fox-it/dissect.cobaltstrike

GitHub: fox-it/dissect.cobaltstrike

A Python library for parsing and decrypting Cobalt Strike related data (beacon payloads, C2 configuration, PCAP traffic).

Stars: 188 | Forks: 23

# Dissecting Cobalt Strike using Python

.. image:: https://github.com/fox-it/dissect.cobaltstrike/workflows/Tests/badge.svg
   :target: https://github.com/fox-it/dissect.cobaltstrike/actions
   :alt: GitHub Actions status

.. image:: https://readthedocs.org/projects/dissect-cobaltstrike/badge/?version=latest
   :target: https://dissect-cobaltstrike.readthedocs.io/en/latest/?badge=latest
   :alt: Documentation status

.. image:: https://img.shields.io/pypi/v/dissect.cobaltstrike.svg
   :target: https://pypi.python.org/pypi/dissect.cobaltstrike

**dissect.cobaltstrike** is a Python library for dissecting and parsing Cobalt Strike related data such as beacon payloads and Malleable C2 Profiles.

## Installation

The library is available on `PyPI <https://pypi.python.org/pypi/dissect.cobaltstrike>`_. Install it with ``pip``:

```bash
$ pip install dissect.cobaltstrike
```

Or install the ``full`` extra so that the dependencies needed for C2 and PCAP support are installed automatically:

```bash
$ pip install 'dissect.cobaltstrike[full]'
```

To install the latest pre-release version, use the ``--pre`` flag:

```bash
$ pip install --pre dissect.cobaltstrike
```

**dissect.cobaltstrike** requires Python 3.9 or later.

## Documentation

The project documentation can be found at https://dissect-cobaltstrike.readthedocs.io

## Basic usage

### Dissect a Cobalt Strike beacon and extract its configuration settings

```python
>>> from dissect.cobaltstrike.beacon import BeaconConfig
>>> bconfig = BeaconConfig.from_path("beacon.bin")
>>> hex(bconfig.watermark)
'0x5109bf6d'
>>> bconfig.protocol
'https'
>>> bconfig.version
<...>
>>> bconfig.settings
mappingproxy({'SETTING_PROTOCOL': 8, 'SETTING_PORT': 443, 'SETTING_SLEEPTIME': 5000, 'SETTING_MAXGET': 1048576, 'SETTING_JITTER': 0, ...
>>> bconfig.settings["SETTING_C2_REQUEST"]
[('_HEADER', b'Connection: close'), ('_HEADER', b'Accept-Language: en-US'), ('BUILD', 'metadata'), ('MASK', True), ('BASE64', True), ('PREPEND', b'wordpress_ed1f617bbd6c004cc09e046f3c1b7148='), ('HEADER', b'Cookie')]
```

### Dissect a Malleable C2 profile and read its configuration settings

```python
>>> from dissect.cobaltstrike.c2profile import C2Profile
>>> profile = C2Profile.from_path("amazon.profile")
>>> profile.as_dict()
{'sleeptime': ['5000'], 'jitter': ['0'], 'maxdns': ['255'], 'useragent': ['Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'], 'http-get.uri': ['/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'], 'http-get.client.header': [('Accept', '*/*'), ('Host', 'www.amazon.com')], ... }
>>> profile.properties["useragent"]
['Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko']
>>> profile.properties["http-get.uri"]
['/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books']
```

### Connect to a Team Server as a beacon client

See the *A minimal beacon client* tutorial in the documentation.

.. image:: https://raw.githubusercontent.com/fox-it/dissect.cobaltstrike/main/docs/images/beacon-client.png

### Dissect and decrypt a PCAP containing Cobalt Strike traffic

See the *Decrypt Cobalt Strike PCAPs* tutorial in the documentation.

```shell
$ beacon-pcap --extract-beacons 2021-06-15-Hancitor-with-Ficker-Stealer-and-Cobalt-Strike.pcap
[+] Found <...> at b'/ZsDK', extracting beacon payload to 'beacon-ZsDK.bin'
[+] Found <...> at b'/8mJm', extracting beacon payload to 'beacon-8mJm.bin'

$ beacon-pcap -p key.pem 2021-06-15-Hancitor-with-Ficker-Stealer-and-Cobalt-Strike.pcap --beacon beacon-8mJm.bin
<... dst_port=443 raw_http=b'GET /activity HTTP/1.1\r\nAccept: */*\r\nCookie: kR/OTFMhCYQpv09cXl2R7qEespVUfQ/8YahAbs1b+rEESbSzcAc44R9Klf4zH4GGYxT4dErzNQWimmMW5wQVQSEGFZ36mWc/beoUTQUGVUxcZWXl0t8WBO12qC6vsmRSV5uQO+qxz0Lbz1P/wOkWwbNM0XF9LhVjRrGYSR0Jlrc=\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)\r\nHost: :443\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n' magic=48879 size=92 aes_rand=b'\xf9dA\xc8\x8b\x07\xe1:\xfa\np\xbc{`m\xe0' ansi_cp=58372 oem_cp=46337 bid=693615746 pid=6396 port=0 flag=4 ver_major=10 ver_minor=0 ver_build=19042 ptr_x64=0 ptr_gmh=1972243040 ptr_gpa=1972237648 ip=net.ipaddress('') info=b'DESKTOP-X9JH6AW\ttabitha.gomez\tsvchost.exe'>
<... src_port=443 dst_ip=net.ipaddress('10.0.0.134') dst_port=52894 raw_http=b'HTTP/1.1 200 OK\r\nDate: Tue, 15 Jun 2021 15:09:55 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 48\r\n\r\nP\xc1\xf1\xa0{3 \xa8\x01}\xfe\xbcl\x8e\xa2\x81\xd7A2\xa3;\xe0\x91\xf5\x90\xdd]\xc5\x88`\xa2\x88\x93\x14-\xb4\xbb\x96\xf1\x1c\xd7\r\xa60\xfe\xc5\x9e\xd6' epoch=2021-06-15 15:09:55 total_size=16 command='COMMAND_SLEEP' size=8 data=b'\x00\x00\x00d\x00\x00\x00Z'>
```

## License

**dissect.cobaltstrike** is developed and distributed under the MIT license.
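The `BeaconConfig.from_path` call shown under Basic usage above hides how a beacon stores its configuration: a block of index/type/length records, XOR-encoded with a single byte (0x2e for 4.x beacons, 0x69 for 3.x). The Python below is an added example for this page, not dissect.cobaltstrike code. It constructs a sample beacon blob from the setting values the README output shows (protocol 8, port 443, sleeptime 5000, watermark 0x5109bf6d; the `cdn.example.test` C2 host and user agent are made up), then locates and decodes the block the way any parser has to. The XOR keys, record layout and setting indices are Cobalt Strike format facts; only the blob itself is constructed.

```python
"""Locate and decode a Cobalt Strike beacon configuration block.

Added illustration, not dissect.cobaltstrike code: the beacon below is constructed, the
encoding rules (single-byte XOR, big-endian index/type/length records) are the real ones.
"""
import struct

# Beacon 4.x XOR-encodes the embedded config with 0x2e; 3.x beacons use 0x69.
XOR_KEYS = (0x2E, 0x69)
# Record types: 1 = 16-bit short, 2 = 32-bit int, 3 = fixed-size bytes.
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3
# Subset of setting indices, named as dissect.cobaltstrike reports them.
SETTING_NAMES = {
    1: "SETTING_PROTOCOL", 2: "SETTING_PORT", 3: "SETTING_SLEEPTIME",
    4: "SETTING_MAXGET", 5: "SETTING_JITTER", 8: "SETTING_DOMAINS",
    9: "SETTING_USERAGENT", 37: "SETTING_WATERMARK",
}
# SETTING_PROTOCOL values: 0 = http, 1 = dns, 8 = https (the README beacon reports 8).
PROTOCOLS = {0: "http", 1: "dns", 8: "https"}


def tlv(index, kind, value):
    """Encode one setting record: index, type, length (all >H) followed by the value."""
    if kind == TYPE_SHORT:
        payload = struct.pack(">H", value)
    elif kind == TYPE_INT:
        payload = struct.pack(">I", value)
    else:
        payload = value
    return struct.pack(">HHH", index, kind, len(payload)) + payload


def build_sample_beacon():
    """Constructed sample: settings mirroring the README output (https, 443, sleep 5000,
    watermark 0x5109bf6d), zero padded, XOR-ed with 0x2e and surrounded by junk bytes."""
    config = b"".join([
        tlv(1, TYPE_SHORT, 8),
        tlv(2, TYPE_SHORT, 443),
        tlv(3, TYPE_INT, 5000),
        tlv(4, TYPE_INT, 1048576),
        tlv(5, TYPE_SHORT, 0),
        tlv(8, TYPE_BYTES, b"cdn.example.test,/activity".ljust(256, b"\x00")),
        tlv(9, TYPE_BYTES, b"Mozilla/5.0 (constructed)".ljust(128, b"\x00")),
        tlv(37, TYPE_INT, 0x5109BF6D),
    ]).ljust(1024, b"\x00")
    return b"\x90" * 64 + bytes(b ^ 0x2E for b in config) + b"\xcc" * 32


def find_config(blob):
    """Scan for the XOR-ed header of the first record (index 1, short, length 2)
    under each known key; this is how the config is located inside a payload."""
    marker = struct.pack(">HHH", 1, TYPE_SHORT, 2)
    for key in XOR_KEYS:
        offset = blob.find(bytes(b ^ key for b in marker))
        if offset != -1:
            return key, offset
    raise ValueError("no beacon configuration block found")


def parse_config(blob):
    """Return (xor_key, {setting_name: value}) for the config block found in blob."""
    key, offset = find_config(blob)
    data = bytes(b ^ key for b in blob[offset:])
    settings, pos = {}, 0
    while pos + 6 <= len(data):
        index, kind, length = struct.unpack_from(">HHH", data, pos)
        if index == 0:  # zero padding after the last record ends the config
            break
        pos += 6
        raw = data[pos:pos + length]
        pos += length
        if kind == TYPE_SHORT and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif kind == TYPE_INT and length == 4:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\x00")  # byte fields are NUL padded to a fixed size
        settings[SETTING_NAMES.get(index, f"SETTING_{index}")] = value
    return key, settings


def protocol_name(settings):
    """Name the transport, as BeaconConfig.protocol does for 8 -> 'https'."""
    proto = settings["SETTING_PROTOCOL"]
    return PROTOCOLS.get(proto, f"unknown({proto:#x})")


if __name__ == "__main__":
    key, settings = parse_config(build_sample_beacon())
    print(f"xor key {key:#x}, protocol {protocol_name(settings)}, "
          f"watermark {settings['SETTING_WATERMARK']:#x}")
    for name, value in settings.items():
        print(f"  {name} = {value!r}")
```

The marker scan is the same heuristic most config extractors rely on, so it also shows the limit: a beacon whose config block is compressed, staged or otherwise not yet in memory as plain XOR-ed records will not be found this way, and the 3.x key must be tried as a fallback.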
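`C2Profile.as_dict()` under Basic usage above flattens a Malleable C2 profile into dotted keys such as `http-get.client.header`. As an added example (this page's illustration, not the library's own parser), the following Python tokenizes and parses a constructed profile modelled on the amazon.profile values shown above and produces that same shape. Where the README shows the convention (`set` values as strings, two-argument statements as tuples) the example follows it; flattening argument-less keywords such as `base64` to `True` and dropping block variant labels are this example's own choices.

```python
"""Flatten a Malleable C2 profile into dotted keys, the shape C2Profile.as_dict() shows above.

Added illustration, not the dissect.cobaltstrike parser. It covers the core grammar only:
`set name "value";`, `keyword "arg" ...;` statements and nested `name { ... }` blocks.
"""
import re

# Constructed sample, modelled on the amazon.profile values in the README output above.
SAMPLE_PROFILE = r'''
set sleeptime "5000";
set jitter    "0";
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

http-get {
    set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books";
    client {
        header "Accept" "*/*";
        header "Host" "www.amazon.com";
        metadata {
            base64;
            prepend "session-token=";   # constructed cookie name
            header "Cookie";
        }
    }
}
'''

# whitespace | comment | "quoted string" | one of { } ; | bare word
TOKEN_RE = re.compile(r'\s+|#[^\n]*|"((?:[^"\\]|\\.)*)"|([{};])|([^\s{};"]+)')


def tokenize(text):
    """Return (kind, value) tokens; reject anything the grammar does not cover."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:  # quoted string, backslash escapes resolved
            tokens.append(("str", re.sub(r"\\(.)", r"\1", m.group(1))))
        elif m.group(2):
            tokens.append(("sym", m.group(2)))
        elif m.group(3):
            tokens.append(("word", m.group(3)))
    if pos != len(text):
        raise ValueError(f"unterminated token at offset {pos}")
    return tokens


def parse_profile(text):
    """Return {dotted.key: [values]}. `set` records the string value; any other statement
    records a tuple of its arguments, the single argument, or True when it has none."""
    tokens = tokenize(text)
    props, stack, pos = {}, [], 0

    def expect(kind, value=None):
        nonlocal pos
        if pos >= len(tokens) or tokens[pos][0] != kind or (value and tokens[pos][1] != value):
            raise ValueError(f"expected {value or kind} at token {pos}")
        pos += 1
        return tokens[pos - 1][1]

    while pos < len(tokens):
        kind, value = tokens[pos]
        if (kind, value) == ("sym", "}"):
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            pos += 1
        elif (kind, value) == ("word", "set"):
            pos += 1
            name, val = expect("word"), expect("str")
            expect("sym", ";")
            props.setdefault(".".join(stack + [name]), []).append(val)
        elif kind == "word":
            pos += 1
            args = []
            while pos < len(tokens) and tokens[pos][0] == "str":
                args.append(expect("str"))
            if pos < len(tokens) and tokens[pos] == ("sym", "{"):
                pos += 1
                stack.append(value)  # a variant label (http-get "x" { ... }) is dropped here
            else:
                expect("sym", ";")
                flat = tuple(args) if len(args) > 1 else (args[0] if args else True)
                props.setdefault(".".join(stack + [value]), []).append(flat)
        else:
            raise ValueError(f"unexpected token {value!r} at token {pos}")
    if stack:
        raise ValueError(f"unclosed block {'.'.join(stack)!r}")
    return props


if __name__ == "__main__":
    for key, values in parse_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {values}")
```

Keeping every value in a list, even singletons, is what lets repeated statements such as two `header` lines accumulate under one key; the strict tokenizer refuses profiles with stray characters or unterminated strings instead of silently skipping them, which matters when the profile was recovered from a suspect file rather than written by hand.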
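The `beacon-pcap` output above prints the fields of a decrypted Beacon metadata record and of a task packet. The Python below is an added example, not dissect.cobaltstrike code. It reconstructs the metadata plaintext from the printed values (the `ip` field is a zero placeholder because the output above is blank there), parses it back, derives the AES and HMAC session keys from `aes_rand`, verifies the trailing HMAC of a constructed ciphertext, and decodes the `COMMAND_SLEEP` task frame. The `-p key.pem` argument is the Team Server's RSA private key, which is what makes the metadata (carried base64-encoded in the `Cookie` header, per the `SETTING_C2_REQUEST` program above) recoverable; the AES-CBC decryption step itself needs a third-party crypto library (the `full` extra pulls one in) and is left out so that the example runs on the standard library alone.

```python
"""Decode Beacon metadata and a task frame, and derive the per-session keys.

Added illustration, not dissect.cobaltstrike code. The metadata plaintext is what
`beacon-pcap -p key.pem` recovers by RSA-decrypting the beacon's Cookie header with the
Team Server private key; here it is reconstructed from the README field values. Stdlib only.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timezone

METADATA_MAGIC = 0xBEEF  # 48879 in the README output
# Fixed-size metadata fields after magic and size; info (host\tuser\tprocess) follows them.
BODY_FMT = "16sHHIIHBBBHIII4s"
META_FMT = ">II" + BODY_FMT
META_FIELDS = ("magic", "size", "aes_rand", "ansi_cp", "oem_cp", "bid", "pid", "port", "flag",
               "ver_major", "ver_minor", "ver_build", "ptr_x64", "ptr_gmh", "ptr_gpa", "ip")
COMMANDS = {4: "COMMAND_SLEEP"}  # subset of task ids; 4 is the one in the README output
SAMPLE_AES_RAND = b"\xf9dA\xc8\x8b\x07\xe1:\xfa\np\xbc{`m\xe0"  # from the README output


def build_sample_metadata():
    """Constructed plaintext with the README field values; ip is a zero placeholder."""
    body = struct.pack(">" + BODY_FMT, SAMPLE_AES_RAND, 58372, 46337, 693615746, 6396, 0, 4,
                       10, 0, 19042, 0, 1972243040, 1972237648, b"\x00" * 4)
    body += b"DESKTOP-X9JH6AW\ttabitha.gomez\tsvchost.exe"
    return struct.pack(">II", METADATA_MAGIC, len(body)) + body  # size comes out as 92


def parse_metadata(blob):
    """Unpack the metadata; reject a wrong magic or a size that does not fit the blob."""
    fixed = struct.calcsize(META_FMT)
    if len(blob) < fixed:
        raise ValueError("metadata too short")
    meta = dict(zip(META_FIELDS, struct.unpack_from(META_FMT, blob, 0)))
    if meta["magic"] != METADATA_MAGIC:
        raise ValueError(f"bad metadata magic {meta['magic']:#x}")
    end = 8 + meta["size"]  # size counts everything after magic and size
    if end > len(blob):
        raise ValueError("declared size exceeds blob")
    hostname, user, process = blob[fixed:end].split(b"\t", 2)
    meta.update(hostname=hostname.decode(), user=user.decode(), process=process.decode())
    return meta


def derive_keys(aes_rand):
    """SHA-256 of the 16-byte aes_rand: first half is the AES-128 key, second half the HMAC key."""
    digest = hashlib.sha256(aes_rand).digest()
    return digest[:16], digest[16:]


def verify_task_blob(blob, hmac_key):
    """Check the 16-byte truncated HMAC-SHA256 that trails an encrypted Beacon message;
    only a blob that passes should be handed to AES-CBC decryption of blob[:-16]."""
    expected = hmac.new(hmac_key, blob[:-16], hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expected, blob[-16:])


def sign_task_blob(ciphertext, hmac_key):
    """Inverse of verify_task_blob, used here only to build a constructed sample."""
    return ciphertext + hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()[:16]


def parse_task_frame(plaintext):
    """Decode a decrypted task frame: epoch, total_size, then (command, size, data) records."""
    epoch, total_size = struct.unpack_from(">II", plaintext, 0)
    body = plaintext[8:8 + total_size]
    tasks, pos = [], 0
    while pos + 8 <= len(body):
        command, size = struct.unpack_from(">II", body, pos)
        pos += 8
        tasks.append((COMMANDS.get(command, f"COMMAND_{command}"), body[pos:pos + size]))
        pos += size
    return datetime.fromtimestamp(epoch, tz=timezone.utc), tasks


def decode_sleep(data):
    """COMMAND_SLEEP data: sleep time in milliseconds, then jitter percentage (both >I)."""
    return struct.unpack(">II", data)


def build_sample_task_frame():
    """Constructed plaintext matching the README task record (COMMAND_SLEEP, total_size 16)."""
    epoch = int(datetime(2021, 6, 15, 15, 9, 55, tzinfo=timezone.utc).timestamp())
    task = struct.pack(">II", 4, 8) + b"\x00\x00\x00d\x00\x00\x00Z"
    return struct.pack(">II", epoch, len(task)) + task


if __name__ == "__main__":
    meta = parse_metadata(build_sample_metadata())
    aes_key, hmac_key = derive_keys(meta["aes_rand"])
    print(f"{meta['hostname']}\\{meta['user']} {meta['process']} pid={meta['pid']} "
          f"aes_key={aes_key.hex()} hmac_key={hmac_key.hex()}")
    when, tasks = parse_task_frame(build_sample_task_frame())
    for command, data in tasks:
        print(when, command, decode_sleep(data) if command == "COMMAND_SLEEP" else data)
```

The 51 bytes of fixed fields plus the 41-byte `DESKTOP-X9JH6AW\ttabitha.gomez\tsvchost.exe` string add up to the `size=92` the README prints, and the 48-byte response body above is a 32-byte AES-CBC ciphertext followed by the 16-byte HMAC this code checks, so the layout can be cross-checked against the output on the page. The byte order of the `ip` field is not shown above and is deliberately not interpreted here.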