
cobaltstrikeparser's People

Contributors

danielr-github, drakearonhalt, kristal-g, nbareil, rxwx, usualsuspect


cobaltstrikeparser's Issues

error line 38

Hi all,

I am trying to use this parser and it is erroring with the following:

File "parse_beacon_config.py", line 38
print(msg, end=end)
^
Please advise as to a fix, as I am unsure what to try changing at the moment. Any assistance will be greatly appreciated, and I hope I can help contribute at some stage.

Non-Standard Config XOR Key

Recently came across a number of stager payloads that are not using the standard (0x69, 0x2e) XOR configuration key. Given that it's a single-byte key, a simple brute-force check works. Not sure if you want to consider implementing that in your code.

At the same time, I also came across one version that, along with changing the key, also changed the type markers in the configuration by multiplying them by two. So SHORT moves from 0x01 to 0x02, INT from 0x02 to 0x04 and STR from 0x03 to 0x06. I don't think this will be as easy a fix or option to factor in. Sample currently at https://8[.]218[.]28[.]246:8443/

Non existing file problem.

Hi team,
Thanks for the interesting solution.
When I provide a non-existing file path, I am getting:

[-] Failed to find any beacon configuration

Shouldn't it say "Non-existing file"?

MemoryError on big memory image

Hi team,
Thanks for the interesting solution.
On ~30GB memory image, I am getting:

trikeConfig(args.beacon).parse_config(version=args.version, quiet=args.quiet, as_json=args.json) or \
  File "/CobaltStrikeParser/parse_beacon_config.py", line 372, in __init__
    self.data = fobj.read()
MemoryError

unexpected output of recent NOBELIUM samples

Description

Today, a CISA Malware Analysis Report was released which details the CS Beacon config of ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c and provides a config (detailed below in Expected Output) which is different from the config extracted when running parse_beacon_config.py

Most fields are missing; though it almost gets some of the fields, it seems to be missing a few while others appear to be jumbled.

Actual Output

> python parse_beacon_config.py 7edf943ed251fa480c5ca5abb2446c75
BeaconType                       - Not Found
Port                             - 187
SleepTime                        - Not Found
MaxGetSize                       - Not Found
Jitter                           - Not Found
MaxDNS                           - Not Found
PublicKey_MD5                    - Not Found
C2Server                         - Not Found
UserAgent                        - Not Found
HttpPostUri                      - j/uqre-y.3.3.2im.nowff2
Malleable_C2_Instructions        - Not Found
HttpGet_Metadata                 - Not Found
HttpPost_Metadata                - Not Found
PipeName                         - Not Found
DNS_Idle                         - Not Found
DNS_Sleep                        - Not Found
SSH_Host                         - Not Found
SSH_Port                         - Not Found
SSH_Username                     - Not Found
SSH_Password_Plaintext           - Not Found
SSH_Password_Pubkey              - Not Found
SSH_Banner                       - 
HttpGet_Verb                     - EGT
HttpPost_Verb                    - OPTS
HttpPostChunk                    - 0
Spawnto_x86                      - w%niid%rs\syow6w\4ldhlso.txee
Spawnto_x64                      - w%niid%rs\syanitevd\llohtse.ex
CryptoScheme                     - 0
Proxy_Config                     - Not Found
Proxy_User                       - Not Found
Proxy_Password                   - Not Found
Proxy_Behavior                   - Use IE settings
Watermark                        - 610669
bStageCleanup                    - Not Found
bCFGCaution                      - False
KillDate                         - 0
bProcInject_StartRWX             - False
bProcInject_UseRWX               - False
bProcInject_MinAllocSize         - 0
ProcInject_PrependAppend_x86     - Not Found
ProcInject_PrependAppend_x64     - Not Found
ProcInject_Execute               - Not Found
ProcInject_AllocationMethod      - NtMapViewOfSection
bUsesCookies                     - True
HostHeader                       - 
headersToRemove                  - Not Found
DNS_Beaconing                    - Not Found
DNS_get_TypeA                    - Not Found
DNS_get_TypeAAAA                 - Not Found
DNS_get_TypeTXT                  - Not Found
DNS_put_metadata                 - Not Found
DNS_put_output                   - Not Found
DNS_resolver                     - Not Found
DNS_strategy                     - Not Found
DNS_strategy_rotate_seconds      - Not Found
DNS_strategy_fail_x              - Not Found
DNS_strategy_fail_seconds        - Not Found

Expected Output

(From CISA report)

--Begin configuration data--
BeaconType                       - Not Found
Port                             - 187
SleepTime                        - Not Found
MaxGetSize                       - Not Found
Jitter                           - Not Found
MaxDNS                           - Not Found
PublicKey_MD5                    - Not Found
C2Server                         - dataplane.theyardservice[.]com,/jquery-3.3.1.min.woff2,cdn.theyardservice[.]com,/jquery-3.3.1.min.woff2,static.theyardservice[.]com,/jquery-3.3.1.min.woff2,worldhomeoutlet[.]com,/jquery-3.3.1.min.woff2
UserAgent                        - Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri                      - /jquery-3.3.2.min.woff2
Malleable_C2_Instructions        - Remove 1522 bytes from the end
                                   Remove 84 bytes from the beginning
                                   Remove 3931 bytes from the beginning
                                   Base64 URL-safe decode
                                   XOR mask w/ random key
HttpGet_Metadata                 - Metadata
                                       mask
                                       base64url
                                       prepend "_cfuid="
                                       header "Cookie"
HttpPost_Metadata                - SessionId
                                       mask
                                       base64url
                                       parameter "_cfuid"
                                   Output
                                       mask
                                       base64url
                                       print
PipeName                         - Not Found
DNS_Idle                         - Not Found
DNS_Sleep                        - Not Found
SSH_Host                         - Not Found
SSH_Port                         - Not Found
SSH_Username                     - Not Found
SSH_Password_Plaintext           - Not Found
SSH_Password_Pubkey              - Not Found
SSH_Banner                       - 
HttpGet_Verb                     - GET
HttpPost_Verb                    - POST
HttpPostChunk                    - 0
Spawnto_x86                      - %windir%\syswow64\dllhost.exe
Spawnto_x64                      - %windir%\sysnative\dllhost.exe
CryptoScheme                     - 0
Proxy_Config                     - Not Found
Proxy_User                       - Not Found
Proxy_Password                   - Not Found
Proxy_Behavior                   - Use IE settings
Watermark                        - 1359593325
bStageCleanup                    - True
bCFGCaution                      - False
KillDate                         - 0
bProcInject_StartRWX             - False
bProcInject_UseRWX               - False
bProcInject_MinAllocSize         - 0
ProcInject_PrependAppend_x86     - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
                                Empty
ProcInject_PrependAppend_x64     - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
                                Empty
ProcInject_Execute               - ntdll:RtlUserThreadStart
                                   CreateThread
                                   NtQueueApcThread-s
                                   CreateRemoteThread
                                   RtlCreateUserThread
ProcInject_AllocationMethod      - NtMapViewOfSection
bUsesCookies                     - True
HostHeader                       - 
headersToRemove                  - Not Found
DNS_Beaconing                    - Not Found
DNS_get_TypeA                    - Not Found
DNS_get_TypeAAAA                 - Not Found
DNS_get_TypeTXT                  - Not Found
DNS_put_metadata                 - Not Found
DNS_put_output                   - Not Found
DNS_resolver                     - Not Found
DNS_strategy                     - Not Found
DNS_strategy_rotate_seconds      - Not Found
DNS_strategy_fail_x              - Not Found
DNS_strategy_fail_seconds        - Not Found

Port and Sleep Settings reported incorrectly for CS4 beacon

Hi,

Thanks for releasing this tool. Testing it across a couple of samples shows a few incorrectly reported settings for a CS4.0 memory dump:

Port                             - 450
SleepTime                        - 50090

Sleep should be 60000 in the above example, and the remote port should be 443. I can't provide the sample in this case, but thought it would be worth highlighting for visibility.

UnicodeDecodeError / Punycode

Getting the following error when attempting to parse a Beacon:
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf6 in position 0: invalid start byte

MD5 3d919f663d6201c66572ee4510699864
SHA-1 7bd34858fcce27bc7ac6149b033e535ae6ba4152
SHA-256 c69c750a2dda1a73b7e0c2e8c85db2a71315ebb6e137d17d7aa293a766058332

https://www.virustotal.com/gui/file-analysis/M2Q5MTlmNjYzZDYyMDFjNjY1NzJlZTQ1MTA2OTk4NjQ6MTY2ODUwNDI4NA==

pDNS

xn--sf-eka[.]digital
vpn2[.]xn--sf-eka[.]digital
certificate[.]xn--sf-eka[.]digital
xn--sf-1ja[.]digital
community[.]xn--sf-eka[.]digital
dev[.]xn--sf-eka[.]digital
learninghub[.]xn--sf-eka[.]digital
signature[.]xn--sf-eka[.]digital

The umlaut appears to be causing the issue: ösf[.]digital.

First time seeing this type of error.
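A worked example that serves three of the posts above: "Non-Standard Config XOR Key", "MemoryError on big memory image" and this "UnicodeDecodeError / Punycode" one. It is added example code, not code from CobaltStrikeParser or any of the tools linked on this page. It assumes the setting layout the parser relies on (each setting is a big-endian index, type and length followed by the value; types 1, 2 and 3 are SHORT, INT and STR; the whole block is XOR'd with one byte), so the first six plaintext bytes (index 1, SHORT, length 2) can be searched for under every possible key and, for the variant described in the XOR-key post, under doubled type markers. The setting-name table covers only the indices the example needs, the function names are the example's own, and the sample config is constructed here rather than taken from any beacon; its C2 host is the ösf.digital name from this post.

```python
import re
import struct

# Setting indices of a Beacon config (the subset this example names).
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    6: "MaxDNS", 7: "PublicKey", 8: "C2Server", 9: "UserAgent",
    10: "HttpPostUri", 37: "Watermark",
}
# Standard type markers: 1 = SHORT (2 bytes), 2 = INT (4 bytes), 3 = STR/data.
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3


def xor(data, key):
    return bytes(b ^ key for b in data)


def find_config_candidates(blob, type_scales=(1, 2)):
    """Yield (offset, key, scale) wherever an encoded config header may sit.

    The first setting is always index 1 (BeaconType), a SHORT of length 2, so
    the plaintext starts 00 01 00 01 00 02. One regex alternation holds that
    header XOR'd with all 256 keys for each type-marker scale (scale 2 is the
    doubled-marker variant: SHORT=2, INT=4, STR=6), so the buffer is scanned
    once. blob may be bytes or an mmap.
    """
    patterns = []
    for scale in type_scales:
        header = struct.pack(">HHH", 1, TYPE_SHORT * scale, 2)
        patterns += [re.escape(xor(header, key)) for key in range(256)]
    for match in re.finditer(b"|".join(patterns), blob):
        hdr = match.group(0)
        key = hdr[0]           # plaintext byte 0 is 0x00, so it equals the key
        scale = hdr[3] ^ key   # plaintext byte 3 is TYPE_SHORT * scale
        yield match.start(), key, scale


def decode_string(raw):
    """Decode a STR setting: UTF-8 first, latin-1 as a fallback so a byte such
    as 0xf6 ('ö') in an IDN host does not raise UnicodeDecodeError."""
    text = raw.rstrip(b"\x00")
    try:
        return text.decode("utf-8")
    except UnicodeDecodeError:
        return text.decode("latin-1")


def to_punycode(host):
    """ASCII (xn--) form of a host name, as it appears in passive DNS."""
    return host.encode("idna").decode("ascii")


def parse_config(blob, offset, key, scale, max_settings=200):
    """Decode settings from offset; only the bytes actually used are XOR'd."""
    settings, pos = {}, offset
    for _ in range(max_settings):
        if pos + 6 > len(blob):
            raise ValueError("config runs past the end of the data")
        idx, typ, length = struct.unpack(">HHH", xor(blob[pos:pos + 6], key))
        if idx == 0:           # an all-zero entry terminates the config
            break
        pos += 6
        raw = xor(blob[pos:pos + length], key)
        if len(raw) != length:
            raise ValueError(f"entry {idx} truncated at offset {pos}")
        if typ == TYPE_SHORT * scale and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT * scale and length == 4:
            value = struct.unpack(">I", raw)[0]
        elif typ == TYPE_DATA * scale:
            value = raw if idx == 7 else decode_string(raw)  # keep the key raw
        else:
            raise ValueError(f"bad entry idx={idx} type={typ} at offset {pos - 6}")
        settings[SETTING_NAMES.get(idx, f"Setting_{idx}")] = value
        pos += length
    return settings


def extract_config(blob):
    """(offset, key, scale, settings) for the first candidate that parses."""
    for offset, key, scale in find_config_candidates(blob):
        try:
            return offset, key, scale, parse_config(blob, offset, key, scale)
        except ValueError:
            continue
    return None


def build_sample(key, scale=1):
    """Constructed test blob (not a real beacon): a few settings XOR'd with a
    non-standard key, wrapped in junk, with type markers scaled by `scale`."""
    def entry(idx, typ, length, value):
        return struct.pack(">HHH", idx, typ * scale, length) + value
    plain = (
        entry(1, TYPE_SHORT, 2, struct.pack(">H", 8))            # BeaconType
        + entry(2, TYPE_SHORT, 2, struct.pack(">H", 443))        # Port
        + entry(3, TYPE_INT, 4, struct.pack(">I", 60000))        # SleepTime
        + entry(8, TYPE_DATA, 32, b"\xf6sf.digital,/jquery".ljust(32, b"\x00"))
        + entry(37, TYPE_INT, 4, struct.pack(">I", 305419896))   # Watermark
        + b"\x00" * 6                                            # terminator
    )
    return b"JUNK" * 8 + xor(plain, key) + b"\xff" * 16
```

Because the scan only uses re.finditer, len() and slicing, the same functions accept a memory mapping: open the image and pass mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) instead of the result of fobj.read(), which is the call that fails with MemoryError on a 30 GB image. The key is recovered from the matched header itself (plaintext byte 0 is zero) and the marker scale from byte 3, so a config with doubled markers costs no extra pass. decode_string keeps a non-UTF-8 C2 string readable by falling back to latin-1, and to_punycode turns the decoded host back into the xn-- form seen in the passive DNS list above (ösf.digital becomes xn--sf-eka.digital).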

improper md5 calculation

hey thanks for the great tool

By the way, I think the MD5 calculation of the public key in "parse_beacon_config.py" is inappropriate.

Where CS's public key is supposed to be 256 bytes, you have an implementation that removes consecutive null bytes at the start and end of the public key.
As implemented, the MD5 will be calculated over a key shorter than 256 bytes.

If you comment out "conf_data = conf_data.strip(b'\x00')" on line 244, you should be able to calculate an appropriate MD5.

Sincerely

Feature Request: Extract Public Key

Hello,

I've noticed that a few other CS config parsers are able to extract the public key from within the beacon. For the following sample:
https://www.virustotal.com/gui/file/742a06efbebca717271b6beda1ff4a22f6f0be6acda9590ab32b38e1d5721140/detection

Processed through Tek's parser (https://github.com/Te-k/cobaltstrike), it returns:

dns                            False
ssl                            True
port                           443
.sleeptime                     60000
.http-get.server.output        00000004000000010000017700000001000000fa0000000200000004000000020000001c000000020000002400000002000000120000000200000004000000020000001c0000000200000024000000020000001100000002000000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.jitter                        15
.maxdns                        255
publickey                      30819f300d06092a864886f70d010101050003818d0030818902818100aef69a6fb8f21092c01a95cbdcac0f03f79738adecda36cffc6c5cf607943e72663865f8f69d84961910201ffde089b24cd4352c766414d0665537956b8ec8f4e23df0cd79e9284c16c899fde818758a22c53947e3dd52f440be86f71cdf8abb79adb3b8afaf9f80af028d823f1d70fcdbb34b0b5f5293f74dbb184a3c9109f3020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.http-get.uri                  156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/
.user-agent                    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)
.http-post.uri                 /mail/u/0/
.http-get.client               OSID=Cookie
GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
ui=d3244c4707ient
                hop=6928632	start=0
=Content-Type: application/x-www-form-urlencoded;charset=utf-8OSID=Cookie
.spawto
.post-ex.spawnto_x86           %windir%\syswow64\notepad.exe
.post-ex.spawnto_x64           %windir%\sysnative\notepad.exe
.pipename
.cryptoscheme                  0
.dns_idle                      134743044
.dns_sleep                     0
.http-get.verb                 GET
.http-post.verb                POST
shouldChunkPosts               0
.watermark                     305419896
.stage.cleanup                 0
CFGCaution                     0
host_header
cookieBeacon                   1
.proxy_type                    2
funk                           0
killdate                       0
text_section                   0
process-inject-start-rwx       64
process-inject-use-rwx         64
process-inject-min_alloc       0
process-inject-transform-x86
process-inject-transform-x64
process-inject-stub            a56c813864af878a4c10083ca1578e0a
process-inject-execute
process-inject-allocation-method 0

The key is also extracted by Didier's 1768 parser: https://blog.didierstevens.com/2020/11/07/1768-k/

Finally, SpawnTo is extracted as "AAAAAAAAAAAAAAAAAAAAAA=="; is this being parsed correctly, if at all?

Many thanks!
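An added example for the two posts above ("improper md5 calculation" and this "Extract Public Key" request); it is not code from CobaltStrikeParser, Te-k's parser or 1768.py. It takes the publickey hex printed by Te-k's parser in the post above, re-pads it with zeros to the 256-byte setting the MD5 post describes, walks the DER SubjectPublicKeyInfo with a minimal hand-written decoder (an assumption here: no third-party ASN.1 library is used) to recover the RSA modulus and exponent, and computes the MD5 both over the full setting and after strip(b'\x00') so the difference the MD5 post reports is visible. Function names are the example's own.

```python
import hashlib

# The `publickey` value printed by Te-k's parser in the post above: a DER
# SubjectPublicKeyInfo (162 bytes) that Beacon stores zero-padded in a
# 256-byte setting. Only the DER part is copied here; the padding is rebuilt.
PUBLIC_KEY_DER_HEX = (
    "30819f300d06092a864886f70d010101050003818d0030818902818100"
    "aef69a6fb8f21092c01a95cbdcac0f03f79738adecda36cffc6c5cf607943e72"
    "663865f8f69d84961910201ffde089b24cd4352c766414d0665537956b8ec8f4"
    "e23df0cd79e9284c16c899fde818758a22c53947e3dd52f440be86f71cdf8abb"
    "79adb3b8afaf9f80af028d823f1d70fcdbb34b0b5f5293f74dbb184a3c9109f3"
    "0203010001"
)
PUBLIC_KEY_FIELD = bytes.fromhex(PUBLIC_KEY_DER_HEX).ljust(256, b"\x00")

SEQUENCE, INTEGER, BIT_STRING = 0x30, 0x02, 0x03


def der_tlv(buf, pos, expected_tag):
    """Return (header_len, content_len) of the DER element at pos after checking its tag."""
    tag, first = buf[pos], buf[pos + 1]
    if tag != expected_tag:
        raise ValueError(f"expected tag {expected_tag:#04x} at {pos}, got {tag:#04x}")
    if first < 0x80:                      # short-form length
        return 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def der_key_length(field):
    """Bytes occupied by the DER key at the start of the setting; the rest is padding."""
    hdr, length = der_tlv(field, 0, SEQUENCE)
    return hdr + length


def rsa_public_numbers(field):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; return (n, e)."""
    hdr, _ = der_tlv(field, 0, SEQUENCE)              # SubjectPublicKeyInfo
    pos = hdr
    hdr, length = der_tlv(field, pos, SEQUENCE)       # AlgorithmIdentifier (rsaEncryption, NULL)
    pos += hdr + length
    hdr, _ = der_tlv(field, pos, BIT_STRING)          # subjectPublicKey
    pos += hdr + 1                                    # skip the unused-bits byte
    hdr, _ = der_tlv(field, pos, SEQUENCE)            # RSAPublicKey
    pos += hdr
    hdr, length = der_tlv(field, pos, INTEGER)        # modulus
    n = int.from_bytes(field[pos + hdr:pos + hdr + length], "big")
    pos += hdr + length
    hdr, length = der_tlv(field, pos, INTEGER)        # publicExponent
    e = int.from_bytes(field[pos + hdr:pos + hdr + length], "big")
    return n, e


def public_key_md5(field, strip_nulls):
    """MD5 under the two conventions the MD5 post contrasts: over the whole
    256-byte setting, or after strip(b'\\x00'), which drops the zero padding."""
    data = field.strip(b"\x00") if strip_nulls else field
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    n, e = rsa_public_numbers(PUBLIC_KEY_FIELD)
    print(f"DER key length: {der_key_length(PUBLIC_KEY_FIELD)} of {len(PUBLIC_KEY_FIELD)} bytes")
    print(f"RSA-{n.bit_length()} e={e} n={n:x}")
    print("MD5 over full field   :", public_key_md5(PUBLIC_KEY_FIELD, strip_nulls=False))
    print("MD5 after null strip  :", public_key_md5(PUBLIC_KEY_FIELD, strip_nulls=True))
```

der_key_length returns 162 for this key, so the stripped variant hashes 162 bytes and the full variant 256, and the two digests differ. Which one to report depends on which other tool's PublicKey_MD5 you need to compare against, so a parser is better off computing both (or exposing the raw key, as requested above) than choosing one silently.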

Feature Request: Save Beacon

Thank you for the great update!

Now that the script supports configuration parsing directly via a URL, could a --save option be added to allow the script to save a copy of the beacon locally please? The file could be saved/named as its md5. Thanks for your consideration!
