Cobalt Strike PowerShell Payload Analysis

Michael Koczwara
8 min readSep 1, 2021

I have spotted this interesting tweet from Malwar3Ninja and decided to take a look and analyse the Cobalt Strike PowerShell payload.

PowerShell Payload Analysis.

We can spot the for function:

for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35

Base64 block is encrypted with XOR with a key of 35 and we can decrypt it using CyberChef.

We have uploaded the file and now we can extract the encoded Base64 payload from the PowerShell.

Extracted Base64

‘32ugx9PL6yMjI2JyYnNxcnVrEvFGa6hxQ2uocTtrqHEDa6hRc2sslGl…

--

--