Cobalt Strike Configuration Extractor and Parser
Overview
Pure Python library and set of scripts to extract and parse configurations (configs) from Cobalt Strike Beacons. The library, libcsce, contains classes for building tools to work with Beacon configs. There are also two CLI scripts included that use the library to parse Beacon config data:
- csce: Parses all known Beacon config settings to JSON, mimicking the Malleable C2 profile structure.
- list-cs-settings: Attempts to find by brute force the associated Cobalt Strike version, and all settings and their types, of a Beacon config. This script is useful for conducting research on Beacon samples.
Installation
Install from Pypi (preferred method)
> pip install libcsce
Install from GitHub with Pip
> pip install git+ssh://git@github.com/strozfriedberg/cobaltstrike-config-extractor.git#egg=libcsce
Install from Cloned Repo
> git clone ssh://git@github.com/strozfriedberg/cobaltstrike-config-extractor.git
> cd libcsce
> pip install .
Dependencies
The only external non-development dependency is pefile, which is required to decrypt Beacon configs from the .data section of PE files. Requires Python 3.6+.
Development dependencies include those specified in pyproject.toml as well as:
Getting Started
csce
Both of the CLI scripts support extracting Beacon configs from PE files (DLLs/EXEs) and memory dumps where a Beacon was running. To parse a Beacon PE file to JSON, use csce:
> csce --pretty <path/to/file.{exe,dll,bin,dmp}>
By default, the script will try to parse the Beacon as version 3 and, if that fails, try version 4. You can specify a version manually via the -v flag to save cycles if you know the Beacon is version 4 (using -v 3 doesn't technically save cycles because the script tries that version first by default).
list-cs-settings
When conducting research or trying to discover new settings, it is sometimes useful to extract all possible settings and their types from a Beacon sample. Use list-cs-settings to detect by brute force the Cobalt Strike version and all settings and their types:
> list-cs-settings <path/to/file.{exe,dll,bin,dmp}>
This script produces JSON where the top-level key is the Cobalt Strike version number, which points to a mapping from setting number to information about that setting, including:
- length (in bytes)
- offset from the beginning of the config section
- fundamental type (short, int, str)
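When brute-forcing a layout during research, it helps to sanity-check the result before trusting it. The following is an added helper, not part of libcsce, that consumes JSON in the version -> setting number -> info shape described above and flags settings whose byte ranges overlap or whose length disagrees with their fundamental type. The per-setting key names (offset, length, type) and the sample document are assumptions.

```python
import json

# Byte widths implied by the fixed-size fundamental types named above.
TYPE_WIDTHS = {"short": 2, "int": 4}

# Constructed sample in the shape list-cs-settings is described as producing:
# version -> setting number -> info. The key names inside each info mapping
# are assumptions for this helper, not the tool's documented output.
SAMPLE_OUTPUT = json.dumps({
    "4": {
        "1": {"offset": 0, "length": 2, "type": "short"},
        "2": {"offset": 2, "length": 2, "type": "short"},
        "3": {"offset": 4, "length": 4, "type": "int"},
        "4": {"offset": 8, "length": 256, "type": "str"},
        "5": {"offset": 200, "length": 16, "type": "str"},   # lands inside setting 4
        "6": {"offset": 264, "length": 4, "type": "short"},  # length contradicts type
    }
})


def check_layout(json_text):
    """Return {version: [problem, ...]} for a list-cs-settings style document."""
    problems = {}
    for version, settings in json.loads(json_text).items():
        found = []
        # Walk settings in offset order, tracking the furthest byte claimed so far,
        # so a setting that starts before that point overlaps an earlier one.
        entries = sorted(
            ((int(num), s["offset"], s["length"], s["type"]) for num, s in settings.items()),
            key=lambda e: e[1],
        )
        end_so_far, owner = -1, None
        for num, off, length, typ in entries:
            width = TYPE_WIDTHS.get(typ)
            if width is not None and length != width:
                found.append(f"setting {num}: {typ} should be {width} bytes, got {length}")
            if off < end_so_far:
                found.append(f"setting {num} at 0x{off:x} overlaps setting {owner} (ends at 0x{end_so_far:x})")
            if off + length > end_so_far:
                end_so_far, owner = off + length, num
        problems[version] = found
    return problems


if __name__ == "__main__":
    for ver, probs in check_layout(SAMPLE_OUTPUT).items():
        print(f"version {ver}: {len(probs)} problem(s)")
        for p in probs:
            print("  " + p)
```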