Code and yara rules to detect and analyze Cobalt Strike

Overview

Cobalt Strike Resources

This repository contains:

  • analyze.py: a script to analyze a Cobalt Strike beacon (python analyze.py BEACON)
  • extract.py: extract a beacon from an encrypted beacon
  • lib.py: library containing functions for the other scripts
  • output.csv: CSV file containing CS servers identified online in Dec 2020
  • rules.yar: Yara rules for CS beacons
  • scan_list.py: script to scan a list of servers (python scan_list.py FILE)
  • scan.py: script to scan a server (python scan.py IP)

You can see my blog post Analyzing Cobalt Strike for Fun and Profit for more information.

Credits: Amnesty Tech


Comments
  • Samples not parsed

    The following samples cannot be parsed by your script (while SentinelOne's one works):

    • 1538339863779e04fa6578bd24fdba8e397d0563ac1776e0e941ebf17a15cec6
    • 42a96ff5ba5f5f7e07f296237d9dc04db1f4de200e5d5106b140d36c6e06fc10
    • 6ffacc3363ffa170b1c06a3f0f9612d968397ebcbf754e54431f0ea6d45ee124
    • ac6f07d03eb84a5ffa3149766e1746a4645faf89b376540af2919c914592ee7e

    Files attached (password: infected): m.zip

    opened by nbareil 2
  • Enhancement: multiprocessing, payload choice, HTTP or HTTPS, port selection, format selection

    Hi, Sorry for the first bad PR. Here is the good one.

    I added:

    • Multiprocessing (option -j)
    • Port selection (option -p)
    • HTTP or HTTPS force (option --HTTP)
    • Payload to be downloaded (32 or 64b) (option -b)
    • Format output (based on pandas DataFrame) CSV or JSON (option -f)

    I hope you will enjoy it.

    Example command line: python3 scan_list.py ip.list -j 10 -p 80 -b 32 --HTTP -f json

    opened by AZobec 1
  • Add pandas DataFrame, multiprocessing, and port handling

    Hi,

    I added:

    • Multiprocessing (option -j)
    • Port selection (option -p)
    • HTTP or HTTPS force (option --HTTP)
    • Payload to be downloaded (32 or 64b) (option -b)
    • Format output (based on pandas DataFrame) CSV or JSON (option -f)

    I hope you will enjoy it.

    Example command line: python3 scan_list.py ip.list -j 10 -p 80 -b 32 --HTTP -f json

    opened by AZobec 1
  • [bug] Variable in decode_config argument was not set (line 53)

    In the elif condition (if "MZ " in data), I made a mistake and put "beacon" instead of "data" as the decode_config argument. "beacon" was not set in this condition (because there was no need to decode it).

    opened by AZobec 0
Owner
Tek
Hacking things here and there, mostly threat intel, osint, malware analysis and human rights