sentinel-one / cobaltstrikeparser Goto Github PK
View Code? Open in Web Editor NEWLicense: Other
cobaltstrikeparser's People
Contributors
Stargazers
Watchers
Forkers
hackinglz askyeye bigbrobro gavz wolfking2 preventions jack51706 leftp c0axx rvrsh3ll killvxk atropineal invokethreatguy zone009 chased9166 lt-src raystyle usualsuspect akpotter cutff 5m477 kmwin fdlucifer credteam bcp-infosec-repo amjiyu insolent-m1nx patroclica dycsy bhassani superuser5 myhkho schrodyn rv0p111 litchi125 avgirl poppopdrivel sixdub benny33 binlmmhc ls-wen starkchristmas listenquiet onesorzer0es dickchan12 tai-rex nbareil peta909 dasdboot nighttardis explore-c 0ccupi3r leaptrutime pypypy123 svch0stz tropicaligloo want2live233 newmsk crackercat yougar0 whiteeyehansel gdraperi venkat2402 nexusfuzzy yumusb 1amfine2333 yusuke-kubo flynnoverflow matosdiego securityanalysts 5l1v3r1 traxsw grayddq dk47os3r darksidesfear 8l4nk kernweak stuckinvim-forever lzb960827 ramen-king kai0sec evi1hack drakearonhalt tttttint redwifiteam pisut4152 blasterxiao johnhubcr anhnh121 jaygith hzdwang akiyamaliet sigma-random ashleykellyforensics ilifelog r0th-m hanabi-client startagain2016 kn6869610 sunsetrcobaltstrikeparser's Issues
Feature Request: Extract Public Key
Hello,
I've noticed that a few other CS config parsers are able to extract the public key from within the beacon. For the following sample:
https://www.virustotal.com/gui/file/742a06efbebca717271b6beda1ff4a22f6f0be6acda9590ab32b38e1d5721140/detection
Processed through Tek's parser (https://github.com/Te-k/cobaltstrike), returns:
dns False
ssl True
port 443
.sleeptime 60000
.http-get.server.output 00000004000000010000017700000001000000fa0000000200000004000000020000001c000000020000002400000002000000120000000200000004000000020000001c0000000200000024000000020000001100000002000000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.jitter 15
.maxdns 255
publickey 30819f300d06092a864886f70d010101050003818d0030818902818100aef69a6fb8f21092c01a95cbdcac0f03f79738adecda36cffc6c5cf607943e72663865f8f69d84961910201ffde089b24cd4352c766414d0665537956b8ec8f4e23df0cd79e9284c16c899fde818758a22c53947e3dd52f440be86f71cdf8abb79adb3b8afaf9f80af028d823f1d70fcdbb34b0b5f5293f74dbb184a3c9109f3020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.http-get.uri 156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/
.user-agent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)
.http-post.uri /mail/u/0/
.http-get.client OSID=Cookie
GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
ui=d3244c4707ient
hop=6928632 start=0
=Content-Type: application/x-www-form-urlencoded;charset=utf-8OSID=Cookie
.spawto
.post-ex.spawnto_x86 %windir%\syswow64\notepad.exe
.post-ex.spawnto_x64 %windir%\sysnative\notepad.exe
.pipename
.cryptoscheme 0
.dns_idle 134743044
.dns_sleep 0
.http-get.verb GET
.http-post.verb POST
shouldChunkPosts 0
.watermark 305419896
.stage.cleanup 0
CFGCaution 0
host_header
cookieBeacon 1
.proxy_type 2
funk 0
killdate 0
text_section 0
process-inject-start-rwx 64
process-inject-use-rwx 64
process-inject-min_alloc 0
process-inject-transform-x86
process-inject-transform-x64
process-inject-stub a56c813864af878a4c10083ca1578e0a
process-inject-execute
process-inject-allocation-method 0
The key is also extracted by Didier's 1768 parser: https://blog.didierstevens.com/2020/11/07/1768-k/
Finally, SpawnTo is extracted as "AAAAAAAAAAAAAAAAAAAAAA==", is this being parsed correctly, if at all?
Many thanks!
Non existing file problem.
Hi team,
Thanks for the interesting solution.
