"""
Structure definitions and classes for dealing with Cobalt Strike C2 packets.
Mainly used by :mod:`dissect.cobaltstrike.c2`.
"""
from enum import IntEnum
from dissect import cstruct
class BeaconCommand(IntEnum):
    """Task command identifiers, Team Server -> Beacon.

    The numeric value is the ``command`` field of a ``TaskPacket`` in
    :data:`C2_DEF`. :func:`typedef_for_enum` turns this class into the C
    ``typedef enum`` that ``c2struct`` parses that field with, using the
    function's default ``uint32`` underlying type (a 4-byte field).

    Values are not contiguous; a command number that is not listed here has no
    member. Keep values unique: ``IntEnum`` treats a duplicate value as an
    alias, and aliases are skipped when the class is iterated - and therefore
    left out of the generated C typedef.
    """

    COMMAND_KEYLOG_START = 6
    COMMAND_KEYLOG_STOP = 7
    COMMAND_SPAWN_PROC_X86 = 13
    COMMAND_INJECT_PING = 18
    COMMAND_CANCEL_DOWNLOAD = 19
    COMMAND_PIPE_ROUTE = 22
    COMMAND_PIPE_CLOSE = 23
    COMMAND_PIPE_REOPEN = 24
    COMMAND_TOKEN_GETUID = 27
    COMMAND_TOKEN_REV2SELF = 28
    COMMAND_STEAL_TOKEN = 31
    COMMAND_PSH_IMPORT = 37
    COMMAND_JOB_REGISTER = 40
    COMMAND_INJECTX64_PID = 43
    COMMAND_INJECT_PID_PING = 45
    COMMAND_INJECTX64_PID_PING = 46
    COMMAND_LSOCKET_BIND = 50
    COMMAND_LSOCKET_CLOSE = 51
    COMMAND_STAGE_PAYLOAD = 52
    COMMAND_FILE_MKDIR = 54
    COMMAND_FILE_DRIVES = 55
    COMMAND_STAGE_PAYLOAD_SMB = 57
    COMMAND_WEBSERVER_LOCAL = 59
    COMMAND_ELEVATE_PRE = 60
    COMMAND_ELEVATE_POST = 61
    COMMAND_JOB_REGISTER_IMPERSONATE = 62
    COMMAND_SPAWN_POWERSHELLX86 = 63
    COMMAND_SPAWN_POWERSHELLX64 = 64
    COMMAND_INJECT_POWERSHELLX86_PID = 65
    COMMAND_INJECT_POWERSHELLX64_PID = 66
    COMMAND_UPLOAD_CONTINUE = 67
    COMMAND_PIPE_OPEN_EXPLICIT = 68
    COMMAND_SPAWN_PROC_X64 = 69
    COMMAND_JOB_SPAWN_X86 = 70
    COMMAND_JOB_SPAWN_X64 = 71
    COMMAND_RUN_UNDER_PID = 76
    COMMAND_EXECUTE_JOB = 78
    COMMAND_PSH_HOST_TCP = 79
    COMMAND_LSOCKET_TCPPIVOT = 82
    COMMAND_ARGUE_REMOVE = 84
    COMMAND_ARGUE_LIST = 85
    COMMAND_TCP_CONNECT = 86
    COMMAND_JOB_SPAWN_TOKEN_X86 = 87
    COMMAND_JOB_SPAWN_TOKEN_X64 = 88
    COMMAND_SPAWN_TOKEN_X86 = 89
    COMMAND_SPAWN_TOKEN_X64 = 90
    COMMAND_INJECTX64_PING = 91
    COMMAND_SPAWNAS_X86 = 93
    COMMAND_SPAWNAS_X64 = 94
    COMMAND_INLINE_EXECUTE = 95
    COMMAND_RUN_INJECT_X86 = 96
    COMMAND_RUN_INJECT_X64 = 97
    COMMAND_SPAWNU_X86 = 98
    COMMAND_SPAWNU_X64 = 99
    COMMAND_INLINE_EXECUTE_OBJECT = 100
    COMMAND_JOB_REGISTER_MSGMODE = 101
    COMMAND_LSOCKET_BIND_LOCALHOST = 102
class BeaconCallback(IntEnum):
    """Callback type identifiers, Beacon -> Team Server.

    The numeric value is the ``callback`` field of a ``CallbackPacket`` in
    :data:`C2_DEF`. Like :class:`BeaconCommand`, the class is converted with
    :func:`typedef_for_enum` (default ``uint32``, a 4-byte field) and loaded
    into ``c2struct`` before ``C2_DEF`` is parsed.

    Values are not contiguous; a callback number that is not listed here has
    no member. Keep values unique, because alias members are skipped when the
    enum is iterated and so would be missing from the generated C typedef.
    """

    CALLBACK_KEYSTROKES = 1
    CALLBACK_SCREENSHOT = 3
    CALLBACK_FILE_WRITE = 8
    CALLBACK_FILE_CLOSE = 9
    CALLBACK_PIPE_OPEN = 10
    CALLBACK_PIPE_CLOSE = 11
    CALLBACK_PIPE_READ = 12
    CALLBACK_POST_ERROR = 13
    CALLBACK_PIPE_PING = 14
    CALLBACK_TOKEN_STOLEN = 15
    CALLBACK_TOKEN_GETUID = 16
    CALLBACK_PROCESS_LIST = 17
    CALLBACK_POST_REPLAY_ERROR = 18
    CALLBACK_SSH_STATUS = 27
    CALLBACK_CHUNK_ALLOCATE = 28
    CALLBACK_CHUNK_SEND = 29
    CALLBACK_OUTPUT_OEM = 30
    CALLBACK_OUTPUT_UTF8 = 32
# C definitions of the C2 packet layouts, parsed by the big-endian ``c2struct``
# instance defined below. ``BeaconCallback`` and ``BeaconCommand`` are not C
# types: they are the enum typedefs generated by ``typedef_for_enum``, so those
# must have been loaded into ``c2struct`` before this string is.
#
# ``CallbackPacket.data`` and ``TaskPacket.data`` are variable-length and sized
# by the preceding ``size`` field of the same packet.
#
# In ``BeaconMetadata`` the ``info`` length is ``size - 51`` because 51 is the
# byte size of the fixed fields between ``size`` and ``info``:
# 16 (aes_rand) + 2 + 2 + 4 + 4 + 2 + 1 + 1 + 1 + 2 + 4 + 4 + 4 + 4 (ip).
# NOTE(review): a ``size`` below 51 makes that length negative; confirm how
# cstruct reports this for a malformed or truncated metadata blob.
C2_DEF = """
// Callback data from: Beacon -> Team Server
typedef struct CallbackPacket {
uint32 counter;
uint32 size;
BeaconCallback callback;
char data[size];
};
// Task from: Team Server -> Beacon
typedef struct TaskPacket {
uint32 epoch;
uint32 total_size;
BeaconCommand command;
uint32 size;
char data[size];
};
struct BeaconMetadata {
uint32 magic;
uint32 size;
char aes_rand[16];
uint16 ansi_cp; // GetACP
uint16 oem_cp; // GetOEMCP
uint32 bid;
uint32 pid;
uint16 port;
uint8 flag;
uint8 ver_major;
uint8 ver_minor;
uint16 ver_build;
uint32 ptr_x64; // for x64 addressing
uint32 ptr_gmh; // GetModuleHandle
uint32 ptr_gpa; // GetProcAddress
uint32 ip;
char info[size - 51];
};
"""
# Shared parser for every C2 definition in this module. ``endian=">"`` makes
# all multi-byte integer fields big-endian (network byte order); the enum
# typedefs and ``C2_DEF`` are loaded into this instance below.
c2struct = cstruct.cstruct(endian=">")
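def typedef_for_enum(enum_class: type[IntEnum], int_type: str = "uint32") -> str:
    """Return a C ``typedef enum`` declaration for ``enum_class``.

    The output is meant to be fed to ``cstruct.load`` so that the enum's name
    can afterwards be used as a field type in other C definitions (this module
    does so for ``BeaconCommand`` and ``BeaconCallback`` before loading
    ``C2_DEF``).

    Args:
        enum_class: The enum *class* itself, not a member: its ``__name__``
            becomes the C type name and each member becomes one enumerator.
        int_type: Underlying C integer type written after the colon, which
            fixes the field width; ``uint32`` by default.

    Returns:
        A newline-separated declaration of the form
        ``typedef enum <Name> : <int_type> {`` / `` <MEMBER> = <value>,`` / ``};``.
        An enum without members yields just the header and footer lines.
        Alias members (duplicate values) are not emitted, because iterating an
        enum class skips them.
    """
    header = f"typedef enum {enum_class.__name__} : {int_type} {{"
    # One enumerator per canonical member, in definition order. The trailing
    # comma after the last enumerator is accepted by cstruct.
    enumerators = [f" {member.name} = {member.value}," for member in enum_class]
    footer = "};"
    return "\n".join([header, *enumerators, footer])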
# Load order matters: C2_DEF uses BeaconCommand and BeaconCallback as field
# types, so their generated typedefs must be parsed before C2_DEF.
c2struct.load(typedef_for_enum(BeaconCommand))
c2struct.load(typedef_for_enum(BeaconCallback))
c2struct.load(C2_DEF)
# Module-level alias of the parsed ``CallbackPacket`` structure (Beacon ->
# Team Server), so callers need not reach into ``c2struct``.
CallbackPacket = c2struct.CallbackPacket
# Module-level alias of the parsed ``TaskPacket`` structure (Team Server ->
# Beacon), so callers need not reach into ``c2struct``.
TaskPacket = c2struct.TaskPacket