Cobalt Strike Beacon configuration extractor and parser.

Overview

Cobalt Strike Configuration Extractor and Parser

Overview

Pure Python library and set of scripts to extract and parse configurations (configs) from Cobalt Strike Beacons. The library, libcsce, contains classes for building tools to work with Beacon configs. There are also two CLI scripts included that use the library to parse Beacon config data:

  1. csce: Parses all known Beacon config settings to JSON, mimicing the Malleable C2 profile structure.
  2. list-cs-settings: Attempts to find by brute-force the associated Cobalt Strike version, and all settings/their types, of a Beacon config. This script is useful for conducting research on Beacon samples.

Installation

Install from Pypi (preferred method)

> pip install libcsce

Install from GitHub with Pip

> pip install git+ssh://[email protected]/strozfriedberg/cobaltstrike-config-extractor.git#egg=libcsce

Install from Cloned Repo

> git clone ssh://[email protected]/strozfriedberg/cobaltstrike-config-extractor.git
> cd libcsce
> pip install .

Dependencies

The only external non-development dependency is pefile, which is required to decrypt Beacon configs from the .data section of PE files. Requires Python 3.6+.

Development dependencies include those specified in pyproject.toml as well as:

Getting Started

csce

Both of the CLI scripts support extracting Beacon configs from PE files (DLLs/EXEs) and memory dumps where a Beacon was running. To parse a Beacon PE file to JSON, use csce:

> csce --pretty <path/to/file.{exe,dll,bin,dmp}>

By default, the script will try to parse the Beacon as version 3 and, if that fails, try version 4. You can specify a version manually via the -v flag to save cycles if you know the Beacon is version 4 (using -v 3 doesn't technically save cycles because the script tries that version first by default).

list-cs-settings

To discover new settings and while conducting research, sometimes it's useful to extract all possible settings and their types from a Beacon sample. Use list-cs-settings to detect by brute-force the Cobalt Strike version and all settings/types:

> list-cs-settings <path/to/file.{exe,dll,bin,dmp}>

This script produces JSON where the top-level key is the Cobalt Strike version number, which points to a mapping from setting number to information about that setting, including:

  1. length (in bytes)
  2. offset from the beginning of the config section
  3. fundamental type (short, int, str)

Contributing

Stroz Friedberg wants to work with the security community to make these open source tools the most comprehensive available for working with Cobalt Strike Beacons. If you encounter a bug, have research to share on Beacons, spot a typo in the documentation, want to request new functionality, etc. please submit an issue! If you want to contribute code or documentation to the project, please submit a PR and we will review it! Note that all contributions will be subject to the Apache-2.0 license included in the repo.

You might also like...
Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.
Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.

DOME - A subdomain enumeration tool Check the Spanish Version Dome is a fast and reliable python script that makes active and/or passive scan to obtai

Arbitrium is a cross-platform, fully undetectable remote access trojan, to control Android, Windows and Linux and doesn't require any firewall exceptions or port forwarding rules
Arbitrium is a cross-platform, fully undetectable remote access trojan, to control Android, Windows and Linux and doesn't require any firewall exceptions or port forwarding rules

About: Arbitrium is a cross-platform is a remote access trojan (RAT), Fully UnDetectable (FUD), It allows you to control Android, Windows and Linux an

Consolidating and extending hosts files from several well-curated sources. You can optionally pick extensions to block pornography, social media, and other categories.
Consolidating and extending hosts files from several well-curated sources. You can optionally pick extensions to block pornography, social media, and other categories.

