dissect.cobaltstrike.pcap
=========================

.. py:module:: dissect.cobaltstrike.pcap


Attributes
----------

.. autoapisummary::

   dissect.cobaltstrike.pcap.logger
   dissect.cobaltstrike.pcap.PacketRecord


Classes
-------

.. autoapisummary::

   dissect.cobaltstrike.pcap.BeaconCapture


Functions
---------

.. autoapisummary::

   dissect.cobaltstrike.pcap.packet_to_record
   dissect.cobaltstrike.pcap.c2packet_to_record
   dissect.cobaltstrike.pcap.raw_http_from_packet
   dissect.cobaltstrike.pcap.main


Module Contents
---------------

.. py:data:: logger

.. py:data:: PacketRecord

   Record Descriptor for basic PCAP packet information

.. py:function:: packet_to_record(packet: pyshark.packet.packet.Packet) -> flow.record.Record

   Convert pcap `packet` to a flow.record.

.. py:function:: c2packet_to_record(c2packet: dissect.cobaltstrike.c2.C2Packet) -> flow.record.Record

   Convert `c2packet` to a flow.record.

.. py:function:: raw_http_from_packet(packet: pyshark.packet.packet.Packet) -> bytes

   Return the extracted raw HTTP bytes from `packet`.

.. py:class:: BeaconCapture(pcap: str, bconfig: Optional[dissect.cobaltstrike.beacon.BeaconConfig] = None, aes_key: Optional[bytes] = None, hmac_key: Optional[bytes] = None, rsa_private_key: Optional[Crypto.PublicKey.RSA.RsaKey] = None, verify_hmac: bool = True, all_metadata: bool = False, extract_beacons: bool = False)

   A class representing a beacon capture file.

   :param pcap: A PCAP file containing Cobalt Strike traffic
   :param nss: NSSKEYLOGFILE containing the client random and masterkey in NSS format
   :param aes_key: AES key used in the beacon session
   :param hmac_key: HMAC key used in the beacon session (optional)
   :param c2: IP address of the Cobalt Strike C2 server
   :param config: A Cobalt Strike :class:`~dissect.cobaltstrike.beacon.BeaconConfig` configuration
   :param filter: A Wireshark display filter used for filtering the pcap

   .. py:attribute:: pcap

   .. py:attribute:: aes_key
      :value: None

   .. py:attribute:: hmac_key
      :value: None

   .. py:attribute:: rsa_private_key
      :value: None

   .. py:attribute:: bconfig
      :value: None

   .. py:attribute:: verify_hmac
      :value: True

   .. py:attribute:: all_metadata
      :value: False

   .. py:attribute:: packet_number_to_request

   .. py:attribute:: extract_beacons
      :value: False

   .. py:attribute:: c2http
      :value: None

   .. py:method:: __iter__() -> Iterator[Tuple[pyshark.packet.packet.Packet, dissect.cobaltstrike.c2.C2Packet]]

      Alias for :meth:`BeaconCapture.iter_parse_pcap`.

   .. py:method:: iter_parse_pcap(pcap: str, all_metadata: Optional[bool] = None, nss_keylog_file: Optional[str] = None, c2_ip: Optional[str] = None, display_filter: str = 'http', extract_beacons: bool = False) -> Iterator[Tuple[pyshark.packet.packet.Packet, dissect.cobaltstrike.c2.C2Packet]]

      Yields (packet, c2packet) for every decrypted HTTP C2 packet in the PCAP.

      :param pcap: path to PCAP file
      :param all_metadata: If ``True`` it will yield all decrypted :class:`BeaconMetadata`. Otherwise, yield only the metadata that has not been seen yet. Useful if you want to ignore subsequent check-ins.
      :param nss_keylog_file: path to a ``SSLKEY_LOG`` file for decrypting TLS traffic in the pcap.
      :param c2_ip: IP address of the C2; if defined it will be used to filter packets and speed up processing.
      :param display_filter: A Wireshark display filter to apply to the pcap. It's recommended to use at least ``http`` (default).
      :Yields: Tuple of (packet, c2packet)

   .. py:method:: find_staged_beacon(response: dissect.cobaltstrike.c2.HttpResponse) -> Optional[dissect.cobaltstrike.beacon.BeaconConfig]

      Returns a `BeaconConfig` if found in the HTTP `response` body. If the response has an associated `request`, it will first check whether the request is a stager URI.

      :param response: The :class:`HttpResponse` object to check for Stager URI and Beacon payload.
      :returns: The beacon config if found, otherwise `None`.
      :rtype: BeaconConfig

.. py:function:: main()
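The following script is an added usage example and is not part of dissect.cobaltstrike (it is not the module's own ``main``). It drives the ``BeaconCapture`` constructor and ``iter_parse_pcap`` exactly as documented above to emit one JSON line per decrypted C2 packet, which is a convenient shape for feeding a capture review into a SIEM or notebook. The hex-key command-line handling, the ``summarize`` dict layout and the reliance on pyshark's ``packet.number`` frame attribute are my own choices and assumptions, not documented behaviour of the module; the ``dissect`` import is deferred into ``iter_summaries`` so the pure helpers can be exercised without tshark installed.

```python
"""Summarise decrypted Cobalt Strike C2 packets from a PCAP via BeaconCapture.

Added example: not part of dissect.cobaltstrike. Only the constructor and
iter_parse_pcap() arguments documented for BeaconCapture are used.
"""
import argparse
import json
import sys
from typing import Any, Dict, Iterator, Optional


def parse_hex_key(value: Optional[str], name: str) -> Optional[bytes]:
    """Decode a hex-encoded session key into the raw bytes BeaconCapture expects.

    None passes through unchanged, so the capture falls back to whatever key
    material it can recover itself (beacon config / RSA private key). Anything
    else must be valid, non-empty hex; a bad key is rejected up front rather
    than surfacing later as an HMAC verification failure on every packet.
    """
    if value is None:
        return None
    try:
        key = bytes.fromhex(value)
    except ValueError as exc:
        raise ValueError(f"{name} must be hex-encoded, got {value!r}") from exc
    if not key:
        raise ValueError(f"{name} must not be empty")
    return key


def summarize(packet: Any, c2packet: Any) -> Dict[str, Any]:
    """Reduce one (packet, c2packet) pair to a JSON-serialisable summary.

    Assumption: the pyshark packet exposes its frame number as ``number``
    (a string). The C2Packet subclass name (e.g. BeaconMetadata) identifies
    what kind of C2 message was decrypted; full field extraction is left to
    the module's own c2packet_to_record().
    """
    frame = getattr(packet, "number", None)
    return {
        "frame": int(frame) if frame is not None else None,
        "c2_type": type(c2packet).__name__,
    }


def iter_summaries(
    pcap: str,
    nss_keylog_file: Optional[str] = None,
    c2_ip: Optional[str] = None,
    aes_key: Optional[bytes] = None,
    hmac_key: Optional[bytes] = None,
    all_metadata: bool = False,
) -> Iterator[Dict[str, Any]]:
    """Yield one summary dict per decrypted C2 packet in ``pcap``."""
    # Imported lazily so parse_hex_key()/summarize() work without pyshark/tshark.
    from dissect.cobaltstrike.pcap import BeaconCapture

    capture = BeaconCapture(pcap, aes_key=aes_key, hmac_key=hmac_key, all_metadata=all_metadata)
    # display_filter="http" is the documented default; c2_ip narrows the packet set.
    for packet, c2packet in capture.iter_parse_pcap(
        pcap, nss_keylog_file=nss_keylog_file, c2_ip=c2_ip, display_filter="http"
    ):
        yield summarize(packet, c2packet)


def main(argv: Optional[list] = None) -> int:
    parser = argparse.ArgumentParser(description="Summarise decrypted Cobalt Strike C2 packets in a PCAP")
    parser.add_argument("pcap", help="PCAP file containing Cobalt Strike traffic")
    parser.add_argument("--nss", help="NSS key log file used to decrypt TLS in the pcap")
    parser.add_argument("--c2-ip", help="restrict parsing to this C2 address")
    parser.add_argument("--aes-key", help="hex-encoded AES session key")
    parser.add_argument("--hmac-key", help="hex-encoded HMAC session key")
    parser.add_argument("--all-metadata", action="store_true", help="yield every BeaconMetadata, not only new ones")
    args = parser.parse_args(argv)
    for summary in iter_summaries(
        args.pcap,
        nss_keylog_file=args.nss,
        c2_ip=args.c2_ip,
        aes_key=parse_hex_key(args.aes_key, "aes_key"),
        hmac_key=parse_hex_key(args.hmac_key, "hmac_key"),
        all_metadata=args.all_metadata,
    ):
        print(json.dumps(summary))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as ``python summarize_c2.py capture.pcap --nss sslkeys.log --c2-ip 203.0.113.10``; without ``--aes-key``/``--hmac-key`` the keys are left as ``None`` so ``BeaconCapture`` uses its own recovery path, and ``--all-metadata`` maps directly onto the ``all_metadata`` flag described above.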