dissect.cobaltstrike.c_c2

Structure definitions and classes for dealing with Cobalt Strike C2 packets. Mainly used by dissect.cobaltstrike.c2.

Attributes

C2_DEF

c2struct

BeaconMetadata

CallbackPacket

TaskPacket

Classes

BeaconCommand

Enum where members are also (and must be) ints

BeaconCallback

Enum where members are also (and must be) ints

Functions

typedef_for_enum(→ str)

Return a C-compatible typedef string for enum_class.

Module Contents

class dissect.cobaltstrike.c_c2.BeaconCommand[source]

Bases: enum.IntEnum

Enum where members are also (and must be) ints

COMMAND_SPAWN = 1[source]
COMMAND_SHELL = 2[source]
COMMAND_DIE = 3[source]
COMMAND_SLEEP = 4[source]
COMMAND_CD = 5[source]
COMMAND_KEYLOG_START = 6[source]
COMMAND_NOOP = 6[source]
COMMAND_KEYLOG_STOP = 7[source]
COMMAND_CHECKIN = 8[source]
COMMAND_INJECT_PID = 9[source]
COMMAND_UPLOAD = 10[source]
COMMAND_DOWNLOAD = 11[source]
COMMAND_EXECUTE = 12[source]
COMMAND_SPAWN_PROC_X86 = 13[source]
COMMAND_CONNECT = 14[source]
COMMAND_SEND = 15[source]
COMMAND_CLOSE = 16[source]
COMMAND_LISTEN = 17[source]
COMMAND_INJECT_PING = 18[source]
COMMAND_CANCEL_DOWNLOAD = 19[source]
COMMAND_PIPE_ROUTE = 22[source]
COMMAND_PIPE_CLOSE = 23[source]
COMMAND_PIPE_REOPEN = 24[source]
COMMAND_TOKEN_GETUID = 27[source]
COMMAND_TOKEN_REV2SELF = 28[source]
COMMAND_TIMESTOMP = 29[source]
COMMAND_STEAL_TOKEN = 31[source]
COMMAND_PS_LIST = 32[source]
COMMAND_PS_KILL = 33[source]
COMMAND_PSH_IMPORT = 37[source]
COMMAND_RUNAS = 38[source]
COMMAND_PWD = 39[source]
COMMAND_JOB_REGISTER = 40[source]
COMMAND_JOBS = 41[source]
COMMAND_JOB_KILL = 42[source]
COMMAND_INJECTX64_PID = 43[source]
COMMAND_SPAWNX64 = 44[source]
COMMAND_INJECT_PID_PING = 45[source]
COMMAND_INJECTX64_PID_PING = 46[source]
COMMAND_PAUSE = 47[source]
COMMAND_LOGINUSER = 49[source]
COMMAND_LSOCKET_BIND = 50[source]
COMMAND_LSOCKET_CLOSE = 51[source]
COMMAND_STAGE_PAYLOAD = 52[source]
COMMAND_FILE_LIST = 53[source]
COMMAND_FILE_MKDIR = 54[source]
COMMAND_FILE_DRIVES = 55[source]
COMMAND_FILE_RM = 56[source]
COMMAND_STAGE_PAYLOAD_SMB = 57[source]
COMMAND_WEBSERVER_LOCAL = 59[source]
COMMAND_ELEVATE_PRE = 60[source]
COMMAND_ELEVATE_POST = 61[source]
COMMAND_JOB_REGISTER_IMPERSONATE = 62[source]
COMMAND_SPAWN_POWERSHELLX86 = 63[source]
COMMAND_SPAWN_POWERSHELLX64 = 64[source]
COMMAND_INJECT_POWERSHELLX86_PID = 65[source]
COMMAND_INJECT_POWERSHELLX64_PID = 66[source]
COMMAND_UPLOAD_CONTINUE = 67[source]
COMMAND_PIPE_OPEN_EXPLICIT = 68[source]
COMMAND_SPAWN_PROC_X64 = 69[source]
COMMAND_JOB_SPAWN_X86 = 70[source]
COMMAND_JOB_SPAWN_X64 = 71[source]
COMMAND_SETENV = 72[source]
COMMAND_FILE_COPY = 73[source]
COMMAND_FILE_MOVE = 74[source]
COMMAND_PPID = 75[source]
COMMAND_RUN_UNDER_PID = 76[source]
COMMAND_GETPRIVS = 77[source]
COMMAND_EXECUTE_JOB = 78[source]
COMMAND_PSH_HOST_TCP = 79[source]
COMMAND_DLL_LOAD = 80[source]
COMMAND_REG_QUERY = 81[source]
COMMAND_LSOCKET_TCPPIVOT = 82[source]
COMMAND_ARGUE_ADD = 83[source]
COMMAND_ARGUE_REMOVE = 84[source]
COMMAND_ARGUE_LIST = 85[source]
COMMAND_TCP_CONNECT = 86[source]
COMMAND_JOB_SPAWN_TOKEN_X86 = 87[source]
COMMAND_JOB_SPAWN_TOKEN_X64 = 88[source]
COMMAND_SPAWN_TOKEN_X86 = 89[source]
COMMAND_SPAWN_TOKEN_X64 = 90[source]
COMMAND_INJECTX64_PING = 91[source]
COMMAND_BLOCKDLLS = 92[source]
COMMAND_SPAWNAS_X86 = 93[source]
COMMAND_SPAWNAS_X64 = 94[source]
COMMAND_INLINE_EXECUTE = 95[source]
COMMAND_RUN_INJECT_X86 = 96[source]
COMMAND_RUN_INJECT_X64 = 97[source]
COMMAND_SPAWNU_X86 = 98[source]
COMMAND_SPAWNU_X64 = 99[source]
COMMAND_INLINE_EXECUTE_OBJECT = 100[source]
COMMAND_JOB_REGISTER_MSGMODE = 101[source]
COMMAND_LSOCKET_BIND_LOCALHOST = 102[source]
class dissect.cobaltstrike.c_c2.BeaconCallback[source]

