相关文章

dissect.cobaltstrike

dissect.cobaltstrike是一个 Python 库，用于剖析和解析 Cobalt Strike 相关数据，例如信标有效负载和可扩展 C2 配置文件。

安装

该库在 PyPI 上可用。用于pip安装它：

$ pip install dissect.cobaltstrike

dissect.cobaltstrike需要 Python 3.6 或更高版本。

文档

基本用法

加载信标并访问一些属性和设置：

>>> from dissect.cobaltstrike.beacon import BeaconConfig
>>> bconfig = BeaconConfig.from_path("beacon.bin")
>>> bconfig.version
<BeaconVersion 'Cobalt Strike 4.2 (Nov 06, 2020)', tuple=(4, 2), date=2020-11-06>
>>> hex(bconfig.watermark)
'0x5109bf6d'
>>> bconfig.protocol
'https'
>>> bconfig.settings
mappingproxy({'SETTING_PROTOCOL': 8,
              'SETTING_PORT': 443,
              'SETTING_SLEEPTIME': 5000,
              'SETTING_MAXGET': 1048576,
              'SETTING_JITTER': 0, ...
>>> bconfig.settings["SETTING_C2_REQUEST"]
[('_HEADER', b'Connection: close'),
 ('_HEADER', b'Accept-Language: en-US'),
 ('BUILD', 'metadata'),
 ('MASK', True),
 ('BASE64', True),
 ('PREPEND', b'wordpress_ed1f617bbd6c004cc09e046f3c1b7148='),
 ('HEADER', b'Cookie')]

加载 Malleable C2 配置文件和访问设置：

>>> from dissect.cobaltstrike.c2profile import C2Profile
>>> profile = C2Profile.from_path("amazon.profile")
>>> profile.as_dict()
{'sleeptime': ['5000'],
 'jitter': ['0'],
 'maxdns': ['255'],
 'useragent': ['Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'],
 'http-get.uri': ['/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'],
 'http-get.client.header': [('Accept', '*/*'), ('Host', 'www.amazon.com')],
 ...
}
>>> profile.properties["useragent"]
['Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko']
>>> profile.properties["http-get.uri"]
['/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books']

执照

dissect.cobaltstrike是在 MIT 许可下开发和分发的。