Inspecting a PowerShell Cobalt Strike Beacon
Title Inspecting a PowerShell Cobalt Strike Beacon
Detected Hints/Tags/Attributes 43/1/16
Attributes
Details Type #Events CTI Value
Details Domain 93 bazaar.abuse.ch
Details Domain 15 outlook.live.com
Details Domain 21 1768.py
Details File 3 payload.ps1
Details File 11 'system.dll
Details File 748 kernel32.dll
Details File 20 shellcode.bin
Details File 18 1768.py
Details md5 1 63603bb6854a022e997a06fe7220a220
Details sha1 1 ce72e661393227a1816e43159139860660118ccb
Details sha256 1 6881531ab756d62bdb0c3279040a5cbe92f9adfeccb201cca85b7d3cff7158d3
Details sha256 1 0a0dddca72464f3baa600be64e9f7da9c0cbe1126e8e713d0c9dba6ed231234a
Details IPv4 1 47.242.164.33
Details MITRE ATT&CK Techniques 97 T1497.001
Details MITRE ATT&CK Techniques 120 T1129
Details Url 1 https://bazaar.abuse.ch/sample/6881531ab756d62bdb0c3279040a5cbe92f9adfeccb201cca85b7d3cff7158d3