cs-decrypt-metadata.py is a new tool, developed to decrypt the metadata of a Cobalt Strike beacon.
An active beacon regularly checks in with its team server, transmitting medata (like the AES key, the username & machine name, …) that is encrypted with the team server’s private key.
This tool can decrypt this data, provided:
- you give it the file containing the private (and public) key, .cobaltstrike.beacon_keys (option -f)
- you give it the private key in hexadecimal format (option -p)
- the private key is one of the 6 keys in its repository (default behavior)
I will publish blog posts explaining how to use this tool.
Here is a quick example:
Article Link: New Tool: cs-decrypt-metadata.py | Didier Stevens