CobaltStrikeParser – Python parser for CobaltStrike Beacon’s configuration

Python parser for CobaltStrike Beacon’s configuration Description Use parse_beacon_config.py for stageless beacons, memory dumps or C2 urls with metasploit compatibility mode (default true). Many stageless beacons are PEs where the beacon code itself is stored in the .data section and xored with 4-byte key. The script tries to find the xor key and data heuristically,Read More

BeaconEye – Hunts Out CobaltStrike Beacons And Logs Operator Command Output

BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity. How it works BeaconEye will scan live processes or MiniDump files for suspected CobaltStrike beacons. In live process mode, BeaconEye optionally attaches itself as a debugger and will begin monitoring beaconRead More

RedWarden – Flexible CobaltStrike Malleable Redirector

RedWarden – Flexible CobaltStrike Malleable Redirector (previously known as proxy2’s malleable_redirector plugin) Let’s raise the bar in C2 redirectors IR resiliency, shall we? Red Teaming business has seen several different great ideas on how to combat incident responders and misdirect them while offering resistant C2 redirectors network at the same time. This work combines manyRead More

CobaltStrikeScan – Scan Files Or Process Memory For CobaltStrike Beacons And Parse Their Configuration

Scan files or process memory for Cobalt Strike beacons and parse their configuration. CobaltStrikeScan scans Windows process memory for evidence of DLL injection (classic or reflective injection) and performs a YARA scan on the target process’ memory for Cobalt Strike v3 and v4 beacon signatures. Alternatively, CobaltStrikeScan can perform the same YARA scan on aRead More

X