When I provide non existing file path, I am getting:
[-] Failed to find any beacon configuration
Shouldn't is say "Non existing file"?
communication_poc.py Forgot to deal with Port
function register_beacon When non-port 80 Unable to go online Can be used directly conf['Port'] get Beacon Port
Does not work with x64.beacon
MD5:00004362f5f0ab88730db31c1a168186
UnicodeDecodeError / Punycode
Getting the following error when attempting to parse a Beacon:
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf6 in position 0: invalid start byte
MD5 3d919f663d6201c66572ee4510699864
SHA-1 7bd34858fcce27bc7ac6149b033e535ae6ba4152
SHA-256 c69c750a2dda1a73b7e0c2e8c85db2a71315ebb6e137d17d7aa293a766058332
pDNS
xn--sf-eka[.]digital
vpn2[.]xn--sf-eka[.]digital
certificate[.]xn--sf-eka[.]digital
xn--sf-1ja[.]digital
community[.]xn--sf-eka[.]digital
dev[.]xn--sf-eka[.]digital
learninghub[.]xn--sf-eka[.]digital
signature[.]xn--sf-eka[.]digital
The umlaut appears to be causing the issue: ösf[.]digital.
First time seeing this type of error.
unexpected output of recent NOBELIUM samples
Description
Today, a CISA Mawlare Analysis Report was released which details the CS Beacon config of ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c and provides a config (detailed below in Expected Output) which is different than the config extract when running parse_beacon_config.py
Most fields are missing, thought it almost gets some of the fields, it seems to be missing a few while others appear to be jumbled.
Actual Output
> python parse_beacon_config.py 7edf943ed251fa480c5ca5abb2446c75
BeaconType - Not Found
Port - 187
SleepTime - Not Found
MaxGetSize - Not Found
Jitter - Not Found
MaxDNS - Not Found
PublicKey_MD5 - Not Found
C2Server - Not Found
UserAgent - Not Found
HttpPostUri - j/uqre-y.3.3.2im.nowff2
Malleable_C2_Instructions - Not Found
HttpGet_Metadata - Not Found
HttpPost_Metadata - Not Found
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
SSH_Banner -
HttpGet_Verb - EGT
HttpPost_Verb - OPTS
HttpPostChunk - 0
Spawnto_x86 - w%niid%rs\syow6w\4ldhlso.txee
Spawnto_x64 - w%niid%rs\syanitevd\llohtse.ex
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark - 610669
bStageCleanup - Not Found
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - False
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 0
ProcInject_PrependAppend_x86 - Not Found
ProcInject_PrependAppend_x64 - Not Found
ProcInject_Execute - Not Found
ProcInject_AllocationMethod - NtMapViewOfSection
bUsesCookies - True
HostHeader -
headersToRemove - Not Found
DNS_Beaconing - Not Found
DNS_get_TypeA - Not Found
DNS_get_TypeAAAA - Not Found
DNS_get_TypeTXT - Not Found
DNS_put_metadata - Not Found
DNS_put_output - Not Found
DNS_resolver - Not Found
DNS_strategy - Not Found
DNS_strategy_rotate_seconds - Not Found
DNS_strategy_fail_x - Not Found
DNS_strategy_fail_seconds - Not Found
Expected Output
(From CISA report)
--Begin configuration data--
BeaconType - Not Found
Port - 187
SleepTime - Not Found
MaxGetSize - Not Found
Jitter - Not Found
MaxDNS - Not Found
PublicKey_MD5 - Not Found
C2Server - dataplane.theyardservice[.]com,/jquery-3.3.1.min.woff2,cdn.theyardservice[.]com,/jquery-3.3.1.min.woff2,static.theyardservice[.]com,/jquery-3.3.1.min.woff2,worldhomeoutlet[.]com,/jquery-3.3.1.min.woff2
UserAgent - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri - /jquery-3.3.2.min.woff2
Malleable_C2_Instructions - Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
HttpGet_Metadata - Metadata
mask
base64url
prepend "_cfuid="
header "Cookie"
HttpPost_Metadata - SessionId
mask
base64url
parameter "_cfuid"
Output
mask
base64url
print
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
SSH_Banner -
HttpGet_Verb - GET
HttpPost_Verb - POST
HttpPostChunk - 0
Spawnto_x86 - %windir%\syswow64\dllhost.exe
Spawnto_x64 - %windir%\sysnative\dllhost.exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark - 1359593325
bStageCleanup - True
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - False
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 0
ProcInject_PrependAppend_x86 - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
Empty
ProcInject_PrependAppend_x64 - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
Empty
ProcInject_Execute - ntdll:RtlUserThreadStart
CreateThread
NtQueueApcThread-s
CreateRemoteThread
RtlCreateUserThread
ProcInject_AllocationMethod - NtMapViewOfSection
bUsesCookies - True
HostHeader -
headersToRemove - Not Found
DNS_Beaconing - Not Found
DNS_get_TypeA - Not Found
DNS_get_TypeAAAA - Not Found
DNS_get_TypeTXT - Not Found
DNS_put_metadata - Not Found
DNS_put_output - Not Found
DNS_resolver - Not Found
DNS_strategy - Not Found
DNS_strategy_rotate_seconds - Not Found
DNS_strategy_fail_x - Not Found
DNS_strategy_fail_seconds - Not Found
Does it works with updated CS version?
