a Python library for dissecting Cobalt Strike related data
Project description
dissect.cobaltstrike is a Python library for dissecting and parsing Cobalt Strike related data such as beacon payloads and Malleable C2 Profiles.
Installation
The library is available on PyPI. Use pip to install it:
$ pip install dissect.cobaltstrike
dissect.cobaltstrike requires Python 3.6 or later.
Documentation
The project documentation can be found here: https://dissect-cobaltstrike.readthedocs.io
Basic Usage
Parse a Cobalt Strike beacon and extract some config settings:
>>> from dissect.cobaltstrike.beacon import BeaconConfig
>>> bconfig = BeaconConfig.from_path("beacon.bin")
>>> hex(bconfig.watermark)
'0x5109bf6d'
>>> bconfig.protocol
'https'
>>> bconfig.version
<BeaconVersion 'Cobalt Strike 4.2 (Nov 06, 2020)', tuple=(4, 2), date=2020-11-06>
>>> bconfig.settings
mappingproxy({'SETTING_PROTOCOL': 8,
'SETTING_PORT': 443,
'SETTING_SLEEPTIME': 5000,
'SETTING_MAXGET': 1048576,
'SETTING_JITTER': 0, ...
>>> bconfig.settings["SETTING_C2_REQUEST"]
[('_HEADER', b'Connection: close'),
('_HEADER', b'Accept-Language: en-US'),
('BUILD', 'metadata'),
('MASK', True),
('BASE64', True),
('PREPEND', b'wordpress_ed1f617bbd6c004cc09e046f3c1b7148='),
('HEADER', b'Cookie')]Parse a Malleable C2 Profile and read some configuration settings:
>>> from dissect.cobaltstrike.c2profile import C2Profile
>>> profile = C2Profile.from_path("amazon.profile")
>>> profile.as_dict()
{'sleeptime': ['5000'],
'jitter': ['0'],
'maxdns': ['255'],
'useragent': ['Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'],
'http-get.uri': ['/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'],
'http-get.client.header': [('Accept', '*/*'), ('Host', 'www.amazon.com')],
...
}
>>> profile.properties["useragent"]
['Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko']
>>> profile.properties["http-get.uri"]
['/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books']License
dissect.cobaltstrike is developed and distributed under the MIT license.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
dissect.cobaltstrike-0.2.0.tar.gz
(51.2 kB
view hashes)
Built Distribution
Close
Hashes for dissect.cobaltstrike-0.2.0.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | c1feaa37c4065674565e041b7a953df1643cbe8cfbdb4cab82f59dc7d6fb4a9a |
|
| MD5 | ce8e591364369f9e1c555638800653c3 |
|
| BLAKE2b-256 | eaf2947eb378d50cb19ee2ac3d235ec7c9c6a38ca3d457a839ca9879fdbc6d3b |
Close
Hashes for dissect.cobaltstrike-0.2.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | fac0bc0872c2b27dedd5461eb26c5ca0a8dfa698e78c2450fb2fda55e2055868 |
|
| MD5 | 7ef4561d942f89765069a697f9314301 |
|
| BLAKE2b-256 | 1dca5f40cbd293c4f7c40d3a0d69e32578136e919884cbb4c5ed23afe513f564 |
