a Python library for dissecting Cobalt Strike-related data
Project description
dissect.cobaltstrike is a Python library for dissecting and parsing Cobalt Strike-related data such as beacon payloads and Malleable C2 Profiles.
Installation
The library is available on PyPI. Use pip to install it:
$ pip install dissect.cobaltstrike
dissect.cobaltstrike requires Python 3.6 or later.
Documentation
The project documentation can be found here: https://dissect-cobaltstrike.readthedocs.io
Basic Usage
Parse a Cobalt Strike beacon and extract some config settings:
>>> from dissect.cobaltstrike.beacon import BeaconConfig
>>> bconfig = BeaconConfig.from_path("beacon.bin")
>>> hex(bconfig.watermark)
'0x5109bf6d'
>>> bconfig.protocol
'https'
>>> bconfig.version
<BeaconVersion 'Cobalt Strike 4.2 (Nov 06, 2020)', tuple=(4, 2), date=2020-11-06>
>>> bconfig.settings
mappingproxy({'SETTING_PROTOCOL': 8,
              'SETTING_PORT': 443,
              'SETTING_SLEEPTIME': 5000,
              'SETTING_MAXGET': 1048576,
              'SETTING_JITTER': 0, ...
>>> bconfig.settings["SETTING_C2_REQUEST"]
[('_HEADER', b'Connection: close'),
 ('_HEADER', b'Accept-Language: en-US'),
 ('BUILD', 'metadata'),
 ('MASK', True),
 ('BASE64', True),
 ('PREPEND', b'wordpress_ed1f617bbd6c004cc09e046f3c1b7148='),
 ('HEADER', b'Cookie')]
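The SETTING_C2_REQUEST list above is the Malleable C2 transform chain the beacon applies to its (RSA-encrypted) metadata before placing it in the Cookie header. The following is an added example, not code from dissect.cobaltstrike, that applies that chain and reverses it with only the standard library, so an analyst can recover the metadata blob from a captured header value. It assumes the documented Malleable C2 meaning of mask (a 4-byte random XOR key prepended to the masked data), and the names encode_metadata and decode_metadata are this example's own.

```python
import base64
import os
# Transform chain as dissect.cobaltstrike returns it in bconfig.settings["SETTING_C2_REQUEST"] (from the README output above).
SAMPLE_C2_REQUEST = [
    ("_HEADER", b"Connection: close"),
    ("_HEADER", b"Accept-Language: en-US"),
    ("BUILD", "metadata"),
    ("MASK", True),
    ("BASE64", True),
    ("PREPEND", b"wordpress_ed1f617bbd6c004cc09e046f3c1b7148="),
    ("HEADER", b"Cookie"),
]
def _xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_metadata(steps, blob, mask_key=None):
    """Apply the chain as the beacon does -> (static_headers, header_name, header_value).
    'mask' = 4 random XOR key bytes prepended to the masked data (assumed Malleable C2 semantics)."""
    static, data = [], blob
    for op, arg in steps:
        if op == "_HEADER":          # fixed header sent with every request
            static.append(arg)
        elif op == "MASK" and arg:
            key = mask_key or os.urandom(4)   # a fixed key is only for deterministic tests
            data = key + _xor(data, key)
        elif op == "BASE64" and arg:
            data = base64.b64encode(data)
        elif op == "PREPEND":
            data = arg + data
        elif op == "HEADER":         # terminator: data travels in this header
            return static, arg, data
        elif op != "BUILD":          # BUILD only names what is being built
            raise ValueError(f"unsupported transform step {op!r}")
    raise ValueError("chain has no terminating HEADER step")

def decode_metadata(steps, header_value):
    """Undo the chain in reverse to recover the blob from a captured header value.
    In real traffic the result is still RSA-encrypted with the C2 public key (not plaintext)."""
    data = header_value
    for op, arg in reversed(steps):
        if op == "PREPEND":
            if not data.startswith(arg):
                raise ValueError("header value lacks the expected prefix")
            data = data[len(arg):]
        elif op == "BASE64" and arg:
            data = base64.b64decode(data, validate=True)
        elif op == "MASK" and arg:   # first 4 bytes are the XOR key
            data = _xor(data[4:], data[:4])
    return data
```

Because the mask key travels with the data, decode_metadata needs no key material; a prefix mismatch or invalid base64 raises instead of returning garbage.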
Parse a Malleable C2 Profile and read some configuration settings:
>>> from dissect.cobaltstrike.c2profile import C2Profile
>>> profile = C2Profile.from_path("amazon.profile")
>>> profile.as_dict()
{'sleeptime': ['5000'],
 'jitter': ['0'],
 'maxdns': ['255'],
 'useragent': ['Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'],
 'http-get.uri': ['/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'],
 'http-get.client.header': [('Accept', '*/*'), ('Host', 'www.amazon.com')],
 ...
}
>>> profile.properties["useragent"]
['Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko']
>>> profile.properties["http-get.uri"]
['/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books']
License
dissect.cobaltstrike is developed and distributed under the MIT license.
Download files
Source Distribution: dissect.cobaltstrike-0.2.0.tar.gz (51.2 kB)
Built Distribution: dissect.cobaltstrike-0.2.0-py3-none-any.whl