Cobalt Strike Beacon configuration extractor and parser.

Overview

Cobalt Strike Configuration Extractor and Parser

Overview

Pure Python library and set of scripts to extract and parse configurations (configs) from Cobalt Strike Beacons. The library, libcsce, contains classes for building tools to work with Beacon configs. There are also two CLI scripts included that use the library to parse Beacon config data:

  1. csce: Parses all known Beacon config settings to JSON, mimicing the Malleable C2 profile structure.
  2. list-cs-settings: Attempts to find by brute-force the associated Cobalt Strike version, and all settings/their types, of a Beacon config. This script is useful for conducting research on Beacon samples.

Installation

Install from Pypi (preferred method)

> pip install libcsce

Install from GitHub with Pip

> pip install git+ssh://[email protected]/strozfriedberg/cobaltstrike-config-extractor.git#egg=libcsce

Install from Cloned Repo

> git clone ssh://g[email protected]/strozfriedberg/cobaltstrike-config-extractor.git
> cd libcsce
> pip install .

Dependencies

The only external non-development dependency is pefile, which is required to decrypt Beacon configs from the .data section of PE files. Requires Python 3.6+.

Development dependencies include those specified in pyproject.toml as well as:

Getting Started

csce

Both of the CLI scripts support extracting Beacon configs from PE files (DLLs/EXEs) and memory dumps where a Beacon was running. To parse a Beacon PE file to JSON, use csce:

> csce --pretty <path/to/file.{exe,dll,bin,dmp}>

By default, the script will try to parse the Beacon as version 3 and, if that fails, try version 4. You can specify a version manually via the -v flag to save cycles if you know the Beacon is version 4 (using -v 3 doesn't technically save cycles because the script tries that version first by default).

list-cs-settings

To discover new settings and while conducting research, sometimes it's useful to extract all possible settings and their types from a Beacon sample. Use list-cs-settings to detect by brute-force the Cobalt Strike version and all settings/types:

> list-cs-settings <path/to/file.{exe,dll,bin,dmp}>

This script produces JSON where the top-level key is the Cobalt Strike version number, which points to a mapping from setting number to information about that setting, including:

  1. length (in bytes)
  2. offset from the beginning of the config section
  3. fundamental type (short, int, str)

Contributing

Stroz Friedberg wants to work with the security community to make these open source tools the most comprehensive available for working with Cobalt Strike Beacons. If you encounter a bug, have research to share on Beacons, spot a typo in the documentation, want to request new functionality, etc. please submit an issue! If you want to contribute code or documentation to the project, please submit a PR and we will review it! Note that all contributions will be subject to the Apache-2.0 license included in the repo.

Owner
Stroz Friedberg
Stroz Friedberg
A collection of over 5.1 million sub-domains and assets belonging to public bug bounty programs, compiled into a repo, for performing bulk operations.

📂 Public Bug Bounty Targets Data By BugBountyResources A collection of over 5.1M sub-domains and assets belonging to bug bounty targets, all put in a

Bug Bounty Resources 87 Dec 13, 2022
Trainspotting - Python Dependency Injector based on interface binding

Choose dependency injection Friendly with MyPy Supports lazy injections Supports

avito.tech 3 Jan 26, 2022
Simple script to have LDAP authentication in Home Assistant Docker, using NGINX's ldap-auth container

Home Assistant LDAP Auth Simple script to have LDAP authentication in Home Assistant Docker, using NGINX's ldap-auth container. Usage Deploy NGINX's l

Erik 1 Sep 21, 2022
Worm/Trojan/Ransomware/apt/Rootkit/Virus Database

Pestilence - The Malware Database [] Screenshot Pestilence is a project created to make the possibility of malware analysis open and available to the

*ERR0R* 47 Dec 21, 2022
Gmail Accounts Hacking

gmail-hack Gmail Accounts Hacking Gemail-Hack python script for Hack gmail account brute force What is brute force attack? In brute force attack,scrip

Aryan 25 Nov 10, 2022
RedTeam-Security - In this repo you will get the information of Red Team Security related links

OSINT Passive Discovery Amass - https://github.com/OWASP/Amass (Attack Surface M

Abhinav Pathak 5 May 18, 2022
Discord exploit allowing you to be unbannable.

Discord-Ban-Immunity Discord exploit allowing you to be unbannable. 9/3/2021 Found in late August. Found by Passive and Me. Explanation If a user gets

orlando 9 Nov 23, 2022
Statistical Random Number Generator Attack Against The Kirchhoff-law-johnson-noise (Kljn) Secure Key Exchange Protocol

Statistical Random Number Generator Attack Against The Kirchhoff-law-johnson-noise (Kljn) Secure Key Exchange Protocol

zeze 1 Jan 13, 2022
Looks at Python code to search for things which look "dodgy" such as passwords or diffs

dodgy Dodgy is a very basic tool to run against your codebase to search for "dodgy" looking values. It is a series of simple regular expressions desig

Landscape 112 Nov 25, 2022
A gui application used for network reconnaissance while pentesting

netrecon A gui application used for network reconnaissance while pentesting

Krisna Pranav 4 Sep 03, 2022
Python DNS Lookup: The Domain Name System (DNS) is basically the phonebook of the Internet

-Python-DNS-Lookup- ✨ 🌟 Python DNS Lookup ✨ 🌟 The Domain Name System (DNS) is

Ronnie Atuhaire 2 Feb 14, 2022
Natas teaches the basics of serverside web-security.

over-the-wire-natas Natas teaches the basics of serverside web-security. Each level of natas consists of its own website located at http://natasX.nata

Siddhant Chouhan 1 Nov 27, 2021
Separate handling of protected media in Django, with X-Sendfile support

Django Protected Media Django Protected Media is a Django app that manages media that are considered sensitive in a protected fashion. Not only does t

Cobus Carstens 46 Nov 12, 2022
🎻 Modularized exploit generation framework

Modularized exploit generation framework for x86_64 binaries Overview This project is still at early stage of development, so you might want to come b

ᴀᴇꜱᴏᴘʜᴏʀ 30 Jan 17, 2022
Make your own huge Wordlist with advanced options

#It's my first tool i hope to be useful for everyone, Make your own huge Wordlist with advanced options, You need python3 to run this tool, If you hav

0.1Arafa 6 Dec 08, 2022
Open Source Tool - Cybersecurity Graph Database in Neo4j

GraphKer Open Source Tool - Cybersecurity Graph Database in Neo4j |G|r|a|p|h|K|e|r| { open source tool for a cybersecurity graph database in neo4j } W

Adamantios - Marios Berzovitis 27 Dec 06, 2022
Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than F

Christopher Roberts 3 Nov 16, 2021
KeyLogger

By-Emirhan KeyLogger Hangi Sistemlerde Çalışır? | On Which Systems Does It Work? KALİ LİNUX UBUNTU PARDUS MİNT TERMUX ARCH YÜKLEME & ÇALIŞTIRMA KOMUTL

2 Feb 24, 2022
Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints.

jolokia-exploitation-toolkit Jolokia Exploitation Toolkit (JET) helps exploitation of exposed jolokia endpoints. Core concept Jolokia is a protocol br

Laluka 194 Jan 01, 2023
A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.

A simple python script to dump remote files through a local file read or local file inclusion web vulnerability. Features Dump a single file w

Podalirius 48 Dec 03, 2022