Bases: enum.IntEnum

Enum where members are also (and must be) ints

CALLBACK_OUTPUT = 0[source]
CALLBACK_KEYSTROKES = 1[source]
CALLBACK_FILE = 2[source]
CALLBACK_SCREENSHOT = 3[source]
CALLBACK_CLOSE = 4[source]
CALLBACK_READ = 5[source]
CALLBACK_CONNECT = 6[source]
CALLBACK_PING = 7[source]
CALLBACK_FILE_WRITE = 8[source]
CALLBACK_FILE_CLOSE = 9[source]
CALLBACK_PIPE_OPEN = 10[source]
CALLBACK_PIPE_CLOSE = 11[source]
CALLBACK_PIPE_READ = 12[source]
CALLBACK_POST_ERROR = 13[source]
CALLBACK_PIPE_PING = 14[source]
CALLBACK_TOKEN_STOLEN = 15[source]
CALLBACK_TOKEN_GETUID = 16[source]
CALLBACK_PROCESS_LIST = 17[source]
CALLBACK_POST_REPLAY_ERROR = 18[source]
CALLBACK_PWD = 19[source]
CALLBACK_JOBS = 20[source]
CALLBACK_HASHDUMP = 21[source]
CALLBACK_PENDING = 22[source]
CALLBACK_ACCEPT = 23[source]
CALLBACK_NETVIEW = 24[source]
CALLBACK_PORTSCAN = 25[source]
CALLBACK_DEAD = 26[source]
CALLBACK_SSH_STATUS = 27[source]
CALLBACK_CHUNK_ALLOCATE = 28[source]
CALLBACK_CHUNK_SEND = 29[source]
CALLBACK_OUTPUT_OEM = 30[source]
CALLBACK_ERROR = 31[source]
CALLBACK_OUTPUT_UTF8 = 32[source]
dissect.cobaltstrike.c_c2.C2_DEF = Multiline-String[source]
"""
// Callback data from: Beacon -> Team Server
typedef struct CallbackPacket {
    uint32 counter;
    uint32 size;
    BeaconCallback callback;
    char data[size];
};

// Task from: Team Server -> Beacon
typedef struct TaskPacket {
    uint32 epoch;
    uint32 total_size;
    BeaconCommand command;
    uint32 size;
    char data[size];
};

struct BeaconMetadata {
    uint32 magic;
    uint32 size;
    char aes_rand[16];
    uint16 ansi_cp;     // GetACP
    uint16 oem_cp;      // GetOEMCP
    uint32 bid;
    uint32 pid;
    uint16 port;
    uint8 flag;
    uint8 ver_major;
    uint8 ver_minor;
    uint16 ver_build;
    uint32 ptr_x64;     // for x64 addressing
    uint32 ptr_gmh;     // GetModuleHandle
    uint32 ptr_gpa;     // GetProcAddress
    uint32 ip;
    char info[size - 51];
};
"""
dissect.cobaltstrike.c_c2.c2struct[source]
dissect.cobaltstrike.c_c2.typedef_for_enum(enum_class: enum.IntEnum, int_type: str = 'uint32') → str[source]

Return a C-compatible typedef string for enum_class.

dissect.cobaltstrike.c_c2.BeaconMetadata[source]
dissect.cobaltstrike.c_c2.CallbackPacket[source]
dissect.cobaltstrike.c_c2.TaskPacket[source]