It's unable to parse CS v4 configuration. Is this issue depend on START_PATTERN variable that needs to be updated?
unexpected output of recent NOBELIUM samples
error line 38
Hi all,
I am trying to use this parser and it is erroring with the following:
File "parse_beacon_config.py", line 38
print(msg, end=end)
^
Please advise as to a fix, as I am unsure on what to try change at the moment. Any assistance will be greatly appreciated, and hope I can help contribute to at same stage.
Port and Sleep Settings reported incorrectly for CS4 beacon
Hi,
Thanks for releasing this tool. Testing it across a couple of samples shows a few incorrectly reported settings for a CS4.0 memory dump:
Port - 450
SleepTime - 50090
Sleep should be 60000 in the above example, and the remote port should be 443. I can't provide the sample in this case, but thought it would be worth highlighting for visibility.
can't parser the hostheader
Does not work on stageless dll beacons
Just as I've stated above, we are getting and observing new dlls and this script no longer works.
improper md5 calculation
hey thanks for the great tool
By the way, I think the MD5 calculation of the public key in "parse_beacon_config.py" is inappropriate.
Where CB's public key is supposed to be 256 bytes, you have an implementation that removes consecutive null-bytes at the start and end of the public key.
If the implementation is as it is, MD5 will be calculated from the key length shorter than 256 bytes.
If you comment out "conf_data = conf_data.strip(b'\x00')" on line 244, you should be able to calculate an appropriate MD5.
Sincerely
License incoherence
Hello, first thank you for your parser it's very appreciated.
I found out that the license you are using Attribution-NonCommercial-ShareAlike 4.0 International is very unusual for software. Actually even CC is not recommending to use such license in this case: https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software
Do you think you could change the license to something else? Like MIT maybe?
Cheers
Invalid URL under C2Server
Is this being parsed correctly?
ctxis/CAPE#478
Non-Standard Config XOR Key
Recently came across a number of stager payloads that are not using the standard (0x69, 0x2e) XOR configuration key. Given that it's a single byte key a simple brute force check works. Not sure if you want to consider implementing that into your code.
At the same time, also came across one version that along with changing the key, also changed the type markers in the configuration by multiplying them by two. So SHORT moves from 0x01 to 0x02, INT from 0x02 to 0x04 and STR from 0x03 to 0x06, I don't think this will be as easier a fix or option to factor in. Sample currently at https://8[.]218[.]28[.]246:8443/
Feature Request: Save Beacon
Thank you for the great update!
Now that the script supports configuration parsing directly via a URL, could a --save option be added to allow the script to save a copy of the beacon locally please? The file could be saved/named as its md5. Thanks for your consideration!
MemoryError on big memory image
Hi team,
Thanks for the interesting solution.
On ~30GB memory image, I am getting:
trikeConfig(args.beacon).parse_config(version=args.version, quiet=args.quiet, as_json=args.json) or \
File "/CobaltStrikeParser/parse_beacon_config.py", line 372, in __init__
self.data = fobj.read()
MemoryError
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.