Hi, I hope its okay that I raised another issue. I tested this with CobaltStrike beacon v4 on x64 injected threads on two different Windows 10 VMs and it produced the following output:

Scanning processes for injected threads
Found injected thread
Process : <process name>
Process ID : 4592
Thread ID : 5484

Scanning injected thread for CobaltStrike beacon

Unhandled Exception: System.ArgumentException: An item with the same key has already been added.
at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
at System.Collections.Generic.Dictionary2.Insert(TKey key, TValue value, Boolean add) at CobaltStrikeConfigParser.Beacon.ParseTLV(Byte[] configBytes) at ConsoleUI.Program.GetBeaconFromYaraScan(Dictionary2 beaconMatchOffsets, Byte[] bytes) in C:\Users<username>\CobaltStrikeScan\ConsoleUI\Program.cs:line 167
at ConsoleUI.Program.Main(String[] args) in C:\Users<username>\CobaltStrikeScan\ConsoleUI\Program.cs:line 52

I'm unable to debug CobaltStrikeConfigParser in the solution because of the build order so I wasn't able to dig deeper. I tried adding some try catch blocks and checks for whether the dict contains the key, but that doesn't seem to help.

Thank you!

Hi there! Would you consider adding a license to the code to provide contributors and users information about the acceptable terms of usage?

There are a lot of options, the site https://choosealicense.com/licenses/ provides a number of choices, though if you are considering something permissible that can help us all continue to combat threat actors I would suggest evaluating any of the following:

1. Boost Software License 1.0 https://choosealicense.com/licenses/bsl-1.0/
2. MIT https://choosealicense.com/licenses/mit/

If you would prefer no license, you can make it public domain, though it would help to include a license file similar to the one shown here: https://choosealicense.com/licenses/unlicense/

Folder GetInjectedThreads is empty.

Listening is http
no Malleable-C2-Profiles

未经处理的异常: System.MissingMethodException: 找不到方法:“Boolean System.Console.get_IsOutputRedirected()”。

Server stack trace:
在 CommandLine.ParserSettings.GetWindowWidth()
在 CommandLine.Parser.<>c.<.cctor>b__20_0()
在 System.Lazy`1.CreateValue()

Exception rethrown at [0]:
在 CommandLine.ParserSettings.GetWindowWidth()
在 CommandLine.Parser.<>c.<.cctor>b__20_0()
在 System.Lazy1.CreateValue() 在 System.Lazy1.LazyInitValue()
在 ConsoleUI.Program.Main(String[] args)

Describe the solution you'd like
It appears the current method of scanning can take a little bit of time to scan through the entire system. It would be much more ideal if one could specify a suspected target process via a --pid argument (e.g. ./CobaltStrikeScan -i --pid 1234, much like malunpack or hollowshunter.

Great tool.
It would be nice to include the following Google Yara rules in:
https://github.com/chronicle/GCTI/tree/main/YARA

Hi,
I am having difficulties creating the program with msbuild. I get the error message that when CobaltStrikeConfigParser.csproj is created, "libyaraNET" cannot be found. The process is then canceled. What do I have to install so that the creation of the program works.

I'm using a Windows 10 system with Visual Studio Build Tools 2019 (Version 16.9.4) and .NET Framework Versions 4-4.6.1

Please help me,
I scanned this tool on my server, but it's failed. You can see the attached pitures

Describe the bug
when i build this solution, there is a error about nuget

To Reproduce
build the solution

Expected behavior
build successfully,and run successfully

Screenshots

Desktop (please complete the following information):

• OS: win10 1903
• Tool Version vs2019
• .NET Framework Version 4.6

The current release does not work as a standalone product and only works when libyara is installed on the machine. Please recompile a working release.

Thank you!

Hi, I've been trying to build your project for a few days to no avail. I've configured the project to build a x64 .NET 4.6 assembly

Error:

Severity Code Description Project File Line Suppression State
Error CS0006 Metadata file 'C:\Users<username>\CobaltStrikeScan\CobaltStrikeConfigParser\bin\Debug\CobaltStrikeConfigParser.dll' could not be found ConsoleUI C:\Users<username>\CobaltStrikeScan\ConsoleUI\CSC 1 Active

Error CS0006 Metadata file 'C:\Users<username>\CobaltStrikeScan\GetInjectedThreads\bin\Debug\GetInjectedThreads.dll' could not be found ConsoleUI C:\Users<username>\CobaltStrikeScan\ConsoleUI\CSC 1 Active

Error This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is packages\Microsoft.O365.Security.Native.libyara.NET.4.0.2\build\net46\Microsoft.O365.Security.Native.libyara.NET.props. CobaltStrikeConfigParser C:\Users<username>\CobaltStrikeScan\CobaltStrikeConfigParser\CobaltStrikeConfigParser.csproj 93

I've tried building CobaltStrikeConfigParser/GetInjectedThreads first before building the project, I've tried adding all the different versions of Microsoft.O365.Security.Native.libyara.NET via NuGet package manager, I've made sure that I cloned with the --recursive flag...nothing seems to work. This seems like a great project and I'd like to contribute

Thanks for the interesting/cool solution.

Is your feature request related to a problem? Please describe.
Would be nice to be able to scan memory dump.

Describe the solution you'd like
Scan memory dump and get offset and configuration

Describe alternatives you've considered
https://github.com/JPCERTCC/aa-tools