apr4h / cobaltstrikescan

Scan files or process memory for CobaltStrike beacons and parse their configuration

License: MIT License

C# 99.33% Smalltalk 0.67%

cobaltstrikescan's People

Contributors

apr4h


cobaltstrikescan's Issues

feature: Specify PID

Describe the solution you'd like
It appears the current method of scanning can take a little bit of time to scan through the entire system. It would be much more ideal if one could specify a suspected target process via a --pid argument (e.g. ./CobaltStrikeScan -i --pid 1234), much like malunpack or hollowshunter.

ArgumentException in Beacon.cs

Hi, I hope it's okay that I raised another issue. I tested this with CobaltStrike beacon v4 on x64 injected threads on two different Windows 10 VMs and it produced the following output:


Scanning processes for injected threads
Found injected thread
Process : <process name>
Process ID : 4592
Thread ID : 5484

Scanning injected thread for CobaltStrike beacon

Unhandled Exception: System.ArgumentException: An item with the same key has already been added.
   at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
   at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
   at CobaltStrikeConfigParser.Beacon.ParseTLV(Byte[] configBytes)
   at ConsoleUI.Program.GetBeaconFromYaraScan(Dictionary`2 beaconMatchOffsets, Byte[] bytes) in C:\Users\<username>\CobaltStrikeScan\ConsoleUI\Program.cs:line 167
   at ConsoleUI.Program.Main(String[] args) in C:\Users\<username>\CobaltStrikeScan\ConsoleUI\Program.cs:line 52


I'm unable to debug CobaltStrikeConfigParser in the solution because of the build order, so I wasn't able to dig deeper. I tried adding some try/catch blocks and checks for whether the dict contains the key, but that doesn't seem to help.

Thank you!

Build errors - Visual Studio 2019

Hi, I've been trying to build your project for a few days to no avail. I've configured the project to build an x64 .NET 4.6 assembly.

Error:

Severity / Code / Description / Project / File / Line / Suppression State

Error CS0006 Metadata file 'C:\Users\<username>\CobaltStrikeScan\CobaltStrikeConfigParser\bin\Debug\CobaltStrikeConfigParser.dll' could not be found ConsoleUI C:\Users\<username>\CobaltStrikeScan\ConsoleUI\CSC 1 Active

Error CS0006 Metadata file 'C:\Users\<username>\CobaltStrikeScan\GetInjectedThreads\bin\Debug\GetInjectedThreads.dll' could not be found ConsoleUI C:\Users\<username>\CobaltStrikeScan\ConsoleUI\CSC 1 Active

Error This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is packages\Microsoft.O365.Security.Native.libyara.NET.4.0.2\build\net46\Microsoft.O365.Security.Native.libyara.NET.props. CobaltStrikeConfigParser C:\Users\<username>\CobaltStrikeScan\CobaltStrikeConfigParser\CobaltStrikeConfigParser.csproj 93

I've tried building CobaltStrikeConfigParser/GetInjectedThreads first before building the project, I've tried adding all the different versions of Microsoft.O365.Security.Native.libyara.NET via the NuGet package manager, I've made sure that I cloned with the --recursive flag... nothing seems to work. This seems like a great project and I'd like to contribute.

Support for memory dump

Thanks for the interesting/cool solution.

Is your feature request related to a problem? Please describe.
It would be nice to be able to scan a memory dump.

Describe the solution you'd like
Scan a memory dump and get the offset and configuration.

Describe alternatives you've considered
https://github.com/JPCERTCC/aa-tools

Adding a license

Hi there! Would you consider adding a license to the code to provide contributors and users information about the acceptable terms of usage?

There are a lot of options, the site https://choosealicense.com/licenses/ provides a number of choices, though if you are considering something permissible that can help us all continue to combat threat actors I would suggest evaluating any of the following:

  1. Boost Software License 1.0 https://choosealicense.com/licenses/bsl-1.0/
  2. MIT https://choosealicense.com/licenses/mit/

If you would prefer no license, you can make it public domain, though it would help to include a license file similar to the one shown here: https://choosealicense.com/licenses/unlicense/

"libyaraNET" Missing

Hi,
I am having difficulties creating the program with msbuild. I get the error message that when CobaltStrikeConfigParser.csproj is created, "libyaraNET" cannot be found. The process is then canceled. What do I have to install so that the creation of the program works?

I'm using a Windows 10 system with Visual Studio Build Tools 2019 (Version 16.9.4) and .NET Framework Versions 4-4.6.1

Error when running

未经处理的异常: System.MissingMethodException: 找不到方法:“Boolean System.Console.get_IsOutputRedirected()”。

Server stack trace:
在 CommandLine.ParserSettings.GetWindowWidth()
在 CommandLine.Parser.<>c.<.cctor>b__20_0()
在 System.Lazy`1.CreateValue()

Exception rethrown at [0]:
在 CommandLine.ParserSettings.GetWindowWidth()
在 CommandLine.Parser.<>c.<.cctor>b__20_0()
在 System.Lazy`1.CreateValue()
在 System.Lazy`1.LazyInitValue()
在 ConsoleUI.Program.Main(String[] args)
