dissect.cobaltstrike.version
============================

.. py:module:: dissect.cobaltstrike.version

.. autoapi-nested-parse::

   This module contains the :class:`BeaconVersion` class and the mappings used to determine the Cobalt Strike version of beacon payloads.

   .. note::

      Deducing the Cobalt Strike version with :meth:`BeaconVersion.from_pe_export_stamp` is more accurate than with :meth:`BeaconVersion.from_max_setting_enum`. However, if the `pe_export_stamp` is not known, deducing from `max_setting_enum` still gives a good version estimate.

Attributes
----------

.. autoapisummary::

   dissect.cobaltstrike.version.MAX_ENUM_TO_VERSION
   dissect.cobaltstrike.version.PE_EXPORT_STAMP_TO_VERSION

Classes
-------

.. autoapisummary::

   dissect.cobaltstrike.version.BeaconVersion

Module Contents
---------------

.. py:data:: MAX_ENUM_TO_VERSION
   :type: Dict[int, str]

   Mapping from max setting enum to Cobalt Strike version.

.. py:data:: PE_EXPORT_STAMP_TO_VERSION
   :type: Dict[int, str]

   Mapping from PE export timestamp to Cobalt Strike version.

.. py:class:: BeaconVersion(version: str)

   Bases: :py:obj:`str`

   Helper class for dealing with Cobalt Strike version strings.

   .. py:attribute:: REGEX_VERSION
      :value: 'Cobalt Strike (?P<major>\\d+)\\.(?P<minor>\\d+)(\\.(?P<patch>\\d+))? \\((?P<date>.*)\\)'

   .. py:attribute:: version
      :type: str

      Full version string including the date, e.g. ``"Cobalt Strike 4.5 (Dec 14, 2021)"``.

   .. py:attribute:: tuple
      :type: Optional[Union[Tuple[int, int], Tuple[int, int, int]]]
      :value: None

      The version as a tuple of ``(major, minor)`` or ``(major, minor, patch)``, e.g. ``(4, 5)`` or ``(4, 7, 1)``. Otherwise ``None``.

   .. py:attribute:: date
      :type: Optional[datetime.date]
      :value: None

      Release date of the version as a :class:`datetime.date` object, e.g. ``datetime.date(2021, 12, 14)``. Otherwise ``None``.

   .. py:method:: from_pe_export_stamp(pe_export_stamp: int) -> BeaconVersion
      :classmethod:

      Construct a :class:`BeaconVersion` by looking up `pe_export_stamp` in the :attr:`PE_EXPORT_STAMP_TO_VERSION` map.

   .. py:method:: from_max_setting_enum(enum: int) -> BeaconVersion
      :classmethod:

      Construct a :class:`BeaconVersion` by looking up `enum` in the :attr:`MAX_ENUM_TO_VERSION` map.

   .. py:property:: version_string
      :type: str

      The version string without the date, e.g. ``"Cobalt Strike 4.5"``.

   .. py:property:: version_only
      :type: str

      The version number only, e.g. ``"4.5"``, or ``"Unknown"`` if the version is unknown.

   .. py:method:: __str__() -> str

      Return str(self).

   .. py:method:: __repr__() -> str

      Return repr(self).
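The following is an added, self-contained stand-in that shows how the attributes and properties documented above fit together: the version string is parsed with the documented ``REGEX_VERSION`` pattern into ``tuple`` and ``date``, and a lookup helper applies the preference stated in the note (PE export stamp first, max setting enum as fallback). It is not the project's own code; the mapping contents are constructed placeholders, and returning ``"Unknown"`` for a missing key and the ``deduce_version`` helper are assumptions of this example.

```python
import re
from datetime import date, datetime
from typing import Dict, Optional, Tuple

# Same pattern the documented REGEX_VERSION attribute describes.
REGEX_VERSION = r"Cobalt Strike (?P<major>\d+)\.(?P<minor>\d+)(\.(?P<patch>\d+))? \((?P<date>.*)\)"

# Constructed placeholder tables; the real MAX_ENUM_TO_VERSION and
# PE_EXPORT_STAMP_TO_VERSION contents live in dissect.cobaltstrike.version.
PE_EXPORT_STAMP_TO_VERSION: Dict[int, str] = {0x12345678: "Cobalt Strike 4.5 (Dec 14, 2021)"}
MAX_ENUM_TO_VERSION: Dict[int, str] = {70: "Cobalt Strike 4.7 (Aug 17, 2022)"}


class BeaconVersion(str):
    def __init__(self, version: str) -> None:
        self.version = version
        self.tuple: Optional[Tuple[int, ...]] = None
        self.date: Optional[date] = None
        match = re.match(REGEX_VERSION, version)
        if match:
            # patch group is optional, so it is dropped from the tuple when absent
            self.tuple = tuple(int(p) for p in (match["major"], match["minor"], match["patch"]) if p)
            try:
                self.date = datetime.strptime(match["date"], "%b %d, %Y").date()
            except ValueError:
                self.date = None  # unparseable date text: keep the version, drop the date

    @classmethod
    def from_pe_export_stamp(cls, pe_export_stamp: int) -> "BeaconVersion":
        return cls(PE_EXPORT_STAMP_TO_VERSION.get(pe_export_stamp, "Unknown"))  # assumption

    @classmethod
    def from_max_setting_enum(cls, enum: int) -> "BeaconVersion":
        return cls(MAX_ENUM_TO_VERSION.get(enum, "Unknown"))  # assumption

    @property
    def version_string(self) -> str:
        return f"Cobalt Strike {self.version_only}" if self.tuple else "Unknown"

    @property
    def version_only(self) -> str:
        return ".".join(str(n) for n in self.tuple) if self.tuple else "Unknown"


def deduce_version(pe_export_stamp: Optional[int], max_setting_enum: int) -> BeaconVersion:
    """Prefer the PE export stamp (more accurate); fall back to the max setting enum."""
    if pe_export_stamp is not None:
        version = BeaconVersion.from_pe_export_stamp(pe_export_stamp)
        if version.tuple is not None:
            return version
    return BeaconVersion.from_max_setting_enum(max_setting_enum)
```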