sentinel-one / cobaltstrikeparser
License: Other
Hi team,
Thanks for the interesting solution.
When I provide a non-existent file path, I am getting:
[-] Failed to find any beacon configuration
Shouldn't it say "Non-existent file"?
Hello, first of all thank you for your parser, it's much appreciated.
I found out that the license you are using, Attribution-NonCommercial-ShareAlike 4.0 International,
is very unusual for software. Actually, even CC does not recommend using such a license in this case: https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software
Do you think you could change the license to something else? Like MIT maybe?
Cheers
In function register_beacon, when the port is not 80, the beacon is unable to go online. conf['Port'] can be used directly to
get the Beacon port.
Today, a CISA Malware Analysis Report was released which details the CS Beacon config of ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c and provides a config (detailed below in Expected Output) which is different from the config extracted when running parse_beacon_config.py
Most fields are missing; though it almost gets some of the fields, it seems to be missing a few while others appear to be jumbled.
> python parse_beacon_config.py 7edf943ed251fa480c5ca5abb2446c75
BeaconType - Not Found
Port - 187
SleepTime - Not Found
MaxGetSize - Not Found
Jitter - Not Found
MaxDNS - Not Found
PublicKey_MD5 - Not Found
C2Server - Not Found
UserAgent - Not Found
HttpPostUri - j/uqre-y.3.3.2im.nowff2
Malleable_C2_Instructions - Not Found
HttpGet_Metadata - Not Found
HttpPost_Metadata - Not Found
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
SSH_Banner -
HttpGet_Verb - EGT
HttpPost_Verb - OPTS
HttpPostChunk - 0
Spawnto_x86 - w%niid%rs\syow6w\4ldhlso.txee
Spawnto_x64 - w%niid%rs\syanitevd\llohtse.ex
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark - 610669
bStageCleanup - Not Found
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - False
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 0
ProcInject_PrependAppend_x86 - Not Found
ProcInject_PrependAppend_x64 - Not Found
ProcInject_Execute - Not Found
ProcInject_AllocationMethod - NtMapViewOfSection
bUsesCookies - True
HostHeader -
headersToRemove - Not Found
DNS_Beaconing - Not Found
DNS_get_TypeA - Not Found
DNS_get_TypeAAAA - Not Found
DNS_get_TypeTXT - Not Found
DNS_put_metadata - Not Found
DNS_put_output - Not Found
DNS_resolver - Not Found
DNS_strategy - Not Found
DNS_strategy_rotate_seconds - Not Found
DNS_strategy_fail_x - Not Found
DNS_strategy_fail_seconds - Not Found
(From CISA report)
--Begin configuration data--
BeaconType - Not Found
Port - 187
SleepTime - Not Found
MaxGetSize - Not Found
Jitter - Not Found
MaxDNS - Not Found
PublicKey_MD5 - Not Found
C2Server - dataplane.theyardservice[.]com,/jquery-3.3.1.min.woff2,cdn.theyardservice[.]com,/jquery-3.3.1.min.woff2,static.theyardservice[.]com,/jquery-3.3.1.min.woff2,worldhomeoutlet[.]com,/jquery-3.3.1.min.woff2
UserAgent - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri - /jquery-3.3.2.min.woff2
Malleable_C2_Instructions - Remove 1522 bytes from the end
Remove 84 bytes from the beginning
Remove 3931 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key
HttpGet_Metadata - Metadata
mask
base64url
prepend "_cfuid="
header "Cookie"
HttpPost_Metadata - SessionId
mask
base64url
parameter "_cfuid"
Output
mask
base64url
print
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
SSH_Banner -
HttpGet_Verb - GET
HttpPost_Verb - POST
HttpPostChunk - 0
Spawnto_x86 - %windir%\syswow64\dllhost.exe
Spawnto_x64 - %windir%\sysnative\dllhost.exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark - 1359593325
bStageCleanup - True
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - False
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 0
ProcInject_PrependAppend_x86 - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
Empty
ProcInject_PrependAppend_x64 - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
Empty
ProcInject_Execute - ntdll:RtlUserThreadStart
CreateThread
NtQueueApcThread-s
CreateRemoteThread
RtlCreateUserThread
ProcInject_AllocationMethod - NtMapViewOfSection
bUsesCookies - True
HostHeader -
headersToRemove - Not Found
DNS_Beaconing - Not Found
DNS_get_TypeA - Not Found
DNS_get_TypeAAAA - Not Found
DNS_get_TypeTXT - Not Found
DNS_put_metadata - Not Found
DNS_put_output - Not Found
DNS_resolver - Not Found
DNS_strategy - Not Found
DNS_strategy_rotate_seconds - Not Found
DNS_strategy_fail_x - Not Found
DNS_strategy_fail_seconds - Not Found
Getting the following error when attempting to parse a Beacon:
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf6 in position 0: invalid start byte
MD5 3d919f663d6201c66572ee4510699864
SHA-1 7bd34858fcce27bc7ac6149b033e535ae6ba4152
SHA-256 c69c750a2dda1a73b7e0c2e8c85db2a71315ebb6e137d17d7aa293a766058332
pDNS
xn--sf-eka[.]digital
vpn2[.]xn--sf-eka[.]digital
certificate[.]xn--sf-eka[.]digital
xn--sf-1ja[.]digital
community[.]xn--sf-eka[.]digital
dev[.]xn--sf-eka[.]digital
learninghub[.]xn--sf-eka[.]digital
signature[.]xn--sf-eka[.]digital
The umlaut appears to be causing the issue: ösf[.]digital
First time seeing this type of error.
Is this being parsed correctly?
ctxis/CAPE#478
It's unable to parse the CS v4 configuration. Does this issue depend on the START_PATTERN variable, which needs to be updated?
MD5:00004362f5f0ab88730db31c1a168186
Recently came across a number of stager payloads that are not using the standard (0x69, 0x2e) XOR configuration key. Given that it's a single-byte key, a simple brute-force check works. Not sure if you want to consider implementing that into your code.
At the same time, also came across one version that, along with changing the key, also changed the type markers in the configuration by multiplying them by two. So SHORT moves from 0x01 to 0x02, INT from 0x02 to 0x04 and STR from 0x03 to 0x06. I don't think this will be as easy a fix or option to factor in. Sample currently at https://8[.]218[.]28[.]246:8443/
Just as I've stated above, we are getting and observing new DLLs and this script no longer works.
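The two points raised in the reports above (the fixed START_PATTERN for 0x69/0x2e that misses v4 or non-standard keys, and builds that double the SHORT/INT/STR type markers) can both be handled by searching for the encoded header of the first setting under every single-byte key and both marker scales. The following is an added Python example, not the project's parser: the TLV layout (index, type, length, data, all big-endian) is the documented beacon setting format, but the sample blob, the setting names table, the key 0x5a and the trailing junk bytes are constructed here for illustration.

```python
import struct

# Subset of the beacon setting table, only what this example decodes (assumption:
# the real table in the parser is much larger).
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 8: "C2Server", 9: "UserAgent"}
SHORT, INT, BYTES = 1, 2, 3   # standard type markers; the scaled build uses 2, 4, 6


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_setting(index: int, stype: int, data: bytes, scale: int = 1) -> bytes:
    """One TLV: index(2) type(2) length(2) data, big-endian."""
    return struct.pack(">HHH", index, stype * scale, len(data)) + data


def build_sample_config(scale: int = 1) -> bytes:
    """Constructed config blob (not taken from any real beacon)."""
    return b"".join([
        build_setting(1, SHORT, struct.pack(">H", 8), scale),       # BeaconType 8 = HTTPS
        build_setting(2, SHORT, struct.pack(">H", 8443), scale),    # Port
        build_setting(3, INT, struct.pack(">I", 60000), scale),     # SleepTime (ms)
        build_setting(8, BYTES, b"c2.example.invalid,/api/v1".ljust(256, b"\x00"), scale),
        build_setting(9, BYTES, b"Mozilla/5.0 (constructed UA)".ljust(128, b"\x00"), scale),
    ]) + b"\x00" * 16   # a zero index terminates the settings list


def parse_settings(blob: bytes, key: int, scale: int, offset: int) -> dict:
    """Decode the TLV list at offset, honouring the detected marker scale."""
    data = xor(blob[offset:], key)
    settings, pos = {}, 0
    while pos + 6 <= len(data):
        index, stype, length = struct.unpack_from(">HHH", data, pos)
        if index == 0:
            break
        pos += 6
        raw = data[pos:pos + length]
        pos += length
        if stype == SHORT * scale:
            value = struct.unpack(">H", raw)[0]
        elif stype == INT * scale:
            value = struct.unpack(">I", raw)[0]
        elif stype == BYTES * scale:
            value = raw.rstrip(b"\x00").decode("latin-1")
        else:
            raise ValueError(f"unexpected type marker {stype} at index {index}")
        settings[SETTING_NAMES.get(index, f"setting_{index}")] = value
    return settings


def find_config(blob: bytes):
    """Brute-force the single-byte XOR key and the marker scale.

    The first setting is always index 1 (BeaconType) as a SHORT of length 2, so
    its 6-byte header encodes to a pattern that depends only on key and scale.
    Every hit is validated by actually parsing it, so a chance 6-byte match in
    unrelated data is rejected.  Returns (key, scale, offset, settings) or None.
    """
    for scale in (1, 2):
        header = struct.pack(">HHH", 1, SHORT * scale, 2)
        for key in range(256):
            needle = xor(header, key)
            off = blob.find(needle)
            while off != -1:
                try:
                    conf = parse_settings(blob, key, scale, off)
                except (ValueError, struct.error):
                    conf = None
                if conf and "Port" in conf:
                    return key, scale, off, conf
                off = blob.find(needle, off + 1)
    return None


def extract(blob: bytes) -> dict:
    """Locate and parse a config; raise if no key/scale combination yields one."""
    found = find_config(blob)
    if found is None:
        raise ValueError("no beacon configuration found under any single-byte key")
    key, scale, off, conf = found
    conf["_xor_key"], conf["_marker_scale"], conf["_offset"] = key, scale, off
    return conf


if __name__ == "__main__":
    # Standard v3 key, standard markers, config at the start of the blob.
    print(extract(xor(build_sample_config(), 0x69)))
    # Non-standard key 0x5a, doubled markers, config after some junk bytes.
    print(extract(b"MZ\x90\x00junk" + xor(build_sample_config(scale=2), 0x5a)))
```

Searching for the encoded 6-byte header under each key is far cheaper than decoding the whole blob 256 times, and parsing each candidate before accepting it keeps the brute force from locking onto a coincidental match; on a real sample the "Port" check can be replaced by whichever required settings the analyst expects to be present.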
hey thanks for the great tool
By the way, I think the MD5 calculation of the public key in "parse_beacon_config.py" is inappropriate.
Where CS's public key is supposed to be 256 bytes, you have an implementation that removes consecutive null bytes at the start and end of the public key.
If the implementation stays as it is, the MD5 will be calculated over a key shorter than 256 bytes.
If you comment out "conf_data = conf_data.strip(b'\x00')" on line 244, you should be able to calculate the appropriate MD5.
Sincerely
Thank you for the great update!
Now that the script supports configuration parsing directly via a URL, could a --save option be added to allow the script to save a copy of the beacon locally please? The file could be saved/named as its md5. Thanks for your consideration!
Hi all,
I am trying to use this parser and it is erroring with the following:
File "parse_beacon_config.py", line 38
print(msg, end=end)
^
Please advise as to a fix, as I am unsure what to try to change at the moment. Any assistance will be greatly appreciated, and I hope I can help contribute at some stage.
Hi team,
Thanks for the interesting solution.
On ~30GB memory image, I am getting:
trikeConfig(args.beacon).parse_config(version=args.version, quiet=args.quiet, as_json=args.json) or \
File "/CobaltStrikeParser/parse_beacon_config.py", line 372, in __init__
self.data = fobj.read()
MemoryError
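The traceback above ends in fobj.read(), which pulls the entire memory image into a single bytes object. One way to scan an image of any size without that, as an added Python example (not the project's code): map the file with mmap and search it for the encoded header of the first setting under the two documented keys, 0x69 (3.x) and 0x2e (4.x), decoding only a fixed window at each hit. The 4 KiB window size, the constructed sample image and the write_sample_image/demo helpers are assumptions made for this example.

```python
import mmap
import os
import struct
import tempfile

# Header of the first setting (index 1, SHORT, length 2) and its XOR-encoded form
# under the two documented single-byte keys.
FIRST_SETTING = struct.pack(">HHH", 1, 1, 2)
START_PATTERNS = {key: bytes(b ^ key for b in FIRST_SETTING) for key in (0x69, 0x2e)}
WINDOW = 4096   # bytes decoded per hit; assumed upper bound for one config block


def scan_image(path: str, max_hits: int = 32) -> list:
    """Find beacon config headers in a file of any size without reading it into RAM.

    mm.find() walks the mapping through the page cache; only the WINDOW-sized
    slice at each hit is copied and XOR-decoded.  Returns a sorted list of
    (offset, key, decoded_window) tuples.
    """
    hits = []
    with open(path, "rb") as fobj, mmap.mmap(fobj.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for key, pattern in START_PATTERNS.items():
            off = mm.find(pattern)
            while off != -1 and len(hits) < max_hits:
                window = mm[off:off + WINDOW]          # the only copy made per hit
                hits.append((off, key, bytes(b ^ key for b in window)))
                off = mm.find(pattern, off + 1)
    return sorted(hits)


def write_sample_image(path: str, key: int = 0x2e, junk_before: int = 1 << 20) -> int:
    """Constructed test image: filler, one v4-keyed config stub, filler.

    Returns the offset of the stub so a caller can check the scan result.
    """
    stub = FIRST_SETTING + struct.pack(">H", 8)                    # BeaconType = 8 (HTTPS)
    stub += struct.pack(">HHH", 2, 1, 2) + struct.pack(">H", 443)  # Port = 443
    stub += b"\x00" * 16                                           # zero index ends the list
    encoded = bytes(b ^ key for b in stub)
    with open(path, "wb") as fobj:
        fobj.write(b"\xaa" * junk_before)
        fobj.write(encoded)
        fobj.write(b"\x55" * WINDOW)
    return junk_before


def demo() -> list:
    """Write the sample image to a temp file, scan it, remove it, return the hits."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    os.close(fd)
    try:
        write_sample_image(path)
        return scan_image(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for offset, key, decoded in demo():
        port = struct.unpack(">H", decoded[14:16])[0]
        print(f"config at 0x{offset:x}, key 0x{key:02x}, Port {port}")
```

Resident memory stays at roughly one window per hit regardless of image size, so a 30 GB dump is scanned sequentially rather than loaded; the decoded windows can then be handed to the normal setting parser. A 32-bit Python cannot map a file that large, so run this under a 64-bit interpreter.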
Hello,
I've noticed that a few other CS config parsers are able to extract the public key from within the beacon. For the following sample:
https://www.virustotal.com/gui/file/742a06efbebca717271b6beda1ff4a22f6f0be6acda9590ab32b38e1d5721140/detection
Processed through Tek's parser (https://github.com/Te-k/cobaltstrike), returns:
dns False
ssl True
port 443
.sleeptime 60000
.http-get.server.output 00000004000000010000017700000001000000fa0000000200000004000000020000001c000000020000002400000002000000120000000200000004000000020000001c0000000200000024000000020000001100000002000000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.jitter 15
.maxdns 255
publickey [value omitted]
.http-get.uri 156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/
.user-agent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)
.http-post.uri /mail/u/0/
.http-get.client OSID=Cookie
GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
ui=d3244c4707ient
hop=6928632 start=0
=Content-Type: application/x-www-form-urlencoded;charset=utf-8OSID=Cookie
.spawto
.post-ex.spawnto_x86 %windir%\syswow64\notepad.exe
.post-ex.spawnto_x64 %windir%\sysnative\notepad.exe
.pipename
.cryptoscheme 0
.dns_idle 134743044
.dns_sleep 0
.http-get.verb GET
.http-post.verb POST
shouldChunkPosts 0
.watermark 305419896
.stage.cleanup 0
CFGCaution 0
host_header
cookieBeacon 1
.proxy_type 2
funk 0
killdate 0
text_section 0
process-inject-start-rwx 64
process-inject-use-rwx 64
process-inject-min_alloc 0
process-inject-transform-x86
process-inject-transform-x64
process-inject-stub a56c813864af878a4c10083ca1578e0a
process-inject-execute
process-inject-allocation-method 0
The key is also extracted by Didier's 1768 parser: https://blog.didierstevens.com/2020/11/07/1768-k/
Finally, SpawnTo is extracted as "AAAAAAAAAAAAAAAAAAAAAA==", is this being parsed correctly, if at all?
Many thanks!
Hi,
Thanks for releasing this tool. Testing it across a couple of samples shows a few incorrectly reported settings for a CS4.0 memory dump:
Port - 450
SleepTime - 50090
Sleep should be 60000 in the above example, and the remote port should be 443. I can't provide the sample in this case, but thought it would be worth highlighting for visibility.