apr4h / cobaltstrikescan
Scan files or process memory for CobaltStrike beacons and parse their configuration

License: MIT License

C# 99.33% Smalltalk 0.67%

cobaltstrikescan's Introduction

CobaltStrikeScan

Scan files or process memory for Cobalt Strike beacons and parse their configuration.

CobaltStrikeScan scans Windows process memory for evidence of DLL injection (classic or reflective injection) and/or performs a YARA scan on the target process' memory for Cobalt Strike v3 and v4 beacon signatures.

Alternatively, CobaltStrikeScan can perform the same YARA scan on a file supplied by absolute or relative path as a command-line argument.

If a Cobalt Strike beacon is detected in the file or process, the beacon's configuration will be parsed and displayed to the console.

Cloning This Repo

CobaltStrikeScan contains GetInjectedThreads as a git submodule. Clone with git clone --recursive https://github.com/Apr4h/CobaltStrikeScan.git so that the submodule's code is fetched along with the main repository; a plain clone leaves the GetInjectedThreads directory empty and the solution will not build.

Building the Solution

Costura.Fody is configured to embed CommandLine.dll and libyara.NET.dll in the compiled CobaltStrikeScan.exe assembly. CobaltStrikeScan.exe should then serve as a static, portable version of CobaltStrikeScan. For this to occur, ensure that the "Active Solution Platform" is set to x64 when building.

Acknowledgements

This project is inspired by the following research / articles:

Requirements

  • 64-bit Windows OS
  • .NET Framework 4.6
  • Administrator or SeDebugPrivilege is required to scan process memory for injected threads

Usage

  -d, --directory-scan          Scan all process/memory dump files in a directory for Cobalt Strike beacons

  -f, --scan-file               Scan a process/memory dump for Cobalt Strike beacons

  -i, --injected-threads        Scan running (64-bit) processes for injected threads and Cobalt Strike beacons

  -p, --scan-processes          Scan running processes for Cobalt Strike beacons

  -v, --verbose                 Write verbose output

  -w, --write-process-memory    Write process memory to file when injected threads are detected

  -h, --help                    Display Help Message

  --help                        Display this help screen.

  --version                     Display version information.

Example

[Screenshot of example output]

cobaltstrikescan's Issues

ArgumentException in Beacon.cs

Hi, I hope it's okay that I raised another issue. I tested this with CobaltStrike beacon v4 on x64 injected threads on two different Windows 10 VMs and it produced the following output:


Scanning processes for injected threads
Found injected thread
Process : <process name>
Process ID : 4592
Thread ID : 5484

Scanning injected thread for CobaltStrike beacon

Unhandled Exception: System.ArgumentException: An item with the same key has already been added.
   at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
   at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
   at CobaltStrikeConfigParser.Beacon.ParseTLV(Byte[] configBytes)
   at ConsoleUI.Program.GetBeaconFromYaraScan(Dictionary`2 beaconMatchOffsets, Byte[] bytes) in C:\Users\<username>\CobaltStrikeScan\ConsoleUI\Program.cs:line 167
   at ConsoleUI.Program.Main(String[] args) in C:\Users\<username>\CobaltStrikeScan\ConsoleUI\Program.cs:line 52


I'm unable to debug CobaltStrikeConfigParser in the solution because of the build order, so I wasn't able to dig deeper. I tried adding some try/catch blocks and checks for whether the dict contains the key, but that doesn't seem to help.

Thank you!
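The configuration parsing the README describes, and the duplicate-key crash reported in this issue, as an added Python example (not the project's C# code). It relies on the publicly documented beacon config layout (big-endian index/type/length entries, XOR-encoded with 0x69 for v3 and 0x2E for v4); the sample blob, its setting values and the hostname are constructed.

```python
import struct

# Public beacon config layout: entries of index(u16 BE) | type(u16 BE) |
# length(u16 BE) | value; type 1 = short, 2 = int, 3 = bytes; index 0 ends the
# list; the blob is XOR-encoded with 0x69 (v3) or 0x2E (v4).
XOR_KEYS = {3: 0x69, 4: 0x2E}

def build_entry(idx, typ, value):
    raw = struct.pack(">H", value) if typ == 1 else struct.pack(">I", value) if typ == 2 else value
    return struct.pack(">HHH", idx, typ, len(raw)) + raw

# Constructed sample (indexes 1, 2, 3, 8 are BeaconType, Port, SleepTime, C2Server)
# in which index 2 occurs twice, the case that makes Dictionary.Add() throw above.
SAMPLE_PLAIN = (
    build_entry(1, 1, 8)                                    # BeaconType 8 = HTTPS
    + build_entry(2, 1, 443)                                # Port
    + build_entry(3, 2, 60000)                              # SleepTime (ms)
    + build_entry(8, 3, b"c2.example.invalid,/updates\x00")  # C2Server,URI
    + build_entry(2, 1, 8080)                               # duplicate Port entry
    + struct.pack(">HHH", 0, 0, 0)                          # terminator
)
SAMPLE_V4 = bytes(b ^ XOR_KEYS[4] for b in SAMPLE_PLAIN)

def guess_version(encoded):
    """A decoded config starts with entry (index 1, type 1, length 2); try each key."""
    return next((v for v, k in XOR_KEYS.items()
                 if bytes(b ^ k for b in encoded[:6]) == b"\x00\x01\x00\x01\x00\x02"), None)

def parse_config(encoded, version):
    """XOR-decode and walk the TLV list; a duplicate index is recorded, not fatal."""
    data = bytes(b ^ XOR_KEYS[version] for b in encoded)
    settings, duplicates, off = {}, [], 0
    while off + 6 <= len(data):
        idx, typ, length = struct.unpack_from(">HHH", data, off)
        off += 6
        if idx == 0:
            break
        raw = data[off:off + length]
        off += length
        if len(raw) != length:
            break  # blob truncated (e.g. partial memory read)
        value = (struct.unpack(">H", raw[:2])[0] if typ == 1 else
                 struct.unpack(">I", raw[:4])[0] if typ == 2 else raw.rstrip(b"\x00"))
        if idx in settings:
            duplicates.append(idx)  # first value wins; plain Dictionary.Add() would throw
        else:
            settings[idx] = value
    return settings, duplicates
```

Reporting the duplicate indexes alongside the parsed settings keeps the scan going and still surfaces the oddity to the analyst.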

Adding a license

Hi there! Would you consider adding a license to the code to provide contributors and users information about the acceptable terms of usage?

There are a lot of options, the site https://choosealicense.com/licenses/ provides a number of choices, though if you are considering something permissible that can help us all continue to combat threat actors I would suggest evaluating any of the following:

  1. Boost Software License 1.0 https://choosealicense.com/licenses/bsl-1.0/
  2. MIT https://choosealicense.com/licenses/mit/

If you would prefer no license, you can make it public domain, though it would help to include a license file similar to the one shown here: https://choosealicense.com/licenses/unlicense/

Error when running

未经处理的异常: System.MissingMethodException: 找不到方法:“Boolean System.Console.get_IsOutputRedirected()”。

Server stack trace:
在 CommandLine.ParserSettings.GetWindowWidth()
在 CommandLine.Parser.<>c.<.cctor>b__20_0()
在 System.Lazy`1.CreateValue()

Exception rethrown at [0]:
在 CommandLine.ParserSettings.GetWindowWidth()
在 CommandLine.Parser.<>c.<.cctor>b__20_0()
在 System.Lazy`1.CreateValue()
在 System.Lazy`1.LazyInitValue()
在 ConsoleUI.Program.Main(String[] args)

feature: Specify PID

Describe the solution you'd like
It appears the current method of scanning can take a little bit of time to scan through the entire system. It would be much more ideal if one could specify a suspected target process via a --pid argument (e.g. ./CobaltStrikeScan -i --pid 1234), much like malunpack or hollowshunter.

"libyaraNET" Missing

Hi,
I am having difficulties building the program with msbuild. I get the error message that when CobaltStrikeConfigParser.csproj is built, "libyaraNET" cannot be found. The process is then cancelled. What do I have to install so that building the program works?

I'm using a Windows 10 system with Visual Studio Build Tools 2019 (Version 16.9.4) and .NET Framework Versions 4-4.6.1

Build errors - Visual Studio 2019

Hi, I've been trying to build your project for a few days to no avail. I've configured the project to build an x64 .NET 4.6 assembly.

Error:

Severity Code Description Project File Line Suppression State
Error CS0006 Metadata file 'C:\Users\<username>\CobaltStrikeScan\CobaltStrikeConfigParser\bin\Debug\CobaltStrikeConfigParser.dll' could not be found ConsoleUI C:\Users\<username>\CobaltStrikeScan\ConsoleUI\CSC 1 Active

Error CS0006 Metadata file 'C:\Users\<username>\CobaltStrikeScan\GetInjectedThreads\bin\Debug\GetInjectedThreads.dll' could not be found ConsoleUI C:\Users\<username>\CobaltStrikeScan\ConsoleUI\CSC 1 Active

Error This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is packages\Microsoft.O365.Security.Native.libyara.NET.4.0.2\build\net46\Microsoft.O365.Security.Native.libyara.NET.props. CobaltStrikeConfigParser C:\Users\<username>\CobaltStrikeScan\CobaltStrikeConfigParser\CobaltStrikeConfigParser.csproj 93

I've tried building CobaltStrikeConfigParser/GetInjectedThreads first before building the project, I've tried adding all the different versions of Microsoft.O365.Security.Native.libyara.NET via NuGet package manager, I've made sure that I cloned with the --recursive flag... nothing seems to work. This seems like a great project and I'd like to contribute.

Support for memory dumps

Thanks for the interesting/cool solution.

Is your feature request related to a problem? Please describe.
It would be nice to be able to scan a memory dump.

Describe the solution you'd like
Scan a memory dump and get the offset and configuration.

Describe alternatives you've considered
https://github.com/JPCERTCC/aa-tools
