Cobalt Strike Beacon configuration extractor and parser.

Overview

Cobalt Strike Configuration Extractor and Parser

Overview

Pure Python library and set of scripts to extract and parse configurations (configs) from Cobalt Strike Beacons. The library, libcsce, contains classes for building tools to work with Beacon configs. There are also two CLI scripts included that use the library to parse Beacon config data:

  1. csce: Parses all known Beacon config settings to JSON, mimicing the Malleable C2 profile structure.
  2. list-cs-settings: Attempts to find by brute-force the associated Cobalt Strike version, and all settings/their types, of a Beacon config. This script is useful for conducting research on Beacon samples.

Installation

Install from Pypi (preferred method)

> pip install libcsce

Install from GitHub with Pip

> pip install git+ssh://[email protected]/strozfriedberg/cobaltstrike-config-extractor.git#egg=libcsce

Install from Cloned Repo

> git clone ssh://g[email protected]/strozfriedberg/cobaltstrike-config-extractor.git
> cd libcsce
> pip install .

Dependencies

The only external non-development dependency is pefile, which is required to decrypt Beacon configs from the .data section of PE files. Requires Python 3.6+.

Development dependencies include those specified in pyproject.toml as well as:

Getting Started

csce

Both of the CLI scripts support extracting Beacon configs from PE files (DLLs/EXEs) and memory dumps where a Beacon was running. To parse a Beacon PE file to JSON, use csce:

> csce --pretty <path/to/file.{exe,dll,bin,dmp}>

By default, the script will try to parse the Beacon as version 3 and, if that fails, try version 4. You can specify a version manually via the -v flag to save cycles if you know the Beacon is version 4 (using -v 3 doesn't technically save cycles because the script tries that version first by default).

list-cs-settings

To discover new settings and while conducting research, sometimes it's useful to extract all possible settings and their types from a Beacon sample. Use list-cs-settings to detect by brute-force the Cobalt Strike version and all settings/types:

> list-cs-settings <path/to/file.{exe,dll,bin,dmp}>

This script produces JSON where the top-level key is the Cobalt Strike version number, which points to a mapping from setting number to information about that setting, including:

  1. length (in bytes)
  2. offset from the beginning of the config section
  3. fundamental type (short, int, str)

Contributing

Stroz Friedberg wants to work with the security community to make these open source tools the most comprehensive available for working with Cobalt Strike Beacons. If you encounter a bug, have research to share on Beacons, spot a typo in the documentation, want to request new functionality, etc. please submit an issue! If you want to contribute code or documentation to the project, please submit a PR and we will review it! Note that all contributions will be subject to the Apache-2.0 license included in the repo.

Owner
Stroz Friedberg
Stroz Friedberg
Script Crack Facebook Yang Kaya Akan Teh Hijau 🚶‍♂

r-mbf Script Crack Facebook 🚶‍♂ Bukti Recode [•] Install Script $ pkg update && pkg upgrade $ pkg install python $ pkg install git $ pip install requ

O'Hayo Smrn 3 Apr 02, 2022
To explore creating an application that detects available connections at once from wifi and bluetooth

Signalum A Linux Package to detect and analyze existing connections from wifi and bluetooth. Also checkout the Desktop Application. Signalum Installat

BISOHNS 56 Mar 03, 2021
This is an injection tool that can inject any xposed modules apk into the debug android app

This is an injection tool that can inject any xposed modules apk into the debug android app, the native code in the xposed module can also be injected.

Windy 32 Nov 05, 2022
Detection tool of malware(s) by checksum (useful for forensic)

🐍 malware_checker.py Detection tool of malware(s) by checksum (useful for forensic) 📦 Dependencies installation $ pip3 install -r requirements.txt

Fayred 1 Jan 30, 2022
Log4j2 intranet scan

Log4j2-intranet-scan ⚠️ 免责声明 本项目仅面向合法授权的企业安全建设行为,在使用本项目进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权 如您在使用本项目的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任 在使用本项目前,请您务

k3rwin 16 Dec 19, 2022
Open source vulnerability DB and triage service.

OSV - Open Source Vulnerabilities OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source

Google 893 Jan 04, 2023
TightVNC Vulnerability.

CVE-2022-23967 In TightVNC 1.3.10, there is an integer signedness error and resultant heap-based buffer overflow in InitialiseRFBConnection in rfbprot

MaherAzzouzi 15 Jul 11, 2022
Client script for the fisherman phishing tool

Client script for the fisherman phishing tool

Pushkar Raj 1 Feb 23, 2022
You can manage your password with this program.

You must have Python compilers in order to run this program. First of all, download the compiler in the link.

Mustafa Bahadır Doğrusöz 6 Aug 07, 2021
✨ Powerfull & Universal Link Bypasser ✨

✨ Powerfull & Universal Link Bypasser ✨

Vodkarm06 4 Jun 03, 2022
Red Team Toolkit is an Open-Source Django Offensive Web-App which is keeping the useful offensive tools used in the red-teaming together.

RedTeam Toolkit Note: Only legal activities should be conducted with this project. Red Team Toolkit is an Open-Source Django Offensive Web-App contain

Mohammadreza Sarayloo 382 Jan 01, 2023
A Feature Rich Modular Malware Configuration Extraction Utility for MalDuck

Malware Configuration Extractor A Malware Configuration Extraction Tool and Modules for MalDuck This project is FREE as in FREE 🍺 , use it commercial

c3rb3ru5 103 Dec 18, 2022
A gui application used for network reconnaissance while pentesting

netrecon A gui application used for network reconnaissance while pentesting

Krisna Pranav 4 Sep 03, 2022
QHack-2022 - Solutions to the Coding Challenges of QHack 2022

QHack 2022 Problems from Coding Challenges 2022. Rules and how it works To test

Isacco Gobbi 1 Feb 14, 2022
This repository will contain python scripts for hackers and pentesters

This repository will contain python scripts for hackers and pentesters. stop being limited with availble tools. Build your own.

0xTRAW 24 Nov 29, 2022
Chrome Post-Exploitation is a client-server Chrome exploit to remotely allow an attacker access to Chrome passwords, downloads, history, and more.

ChromePE [Linux/Windows] Chrome Post-Exploitation is a client-server Chrome exploit to remotely allow an attacker access to Chrome passwords, download

Finn Lancaster 3 Oct 05, 2022
This exploit allows to connect to the remote RemoteMouse 3.008 service to virtually press arbitrary keys and execute code on the machine.

RemoteMouse-3.008-Exploit The RemoteMouse application is a program for remotely controlling a computer from a phone or tablet. This exploit allows to

Podalirius 25 Dec 04, 2022
SEBUAH TOOLS TERMUX CRACK AKUN FF HOMKI AKUN EPEP DAH SATU FOLLOW AE YA BROO AWOKWOK

print " INSTALL TOOLS " $ pkg update && upgrade $ pkg install python2 $ pkg install git $ pip2 install lolcat $ pip2 install bs4 $ pip2 install reques

Jeeck 2 Nov 29, 2021
Fast subdomain scanner, Takes arguments from a Json file ("args.json") and outputs the subdomains.

Fast subdomain scanner, Takes arguments from a Json file ("args.json") and outputs the subdomains. File Structure core/ colors.py db/ wordlist.txt REA

whoami security 4 Jul 02, 2022
Unicode fuzzer for various purposes

UnicodeToy Unicode fuzzer for various purposes Unicode based on version 14.0 features Generate the shortest xss domain payload Generate unicode str, u

33 Nov 27, 2022