CobaltStrikeScan – Scan Files Or Process Memory For CobaltStrike Beacons And Parse Their Configuration


Scan files or process memory for Cobalt Strike beacons and parse their configuration.

CobaltStrikeScan scans Windows process memory for evidence of DLL injection (classic or reflective injection) and performs a YARA scan on the target process' memory for Cobalt Strike v3 and v4 beacon signatures.

Alternatively, CobaltStrikeScan can perform the same YARA scan on a file supplied by absolute or relative path as a command-line argument.

If a Cobalt Strike beacon is detected in the file or process, the beacon's configuration will be parsed and displayed to the console.
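To make the two steps above concrete (find the beacon signature in a byte buffer, then decode the configuration block behind it), here is an added Python example. It is not CobaltStrikeScan's own code (the project is written in C#) and its YARA rules are not reproduced here. The example assumes the layout documented in public beacon write-ups: the config is XOR-encoded with a single byte (0x69 for v3, 0x2e for v4) and, once decoded, is a sequence of big-endian records of index (u16), type (u16: 1 = u16, 2 = u32, 3 = byte buffer), length (u16) and value, terminated by index 0. The byte signature searched for is simply the known plaintext prefix of that record stream XOR-ed with each key; the field-name table covers only a few well-known indices; the sample beacon block is constructed inline, not taken from a real sample.

```python
"""Added example: locate a Cobalt Strike style beacon config in a buffer and
decode its records. Not CobaltStrikeScan's code; layout and keys are assumptions
taken from public beacon config write-ups."""
import struct

# Assumed single-byte XOR keys per beacon generation.
XOR_KEYS = {"v3": 0x69, "v4": 0x2E}

# A decoded config starts with index 1 (type 1, len 2). XOR-ing that known
# prefix with each key yields the bytes a memory/file scanner can search for.
PLAIN_PREFIX = bytes([0x00, 0x01, 0x00, 0x01, 0x00, 0x02])
SIGNATURES = {ver: bytes(b ^ key for b in PLAIN_PREFIX) for ver, key in XOR_KEYS.items()}

# Subset of config indices (assumed from public write-ups; unknown ones are kept by number).
FIELD_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    8: "C2Server", 9: "UserAgent", 10: "HttpPostUri", 37: "Watermark",
}


def find_config(buf: bytes):
    """Return (version, offset) of the earliest signature hit, or None."""
    hits = [(buf.find(sig), ver) for ver, sig in SIGNATURES.items()]
    hits = [(off, ver) for off, ver in hits if off != -1]
    if not hits:
        return None
    off, ver = min(hits)
    return ver, off


def parse_config(buf: bytes, offset: int, key: int) -> dict:
    """Decode the XOR-encoded record stream starting at offset into a dict."""
    decoded = bytes(b ^ key for b in buf[offset:])
    fields, pos = {}, 0
    while pos + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, pos)
        pos += 6
        if idx == 0:                      # index 0 terminates the stream
            break
        value = decoded[pos:pos + length]
        if len(value) < length:           # truncated block: stop, keep what we have
            break
        pos += length
        if typ == 1 and length == 2:
            parsed = struct.unpack(">H", value)[0]
        elif typ == 2 and length == 4:
            parsed = struct.unpack(">I", value)[0]
        else:                             # type 3: null-padded buffer
            raw = value.rstrip(b"\x00")
            printable = raw and all(0x20 <= c < 0x7F for c in raw)
            parsed = raw.decode("ascii") if printable else raw.hex()
        fields[FIELD_NAMES.get(idx, f"Unknown_{idx}")] = parsed
    return fields


def scan(buf: bytes):
    """Signature search followed by config parsing, like a scanner's two stages."""
    hit = find_config(buf)
    if hit is None:
        return None
    ver, off = hit
    return {"version": ver, "offset": off, "config": parse_config(buf, off, XOR_KEYS[ver])}


def build_sample_config(key: int) -> bytes:
    """Constructed sample beacon config (not a real beacon), XOR-encoded with key."""
    def rec(idx, typ, value):
        return struct.pack(">HHH", idx, typ, len(value)) + value
    plain = (
        rec(1, 1, struct.pack(">H", 8))                     # BeaconType (value arbitrary)
        + rec(2, 1, struct.pack(">H", 443))                 # Port
        + rec(3, 2, struct.pack(">I", 60000))               # SleepTime (ms)
        + rec(4, 2, struct.pack(">I", 1048576))             # MaxGetSize
        + rec(5, 1, struct.pack(">H", 20))                  # Jitter (%)
        + rec(8, 3, b"c2.example.test,/updates.rss".ljust(256, b"\x00"))
        + rec(9, 3, b"Mozilla/5.0 (example)".ljust(128, b"\x00"))
        + rec(37, 2, struct.pack(">I", 0))                  # Watermark
        + struct.pack(">HHH", 0, 0, 0)                      # terminator
    )
    return bytes(b ^ key for b in plain)


# Constructed "process dump": some junk, the encoded config, trailing zeros.
SAMPLE_DUMP = b"MZ" + b"\x90" * 64 + build_sample_config(XOR_KEYS["v4"]) + b"\x00" * 32

if __name__ == "__main__":
    print(scan(SAMPLE_DUMP))
```

Two caveats a practitioner should keep in mind: a six-byte XOR-derived signature can match by chance in large memory images, so treat a hit as confirmed only when the parsed records look sane (non-zero port, a C2 host, a terminator reached), and a beacon built with a non-default XOR key or a tampered config layout will not match either key above, so absence of a hit is not proof of absence.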

Cloning This Repo

CobaltStrikeScan has GetInjectedThreads as a submodule. Ensure you use git clone --recursive https://github.com/Apr4h/CobaltStrikeScan.git when cloning CobaltStrikeScan so that the submodule's code is also downloaded/cloned.

Building the Solution

Costura.Fody is configured to embed CobaltStrikeConfigParser.dll and GetInjectedThreads.dll in the compiled ConsoleUI.exe assembly. ConsoleUI.exe should then function as a static, portable version of CobaltStrikeScan. For this to happen, ensure that the "Active Solution Platform" is set to x64 when building, and that the CobaltStrikeConfigParser and GetInjectedThreads projects are built before the ConsoleUI project, so that Costura.Fody can find the DLLs it needs to embed.

Acknowledgements

This project is inspired by the following research / articles:

Requirements

  • 64-bit Windows OS
  • .NET Framework 4.6
  • Administrator or SeDebugPrivilege is required to scan process memory for injected threads

Usage

  -d, --dump-processes     Dump process memory to file when injected threads are detected

  -f, --scan-file          Scan a file/process dump for CobaltStrike beacons

  -i, --injected-threads   Scan running (64-bit) processes for injected threads (won't scan for CobaltStrike beacons)

  -p, --scan-processes     Scan running processes for injected threads and CobaltStrike beacons

  -v, --verbose            Write verbose output (display detailed information for injected threads)

  -h, --help               Display Help Message

  --help                   Display this help screen.

  --version                Display version information.
