dissect.cobaltstrike documentation

Welcome! This is the official documentation for dissect.cobaltstrike.

dissect.cobaltstrike is a Python library for dissecting and parsing Cobalt Strike related data such as beacon payloads and Malleable C2 Profiles.

Source code can be found here:

  • https://github.com/fox-it/dissect.cobaltstrike

Note

dissect.cobaltstrike is released under the MIT license.

Overview

  • Installation
    • Install the latest pre-release version
    • Installing from source
    • Running tests
    • Linting
    • Documentation
  • Examples
    • Beacon Configuration
    • Memory dumps
    • PE Artifacts
    • C2 Profiles
    • BeaconConfig to C2 Profile
    • Stager URIs and checksum8
  • Tutorials
    • A Minimal Beacon Client
    • Decrypt Cobalt Strike PCAPs
  • Scripts
    • example_client.py
    • checksum8-accesslogs.py
    • dump_beacon_keys.py

Tools

  • beacon-artifact
  • beacon-client
  • beacon-dump
  • beacon-pcap
  • beacon-xordecode
  • c2profile-dump

Reference

  • API reference
    • Submodules
  • Structure definitions
    • dissect.cobaltstrike.beacon.CS_DEF
    • dissect.cobaltstrike.pe.PE_DEF
    • dissect.cobaltstrike.c_c2.C2_DEF
    • dissect.cobaltstrike.guardrails.C_GUARDRAILS_DEF
  • C2Profile grammar
  • Beacon version identification

Links

  • GitHub Repository
  • GitHub Discussions
  • Python Package Index

Indices and tables

  • Index
  • Module Index
  • Search Page

© Copyright 2022-2025, Fox-IT part of NCC Group.