import argparse
import json
import os
import sys
from lib import decrypt_beacon, decode_config, JsonEncoder
"""
Extract configuration from a Cobalt Strike beacon
Author : Etienne Maynier, Amnesty Tech
Email: [email protected]
Date : March 2020
"""
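def _print_config(config, as_json):
    """Print a decoded beacon configuration to stdout.

    Args:
        config: mapping of setting name -> value as returned by decode_config.
        as_json: emit a single JSON document (sorted keys, 4-space indent,
            serialized through the project's JsonEncoder) instead of an
            aligned "name value" table.
    """
    if as_json:
        print(json.dumps(config, indent=4, sort_keys=True, cls=JsonEncoder))
        return
    for name, value in config.items():
        # Raw byte values are hex-encoded so the table stays printable;
        # accept bytes as well as bytearray so neither falls through to repr().
        if isinstance(value, (bytes, bytearray)):
            value = value.hex()
        print("{:30} {}".format(name, value))


def main():
    """Command-line entry point: extract the configuration of a Cobalt Strike beacon.

    Diagnostics are written to stderr so that ``--json`` output on stdout stays
    machine-parseable even when ``--dump`` is also given. The process exits with
    status 1 when the payload path is not a regular file, when an encrypted
    beacon cannot be decrypted, or when no configuration is found, so callers
    can script around the result (the original used ``sys.exit(-1)``, which
    the shell reports as 255, and exited 0 on "Configuration not found").
    """
    parser = argparse.ArgumentParser(description='Extract Cobalt Strike configuration')
    parser.add_argument('PAYLOAD', help='A Cobalt Strike beacon')
    parser.add_argument('--json', '-j', action="store_true", help='Print json')
    parser.add_argument('--dump', '-D', help='Extract the beacon (only if the beacon is encrypted)')
    args = parser.parse_args()

    if not os.path.isfile(args.PAYLOAD):
        print("Not a file: {}".format(args.PAYLOAD), file=sys.stderr)
        sys.exit(1)

    with open(args.PAYLOAD, "rb") as f:
        data = f.read()

    # The author treats these two leading byte pairs as the signature of an
    # encrypted (stager-wrapped) beacon that has to be decrypted before the
    # configuration can be decoded; anything else is passed to decode_config as-is.
    if data.startswith((b"\xfc\xe8", b"\xfc\x48")):
        payload = decrypt_beacon(data)
        if not payload:
            print("Looks like an encrypted beacon but impossible to find the base address",
                  file=sys.stderr)
            sys.exit(1)
        if args.dump:
            # "wb" truncates any existing file at the operator-chosen dump path.
            with open(args.dump, "wb") as out:
                out.write(payload)
            print("Beacon written in {}".format(args.dump), file=sys.stderr)
        data = payload
    elif args.dump:
        # Previously --dump was silently ignored for unencrypted input.
        print("--dump ignored: the beacon is not encrypted", file=sys.stderr)

    config = decode_config(data)
    if not config:
        print("Configuration not found", file=sys.stderr)
        sys.exit(1)
    _print_config(config, args.json)


if __name__ == "__main__":
    main()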