Take Note! With the exception of issues and PRs regarding changes to hosts/data/StevenBlack/hosts, all other issues regarding the content of the produ

HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu

A python script to turn Ubuntu Desktop in a one stop security platform. The InfoSec Fortress installs the packages,tools, and resources to make Ubuntu 20.04 capable of both offensive and defensive security work.

infosec-fortress A python script to turn Ubuntu Desktop into a strong DFIR/RE System with some teeth (Purple Team Ops)! This is intended to create a s

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service. This tool can help a digital forensic investigator to know the context, origin of specific files during a digital forensic investigation.

compact and speedy hash cracker for md5, sha1, and sha256 hashes

hash-cracker hash cracker is a multi-functional and compact...hash cracking tool...that supports dictionary attacks against three kinds of hashes: md5

Comments
  • Can't Parse beaconing exe cobalt strike 4.5

    Can't Parse beaconing exe cobalt strike 4.5

    Why the result just "{}"? I'm using cobalt strike 4.5 and trying to parse the executor. The executor malleable C2 with apt1_virtuallythere.profile from

    image

    Malleable C2 image image

    opened by nateambringit 0
  • Add automated CD workflow to create release and push to PyPI

    Add automated CD workflow to create release and push to PyPI

    Add CD workflow that runs when push to releases/* branch that will:

    1. Create a tag with the proper release version and commit it to the repo
    2. Use the ./scripts/run.sh publish command to create a source distribution and wheel then publish to PyPI
    3. Add the source distribution and wheel as artifacts to the release in GitHub

    Separated PR should figure out best way to include release message in worfklow, perhaps from CHANGELOG file. Should we build executables for Linux and Windows too? TBD.

    enhancement ci-cd 
    opened by sf-nrubin 0
  • Add automated CI workflow

    Add automated CI workflow

    Add CI workflow to run for the following triggers:

    1. Push to master or any release tags
    2. PR to be merged into master or any release tags

    Workflow should run on Linux and Windows with Python versions 3.6, 3.7, 3.8, 3.9, and 3.10 (3.6+). Black, Pylint, MyPy, and Pytest all should exit successfully for workflow to pass.

    enhancement ci-cd 
    opened by sf-nrubin 0
Owner
Stroz Friedberg
Stroz Friedberg
Cobalt Strike < 4.4 dos CVE-2021-36798

CVE-2021-36798 CVE-2021-36798 Cobalt Strike < 4.3 dos 用法 python3 CVE-2021-36798.py BeaconURL 打瘫Cobalt Strike 只需要一个包 已测试 4.3 4.2 参考: https://labs.sent

null 37 Nov 9, 2022
Crypto Meta Extractor

Crypto Meta Extractor This repository contains the code which extracts some metadata of all the cryptocurrencies listed (>9K) on CoinMarketCap. Coding

Samyak Jain 3 Jul 3, 2022
Malware Configuration And Payload Extraction

CAPEv2 (Python3) has now been released CAPEv2 With the imminent end-of-life for Python 2 (January 1 2020), CAPEv1 will be phased out. Please upgrade t

Context Information Security 701 Dec 27, 2022
Malware Configuration And Payload Extraction

CAPE: Malware Configuration And Payload Extraction CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of mal

Kevin O'Reilly 1k Dec 30, 2022
A Feature Rich Modular Malware Configuration Extraction Utility for MalDuck

Malware Configuration Extractor A Malware Configuration Extraction Tool and Modules for MalDuck This project is FREE as in FREE ?? , use it commercial

c3rb3ru5 103 Dec 18, 2022
An interactive python script that enables root access on the T-Mobile (Wingtech) TMOHS1, as well as providing several useful utilites to change the configuration of the device.

TMOHS1 Root Utility Description An interactive python script that enables root access on the T-Mobile (Wingtech) TMOHS1, as well as providing several

null 40 Dec 29, 2022
Better-rtti-parser - IDA script to parse RTTI information in executable

RTTI parser Parses RTTI information from executable. Example HexRays decompiler view Before: After: Functions window Before: After: Structs window Ins

null 101 Jan 4, 2023
A signature parser for hikari's command handler tanjun.

tanchi A signature parser for hikari's command handler tanjun. Finally be able to define your commands without those bloody decorator chains! Example

sadru 11 Nov 17, 2022
RedDrop is a quick and easy web server for capturing and processing encoded and encrypted payloads and tar archives.

RedDrop Exfil Server Check out the accompanying MaverisLabs Blog Post Here! RedDrop Exfil Server is a Python Flask Web Server for Penetration Testers,

null 53 Nov 1, 2022
Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks.

Dependency Combobulator Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage

Apiiro 84 Dec 23, 2022