Hello, Didier Stevens here. I'm going to show you two methods to decrypt Cobalt Strike metadata.

The first one here is based on a diary entry that I wrote on the Internet Storm Center, where I show how to decrypt this data with a leaked private key. So Brad Duncan has a capture file, and I have it here. This is a beacon communicating with its C2, a real malicious beacon. And here you can see its GET statement to get commands. And inside the headers there's a cookie. Now you can see it's not a normal cookie; it's not name=value, it's just a value. And this value is the encrypted metadata in base64 representation. And you can use my tool cs-decrypt-metadata to decrypt this metadata, because this particular beacon is using a public key that is associated with a private key that I found on VirusTotal. So it has been leaked and we can use it to decrypt. So I'm copying this metadata from Wireshark, I'm giving it as an argument to my tool, and then it is able to do the decryption. And so for example here, you can see the AES and HMAC key derived from the raw key that is inside the encrypted metadata, and then also other information like the name of the computer and the user and the process and things like that. So that is the straightforward way, with the metadata that is just base64 encoded and put inside the Cookie header; that is the default.

But you can have beacons that use another encoding. And that is the second example. I have a beacon here and I'm going to analyze it with my tool 1768.py. So this analyzes the configuration of the beacon here. You can see this is the public key, and that public key has a known private key. So because of that I can do the decryption. And then here, if you look in the HTTP GET header, then you have here instructions to build the metadata. So the encrypted metadata has to be base64url encoded. That's a variant of base64. The difference is that in base64 you use the characters plus and slash, but that is not compatible with a URL. So when you encode it for a URL you replace the plus and the slash with a dash (a minus) and an underscore. When that is base64url encoded, then this string is prepended, and then it is put in the header Cookie. And here I have a shorthand representation of these instructions: so for the metadata, 13, that's base64url; 2, __cfduid=, that is this one; and then 6, Cookie, that's a header. So I can copy these instructions; it's a shorthand notation that my tools understand. And then I can feed that to cs-decrypt-metadata and then give it the metadata. Now the metadata, I have it here in a blog post. I got the metadata here by intercepting the HTTPS traffic of that beacon with mitmproxy. So I have that metadata here; as you can see, it starts with __cfduid=. I can just paste this here, and now we have the decoded data. If I would not provide instructions on how to do the decoding, then you get no output, because it does not recognize this. This is not normal base64. You need the Malleable C2 instructions to know how to decode this. And then once it is decoded it can be decrypted, provided that you have the private key.
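As an added example (not code from the talk, nor from cs-decrypt-metadata or 1768.py), the following Python shows the analyst-side steps from both parts of the walkthrough: undoing the Malleable C2 metadata transform chain (the stock "base64 into the Cookie header" profile, and the second beacon's base64url + prepend "__cfduid=" + Cookie chain), returning no result when the chain does not match (the "no output" case), and deriving the AES and HMAC keys from the raw key once the metadata is decrypted. Assumptions: the chain representation is my own list-of-tuples notation, not the shorthand the talk's tools accept; the transform ids 13, 2 and 6 are the ones named in the talk, while 1 (append) and 3 (plain base64) are assumed numbering; the sample plaintext and the stand-in "ciphertext" bytes are constructed, with the metadata layout after the raw key simplified to the tab-separated strings (real beacons carry fixed fields such as beacon id, PID and port before them); and the RSA private-key decryption step itself is not reimplemented, since the standard library has no RSA.

```python
import base64
import binascii
import hashlib
import struct

# Transform ids: 13, 2 and 6 are the ones shown in the talk; 1 and 3 are
# assumed numbering for append and plain base64.
APPEND, PREPEND, BASE64, HEADER, BASE64URL = 1, 2, 3, 6, 13

# Chains in the order the beacon applies them (my own notation).
DEFAULT_CHAIN = [(BASE64, None), (HEADER, "Cookie")]
CFDUID_CHAIN = [(BASE64URL, None), (PREPEND, "__cfduid="), (HEADER, "Cookie")]


def apply_transforms(chain, blob):
    """Beacon side: encode the (RSA-encrypted) metadata blob into HTTP headers."""
    data, headers = blob, {}
    for step, arg in chain:
        if step == BASE64:
            data = base64.b64encode(data)
        elif step == BASE64URL:
            data = base64.urlsafe_b64encode(data)   # '+' '/' become '-' '_'
        elif step == PREPEND:
            data = arg.encode() + data
        elif step == APPEND:
            data = data + arg.encode()
        elif step == HEADER:
            headers[arg] = data.decode()
        else:
            raise ValueError(f"unsupported transform {step}")
    return headers


def reverse_transforms(chain, headers):
    """Analyst side: walk the chain backwards to recover the encrypted blob.
    Returns None when the header, prefix/suffix or encoding does not match,
    which is the 'no output' situation described in the talk."""
    data = None
    try:
        for step, arg in reversed(chain):
            if step == HEADER:
                if arg not in headers:
                    return None
                data = headers[arg].encode()
            elif step == PREPEND:
                if not data.startswith(arg.encode()):
                    return None
                data = data[len(arg):]
            elif step == APPEND:
                if not data.endswith(arg.encode()):
                    return None
                data = data[:-len(arg)]
            elif step == BASE64:
                data = base64.b64decode(data, validate=True)  # reject '-' '_'
            elif step == BASE64URL:
                data = base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))
            else:
                raise ValueError(f"unsupported transform {step}")
    except binascii.Error:
        return None
    return data


def derive_keys(raw_key):
    """SHA-256 of the 16-byte raw key: first half AES key, second half HMAC key."""
    digest = hashlib.sha256(raw_key).digest()
    return digest[:16], digest[16:]


METADATA_MAGIC = 0x0000BEEF   # big-endian marker at the start of decrypted metadata


def parse_metadata(plaintext):
    """Parse decrypted metadata: magic, length, raw key, then (simplified here)
    the tab-separated computer, user and process strings."""
    magic, size = struct.unpack(">II", plaintext[:8])
    if magic != METADATA_MAGIC:
        raise ValueError("not Cobalt Strike metadata (bad magic)")
    body = plaintext[8:8 + size]
    raw_key, strings = body[:16], body[16:]
    computer, user, process = strings.decode().split("\t")
    aes_key, hmac_key = derive_keys(raw_key)
    return {"raw_key": raw_key, "aes_key": aes_key, "hmac_key": hmac_key,
            "computer": computer, "user": user, "process": process}


# Constructed sample: what the private-key step would yield, and an opaque
# stand-in for its RSA ciphertext (the real ciphertext needs the leaked key).
STRINGS = b"WORKSTATION\tjdoe\texplorer.exe"
RAW_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_PLAINTEXT = struct.pack(">II", METADATA_MAGIC, 16 + len(STRINGS)) + RAW_KEY + STRINGS
SAMPLE_CIPHERTEXT = bytes(range(32)) + b"\xfb\xff\xbf"

if __name__ == "__main__":
    request_headers = apply_transforms(CFDUID_CHAIN, SAMPLE_CIPHERTEXT)
    print("captured Cookie:", request_headers["Cookie"])
    print("wrong chain  ->", reverse_transforms(DEFAULT_CHAIN, request_headers))
    print("right chain  ->", reverse_transforms(CFDUID_CHAIN, request_headers).hex())
    for name, value in parse_metadata(SAMPLE_PLAINTEXT).items():
        print(f"{name:9}", value.hex() if isinstance(value, bytes) else value)
```

Running it prints the constructed "__cfduid=..." cookie, shows that decoding with the default chain yields nothing while the matching chain recovers the blob, and lists the derived AES/HMAC keys and the host, user and process fields from the sample plaintext.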