Cobalt Strike PowerShell Payload Analysis
8 min read · Sep 1, 2021
I spotted this interesting tweet from Malwar3Ninja and decided to take a look and analyse the Cobalt Strike PowerShell payload.
PowerShell Payload Analysis.
We can spot the for loop that decodes the buffer in place:
for ($x = 0; $x -lt $var_code.Count; $x++) {
    # XOR every byte of the Base64-decoded buffer with the single-byte key 35 (0x23)
    $var_code[$x] = $var_code[$x] -bxor 35
}
So the Base64 block is not itself encrypted: the script first Base64-decodes it into a byte array ($var_code) and then XORs every byte with the single-byte key 35 (0x23). Since XOR with a one-byte key is its own inverse, we can recover the shellcode in CyberChef with the recipe From Base64 followed by XOR with key 23 (hex) / 35 (decimal).
We upload the script to CyberChef and extract the Base64-encoded payload from the PowerShell.
Extracted Base64
‘32ugx9PL6yMjI2JyYnNxcnVrEvFGa6hxQ2uocTtrqHEDa6hRc2sslGl…
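The same From Base64 / XOR 35 recipe, scripted so it can be run over any sample of this stager rather than pasted into CyberChef by hand. This is an added example, not code from the original post or from Cobalt Strike: it assumes the stager keeps the blob in a [System.Convert]::FromBase64String('...') call assigned to $var_code and applies the key with -bxor, and the sample script below is constructed for the example. Its Base64 string is the first 52 characters of the blob printed above, so it decodes only the start of the real payload; the function names (extract_key, extract_blob, decode_stager, looks_like_cs_x64) are this example's own.

```python
import base64
import re

# Constructed sample input: a minimal script in the assumed shape of the
# Cobalt Strike PowerShell stager. The Base64 string is the first 52
# characters of the blob printed on the page (the real blob is far longer,
# so this decodes only the beginning of the shellcode).
SAMPLE_SCRIPT = """
[Byte[]]$var_code = [System.Convert]::FromBase64String('32ugx9PL6yMjI2JyYnNxcnVrEvFGa6hxQ2uocTtrqHEDa6hRc2ss')
for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}
"""

# The FromBase64String('...') argument and the '-bxor N' key (decimal or 0x hex).
BLOB_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
KEY_RE = re.compile(r"-bxor\s+(0x[0-9A-Fa-f]+|\d+)")

# Prologue of the x64 Cobalt Strike stager shellcode: cld / and rsp,-0x10 / call
CS_X64_PROLOGUE = bytes.fromhex("fc4883e4f0e8")


def extract_key(script: str) -> int:
    """Pull the single-byte key out of the '-bxor N' expression."""
    m = KEY_RE.search(script)
    if m is None:
        raise ValueError("no -bxor key found in script")
    key = int(m.group(1), 0)  # base 0 accepts both '35' and '0x23'
    if not 0 <= key <= 0xFF:
        raise ValueError(f"key {key} is not a single byte")
    return key


def extract_blob(script: str) -> bytes:
    """Find the FromBase64String('...') argument and Base64-decode it."""
    m = BLOB_RE.search(script)
    if m is None:
        raise ValueError("no FromBase64String blob found in script")
    # validate=True rejects stray characters instead of silently skipping them
    return base64.b64decode(m.group(1), validate=True)


def xor_bytes(data: bytes, key: int) -> bytes:
    """The stager's decode loop: XOR every byte with the key (self-inverse)."""
    return bytes(b ^ key for b in data)


def decode_stager(script: str) -> bytes:
    """Full pipeline: locate key and blob, Base64-decode, then XOR-decode."""
    return xor_bytes(extract_blob(script), extract_key(script))


def looks_like_cs_x64(shellcode: bytes) -> bool:
    """Heuristic sanity check: does the output start like the x64 stager?"""
    return shellcode.startswith(CS_X64_PROLOGUE)


if __name__ == "__main__":
    sc = decode_stager(SAMPLE_SCRIPT)
    print(f"key: {extract_key(SAMPLE_SCRIPT)}  decoded {len(sc)} bytes")
    print(sc.hex(" "))
    print("x64 Cobalt Strike prologue:", looks_like_cs_x64(sc))
```

Decoding the visible prefix already gives fc 48 83 e4 f0 e8 c8 00 00 00 41 51, i.e. cld, and rsp,-0x10, call, push r9: the standard opening of the x64 Cobalt Strike stager, which is a quick way to confirm the key was read correctly before carrying on to the shellcode itself. For a full sample, write the returned bytes to a file and feed them to a shellcode emulator or disassembler.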