dissect.cobaltstrike.guardrails

This module is responsible for finding and recovering Beacon Guardrails configuration from Cobalt Strike payloads. Guardrails is an additional layer of protection to the beacon config by using environmental keying (T1480).

Note

Beacon Guardrails was introduced in Cobalt Strike 4.8:

• https://www.cobaltstrike.com/blog/cobalt-strike-4-8-system-call-me-maybe

Other research on Beacon Guardrails:

• https://itea.org/journals/volume-45-3/cobalt-strike-cyber-assessment-challenge/

Attributes

log
C_GUARDRAILS_DEF
BEACON_CONFIG_PATCH_SIZE
GUARD_PATCH_SIZE
GUARD_CONFIG_STARTS
c_guardrails
GuardrailSetting
GuardOption

Classes

GuardrailMetadata

Class for holding Guardrail related data

Functions

iter_guardrail_configs(...)
find_xor_key_candidates(→ collections.abc.Iterator[bytes])
payload_checksum(→ int)
iter_guardrail_configs_with_beacon(...)

Module Contents

dissect.cobaltstrike.guardrails.log

dissect.cobaltstrike.guardrails.C_GUARDRAILS_DEF = Multiline-String

Show Value

"""
enum GuardOption: uint16 {
    GUARD_USER = 5,
    GUARD_COMPUTER = 6,
    GUARD_DOMAIN = 7,
    GUARD_LOCAL_IP = 8,
    GUARD_PAYLOAD_CHECKSUM = 9,
};

enum SettingsType: uint16 {
    TYPE_NONE = 0,
    TYPE_SHORT = 1,
    TYPE_INT = 2,
    TYPE_PTR = 3,
};

struct GuardrailSetting {
    GuardOption option;         // uint16
    SettingsType type;          // uint16
    uint16 length;              // uint16
    char value[length];
};
"""

dissect.cobaltstrike.guardrails.BEACON_CONFIG_PATCH_SIZE = 6144

dissect.cobaltstrike.guardrails.GUARD_PATCH_SIZE = 2048

dissect.cobaltstrike.guardrails.GUARD_CONFIG_STARTS = [b'\x00\x05\x00\x01\x00\x02', b'\x00\x06\x00\x01\x00\x02', b'\x00\x07\x00\x01\x00\x02',...

dissect.cobaltstrike.guardrails.c_guardrails

dissect.cobaltstrike.guardrails.GuardrailSetting

dissect.cobaltstrike.guardrails.GuardOption

class dissect.cobaltstrike.guardrails.GuardrailMetadata

Class for holding Guardrail related data

beacon_config_offset: int

Offset of the beacon configuration in the payload

guard_config_offset: int

Offset of the guardrail configuration in the payload

masked_beacon_config: bytes

Masked raw beacon configuration

masked_guard_config: bytes

Masked raw guardrail configuration

beacon_xor_key: bytes

Single byte XOR key used to mask the beacon configuration. (0x2e by default unless modified beacon)

guardrail_xor_key: bytes

Single byte XOR key used to unmask the guardrail configuration (0x8a by default unless modified beacon)

unmasked_guard_config: bytes

Unmasked guardrail configuration

checksum: int

Extracted payload checksum from guardrail configuration. This is used to validate the beacon configuration

payload_xor_key: bytes | None

XOR key used to unmask the guarded beacon configuration. This is the environmental key

unmasked_beacon_config: bytes

Unmasked beacon configuration

settings: list[GuardrailSetting]

List of guardrail settings

dissect.cobaltstrike.guardrails.iter_guardrail_configs(fh: BinaryIO, xorkey: bytes = b'\x8a') → collections.abc.Iterator[GuardrailMetadata]

dissect.cobaltstrike.guardrails.find_xor_key_candidates(fh: BinaryIO) → collections.abc.Iterator[bytes]

dissect.cobaltstrike.guardrails.payload_checksum(data: bytes) → int

dissect.cobaltstrike.guardrails.iter_guardrail_configs_with_beacon(fh: BinaryIO) → collections.abc.Iterator[GuardrailMetadata]