Cobalt Strike Beacon configuration extractor and parser.

Overview

Cobalt Strike Configuration Extractor and Parser

Overview

Pure Python library and set of scripts to extract and parse configurations (configs) from Cobalt Strike Beacons. The library, libcsce, contains classes for building tools to work with Beacon configs. There are also two CLI scripts included that use the library to parse Beacon config data:

  1. csce: Parses all known Beacon config settings to JSON, mimicing the Malleable C2 profile structure.
  2. list-cs-settings: Attempts to find by brute-force the associated Cobalt Strike version, and all settings/their types, of a Beacon config. This script is useful for conducting research on Beacon samples.

Installation

Install from Pypi (preferred method)

> pip install libcsce

Install from GitHub with Pip

> pip install git+ssh://[email protected]/strozfriedberg/cobaltstrike-config-extractor.git#egg=libcsce

Install from Cloned Repo

> git clone ssh://g[email protected]/strozfriedberg/cobaltstrike-config-extractor.git
> cd libcsce
> pip install .

Dependencies

The only external non-development dependency is pefile, which is required to decrypt Beacon configs from the .data section of PE files. Requires Python 3.6+.

Development dependencies include those specified in pyproject.toml as well as:

Getting Started

csce

Both of the CLI scripts support extracting Beacon configs from PE files (DLLs/EXEs) and memory dumps where a Beacon was running. To parse a Beacon PE file to JSON, use csce:

> csce --pretty <path/to/file.{exe,dll,bin,dmp}>

By default, the script will try to parse the Beacon as version 3 and, if that fails, try version 4. You can specify a version manually via the -v flag to save cycles if you know the Beacon is version 4 (using -v 3 doesn't technically save cycles because the script tries that version first by default).

list-cs-settings

To discover new settings and while conducting research, sometimes it's useful to extract all possible settings and their types from a Beacon sample. Use list-cs-settings to detect by brute-force the Cobalt Strike version and all settings/types:

> list-cs-settings <path/to/file.{exe,dll,bin,dmp}>

This script produces JSON where the top-level key is the Cobalt Strike version number, which points to a mapping from setting number to information about that setting, including:

  1. length (in bytes)
  2. offset from the beginning of the config section
  3. fundamental type (short, int, str)

Contributing

Stroz Friedberg wants to work with the security community to make these open source tools the most comprehensive available for working with Cobalt Strike Beacons. If you encounter a bug, have research to share on Beacons, spot a typo in the documentation, want to request new functionality, etc. please submit an issue! If you want to contribute code or documentation to the project, please submit a PR and we will review it! Note that all contributions will be subject to the Apache-2.0 license included in the repo.

Owner
Stroz Friedberg
Stroz Friedberg
Advanced subdomain scanner, any domain hidden subdomains

little advanced subdomain scanner made in python, works very quick and has options to change the port u want it to connect for

Nano 5 Nov 23, 2021
Deltaspy - an advanced keylogger that can send keylogs and screenshots to gmail

Deltaspy Deltaspy is a advanced keylogger which sends keylogs and screenshot to

Praanesh S 1 Dec 31, 2021
hackinsta: a program to hack instagram

hackinsta a program to hack instagram Yokoback_(instahack) is the file to open, you need libraries write on import. You run that file in the same fold

1 Dec 04, 2021
Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API

ScratchABit is an interactive incremental disassembler with data/control flow analysis capabilities. ScratchABit is dedicated to the effor

Paul Sokolovsky 380 Dec 28, 2022
A simple subdomain scanner in python

Subdomain-Scanner A simple subdomain scanner in python ✨ Features scans subdomains of a domain thats it! 💁‍♀️ How to use first download the scanner.p

Portgas D Ace 2 Jan 07, 2022
Python tool for enumerating directories and for fuzzing

Python tool for enumerating directories and for fuzzing

Gourab Roy 5 Feb 21, 2022
👑 Discovery Header DoD Bug-Bounty

👑 Discovery Header DoD Bug-Bounty Did you know that DoD accepts server headers? 😲 (example: apache"version" , php"version") ? In this code it is pos

KingOfTips 38 Aug 09, 2022
ssh-audit is a tool for ssh server & client configuration auditing.

SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

Joe Testa 1.4k Dec 31, 2022
RCE Exploit for Gitlab < 13.9.4

GitLab-Wiki-RCE RCE Exploit for Gitlab 13.9.4 RCE via unsafe inline Kramdown options when rendering certain Wiki pages Allows any user with push acc

Enox 52 Nov 09, 2022
CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection

CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection Usage usage: cve-2021-26084_confluence_rce.py [-h] --url URL [--cmd CMD] [--shell] CVE-2021-2

r0cky 92 Jul 20, 2022
A simple python script for hosting a Snowflake Proxy in your python program or with it's standalone cli

snowflake-cli Snowflake is a system to defeat internet censorship, made by Tor Project. The system works by volunteers who run the snowflake extension

Guilherme Paixão 6 Jul 14, 2022
Tools for investigating Log4j CVE-2021-44228

Log4jTools Tools for investigating Log4j CVE-2021-44228 FetchPayload.py (Get java payload from ldap path provided in JNDI lookup). Example command: Re

MalwareTech 91 Dec 29, 2022
A hack for writing switch statements with type annotations in Python.

py_annotation_switch A hack for writing switch statements in type annotations for Python. Why should I use this? You most definitely should not use th

6 Oct 17, 2021
Tool To generate Stable Undetected Payload

windowsPayload Tool To generate Stable Undetected Payload Don t Upload to Virus Total :) Follow on Social Media Platforms ScreenShots How to install +

youhacker55 117 Dec 30, 2022
It's a simple tool for test vulnerability shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to ex

Mr. Cl0wn - H4ck1ng C0d3r 88 Dec 23, 2022
一个自动挖掘漏洞的框架,日后会发展成强大的信息收集+漏洞挖掘脚本!

介绍 工具介绍 这是一款致力于将各类优秀脚本集合在一起调用、联动,最终可形成超级渗透脚本的工具。目的是扫描到更全的资产信息,发现更多的漏洞利用。但是这是通过牺牲扫描速度来提升扫描广度的。所以不太适合要进行紧急信息收集和漏洞利用的情况。

Thinking rookie 23 Jul 05, 2022
A simple linux keylogger project.

The project This project is a simple linux keylogger. When activated, it registers all the actions made with the keyboard. The log files are registere

1 Oct 24, 2021
对安卓APP注入MSF PAYLOAD,并且对手机管家进行BYPASS。

520_APK_HOOK 介绍 将msf生成的payload,注入到一个正常的apk文件中,重新打包后进行加固,bypass手机安全管家的检测。 项目地址: https://github.com/cleverbao/520apkhook 作者: BaoGuo 优点 相比于原始的msf远控,此版本ap

BaoGuo 368 Jan 02, 2023
EMBArk - The firmware security scanning environment

Embark is being developed to provide the firmware security analyzer emba as a containerized service and to ease accessibility to emba regardless of system and operating system.

emba 175 Dec 14, 2022
Mips script decompiles MIPS assembly instructions & bot functionality

mips mips is a python-based script that decodes MIPS instructions. Usage cd into mips and run python decode.py command or open decode.py to run the sc

Anthony Tedja 0 Mar 30, 2022