dissect.cobaltstrike.artifact

This module is responsible for dumping payloads from ArtifactKit-generated executables.

Module Contents

Classes

ArtifactKitPayload

Namedtuple containing the ArtifactKit metadata and decoded payload

Functions

iter_artifactkit_payloads(→ Iterator[ArtifactKitPayload])

Iterate over the ArtifactKitPayload objects found by scanning fobj for possible ArtifactKit payloads.

main()

Entrypoint for beacon-artifact

Attributes

logger

dissect.cobaltstrike.artifact.logger
class dissect.cobaltstrike.artifact.ArtifactKitPayload

Bases: NamedTuple

Namedtuple containing the ArtifactKit metadata and decoded payload

offset: int

Offset of the ArtifactKit metadata in the file

size: int

Size of the payload

xorkey: bytes

4-byte random xor mask

hints: bytes

Loader hints (GetModuleHandleA, GetProcAddress)

payload: bytes

Decoded ArtifactKit payload

dissect.cobaltstrike.artifact.iter_artifactkit_payloads(fobj: BinaryIO, start_offset: int | None = 0, maxrange: int | None = None) → Iterator[ArtifactKitPayload]

Iterate over the ArtifactKitPayload objects found by scanning fobj for possible ArtifactKit payloads.

Side effect: the file position of fobj changes, because the scan seeks within it.

Note

No additional checks are done on the ArtifactKit payloads to ensure that what is found is actually correct.

Parameters:
  • fobj – file-like object

  • start_offset – file offset at which to start searching for ArtifactKit payloads; if None, the search starts from the current file position (default: 0)

  • maxrange – maximum file offset at which to stop searching; if None, the entire file is searched (default: None)

Yields:

ArtifactKitPayload
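As an added example (not code from the dissect.cobaltstrike project), the following mirrors the documented fields, the 4-byte rotating XOR mask, the loader hints and the start_offset/maxrange semantics on a constructed sample file. The on-disk layout it parses (size, xor key, hints, masked payload) is an assumed stand-in for illustration, not the real ArtifactKit layout, and, as the note above says, nothing validates that a decoded chunk is really a payload.

```python
import struct
from io import BytesIO
from typing import BinaryIO, Iterator, List, NamedTuple, Optional

# Loader hints named on the page, in the order a stub would resolve them.
LOADER_HINTS = b"GetModuleHandleA\x00GetProcAddress\x00"


class ArtifactKitPayload(NamedTuple):
    offset: int     # offset of the metadata in the file
    size: int       # size of the payload
    xorkey: bytes   # 4-byte random xor mask
    hints: bytes    # loader hints
    payload: bytes  # decoded payload


def xor_mask(data: bytes, key: bytes) -> bytes:
    """Rotating 4-byte XOR: the same operation masks and unmasks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_artifact(payload: bytes, xorkey: bytes) -> bytes:
    """ASSUMED stand-in layout (not the real one): size:u32 | xorkey | hints | masked payload."""
    return struct.pack("<I", len(payload)) + xorkey + LOADER_HINTS + xor_mask(payload, xorkey)


def iter_artifactkit_payloads(fobj: BinaryIO, start_offset: Optional[int] = 0,
                              maxrange: Optional[int] = None) -> Iterator[ArtifactKitPayload]:
    """Scan fobj for the stand-in layout; None start_offset = current position, None maxrange = EOF."""
    if start_offset is not None:
        fobj.seek(start_offset)
    base = fobj.tell()  # side effect, as documented: the file position moves
    data = fobj.read() if maxrange is None else fobj.read(max(0, maxrange - base))
    pos = 0
    while (idx := data.find(LOADER_HINTS, pos)) != -1:
        meta, body = idx - 8, idx + len(LOADER_HINTS)  # metadata assumed to precede the hints
        size = struct.unpack_from("<I", data, meta)[0] if meta >= 0 else -1
        if size < 0 or body + size > len(data):  # truncated or outside the scanned range: skip
            pos = idx + 1
            continue
        xorkey = data[meta + 4:meta + 8]
        yield ArtifactKitPayload(base + meta, size, xorkey, LOADER_HINTS, xor_mask(data[body:body + size], xorkey))
        pos = body + size


# Constructed sample file: a fake MZ prefix and two embedded artifacts separated by padding.
SAMPLE_BLOB = (b"MZ" + b"\x90" * 30 + build_artifact(b"payload-one", b"\x11\x22\x33\x44")
               + b"\x00" * 8 + build_artifact(b"second", b"\xaa\xbb\xcc\xdd"))


def scan_sample() -> List[ArtifactKitPayload]:
    return list(iter_artifactkit_payloads(BytesIO(SAMPLE_BLOB)))
```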

dissect.cobaltstrike.artifact.main()

Entrypoint for beacon-artifact